|
35 | 35 | import static java.util.stream.Collectors.toSet; |
36 | 36 |
|
37 | 37 | import java.math.BigDecimal; |
38 | | -import java.sql.PreparedStatement; |
39 | 38 | import java.time.Instant; |
40 | 39 | import java.time.LocalDate; |
41 | 40 | import java.time.OffsetDateTime; |
|
120 | 119 | * <dl><dt><STRONG>Compile-time Protection</STRONG></dt></dl> |
121 | 120 | * |
122 | 121 | * <p>The templating engine uses compile-time checks to guard against accidental use of |
123 | | - * untrusted strings in the SQL, ensuring that they can only be sent as parameters of |
124 | | - * PreparedStatement: try to use a dynamically generated String as the SQL template and |
125 | | - * you'll get a compilation error. |
| 122 | + * untrusted strings in the SQL, ensuring that they can only be sent as Spanner query parameters: |
| 123 | + * try to use a dynamically generated String as the SQL template and you'll get a compilation error. |
126 | 124 | * |
127 | 125 | * <p>In addition, the same set of compile-time guardrails from the {@link StringFormat} class |
128 | 126 | * are in effect to make sure that you don't pass {@code lastName} in the place of |
|
250 | 248 | * .build(); |
251 | 249 | * }</pre> |
252 | 250 | * |
253 | | - * Spanner considers the quoted "@searchTerm" as a literal so the {@code setString()} |
254 | | - * call will fail. You'll need to use the following workaround: <pre>{@code |
| 251 | + * Spanner considers the quoted "@searchTerm" as a literal so the query won't work as expected. |
| 252 | + * You'll need to use the following workaround: <pre>{@code |
255 | 253 | * String searchTerm = ...; |
256 | 254 | * Statement.newBuilder("SELECT id FROM Users WHERE firstName LIKE @searchTerm") |
257 | 255 | * .bind("searchTerm", "%" + searchTerm + "%") |
@@ -340,16 +338,10 @@ private ParameterizedQuery(String sql, List<Parameter> parameters) { |
340 | 338 | * .query(dataSource, Long.class); |
341 | 339 | * }</pre> |
342 | 340 | * |
343 | | - * <p>Note that if you plan to create a {@link PreparedStatement} and use it multiple times |
344 | | - * with different sets of parameters, it's more efficient to use {@link #prepareToQuery |
345 | | - * prepareToQuery()} or {@link #prepareToUpdate prepareToUpdate()}, which will reuse the same |
346 | | - * PreparedStatement for multiple calls. The returned {@link Template}s are protected at |
347 | | - * compile-time against incorrect varargs. |
348 | | - * |
349 | 341 | * @param template the sql template |
350 | 342 | * @param params The template parameters. Parameters that are themselves {@link ParameterizedQuery} are |
351 | | - * considered trusted subqueries and are appended directly. Other types are passed through JDBC |
352 | | - * {@link PreparedStatement#setObject}, with one exception: when the corresponding placeholder |
| 343 | + * considered trusted subqueries and are appended directly. Other types are passed through as |
| 344 | + * Spanner query parameters, with one exception: when the corresponding placeholder |
353 | 345 | * is quoted by backticks like {@code `{columns}`}, its string parameter value |
354 | 346 | * (or {@code Iterable<String>} parameter value) are directly appended (quotes, backticks, |
355 | 347 | * backslash and other special characters are disallowed). |
|
0 commit comments