qiuyanjun888 commented on issue #17263:
URL: 
https://github.com/apache/dolphinscheduler/issues/17263#issuecomment-4766155929

   I looked into the current `SqlTask` implementation and the related 
issues/PRs (#17124, #17343, #18231). I agree that the current 
PreparedStatement-based replacement is a bad fit for some SqlTask scenarios, 
especially when `${}` is used in SQL identifiers or DDL statements such as 
`create table test_${dd}`. In those cases the placeholder becomes a JDBC 
parameter marker, which can produce invalid SQL semantics depending on the 
driver.
   
   ## Proposed direction
   
   Change SqlTask parameter handling from JDBC bind parameters to SqlTask-local 
SQL rendering before execution.
   
   ### 1. Keep the change local to SqlTask
   
   The first implementation should avoid changing global `ParameterUtils` 
behavior or datasource plugins. It should be limited to the SQL task execution 
path:
   
   - render `${}` / `!{}` into the SQL string before execution;
   - execute the rendered SQL with `Statement` rather than `PreparedStatement`;
   - preserve existing SQL splitting, pre/main/post execution order, query 
timeout, max rows, cancel support, result processing, alert attachment, output 
params and varPool behavior.
   
   This keeps the first PR smaller than the old WIP #17343 and reduces conflict 
with other task plugins.
   
   ### 2. Define rendering rules explicitly
   
   The main compatibility question is how `${}` should behave after removing 
PreparedStatement binding.
   
   Possible rule set:
   
   - numeric/boolean parameters render as unquoted literals;
   - string/date/time/timestamp parameters render as escaped SQL string 
literals, at least escaping single quotes (`'` -> `''`);
   - list parameters render as comma-separated literals for `IN (...)` use 
cases;
   - `!{}` keeps raw textual replacement semantics for cases where users 
intentionally need raw SQL fragments;
   - identifier/DDL cases such as `test_${dd}` should work when the rendered 
value is intended as an identifier fragment.
   
   The difficult part is that `${name}` can be used either as a value literal 
or as part of an identifier. We should agree on this before implementation, 
because existing SQL like `where name=${name}` worked with PreparedStatement 
even without quotes.
   
   ### 3. Suggested implementation shape
   
   - Add a small SqlTask-local renderer with unit tests.
   - Adapt `SqlBinds` or introduce a new internal value object so the name no 
longer implies JDBC binding.
   - Replace `prepareStatementAndBind()` with a `createStatement()` helper that 
still sets query timeout / max rows and stores `sessionStatement` for 
cancellation.
   - Update query/update execution to call 
`Statement.executeQuery(renderedSql)` / `Statement.executeUpdate(renderedSql)`.
   - Coordinate with #18231 so regex/raw replacement escaping is not solved 
twice in conflicting ways.
   
   ### 4. Test plan
   
   A first PR should include tests for:
   
   - `create table test_${dd}` rendering to `create table test_20250411`;
   - string literal escaping;
   - list parameter rendering for `in (${ids})`;
   - `!{}` replacement with `$` or `\` characters;
   - schedule-time replacement still working;
   - existing result-processing and out-param behavior still working.
   
   ## Questions for maintainers
   
   1. Should `${}` become a value-literal renderer with automatic quoting for 
strings, or should it be raw textual replacement according to the DSIP wording?
   2. Should `!{}` keep its current raw replacement semantics, or should it be 
deprecated/merged with `${}`?
   3. Is the preferred first implementation a small SqlTask-local change, or 
should it revive the larger execution-engine refactor attempted in #17343?
   4. Should the first implementation use a generic escaping rule across 
datasources, or should datasource-specific rendering be introduced from the 
beginning?
   5. How should this work be sequenced with the active parameter replacement 
PR #18231?
   
   If this direction is acceptable, I can prepare a focused PR starting with 
renderer tests.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to