[hibernate-dev] 6.0 - HQL literals

Christian Beikov christian.beikov at gmail.com
Thu Jan 9 09:10:31 EST 2020 

Ok, just wanted to make sure I didn't miss anything and understand the 
reasoning for your preference :)

Am 09.01.2020 um 13:06 schrieb Steve Ebersole:
> Well, again, this is configurable.  If you don't want to use it, don't ;)
>
> On Thu, Jan 9, 2020 at 1:28 AM Christian Beikov 
> <christian.beikov at gmail.com <mailto:christian.beikov at gmail.com>> wrote:
>
>     Am 08.01.2020 um 20:21 schrieb Steve Ebersole:
>>     On Wed, Jan 8, 2020 at 9:22 AM Christian Beikov
>>     <christian.beikov at gmail.com <mailto:christian.beikov at gmail.com>>
>>     wrote:
>>
>>
>>         This is about JPA Criteria whereas I was referring to how a
>>         literal in
>>         HQL ends up in the SQL. I agree that with JPA Criteria things
>>         are
>>         different as the API for parameters in queries is not very
>>         neat. A flag
>>         for controlling how literals should be rendered in for JPA
>>         Criteria
>>         sounds ok, but ultimately, a literal should be just that, a
>>         literal.
>>
>>
>>     Well no - its about how literals defined in ORM queries should be
>>     handled in JDBC.  The HQL / criteria distinction is not important
>>     here.
>>
>>     We'll agree to disagree that query literals should always be
>>     rendered as SQL literals.
>
>     I got that you are concerned with the security aspect and think
>     that the DBMS optimizer will not be able to build significantly
>     better plans than with parameters. Is there any other reason why
>     you prefer rendering literals as JDBC parameter by default?
>
>     Since string literals in JPQL/HQL are defined syntactically like
>     in SQL, the security part sounds managable to me as other
>     (currently existing) literals are non-problematic due to their
>     nature i.e. being numeric or strictly typed such the
>     representation can't interferre with the SQL they are embedded into.
>
>     The performance part is for me actually very critical. I attached
>     a few links[1][2][3][4] to articles that cover this topic.
>     Essentially, the difference in execution plans come from wrong row
>     count estimates because of wrong selectivity. When using
>     parameters, DBMS do a few tricks to overcome the problems of
>     unknown selectivity due to a missing value. Oracle is pretty good
>     at that AFAIU, but the behavior is configurable and we might run
>     in an environment where it isn't configure how we'd expect it to be.
>
>     PostgreSQL seems to use a generic plan(with wrong selectivity
>     estimates) after the 5th execution and other DBMS probably have
>     similar problems. In general, using literals is imporant when
>     there are only a few values or when the row distribution is
>     non-uniform. The problem gets big when a query has lots of joins
>     that multiply to the wrong estimates, leading to e.g. full table
>     scans rather than index scans.
>
>     [1]
>     http://davetechnotes.blogspot.com/2009/02/literal-vs-bind-variables-bind-variable.html
>
>     [2]
>     https://medium.com/@FranckPachot/postgresql-bind-variable-peeking-fb4be4942252
>
>     [3]
>     https://blog.jooq.org/2018/04/12/why-sql-bind-variables-are-important-for-performance/
>
>     [4]
>     https://blog.jooq.org/2017/05/30/when-to-use-bind-values-and-when-to-use-inline-values-in-sql/
>

More information about the hibernate-dev mailing list