Is it possible to log prepared query with bounded variables?


Ola Nowak

Dec 17, 2013, 10:08:39 AM
to java-dri...@lists.datastax.com
Hi,
I was wondering if it is possible to get the text of the query which is run against Cassandra. I'm using prepared statements and then I bind variables to them. I would like to check if the queries are correct. Any ideas?
Regards,
Ola

Pierre N.

Oct 30, 2014, 4:35:03 AM
to java-dri...@lists.datastax.com
Same problem here. Does someone have an idea how to log the queries using prepared statements, either client side or server side? I did try using TRACE level on logback but got no useful information regarding the queries.

Olivier Michallat

Oct 30, 2014, 4:53:10 AM
to java-dri...@lists.datastax.com
Hi,

Do you want to log the bound values?

--

Olivier Michallat

Driver & tools engineer, DataStax



Pierre N.

Oct 30, 2014, 5:28:24 AM
to java-dri...@lists.datastax.com
Yes, I would like to log the query and the bound values, something like this:

    10:15:00.819 [qtp1225373914-89] TRACE org.avaje.ebean.SQL - txn[1005] SELECT data FROM table WHERE c1 = ? AND c2 = ?; --bind(1, 20

For now I just created a dirty debugger:

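    // Debug helper: binds the values and logs the query with each '?' replaced by its value.
    public static BoundStatement bindD(PreparedStatement stmt, Object... obj){

        String query = stmt.getQueryString();
        BoundStatement bound = stmt.bind(obj);
        for (Object obj1 : obj) {
            // String.valueOf tolerates null; quoteReplacement keeps '$' and '\' in a value literal
            query = query.replaceFirst("\\?", java.util.regex.Matcher.quoteReplacement(String.valueOf(obj1)));
        }
        LOG.trace(query);

        return bound;
    }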

but it helps a little because I have to replace all bind calls. But you get the idea of what I need.

Olivier Michallat

Oct 30, 2014, 7:08:51 AM
to java-dri...@lists.datastax.com
We don't want to provide this out of the box, because logging bound values can introduce security issues (think passwords, etc.).

In 2.1, the API gives you everything to build the string yourself:

    private static String toStringWithValues(BoundStatement bs, ProtocolVersion protocolVersion) {
        PreparedStatement ps = bs.preparedStatement();
        StringBuilder details = new StringBuilder(ps.getQueryString() + "\n");
        ColumnDefinitions defs = ps.getVariables();
        int index = 0;
        for (ColumnDefinitions.Definition def : defs) {
            DataType type = def.getType();
            Object value = type.deserialize(bs.getBytesUnsafe(index), protocolVersion);
            details.append("value " + index + " = " + type.format(value) + "\n");
            index += 1;
        }
        return details.toString();
    }

In 2.0, bound values are not exposed. If you need them, I'll reopen JAVA-115 and provide a method for that.

--

Olivier Michallat

Driver & tools engineer, DataStax


Pierre N.

Oct 30, 2014, 7:56:23 AM
to java-dri...@lists.datastax.com
Thanks for the "helper function", but I expected something simpler, activated by just enabling TRACE level on something.

I understand security concerns (I'm a pentester before being a developer); however, there are options that can be turned on in a dev env and must be turned off in production.

I don't agree with disabling a very useful debugging feature because of "security concerns". Debugging functions aren't meant to be secure; they are here to be useful and help to solve problems quickly.

In this case, we have to remove everything useful for debugging purposes that may have an impact on security: error messages, backtraces, slow query logs in mysql (I talk about mysql because I know little of cassandra)... Imagine hours of productivity lost because of "security concerns"?

If this option is disabled by default, there is no security issue.

Olivier Michallat

Oct 30, 2014, 10:22:14 AM
to java-dri...@lists.datastax.com
That's a sound argument. I've reopened the ticket, we'll find a solution to have it disabled by default.

--

Olivier Michallat

Driver & tools engineer, DataStax
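
The thread ends on bound-value logging that is off by default. As an added example (not code from the thread or from the driver), the sketch below shows one way to do that: values are only rendered when a JVM flag is set, variables with secret-looking names are redacted, and control characters are escaped. The class name, the `cql.logBoundValues` property, the name pattern and the sample data are assumptions; the `names` and `values` lists stand in for what a helper like the 2.1 one above would read from the driver.

```java
import java.util.*;
import java.util.regex.Pattern;

/** Added example: opt-in logging of bound values with redaction (all names hypothetical). */
public class BoundValueLog {
    // Assumption: off unless the JVM is started with -Dcql.logBoundValues=true (dev only).
    static final String FLAG = "cql.logBoundValues";
    // Assumption: variables whose names match this pattern are treated as secrets.
    static final Pattern SENSITIVE =
            Pattern.compile("pass(word|wd)?|secret|token|api_?key", Pattern.CASE_INSENSITIVE);
    static final int MAX_LEN = 64; // truncate long values so log lines stay readable

    static String describe(String query, List<String> names, List<Object> values) {
        StringBuilder sb = new StringBuilder(query);
        if (!Boolean.getBoolean(FLAG)) { // default path: the query text only, no values
            return sb.append(" [").append(values.size()).append(" bound values not logged]").toString();
        }
        for (int i = 0; i < values.size(); i++) {
            String name = i < names.size() ? names.get(i) : "?";
            sb.append("\n  value ").append(i).append(" (").append(name).append(") = ")
              .append(SENSITIVE.matcher(name).find() ? "<redacted>" : render(values.get(i)));
        }
        return sb.toString();
    }

    // Values are listed beside the query rather than spliced into it, and control
    // characters are escaped so a value cannot forge additional log lines.
    static String render(Object v) {
        if (v == null) return "NULL";
        String s = v.toString();
        if (s.length() > MAX_LEN) s = s.substring(0, MAX_LEN) + "...";
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) out.append(String.format("\\x%02x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample statement and values.
        String q = "SELECT data FROM users WHERE login = ? AND password = ?";
        List<String> names = Arrays.asList("login", "password");
        List<Object> vals = Arrays.<Object>asList("alice\nFAKE LOG LINE", "hunter2");
        System.out.println(describe(q, names, vals)); // flag unset: values withheld
        System.setProperty(FLAG, "true");
        System.out.println(describe(q, names, vals)); // flag set: login shown, password redacted
    }
}
```

Name-based redaction only catches columns that follow the naming pattern, so the flag itself should stay unset outside development environments.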

