If you write a variable straight into the SQL string and run it, you get the warning below. (The query itself still runs fine.)
2 23, 2012 7:01:26 午前 groovy.sql.Sql asSql
警告: In Groovy SQL please do not use quotes around dynamic expressions (which start with $) as this means we cannot use a JDBC PreparedStatement and so is a security hole. Groovy has worked around your mistake but the security hole is still there. The expression so far is: select * from data where name='?'
So it's saying something like: this is dangerous security-wise, so write it in the form that uses a PreparedStatement, "select * from data where name='?'". Is that the gist?
import groovy.sql.Sql
def name = "yamap"
def sql = Sql.newInstance("jdbc:mysql://localhost:3309/test", "yamap", "yamap", "com.mysql.jdbc.Driver")
println "警告表示".center(30,"-")
// The ${name} expression sits inside SQL quotes, so Groovy cannot bind it and logs the warning
sql.eachRow("select * from data where name='${name}'") {
    println it
}
println "PreparedStatement使用".center(30,"-")
// Explicit ? placeholder with the value passed separately: bound through a PreparedStatement
sql.eachRow("select * from data where name = ?", [name]) {
    println it
}
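An added example, not from the original post, that runs the three ways of writing this query against an in-memory H2 database (assumed to be fetched with @Grab as a stand-in for the post's MySQL) and feeds in a name containing a single quote, so the difference between the quoted ${} form and the two parameterized forms becomes visible:

```groovy
@GrabConfig(systemClassLoader = true)
@Grab('com.h2database:h2:2.2.224')
import groovy.sql.Sql
import java.sql.SQLException

// Constructed in-memory database and table; replaces the post's MySQL instance so the script runs offline.
def sql = Sql.newInstance('jdbc:h2:mem:test;DB_CLOSE_DELAY=-1', 'sa', '', 'org.h2.Driver')
sql.execute('create table data (id int primary key, name varchar(50))')
sql.execute("insert into data values (1, 'yamap'), (2, 'O''Brien')")

// Three spellings of the same query.
// 1) ${} inside SQL quotes: Groovy cannot bind it, splices the value into the statement text and logs the warning.
// 2) ${} without surrounding quotes: Groovy turns it into a ? and binds the value (PreparedStatement).
// 3) Explicit ? with a parameter list: same as 2), written out by hand.
def queries = [
    'quoted GString (warning)': { String n -> sql.rows("select * from data where name='${n}'") },
    'unquoted GString'        : { String n -> sql.rows("select * from data where name = ${n}") },
    'explicit ? placeholder'  : { String n -> sql.rows('select * from data where name = ?', [n]) },
]

// Run every form for one input and report the row count, or the exception if the
// statement text that reached the database was no longer valid SQL.
def outcomes = { String name ->
    queries.collectEntries { label, query ->
        try {
            [(label): "${query(name).size()} row(s)".toString()]
        } catch (SQLException e) {
            [(label): e.class.simpleName]
        }
    }
}

// Plain value: all three forms agree.
println "name = 'yamap'   -> ${outcomes('yamap')}"
// Value containing a quote: only the quoted ${} form breaks, because the quote ends up
// inside the SQL text instead of being passed as a bound parameter.
println "name = \"O'Brien\" -> ${outcomes("O'Brien")}"
```

With "O'Brien" the quoted form reports a SQLException while the other two return the one matching row, which is exactly the gap the warning is pointing at.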