Calling DB stored routines in Spring

Question

I have MySQL stored routines and need to call them from my Java Spring application. Currently I do it like this:

result = org.springframework.jdbc.core.JdbcTemplate.query(
     "CALL MyRoutine(?, ?);", 
     myRowMapper, 
     parameterOne, 
     parameterTwo);

Questions:

• Is this a recommended way of doing this, in terms of reliability, security and performance? Or is there another best practice approach?
• Is this method safeguarding against SQL injection attacks?
• The parameter order is important, making me vulnerable to confusing it. Some way to get around that?

Answer 1

1. The approach you chose uses vendor syntax instead of JDBC call syntax (see Syntax of JDBC Connection prepareCall SQL) and is therefore not portable across databases (this may not be an issue for you). Spring JDBC offers many different ways to call a stored procedure, there is no obvious best approach.
2. This is safe against SQL injection unless the stored procedure itself is vulnerable to SQL injection (concatenates the parameters into a query).
3. You can bind parameters for stored procedures by name instead of index using the #setX(String, X) methods on CallableStatement. This may not be supported by your database driver. This is different from NamedParameterJdbcTemplate which still binds by index. Also note that NamedParameterJdbcTemplate has some overhead as it parses and rewrites your query.

Answer 2

You can get around the parameter order by using NamedParameterJdbcTemplate. See http://static.springsource.org/spring/docs/3.0.x/reference/jdbc.html