Embedded SQL. csc343, Introduction to Databases Diane Horton with examples from Ullman and Widom Fall 2014

Similar documents
Embedded SQL. csc343, Introduction to Databases Renée J. Miller and Fatemeh Nargesian and Sina Meraji Winter 2018

EMBEDDED SQL. SE 3DB3 Fall 2016 MICHAEL LIUT DEPARTMENT OF COMPUTING AND SOFTWARE MCMASTER UNIVERSITY

Chapter 9 SQL in a server environment

Chapter 9 SQL in a server environment

Non-interactive SQL. EECS Introduction to Database Management Systems

Database-Connection Libraries

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Real SQL Programming 1

Database-Connection Libraries. Java Database Connectivity PHP

Chapter 13 Introduction to SQL Programming Techniques

Ghislain Fourny. Information Systems for Engineers 7. The ecosystem around SQL

JDBC, Transactions. Niklas Fors JDBC 1 / 38

Database Programming. Week 9. *Some of the slides in this lecture are created by Prof. Ian Horrocks from University of Oxford

ITCS Implementation. Jing Yang 2010 Fall. Class 14: Introduction to SQL Programming Techniques (Ch13) Outline

Schedule. Feb. 12 (T) Advising Day. No class. Reminder: Midterm is Feb. 14 (TH) Today: Feb. 7 (TH) Feb. 21 (TH) Feb. 19 (T)

Database Application Development

How to program applications. CS 2550 / Spring 2006 Principles of Database Systems. SQL is not enough. Roadmap

SQL in a Server Environment

SQL DML and DB Applications, JDBC

INTRODUCTION TO JDBC - Revised spring

Overview. Database Application Development. SQL in Application Code. SQL in Application Code (cont.)

Database Application Development

Database Application Development

COP4540 TUTORIAL PROFESSOR: DR SHU-CHING CHEN TA: H S IN-YU HA

Programming in Java

Database Applications. SQL/PSM Embedded SQL JDBC

CSC System Development with Java. Database Connection. Department of Statistics and Computer Science. Budditha Hettige

JDBC Drivers Type. JDBC drivers implement the defined interfaces in the JDBC API for interacting with your database server.

Working with Databases and Java

INTRODUCTION TO JDBC - Revised Spring

Pieter van den Hombergh. March 25, 2018

Enterprise Java Unit 1- Chapter 6 Prof. Sujata Rizal

SQL: Programming Midterm in class next Thursday (October 5)

CSCI/CMPE Object-Oriented Programming in Java JDBC. Dongchul Kim. Department of Computer Science University of Texas Rio Grande Valley

ERwin and JDBC. Mar. 6, 2007 Myoung Ho Kim

Database Application Development

Database Application Development

Information Systems for Engineers. Exercise 10. ETH Zurich, Fall Semester Hand-out Due

DataBase Lab JAVA-DATABASE CONNECTION. Eng. Haneen El-masry

Lecture 9&10 JDBC. Mechanism. Some Warnings. Notes. Style. Introductory Databases SSC Introduction to DataBases 1.

SQL: Programming. Announcements (September 25) Motivation. CPS 116 Introduction to Database Systems. Pros and cons of SQL.

Database Application Development

Introduction to Databases

e-pg Pathshala Subject: Computer Science Paper: Web Technology Module: JDBC INTRODUCTION Module No: CS/WT/26 Quadrant 2 e-text

Running SQL in Java and PHP

Embedded SQL. Host Language (record-oriented) 3. Process a tuple at a time. 1. Query. 4. Close Cursor

Options. Real SQL Programming 1. Stored Procedures. Embedded SQL

Java Database Connectivity (JDBC) 25.1 What is JDBC?

Information Systems Engineering. SQL Structured Query Language DDL Data Definition (sub)language

Lab # 9. Java to Database Connection

UNIT III - JDBC Two Marks

Running SQL in Java and PHP

Database Programming Overview. COSC 304 Introduction to Database Systems. Database Programming. JDBC Interfaces. JDBC Overview

JDBC Architecture. JDBC API: This provides the application-to- JDBC Manager connection.

Outline. Lecture 10: Database Connectivity -JDBC. Java Persistence. Persistence via Database

Part I: Stored Procedures. Introduction to SQL Programming Techniques. CSC 375, Fall 2017

Database Design and Programming

JDBC - INTERVIEW QUESTIONS

SQL: Programming. Introduction to Databases CompSci 316 Fall 2017

JDBC. Sun Microsystems has included JDBC API as a part of J2SDK to develop Java applications that can communicate with databases.

Programming and Database Fundamentals for Data Scientists

CMPUT 391 Database Management Systems. JDBC in Review. - Lab 2 -

This lecture. Databases - JDBC I. Application Programs. Database Access End Users

JDBC Programming: Intro

Introduction to Programming Using Java (98-388)

SQL: Data Definition Language. csc343, Introduction to Databases Diane Horton Fall 2017

PESIT Bangalore South Campus

Discuss setting up JDBC connectivity. Demonstrate a JDBC program Discuss and demonstrate methods associated with JDBC connectivity

Real SQL Programming Persistent Stored Modules (PSM)

Overview. SQL from Applications. Accesing data from an application. Embedded SQL JDBC Stored Procedures. UVic C SC 370, Fall 2002

SQL Stored Programs. You Can Not Do Everything in SQL SQL/PSM Cursors Recursion Triggers. Niklas Fors Stored Programs 1 / 21

Top 50 JDBC Interview Questions and Answers

The Design of JDBC The Structured Query Language Basic JDBC Programming Concepts Query Execution Scrollable and Updatable Result Sets

Calling SQL from a host language (Java and Python) Kathleen Durant CS 3200

These are notes for the third lecture; if statements and loops.

Wentworth Institute of Technology COMP570 Database Applications Fall 2014 Derbinsky. SQL Programming. Lecture 8. SQL Programming

Databases 2012 Embedded SQL

Database Lab#9 Connecting to postgresql database from java programs

1. Given the name of a movie studio, find the net worth of its president.

Servlet 5.1 JDBC 5.2 JDBC

Chapter 16: Databases

DATABASE DESIGN - 1DL400

More Database Programming. CS157A Chris Pollett Nov. 2, 2005.

SQL from Applications

Marcin Luckner Warsaw University of Technology Faculty of Mathematics and Information Science

CHAPTER 44. Java Stored Procedures

Pace University. Fundamental Concepts of CS121 1

Cyrus Shahabi Computer Science Department University of Southern California C. Shahabi

Application Programming for Relational Databases

O ne of the most important features of JavaServer

CSE 530A. Inheritance and Partitioning. Washington University Fall 2013

JDBC BASIC 19/05/2012. Objectives. Java Database Connectivity. Definitions of JDBC. Part 1. JDBC basic Working with JDBC Adv anced JDBC programming

L6 Application Programming. Thibault Sellam Fall 2018

Student Number: Please fill out the identification section above as well as the one on the back page, and read the instructions below. Good Luck!

SNS COLLEGE OF ENGINEERING, Coimbatore

CS W Introduction to Databases Spring Computer Science Department Columbia University

CSCC43H: Introduction to Databases. Lecture 9

Visit for more.

Topic 12: Database Programming using JDBC. Database & DBMS SQL JDBC

CSE 135. Three-Tier Architecture. Applications Utilizing Databases. Browser. App. Server. Database. Server

Transcription:

Embedded SQL csc343, Introduction to Databases Diane Horton with examples from Ullman and Widom Fall 2014

Problems with using interactive SQL Standard SQL is not Turing-complete. E.g., Two profs are colleagues if they ve co-taught a course or share a colleague. We can t write a query to find all colleagues of a given professor because we have no loops or recursion. You can t control the format of its output. And most users shouldn t be writing SQL queries! You want to run queries that are based on user input, not have users writing actual queries. 2

SQL + a conventional language If we can combine SQL with code in a conventional language, we can solve these problems. But we have another problem: SQL is based on relations, and conventional languages have no such type. It is solved by feeding tuples from SQL to the other language one at a time, and feeding each attribute value into a particular variable. 3

Approaches Three approaches for combining SQL and a generalpurpose language: Stored Procedures Statement-level Interface Call-level interface 4

Three Approaches

1. Stored Procedures The SQL standard includes a language for defining stored procedures, which can have parameters and a return value, use local variables, ifs, loops, etc., execute SQL queries. Stored procedures can be used in these ways: called from the interpreter, called from SQL queries, called from another stored procedure, be the action that a trigger performs. 6

Not very standard The language is called SQL/PSM (Persistent Stored Modules). It came into the SQL standard in SQL3, 1999. Reference: textbook, section 9.4 By then, various commercial DBMSs had already defined their own proprietary languages for stored procedures They have generally stuck to them. PostgreSQL has defined PL/pgSQL. It supports some, but not all, of SQL/PSM. Reference: Chapter 39 of the PostgreSQL documentation. 7

Example (fig 9.13) A binary function BandW(y INT, s CHAR(15)) that returns true iff movie studio s produced no movies in year y, or produced at least one comedy. 8

The stored procedure CREATE FUNCTION BandW(y INT, s CHAR(15)) RETURNS BOOLEAN IF NOT EXISTS (SELECT * FROM Movies WHERE year = y AND studioname = s) THEN RETURN TRUE; ELSIF 1 <= (SELECT COUNT(*) FROM Movies WHERE year = y AND studioname = s AND genre = comedy ) THEN RETURN TRUE; ELSE RETURN FALSE; END IF; 9

Calling it Now we can say things like this: SELECT StudioName FROM Studios WHERE BandW(2010, StudioName); 10

2. Statement-level interface (SLI) Embed SQL statements into code in a conventional language like C or Java. Use a preprocessor to replace the SQL with calls written in the host language to functions defined in an SQL library. Special syntax indicates which bits of code the preprocessor needs to convert. 11

Data from host language SQL Some special syntax tells the preprocessor things like this: Variable studioname my C code may be referred to by the SQL that s embedded in my C code. Uses the keywords DECLARE SECTION. 12

Example in C (based on figure 9.7) void printnetworth() { } EXEC SQL BEGIN DECLARE SECTION; char studioname[50]; int presnetworth; char SQLSTATE[6]; // Status of most recent SQL stmt EXEC SQL END DECLARE SECTION; /* OMITTED: Get value for studioname from the user. */ EXEC SQL SELECT networth INTO :presnetworth FROM Studio, MovieExec WHERE Studio.name = :studioname; /* OMITTED: Report back to the user */ 13

Data from SQL host language Again, shared variables make the connection. If the query will yield a single tuple, an INTO clause can be added to the query. It lists the host-language variables that should receive the attribute values from that one tuple. For multi-tuple results, a cursor allows you to iterate over the tuples. Much like an iterable object in an Object-oriented language. We won t cover this, but see figures 9.8 and 9.9 for examples. 14

Example in C (based on figure 9.7) void printnetworth() { } EXEC SQL BEGIN DECLARE SECTION; char studioname[50]; int presnetworth; char SQLSTATE[6]; // Status of most recent SQL stmt EXEC SQL END DECLARE SECTION; /* OMITTED: Get value for studioname from the user. */ EXEC SQL SELECT networth INTO :presnetworth FROM Studio, MovieExec WHERE Studio.name = :studioname; /* OMITTED: Report back to the user */ 15

Big picture (figure 9.5) User SLI Host language + Embedded SQL CLI Preprocessor Host language + Function calls Host-language compiler SQL library Object-code program 16

3. Call-level interface (CLI) Instead of using a pre-processor to replace embedded SQL with calls to library functions, write those calls yourself. Eliminates need to preprocess. Each language has its own set of library functions for this. for C, it s called SQL/CLI for Java, it s called JDBC for PHP, it s called PEAR DB We ll look at just one: JDBC. 17

JDBC

Using JDBC on cdf You need to run your JDBC code on dbsrv1. The PostgreSQL driver for JDBC is on cdf here: /local/packages/jdbc-postgresql You ll also find an example program and a how-to in that directory. To run JDBC code, you need this driver in your classpath. Example: Suppose you have a class called Jelly.java. javac Jelly.java java -cp ~/bin/postgresql-8.3-607.jdbc4.jar: Jelly 19

JDBC Example (see section 9.6) Do this once in your program: /* Get ready to execute queries. */ import java.sql.*; /* A static method of the Class class. It loads the specified driver */ Class.forName( org.postgresql.jdbc.driver ); String url = Connection conn = DriverManager.getConnection( jdbc:postgresql://localhost:5432/csc343h-dianeh, dianeh, ); /* Continued... */ 20

The arguments to getconnection jdbc:postgresql We ll use this, but it could be, e.g., jdbc:mysql localhost:5432 You must use exactly this for cdf. csc343h-dianeh and dianeh Substitute your cdf userid. Password (unrelated to your cdf password). Literally use the empty string. 21

Do this once per query in your program: /* Execute a query and iterate through the resulting tuples. */ PreparedStatement execstat = conn.preparestatement( SELECT networth FROM MovieExec ); ResultSet worths = execstat.executequery(); while (worths.next()) { } int worth = worths.getint(1); /* If the tuple also had a float and another int attribute, you d get them by calling worths.getfloat(2) and worths.getint(3). Or you can look up values by attribute name. Example: worths.getint(networth) */ /* OMITTED: Process this net worth */ 22

Exceptions can occur Any of these calls can generate an exception. Therefore, they should be inside try/catch blocks. try { /* OMITTED: JDBC code */ } catch (SQLException ex) { /* OMITTED: Handle the exception */ } The class SQLException has methods to return the SQLSTATE, etc. 23

What is preparation? Preparing a statement includes parsing the SQL, compiling and optimizing it. The resulting PreparedStatement can be executed any number of times without having to repeat these steps. 24

If the query isn t known until run time You may need input and computation to determine the query. You can hard-code in the parts you know, and use? as a placeholder for the values you don t know. This is enough to allow a PreparedStatement to be constructed. Once you know values for the placeholders, methods setstring, setint, etc. let you fill in those values. 25

Example (figure 9.22) PreparedStatement studiostat = conn.preparedstatement( INSERT INTO Studio(name, address) VALUES(?,?) ); /* OMITTED: Get values for studioname and studioaddr */ studiostat.setstring(1, studioname); studiostat.setstring(2, studioaddr); studiostat.executeupdate(); 26

Why not just build the query in a string? We constructed an incomplete preparedstatement and filled in the missing values using method calls. Instead, we could just build up the query in an ordinary string at run time, and ask to execute that. There are classes and methods that will do this in JDBC. But never use that approach because it is vulnerable to injections: insertion of strings into a query with malicious intent. Always use a preparedstatement instead. 27

Example with createstatement Statement stat = conn.createstatement(); String query = SELECT networth FROM MovieExec WHERE execname like %Spielberg% ; ResultSet worths = stat.executequery(query); 28

Example: Some vulnerable code Suppose we want the user to provide the string to compare to You can do this rather than hard-coding Spielberg into the query: Statement stat = conn.createstatement(); String who = /* get a string from the user */ String query = SELECT networth FROM MovieExec WHERE execname like % + who + % ; ResultSet worths = stat.executequery(query); 29

A gentle user does no harm If a user enters Milch, the SQL code we execute is this: SELECT networth FROM MovieExec WHERE execname like %Milch% ; Nothing bad happens. 30

An injection can exploit the vulnerability But if a malicious user enters Milch% ; drop table Contracts; -- the code we execute is this: SELECT networth FROM MovieExec WHERE execname like %Milch% ; DROP TABLE Contracts; --% ; In other words: SELECT networth FROM MovieExec WHERE execname like %Milch% ; DROP TABLE Contracts; --% ; Ouch! 31

Queries vs updates in JDBC The previous examples used executequery. This method is only for pure queries. For SQL statements that change the database (insert, delete or modify tuples, or change the schema), use the analogous method executeupdate. 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback