Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP 430 Intro. to Database Systems SQL from application code.

Published byJoy Fleming Modified over 7 years ago

Similar presentations

Presentation on theme: "COMP 430 Intro. to Database Systems SQL from application code."— Presentation transcript:

1 COMP 430 Intro. to Database Systems SQL from application code

2 Some issues How to connect to database Where, what type, user credentials, … How to send SQL commands How to get communicate data to/from DB Data type conversion Details vary by language & library.

3 Connecting to database – Java example public class Example { public static void main(String[] args) { Connection connection = null; Class.forName(“com.Microsoft.jdbc.sqlserver.SQLServerDriver”); String url = “jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MYDB”; connection = DriverManager.getConnection(url, “USERNAME”, “PASSWORD”); … } Need sqljdbc4.jar in CLASSPATH. Imports and error handling omitted for brevity. Key pieces: Driver Host DB name User credentials

4 Connecting to database – Python + SQLAlchemy example engine = create_engine(“mssql+pyodbc://USERNAME:PASSWORD@localhost/MYDB” + “driver=SQL+Server+Native+Client+10.0”) Key pieces: Driver Host DB name User credentials String split for readability.

5 Connecting to database Those connection strings share a standard syntax, although some arguments can be specified separately by library.

6 Commands & data often strings connection = …; Statement stmt1 = connection.createStatement(); stmt1.executeUpdate(“CREATE TABLE Student” + “(id INT, first VARCHAR(50), last VARCHAR(50))”); … Statement stmt2 = connection.createStatement(); ResultSet result = stmt2.executeQuery(“SELECT id FROM Student”); …

7 Problems with string representation Two data conversions: application  string, string  DB Minimal API Requires SQL knowledge SQL commands not limited to an API Lacks structure Arbitrary data representation in application No static checking

8 Plain strings allows SQL injection attacks

9 What are some bad input strings? studentId = getRequestString(“StudentID”); String query = “SELECT first, last FROM Student WHERE id = “ + studentId; Statement stmt = connection.createStatement(query); Many variations on these themes. 123456789 OR 1=1 WHERE clause irrelevant: 123456789; DROP TABLE Student Destructive behavior:

10 Techniques for preventing injection attacks Validate input used in SQL command strings Build SQL commands via parameterized APIs (next) Access DB via stored procedures Tightly manage user permissions

11 Simple parameterization – Java example studentId = getRequestString(“StudentID”); Statement stmt = connection.preparedStatement( “SELECT first, last FROM Student WHERE id=?”); Stmt.setInt(1, Integer.parseInt(studentId)); ResultSet result = Stmt.executeQuery(stmt); while (result.next()) { String first = result.getString(“first”); String last = result.getString(“last”); … } Essentially a cursor.

12 Object-Relational Mapping (ORM) A high-level overview

13 Primary goal – persistent objects DB viewed as a tool for implementing persistent objects. Relational DB assumed for practical or legacy reasons. But, DB isn’t organized in terms of objects. Programmer think in terms of application & objects. Specify which objects persistent Interaction with DB largely(?) hidden

14 Focus on data

15 CREATE TABLE Student ( id INT AUTOINCREMENT, first_name VARCHAR(50), last_name VARCHAR(50), PRIMARY KEY (id) ); public class Student { private int id; private String firstName; private String lastName; public Student(…) {} … /* getters & setters */ }

16 What an ORM can provide Generate code for simple object/table-record mapping API for OO-style CRUD (Create-Read-Update-Delete) of objects API for OO-style queries Manage how & when data is moved

17 Generate object (& table?) from specification class Student(Base): __tablename__ = ‘Student’ id = Column(Integer, primary_key=True, autoincrement=True) first_name = Column(String) last_name = Column(String) Hibernate SQLAlchemy

18 OO-style CRUD Object constructor Object getters & setters Methods corresponding to CREATE, INSERT, UPDATE, DELETE engine.execute(Student.insert(), {‘first_name’: ‘John’, ‘last_name’: ‘Smith’})

19 OO-style queries Potentially no explicit SQL in application code. But programmer still needs to understand SQL concepts. resultset = session.query(User, Document, DocumentPermission).join(Document).join(DocumentPermission).filter(User.email == ‘john_smith@foo.com’)

20 How & when data is moved Granularity: Application-level traditionally accesses an attribute at a time. DB-level access one or more records at a time. Consistency Are application & DB data guaranteed to be consistent? Eager vs. lazy loading

21 Some ORM problems Complicated Hard to learn Some would say bloated Fragmented Many frameworks, many standards Hard to move from one to another Only partially successful

Download ppt "COMP 430 Intro. to Database Systems SQL from application code."

Similar presentations

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
19-Jun-15 SQL. SQL is Structured Query Language Some people pronounce SQL as “sequel” Other people insist that only “ess-cue-ell” is the only correct.

19-Jun-15 SQL. SQL is Structured Query Language Some people pronounce SQL as “sequel” Other people insist that only “ess-cue-ell” is the only correct.
DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.

DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.
Liang, Introduction to Java Programming, Seventh Edition, (c) 2009 Pearson Education, Inc. All rights reserved. 0136012671 Chapter 37 Java Database Programming.

Liang, Introduction to Java Programming, Seventh Edition, (c) 2009 Pearson Education, Inc. All rights reserved Chapter 37 Java Database Programming.
CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.

CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.
CSE446 S OFTWARE Q UALITY M ANAGEMENT Spring 2014 Yazılım ve Uyguluma Geliştirme Yöneticisi Orhan Başar Evren.

CSE446 S OFTWARE Q UALITY M ANAGEMENT Spring 2014 Yazılım ve Uyguluma Geliştirme Yöneticisi Orhan Başar Evren.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
CSE470 Software Engineering Fall 2000 1 Database Access through Java.

CSE470 Software Engineering Fall Database Access through Java.
Beginning Databases with JDBC Mike Bradley Adapted from and notes by Kevin Parker, Ph.D.

Beginning Databases with JDBC Mike Bradley Adapted from and notes by Kevin Parker, Ph.D.
NHibernate in Action Web Seminar at UMLChina By Pierre Henri Kuaté 2008/08/27

NHibernate in Action Web Seminar at UMLChina By Pierre Henri Kuaté 2008/08/27
Dr. Magdi AMER Unit 2 Introduction to Database. Intro Many programs need to save information on disk. The role of DB system is to provide a layer of abstraction.

Dr. Magdi AMER Unit 2 Introduction to Database. Intro Many programs need to save information on disk. The role of DB system is to provide a layer of abstraction.
Georgia Institute of Technology Making Text for the Web part 5 Barb Ericson Georgia Institute of Technology March 2006.

Georgia Institute of Technology Making Text for the Web part 5 Barb Ericson Georgia Institute of Technology March 2006.
JDBC Tutorial MIE456 - Information Systems Infrastructure II Vinod Muthusamy November 4, 2004.

JDBC Tutorial MIE456 - Information Systems Infrastructure II Vinod Muthusamy November 4, 2004.
12-CRS-0106 REVISED 8 FEB 2013 CSG2H3 Object Oriented Programming.

12-CRS-0106 REVISED 8 FEB 2013 CSG2H3 Object Oriented Programming.
NMED 3850 A Advanced Online Design January 12, 2010 V. Mahadevan.

NMED 3850 A Advanced Online Design January 12, 2010 V. Mahadevan.
JDBC Java and Databases, including Postgress. JDBC l Developed by Industry leaders l Three main goals: –JDBC should be an SQL-level API –JDBC should capitalize.

JDBC Java and Databases, including Postgress. JDBC l Developed by Industry leaders l Three main goals: –JDBC should be an SQL-level API –JDBC should capitalize.
CS 160: Software Engineering October 1 Class Meeting Department of Computer Science San Jose State University Fall 2014 Instructor: Ron Mak www.cs.sjsu.edu/~mak.

CS 160: Software Engineering October 1 Class Meeting Department of Computer Science San Jose State University Fall 2014 Instructor: Ron Mak
JDBC Java and Databases. RHS – SOC 2 JDBC JDBC – Java DataBase Connectivity An API (i.e. a set of classes and methods), for working with databases in.

JDBC Java and Databases. RHS – SOC 2 JDBC JDBC – Java DataBase Connectivity An API (i.e. a set of classes and methods), for working with databases in.
Hibernate Persistence. What is Persistence Persist data to database or other storage.  In OO world, persistence means persist object to external storage.

Hibernate Persistence. What is Persistence Persist data to database or other storage.  In OO world, persistence means persist object to external storage.
Hibernate 3.0. What is Hibernate Hibernate is a free, open source Java package that makes it easy to work with relational databases. Hibernate makes it.

Hibernate 3.0. What is Hibernate Hibernate is a free, open source Java package that makes it easy to work with relational databases. Hibernate makes it.

Similar presentations

Ads by Google