Lecture note 8
Download
Report
Transcript Lecture note 8
COMPS311F
Li Tak Sing
Database programming
JDBC (Java Database Connectivity)
Java version of ODBC (Open Database Connectivity)
ODBC provides a standard software interface for accessing
database management systems.
Before ODBC, if an application needs to connect to a database,
it has to use tailar made APIs for that particular database.
Therefore, the program has to be changed if the database is
changed, say from Oracle to Access.
ODBC separates the application from the underlying database.
The programmer would use the APIs of ODBC. Then ODBC
would connact the underlying database.
ODBC
When the programmer wants to change database, he/she
need to install the corresponding ODBC driver for the
database. Then, the application program does not have to be
changed.
JDBC
Similarly, JDBC provides a standard set of APIs to access the
underlying database. So when the programmer wants to
change the database, there is no need to change the program,
but to install the correct JDBC driver for the database.
Of course, since the JDBC and ODBC are still based on the
SQL, and difference databases have slight differences in SQL,
it is still possible that the programmer may need to change
the SQL statements when using the standard JDBC APIs.
Using JDBC
Step 1 -Loading JDBC driver
The driver translates the vendor-independent JDBC API calls to
SQL statements for the database system you are using.
The driver is usually stored as a .jar file. For example, the
MySQL driver is called mysql-connector-java-xxx.jar where
xxx is the version number. This .jar file must be placed
somewhere so that your application can find it. For example,
place it in the class path.
To load the driver, execute the statement:
class.forName("com.mysql.jdbc.Driver");
This only load the mysql driver. For other database, you need to find out
the name of the class. One way to do this is to use an application like
winzip, to open the .jar file to see that name.
Using JDBC
Step 2 - Establishing a connection
In your Java program, you will call the DriverManager to get a
database connection.
Connection connection =
DriverManager.getConnection("jdbc:mysql://127.0.0.1/jdata
base","user","password");
The getConnection method has three parameters, the first one
specifies the URL of the database. The example shows that we
want to connect to the mysql database in localhost. The name
of the database is called jdatabase. The user name is "user" and
the password is "password".
Using JDBC
Step 2 (cont.)
Of course, in order for the statement to work, the database
must be up and running.
Note that this connection will be used through out the
application.
Step 3 Creating a statement
Now we create a statement using the Connection object.
Statement statement = connection.createStatement();
Using JDBC
Step 4 - executing a statement
ResultSet resultSet=statement.executeQuery
("select firstName, lastName from Student where
lastname='Wong'");
This is for query. For update operations, we can use the
executeUpdate method:
statement.executeUpdate("insert into Student values('Chan Tai
Man')");
Using JDBC
Processing the result
The ResultSet object returned allows us to retrieve the result
row by row. The following loop prints the first and last columns
returned by the select statement with a space inserted in
between.
while (resultSet.next()) {
System.out.println(resultSet.getString(1)+"
"+resultSet.getString(2));
}
The next() method of ResultSet will move the cursor to the
next position.
Catching SQLException
SQLException is not a checked example, so you may choose
to ignore the example in writing the program.
Dynamically constructed queries
It is usually necessary to create a query dynamically. For
example, you may have the following query:
statement.executeQuery("select * from student where
firstName='"+name+"'");
Here, name is a value obtained from a JTextfield.
Problems of constructing a query
from a string
The first problem is that there is no validation of the input
field. For example, when a parameter is expected to be an
integer, but a string is input.
There is a possibility of malicious attack. For example, if the
user type in a value so that the name variable now has the
value:
nobody'; delete from student; select * from student where
firstName='nobody
Problems of constructing a query
from a string
Then, the query in last example would become:
select * from student where firstName=' nobody'; delete from
student; select * from student where firstName='nobody'
Now, this is valid SQL statement but it will delete all rows in
the table student.
Prepared statements
We can solve this problem using PreparedStatement.
preparedStatement=connection.prepareStatement("select *
from student where firstName=?");
Now, before you can use this statement to make a query, you
need to set the unknown value specified by the ? in the above
statement.
preparedStatement.setString(1,"Chan Tai Man");
This statement set the first unknown to be "Chan Tai Man".
Prepared statements
If you invoke the following statement for the above example:
preparedStatement.setString(1," nobody'; delete from
student; select * from student where firstName='nobody");
do you think that the rows in student will still be deleted?
The answer is no because using the setString method will
allow Java to know that the input is just a string value to be
passed to an SQL statement. It itself will not be part of the
SQL statement. Therefore, if the query is executed, it will
just look for student with this long name. It is very likely
that this query will just return zero row.
Other methods of
PreparedStatement
setInt(int index, int v) //set integer value
setDouble(int index, double x) //set double value
setLong(int index, long x) //set long
setTimestamp(int index, Timestamp time) //set timestamp
setDate(int index, Date date) //set date
By using these methods, it is less likely to input a wrong type
of data.
Other methods of
PreparedStatements
Of course there are also statements to execute query and
update:
ResultSet executeQuery();
int executeUpdate();