Russell A. McClure
ABSTRACT
Most object oriented applications that involve persistent data interact with a relational database. The most common interaction mechanism is a call level interface (CLI) such as ODBC or JDBC. While there are many advantages to using a CLI -- expressive power and performance being two of the most key -- there are also drawbacks. Applications communicate through a CLI by constructing strings that contain SQL statements. These SQL statements are only checked for correctness at runtime, tend to be fragile and are vulnerable to SQL injection attacks. To solve these and other problems, we present the SQL DOM: a set of classes that are strongly-typed to a database schema. Instead of string manipulation, these classes are used to generate SQL statements. We show how to extract the SQL DOM automatically from an existing database schema, demonstrate its applicability to solve the mentioned problems, and evaluate its performance.
- .NET Framework. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/netfxanchor.asp, 2004.Google Scholar
- ADO.NET. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaccessingdatawithadonet.asp, 2004.Google Scholar
- Atkinson, M. P., and Morrison, R. Orthogonally persistent object systems. VLDB Journal, 4(3):319--401, 1995. Google ScholarCross Ref
- American National Standard for Information Technology. Database languages -- SQLJ -- Part 1: SQL routines using the Java programming language. Technical Report ANSI/INCITS 331.1-1999, InterNational Committee for Information Technology Standards (formerly NCITS), 1999.Google Scholar
- Brant, J., and Yoder, J. W. Creating reports with query objects. In Harrison, N., Foote, B., and Rohnert, H., editors, Pattern Languages of Program Design 4. Addison Wesley, 2000.Google Scholar
- C#. http://msdn.microsoft.com/vcsharp/, 2004.Google Scholar
- Cengija, D. Hibernate your data. onJava.com, 2004.Google Scholar
- Clark, J., and DeRose, S. XML Path Language (XPath) Version 1.0. Technical report, W3C, 1999.Google Scholar
- Cook, W., and Rai, S. Safe Query Objects: Statically-typed objects as remotely-executable queries. http://www.cs.utexas.edu/users/wcook/Drafts/SafeQuery_CookRai.pdf, 2004.Google Scholar
- Dub, J. A., Sapir, R., and Purich, P. Oracle Application Server TopLink application developers guide, 10g (9.0.4). Oracle Corporation, 2003.Google Scholar
- Embedded SQL for C. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/esqlforc/ec_6_epr_01_3m03.asp, 2004.Google Scholar
- Gould, C., Su, Z., and Devanbu, P. Static checking of dynamically generated queries in database applications. In Proceedings, 26 th International Conference on Software Engineering (ICSE). IEEE Press, 2004. Google ScholarDigital Library
- Hamilton, G., and Cattell, R. JDBC patterns. Sun Microsystems, 2003.Google Scholar
- Howard, M., and LeBlanc, D. Writing Secure Code, Second Edition, Microsoft Press, ch. 12, 2003. Google ScholarDigital Library
- Keller, W. Mapping objects to tables - a pattern language. In Proceedings of the 1997 European Pattern Languages of Programming Conference, number 120/SW1/FB in Siemens Technical Report, Irsee, Germany, X. EA Generali, Vienna, Austria.Google Scholar
- Leijen, D., and Meijer, E., Domain specific embedded compilers. In Proceedings of the 2 nd conference on Domain-specific languages, pages 109--122. ACM Press, 1999. Google ScholarDigital Library
- Maier, D. Representing database programs as objects. In Bancilhon, F., and Buneman, P., editors, Advances in Database Programming Languages, Papers from DBPL-1, September 1987, Roscoff, France, pages 377--386. ACM Press / Addison Wesley, 1987. Google ScholarDigital Library
- Matena, V., and Hapner, M. Enterprise Java Beans Specification 1.0. Sun Microsystems, 1998.Google Scholar
- Oracle SQLJ Roadmap, http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/oracle_sqlj_roadmap.pdf, 2004.Google Scholar
- Russell, C. Java Data Objects (JDO) Specification JSR-12. Sun Microsystems, 1998.Google Scholar
- Sanders, R. E. ODBC 3.5 Developer's Guide. M&T Books, 1998. Google ScholarDigital Library
- Smith, E. J. CodeSmith. http://www.ericjsmith.net/codesmith/, 2004.Google Scholar
Index Terms
- SQL DOM: compile time checking of dynamic SQL statements
Recommendations
SQL: From Traditional Databases to Big Data
SIGCSE '16: Proceedings of the 47th ACM Technical Symposium on Computing Science EducationThe Structured Query Language (SQL) is the main programing language designed to manage data stored in database systems. While SQL was initially used only with relational database management systems (RDBMS), its use has been significantly extended with ...
Comparing NoSQL MongoDB to an SQL DB
ACMSE '13: Proceedings of the 51st ACM Southeast ConferenceNoSQL database solutions are becoming more and more prevalent in a world currently dominated by SQL relational databases. NoSQL databases were designed to provide database solutions for large volumes of data that is not structured. However, the ...
Generating SQL/XML query and update statements
CIKM '09: Proceedings of the 18th ACM conference on Information and knowledge managementThe XML support in relational databases and the SQL/XML language are still relatively new as compared to purely relational databases and traditional SQL. Today, most database users have a strong relational and SQL background. SQL/XML enables users to ...
Comments