* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Lecture note 8
Serializability wikipedia , lookup
Asynchronous I/O wikipedia , lookup
Entity–attribute–value model wikipedia , lookup
Microsoft Access wikipedia , lookup
Oracle Database wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Concurrency control wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Relational model wikipedia , lookup
Versant Object Database wikipedia , lookup
Database model wikipedia , lookup
COMPS311F Li Tak Sing Database programming JDBC (Java Database Connectivity) Java version of ODBC (Open Database Connectivity) ODBC provides a standard software interface for accessing database management systems. Before ODBC, if an application needs to connect to a database, it has to use tailar made APIs for that particular database. Therefore, the program has to be changed if the database is changed, say from Oracle to Access. ODBC separates the application from the underlying database. The programmer would use the APIs of ODBC. Then ODBC would connact the underlying database. ODBC When the programmer wants to change database, he/she need to install the corresponding ODBC driver for the database. Then, the application program does not have to be changed. JDBC Similarly, JDBC provides a standard set of APIs to access the underlying database. So when the programmer wants to change the database, there is no need to change the program, but to install the correct JDBC driver for the database. Of course, since the JDBC and ODBC are still based on the SQL, and difference databases have slight differences in SQL, it is still possible that the programmer may need to change the SQL statements when using the standard JDBC APIs. Using JDBC Step 1 -Loading JDBC driver The driver translates the vendor-independent JDBC API calls to SQL statements for the database system you are using. The driver is usually stored as a .jar file. For example, the MySQL driver is called mysql-connector-java-xxx.jar where xxx is the version number. This .jar file must be placed somewhere so that your application can find it. For example, place it in the class path. To load the driver, execute the statement: class.forName("com.mysql.jdbc.Driver"); This only load the mysql driver. For other database, you need to find out the name of the class. One way to do this is to use an application like winzip, to open the .jar file to see that name. Using JDBC Step 2 - Establishing a connection In your Java program, you will call the DriverManager to get a database connection. Connection connection = DriverManager.getConnection("jdbc:mysql://127.0.0.1/jdata base","user","password"); The getConnection method has three parameters, the first one specifies the URL of the database. The example shows that we want to connect to the mysql database in localhost. The name of the database is called jdatabase. The user name is "user" and the password is "password". Using JDBC Step 2 (cont.) Of course, in order for the statement to work, the database must be up and running. Note that this connection will be used through out the application. Step 3 Creating a statement Now we create a statement using the Connection object. Statement statement = connection.createStatement(); Using JDBC Step 4 - executing a statement ResultSet resultSet=statement.executeQuery ("select firstName, lastName from Student where lastname='Wong'"); This is for query. For update operations, we can use the executeUpdate method: statement.executeUpdate("insert into Student values('Chan Tai Man')"); Using JDBC Processing the result The ResultSet object returned allows us to retrieve the result row by row. The following loop prints the first and last columns returned by the select statement with a space inserted in between. while (resultSet.next()) { System.out.println(resultSet.getString(1)+" "+resultSet.getString(2)); } The next() method of ResultSet will move the cursor to the next position. Catching SQLException SQLException is not a checked example, so you may choose to ignore the example in writing the program. Dynamically constructed queries It is usually necessary to create a query dynamically. For example, you may have the following query: statement.executeQuery("select * from student where firstName='"+name+"'"); Here, name is a value obtained from a JTextfield. Problems of constructing a query from a string The first problem is that there is no validation of the input field. For example, when a parameter is expected to be an integer, but a string is input. There is a possibility of malicious attack. For example, if the user type in a value so that the name variable now has the value: nobody'; delete from student; select * from student where firstName='nobody Problems of constructing a query from a string Then, the query in last example would become: select * from student where firstName=' nobody'; delete from student; select * from student where firstName='nobody' Now, this is valid SQL statement but it will delete all rows in the table student. Prepared statements We can solve this problem using PreparedStatement. preparedStatement=connection.prepareStatement("select * from student where firstName=?"); Now, before you can use this statement to make a query, you need to set the unknown value specified by the ? in the above statement. preparedStatement.setString(1,"Chan Tai Man"); This statement set the first unknown to be "Chan Tai Man". Prepared statements If you invoke the following statement for the above example: preparedStatement.setString(1," nobody'; delete from student; select * from student where firstName='nobody"); do you think that the rows in student will still be deleted? The answer is no because using the setString method will allow Java to know that the input is just a string value to be passed to an SQL statement. It itself will not be part of the SQL statement. Therefore, if the query is executed, it will just look for student with this long name. It is very likely that this query will just return zero row. Other methods of PreparedStatement setInt(int index, int v) //set integer value setDouble(int index, double x) //set double value setLong(int index, long x) //set long setTimestamp(int index, Timestamp time) //set timestamp setDate(int index, Date date) //set date By using these methods, it is less likely to input a wrong type of data. Other methods of PreparedStatements Of course there are also statements to execute query and update: ResultSet executeQuery(); int executeUpdate();