[xquery-talk] questions about security and dynamically constructed queries

Paul Cotton pcotton at microsoft.com
Tue Oct 21 20:43:29 PDT 2003


> I assumed that most relational databases have a query interface where you
> can type in SQL queries and get results back, so at least in that sense
> you can create SQL dynamically.

Yes they do.  

This is actually called "direct invocation of SQL" or "direct SQL", is
very different than "dynamic SQL" and is NOT supported through any of
the defined APIs (e.g. embedded, CLI, JDBC, etc.).  In fact it should
probably be considered an API in itself.

In ISO 9075 it is defined in the following text and the feature is
effectively completely implementation-defined:

"4.25 Direct invocation of SQL

Direct invocation of SQL is a mechanism for executing direct
SQL-statements, known as <direct SQL statement>s. In direct invocation
of SQL, the method of invoking <direct SQL statement>s, the method of
raising conditions that result from the execution of <direct SQL
statement>s, the method of accessing the diagnostics information that
results from the execution of <direct SQL statement>s, and the method of
returning the results are implementation-defined."

/paulc

Paul Cotton, Microsoft Canada 
17 Eleanor Drive, Nepean, Ontario K2E 6A3 
Tel: (613) 225-5445 Fax: (425) 936-7329 
mailto:pcotton at microsoft.com


> -----Original Message-----
> From: Per Bothner [mailto:per at bothner.com]
> Sent: October 21, 2003 6:26 PM
> To: Paul Cotton
> Cc: Dhruba Borthakur; talk at xquery.com
> Subject: Re: [xquery-talk] questions about security and dynamically
> constructed queries
> 
> Paul Cotton wrote:
> 
> >>After all most databases allow you to create SQL dynamically,
> >>so there is no reason not to do the same for XQuery.
> >
> >
> > This is not really true. Most SQL systems I am familiar with allow you
> > to submit a SQL-statement dynamically with known <dynamic parameter
> > marker>s (question marks) in the statement in many locations where a
> > constant value can be supplied.  But SQL systems do NOT provide a
> > generalized eval() function that can take any SQL-statement at runtime.
> > And I think this is what Dhruba was asking about.
> 
> I assumed that most relational databases have a query interface where you
> can type in SQL queries and get results back, so at least in that sense
> you can create SQL dynamically.  But I understand that creating a query
> dynamically as part of executing some "outer" query may be a different
> matter ...
> --
> 	--Per Bothner
> per at bothner.com   http://per.bothner.com/
> 
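The distinction Paul draws above, between dynamic SQL with <dynamic parameter marker>s that only stand in for constant values and an eval()-like direct invocation that accepts any statement text, as an added example that is not part of this thread. It uses Python's sqlite3 module against a constructed in-memory database; the table, rows and the ALLOWED_TABLES allowlist are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration, not from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Hara")])
    conn.commit()
    return conn

def dynamic_sql(conn, statement, params=()):
    """Dynamic SQL: the statement text is fixed by the program and values are
    bound to ? markers. The engine receives the values separately from the
    text, so a quote inside a value needs no escaping and cannot alter the
    statement's structure."""
    return conn.execute(statement, params).fetchall()

def marker_accepts_identifier(conn):
    """A marker may only appear where a constant value could; a table name is
    not a constant, so SQLite rejects this statement when it is prepared."""
    try:
        conn.execute("SELECT name FROM ? WHERE id = ?", ("users", 1))
        return True
    except sqlite3.OperationalError:
        return False

def direct_sql(conn, text):
    """Direct invocation: the engine runs whatever SQL text it is handed,
    as many statements as the text contains. This is the eval()-like path
    the thread says the standard APIs do not offer; SQLite exposes it as
    executescript. Returns the table names afterwards to show the effect."""
    conn.executescript(text)
    return [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]

ALLOWED_TABLES = {"users"}  # assumed, program-owned closed set of names

def dynamic_with_allowlisted_table(conn, table, user_id):
    """When a structural part (here the table) must vary at runtime, check it
    against a closed set and still bind the value through a marker."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return dynamic_sql(conn, f"SELECT name FROM {table} WHERE id = ?", (user_id,))

if __name__ == "__main__":
    db = make_db()
    print(dynamic_sql(db, "SELECT id FROM users WHERE name = ?", ("O'Hara",)))
    print(marker_accepts_identifier(db))
    print(direct_sql(db, "CREATE TABLE audit (msg TEXT); INSERT INTO audit VALUES ('x');"))
    print(dynamic_with_allowlisted_table(db, "users", 1))
```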