[xquery-talk] questions about security and dynamically constructed queries

Paul Cotton pcotton at microsoft.com
Wed Oct 22 15:29:29 PDT 2003


>Is that considered "direct SQL"?

No, this use in JDBC is "dynamic SQL".  In fact the JDBC
PreparedStatement interface supports the setting of input parameter
values for those locations in the dynamic SQL statement that were coded
as "?".  If there are no parameters then you can use the Statement
interface, but this is still "dynamic SQL".

/paulc 

Paul Cotton, Microsoft Canada 
17 Eleanor Drive, Nepean, Ontario K2E 6A3 
Tel: (613) 225-5445 Fax: (425) 936-7329 
mailto:pcotton at microsoft.com

  

> -----Original Message-----
> From: Per Bothner [mailto:per at bothner.com]
> Sent: October 22, 2003 1:43 PM
> To: Paul Cotton
> Cc: talk at xquery.com
> Subject: Re: [xquery-talk] questions about security and dynamically
> constructed queries
> 
> Paul Cotton wrote:
> >> I assumed that most relational databases have query interface where you
> >> can type in SQL queries and get results back, so at least in that sense
> >> you can create SQL dynamically.
> >
> > Yes they do.
> >
> > This is actually called "direct invocation of SQL" or "direct SQL", is
> > very different than "dynamic SQL" and is NOT supported through any of
> > the defined API's (e.g. embedded, CLI, JDBC, etc.).  In fact it should
> > probably be considered an API in itself.
> 
> I'm missing something here.  In JDBC you can create an SQL query at
> run-time by pasting together a String and passing that to the
> executeQuery method.  Is that considered "direct SQL"?  If so, it
> appears well-supported by at least JDBC.
> 
> (I admit we're getting a bit off-topic here ...)
> --
> 	--Per Bothner
> per at bothner.com   http://per.bothner.com/
> 
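The distinction the thread draws, dynamic SQL pasted together from strings versus dynamic SQL with "?" parameter markers bound through a PreparedStatement, shown as an added example that is not part of the original thread. It uses Python's sqlite3 module (which also uses "?" markers) rather than JDBC, and the table, rows and lookup names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a@example.org"), ("O'Brien", "ob@example.org"), ("bob", "b@example.org")],
    )
    return conn


def lookup_concat(conn, name):
    """Dynamic SQL built by string pasting: the input becomes part of the SQL text,
    so a quote in the input changes how the statement parses."""
    sql = "SELECT email FROM users WHERE name = '" + name + "' ORDER BY rowid"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def lookup_param(conn, name):
    """Dynamic SQL with a '?' marker (the sqlite3 analogue of JDBC PreparedStatement):
    the statement text is fixed and the input is bound as a single literal value."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run the same lookup both ways and return what each produced."""
    conn = make_db()
    return {"concat": lookup_concat(conn, name), "param": lookup_param(conn, name)}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the pasted statement
    # but is matched correctly when bound as a parameter.
    print(compare("O'Brien"))
    # Input containing a quote and a tautology widens the pasted statement
    # to every row; the parameterised statement simply finds no such name.
    print(compare("x' OR 'a'='a"))
```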