ODBC

ODBC

Alex Peake
In looking through the ODBC documentation, I do not see a way to bind parameters, as in:

"INSERT INTO Customer (FirstName, LastName, Street, City, State, Zip) VALUES(?,?,?,?,?,?)"

and SQLBindParameter()

Is this available? Was it omitted for a reason? Is it possible for a mere mortal to add?

Alex



ODBC

Ingela Anderton Andin-2

Alex Peake wrote:
> In looking through the ODBC documentation, I do not see a way to bind parameters, as in:
>
> "INSERT INTO Customer (FirstName, LastName, Street, City, State, Zip) VALUES(?,?,?,?,?,?)"
>
> and SQLBindParameter()
>
> Is this available? Was it omitted for a reason? Is it possible for a mere mortal to add?

Well, the Erlang ODBC application aims to provide an Erlang-style
programming interface to SQL databases. This means that it tries to
provide the functionality that an SQL user wants, which is not a
one-to-one mapping with the Microsoft ODBC API, as it is a C API that has
to handle memory allocation and stuff that an Erlang programmer does
not need to think about. However, ODBC is a big standard, and what
functionality has been included depends first of all on what our
commercial customers have required.

The Erlang ODBC is a fairly small application, so it should not be
that hard to get your head around it. It all of course depends on your
prior knowledge. The latest version of the documentation includes some
design info. (It has only been patched on the Windows platform.) Also, there
is some internal documentation at the top of the C file odbcserver.c.

The functionality you are talking about was not omitted for any
special reason; rather, it has not been considered yet. If you could
explain a little when and why you want to use this functionality, it would
have a better chance to become part of the official release.

--
/Ingela

Ericsson AB - OTP team

ODBC

Alex Peake
The typical use of this functionality is when you have a large number of records to insert or
update.

If you do not use the parameter binding, then the SQL is parsed by the database for each row. With
parameters, the SQL is parsed once, and therefore the time for lots of inserts or updates is lots
less.

The second issue is a security issue. Without parameters, you can only do string concatenation. Let's
say you allow someone to search from a web page. You expect:

Name = "SMITH" on web page for
SELECT * FROM Customer where Name = '(ValOf Name)'
yielding
SELECT * FROM Customer where Name = 'SMITH'

Instead, they enter "SMITH;DELETE * FROM Customer;"

Now you have a disaster.

If you use parameter binding, this cannot happen, since the text is purely a string to be searched
on.

Alex

> -----Original Message-----
> From: Ingela Anderton [mailto:ingela]
> Sent: Monday, July 07, 2003 3:17 AM
> To: apeake; erlang-questions
> Subject: Re: ODBC
>
>
>
> Alex Peake wrote:
> > In looking through the ODBC documentation, I do not see a way to bind parameters, as in:
> >
> > "INSERT INTO Customer (FirstName, LastName, Street, City, State, Zip) VALUES(?,?,?,?,?,?)"
> >
> > and SQLBindParameter()
> >
> > Is this available? Was it omitted for a reason? Is it possible for a mere mortal to add?
>
> Well, the Erlang ODBC application aims to provide an Erlang-style
> programming interface to SQL databases. This means that it tries to
> provide the functionality that an SQL user wants, which is not a
> one-to-one mapping with the Microsoft ODBC API, as it is a C API that has
> to handle memory allocation and stuff that an Erlang programmer does
> not need to think about. However, ODBC is a big standard, and what
> functionality has been included depends first of all on what our
> commercial customers have required.
>
> The Erlang ODBC is a fairly small application, so it should not be
> that hard to get your head around it. It all of course depends on your
> prior knowledge. The latest version of the documentation includes some
> design info. (It has only been patched on the Windows platform.) Also, there
> is some internal documentation at the top of the C file odbcserver.c.
>
> The functionality you are talking about was not omitted for any
> special reason; rather, it has not been considered yet. If you could
> explain a little when and why you want to use this functionality, it would
> have a better chance to become part of the official release.
>
> --
> /Ingela
>
> Ericsson AB - OTP team
>
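
The two uses of bound parameters described in the last message, as an added example that is not part of the original thread: one `?`-marked INSERT reused for many rows, and a search where the value is bound instead of concatenated. It assumes Python's built-in `sqlite3` as a stand-in for an ODBC data source, searches on the `LastName` column, and uses constructed sample rows.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for an ODBC data source here.
ROWS = [
    ("JOHN", "SMITH", "1 Main St", "Springfield", "IL", "62701"),
    ("MARY", "O'BRIEN", "2 Oak Ave", "Portland", "OR", "97201"),
]
INSERT = ("INSERT INTO Customer (FirstName, LastName, Street, City, State, Zip) "
          "VALUES(?,?,?,?,?,?)")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (FirstName TEXT, LastName TEXT, "
                 "Street TEXT, City TEXT, State TEXT, Zip TEXT)")
    # One statement text, many parameter rows: the SQL is prepared once
    # and only the bound values change per row.
    conn.executemany(INSERT, ROWS)
    return conn


def search_concat(conn, name):
    # Weak form: the value becomes part of the SQL text the parser sees.
    sql = "SELECT FirstName FROM Customer WHERE LastName = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def search_bound(conn, name):
    # Bound form: the SQL text is fixed; the value travels separately as data.
    sql = "SELECT FirstName FROM Customer WHERE LastName = ?"
    return [r[0] for r in conn.execute(sql, (name,))]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Customer").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(search_bound(db, "SMITH"))
    print(search_bound(db, "O'BRIEN"))
    try:
        search_concat(db, "O'BRIEN")  # the apostrophe ends the SQL literal early
    except sqlite3.Error as exc:
        print("concatenated query failed:", exc)
    # The input from the message is only a string to compare against.
    print(search_bound(db, "SMITH;DELETE * FROM Customer;"), row_count(db))
```
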