1 Databases & Web-based Applications JDBC & Java Servlets A. Benabdelkader ©UvA, 2002/2003

2 JDBC

3 JDBC Java Database Connectivity - JDBC n Modeled after ODBC, JDBC API supports basic SQL functionality n With JDBC, Java can be used as host language for writing database applications n On top of JDBC, higher-level APIs can be built n Currently, two types of higher-level APIs: q An embedded SQL for Java (eg. SQLJ) q A direct mapping of relational database tables to Java classes (eg. Java Blend from Sun) Connolly © Addison Wesley, 2002

4 JDBC n JDBC API consists of two main interfaces: an API for application writers, and a lower-level driver API for driver writers n Applications and applets can access databases using: q ODBC drivers and existing database client libraries q JDBC API with pure Java JDBC drivers Connolly © Addison Wesley, 2002

5 JDBC Connolly © Addison Wesley, 2002

6 JDBC - Advantages/Disadvantages n Advantage of using JDBC drivers is that they are a de facto standard for PC database access, and are available for many DBMSs, for very low price n Disadvantages with this approach: q Non-pure JDBC driver will not necessarily work with a Web browser q Currently downloaded applet can connect only to database located on host machine q Deployment costs increase Connolly © Addison Wesley, 2002

7 java.sql Package JDBC - java.sql Package q Driver : supports the creation of a data connection q Connection : represents the connection between a Java client and an SQL database server q DatabaseMetaData : contains information about the database server q Statement : includes methods for executing SQL queries q PreparedStatement : represents a pre-compiled and stored query q CallableStatement : used to execute SQL stored procedures q ResultSet : contains the results of the execution of a select query q ResultSetMetaData, contains information about a ResultSet, including the attribute names and types A. Benabdelkader ©UvA, 2002/2003

8 JDBC - Connecting to Databases n java.sql.Driver q no methods for users q DriverManager.Connect method create connection n java.sql.Connection q createStatement n java.sql.Statement q executeQuery returns table as ResultSet q executeUpdate returns integer update count A. Benabdelkader ©UvA, 2002/2003

9 Connections JDBC - Connections n Loading driver classes q Class.forName("myDriver.ClassName"); u Class.forName(“sun.jdbc.odbc.JdbcOdbcDriver”); n Database connection URL q jdbc: : u jdbc:odbc:mydatabase q subname example  //hostname:port/databasename u //enp01.enp.fsu.edu:3306/gsim n Database MetaData q DatabaseMetaData dma = con.getMetaData(); A. Benabdelkader ©UvA, 2002/2003

10 Connection JDBC Examples - Connection import java.sql.*; public class JDBC_Connection { public static void main(String args[]) { String url = "jdbc:mt://amelie.wins.uva.nl/QueryDemo"; try { Class.forName("com.matisse.sql.MtDriver"); } catch(java.lang.ClassNotFoundException e) { System.err.println(e.getMessage());} try { Connection con = DriverManager.getConnection(url); DatabaseMetaData dma = con.getMetaData(); // Get information about the connection System.out.println("\nConnected to : " + dma.getURL() + "\nDriver : " + dma.getDriverName() + "\nVersion : " + dma.getDriverVersion()); } con.close(); } catch(SQLException ex) {System.err.println(ex.getMessage());} } A. Benabdelkader ©UvA, 2002/2003

11 Meta Data JDBC Examples - Meta Data ….. String query = “Select ….” Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery(query); ResultSetMetaData rsmd = rs.getMetaData (); int numCols = rsmd.getColumnCount (); for (i=1; (i<=numCols); i++) { System.out.println("\n” + “Column Name: " + rsmd.getColumnLabel(i) + ”Type: " + rsmd.getColumnType(i)); } A. Benabdelkader ©UvA, 2002 /2003

12 Execute Query JDBC Examples - Execute Query public class SQLStatement { try { // make the connection …... Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery(query); While (rs.next()) { For (int i = 1; i <= numCols; i++) { System.out.print(“Column “+ i + ": "); System.out.println(rs.getString(i)); } } stmt.close(); con.close(); } catch(SQLException ex) { System.err.println(ex.getMessage());} } A. Benabdelkader ©UvA, 2002 /2003

13 Update Statements JDBC - Update Statements n Create new Objects String insertSQL = ”insert into Course (Code, Name) ” +”values (’Brown’,’Web Databases’)”; int rowcount = stmt.executeUpdate(insertSQL); if (rowcount == 0) // insert failed n Update Objects String updateSQL = “update Course set “ +”Course.Credit = 7 where Code =’BI301004’”; int count = stmt.execute(updateSQL); // count is number of rows affected A. Benabdelkader ©UvA, 2002 /2003

14 Executing unknown SQL JDBC - Executing unknown SQL n Arbitrary SQL may return table (ResultSet) or row count (int) n Statement.execute method stmt.execute(sqlStatement); result = stmt.getResultSet(); while (true) {// loop through all results if (result != null) // process result else {// result is not a ResultSet rowcount = stmt.getUpdateCount(); if (rowcount == -1) break // no more results else // process row count } result = stmt.getMoreResults()) } A. Benabdelkader ©UvA, 2002/2003

15 Universal Database Discovery JDBC - Universal Database Discovery n Get DB MetaData - Get DB Tables DatabaseMetaData dmd; try {dmd = con.getMetaData(); try { String tables[] = {"TABLE", "VIEW"}; results = dmd.getTables("", "", "", tables); } catch (SQLException e){out.println(e);} } catch (Exception e) {out.println(e);} // GET ALL RESULTS A. Benabdelkader ©UvA, 2002/2003

16 Universal Database Discovery JDBC - Universal Database Discovery n Get Tables Results try { ResultSetMetaData rsmd = results.getMetaData(); int numCols = rsmd.getColumnCount(); while (results.next()) { System.out.println("Table Name: " + results.getString("TABLE_NAME")); } results.close(); con.close(); } catch (Exception e) { out.println(e); } A. Benabdelkader ©UvA, 2002/2003

17 Core Servlets & JSP book: More Servlets & JSP book: Servlet and JSP Training Courses: courses.coreservlets.com Java Servlets

18 Outline Java servlets Advantages of servlets Servlet structure Servlet examples Handling the client request –Form Data –HTTP request headers

19 A Servlet’s Job Read explicit data sent by client (form data) Read implicit data sent by client (request headers) Generate the results Send the explicit data back to client (HTML) Send the implicit data to client (status codes and response headers)

20 Why Build Web Pages Dynamically? The Web page is based on data submitted by the user –E.g., results page from search engines and order- confirmation pages at on-line stores The Web page is derived from data that changes frequently –E.g., a weather report or news headlines page The Web page uses information from databases or other server-side sources –E.g., an e-commerce site could use a servlet to build a Web page that lists the current price and availability of each item that is for sale.

21 The Advantages of Servlets Over “Traditional” CGI Efficient –Threads instead of OS processes, one servlet copy, persistence Convenient –Lots of high-level utilities Powerful –Sharing data, pooling, persistence Portable –Run on virtually all operating systems and servers Secure –No shell escapes, no buffer overflows Inexpensive –There are plenty of free and low-cost servers.

22 Simple Servlet Template import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class ServletTemplate extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // Use "request" to read incoming HTTP headers // (e.g. cookies) and HTML form data (query data) // Use "response" to specify the HTTP response status // code and headers (e.g. the content type, cookies). PrintWriter out = response.getWriter(); // Use "out" to send content to browser }

23 A Simple Servlet That Generates Plain Text import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class HelloWorld extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); out.println("Hello World"); }

24 A Servlet That Generates HTML public class HelloWWW extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); String docType = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 " + "Transitional//EN\">\n"; out.println(docType + " \n" + " Hello WWW \n" + " \n" + " Hello WWW \n" + " "); }

25 The Servlet Life Cycle init –Executed once when the servlet is first loaded. Not called for each request. service –Called in a new thread by server for each request. Dispatches to doGet, doPost, etc. Do not override this method! doGet, doPost, doXxx –Handles GET, POST, etc. requests. –Override these to provide desired behavior. destroy –Called when server deletes servlet instance. Not called after each request.

26 Handling the Client Request: Form Data Form data Processing form data Reading request parameters Filtering HTML-specific characters

27 The Role of Form Data Example URL at online travel agent – –Names come from HTML author; values usually come from end user Parsing form (query) data in traditional CGI –Read the data one way (QUERY_STRING) for GET requests, another way (standard input) for POST requests –Chop pairs at ampersands, then separate parameter names (left of the equal signs) from parameter values (right of the equal signs) –URL decode values (e.g., "%7E" becomes "~") –Need special cases for omitted values (param1=val1&param2=&param3=val3) and repeated parameters (param1=val1&param2=val2&param1=val3)

28 Creating Form Data: HTML Forms A Sample Form Using GET A Sample Form Using GET First name: Last name: See CSAJSP Chapter 16 for details on forms

29 HTML Form: Initial Result

30 Reading Form Data In Servlets request.getParameter("name") –Returns URL-decoded value of first occurrence of name in query string –Works identically for GET and POST requests –Returns null if no such parameter is in query request.getParameterValues("name") –Returns an array of the URL-decoded values of all occurrences of name in query string –Returns a one-element array if param not repeated –Returns null if no such parameter is in query request.getParameterNames() –Returns Enumeration of request params

31 An HTML Form With Three Parameters First Parameter: Second Parameter: Third Parameter:

32 Reading the Three Parameters public class ThreeParams extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); String title = "Reading Three Request Parameters"; out.println(ServletUtilities.headWithTitle(title) + " \n" + " " + title + " \n" + " \n" + " param1 : " + request.getParameter("param1") + "\n" + " param2 : " + request.getParameter("param2") + "\n" + " param3 : " + request.getParameter("param3") + "\n" + " \n" + " "); }}

33 Reading Three Parameters: Result

34 Filtering Strings for HTML-Specific Characters You cannot safely insert arbitrary strings into servlet output – can cause problems anywhere –& and " can cause problems inside of HTML attributes You sometimes cannot manually translate –The string is derived from a program excerpt or another source where it is already in some standard format –The string is derived from HTML form data Failing to filter special characters from form data makes you vulnerable to cross-site scripting attack – –