What is embedded SQL?

For example, Delphi has the components TADOQuery, TADOStoredProcedure, TADOTable.
Do they represent Embedded SQL?
What is the difference between Embedded SQL and just using SQL in programming languages?

No, TADO* aren't embedded SQL.
Embedded SQL is a (mostly archaic) technique where you write specially delimited SQL in your code and use a pre-processing application to convert that to direct DB API calls.
You can read about it in Chapter 14 of the InterBase Embedded SQL guide [PDF], if you care to.

No, those Delphi components are not embedded SQL. In embedded SQL the SQL statements are intermixed with regular code; the most common form I know of is ESQL/C. It should be considered deprecated.
The way it works is a preprocessor that translates all the SQL related stuff to the host language, and that pretranslated code is fed through the host language compiler.
A short fragment based on PostgreSQL's ESQL/C implementation:
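#include <stdio.h>

void showesql() {
    EXEC SQL BEGIN DECLARE SECTION;
    int FooBar;
    VARCHAR DooDad[17];   /* size is an assumption: a 16-character value */
    EXEC SQL END DECLARE SECTION;

    EXEC SQL DECLARE foo_bar CURSOR FOR
        SELECT number, ascii FROM foo
        ORDER BY ascii;
    EXEC SQL OPEN foo_bar;
    /* Every host variable is referenced with a leading colon. */
    EXEC SQL FETCH foo_bar INTO :FooBar, :DooDad;
    /* The preprocessor turns VARCHAR into a struct with len and arr members. */
    printf("number is %d and ascii was %.*s\n", FooBar, DooDad.len, DooDad.arr);
    EXEC SQL CLOSE foo_bar;
    EXEC SQL COMMIT;
}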
In my experience working in such code is quite hard, and that's why this once pretty common technique has been abandoned.

Embedded SQL is using SQL statements within your program code
http://en.wikipedia.org/wiki/Embedded_SQL

Related

good practice with dynamic sql

I use tons of dynamic SQL -
I figured that there must be some good guidelines, frameworks and/or tools to help one use dynamic SQL queries.
I'm looking for any suggestions on how exactly one should compose a dynamic SQL query (without the obvious solution of simply writing it, then adding ' ' etc.).
The big problem here is that sometimes it gets way too messy (dynamic SQL that contains another dynamic SQL, etc.).
If it matters at all, I am using sql-server.
I'll take any advice I can get,
Thanks! ;)
Vague question.. But one piece of advice:
Use sp_executesql and pass in any variables/parameters whenever possible to prevent SQL injection
If possible generate the dynamic SQL as much as possible, don't write it yourself.
Execute the dynamic SQL without appending the parameters to the SQL string, use parameters and pass those to sp_executesql to avoid having to do double quoting (too tedious). It is also a solid guard against SQL Injection. Example:
DECLARE @stmt NVARCHAR(MAX)='SELECT * FROM your_table WHERE id=@par1 AND ... AND thename=@parn;';
EXECUTE sp_executesql @stmt, N'@par1 INT, ..., @parn VARCHAR(256)', @par1, ... , @parn;
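An added example for SQL Server, not part of the original answers: the statement text is assembled conditionally, every value is passed to sp_executesql as a parameter, and the one identifier that has to be concatenated is checked against sys.columns and wrapped in QUOTENAME. The table dbo.people, the procedure dbo.search_people and the sample rows are constructed for illustration.

```sql
-- Constructed sample table (hypothetical names, not from the thread).
CREATE TABLE dbo.people (id INT PRIMARY KEY, thename VARCHAR(256), city VARCHAR(64));
INSERT INTO dbo.people VALUES (1, 'Ann', 'Oslo'), (2, 'O''Brien', 'Cork'), (3, 'Ann', 'Cork');
GO  -- batch separator for sqlcmd/SSMS; CREATE PROCEDURE must start a batch

CREATE PROCEDURE dbo.search_people
    @thename VARCHAR(256) = NULL,   -- optional filter
    @city    VARCHAR(64)  = NULL,   -- optional filter
    @sortcol SYSNAME      = N'id'   -- caller-chosen ORDER BY column
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be passed as parameters. Accept only a real column
    -- of the table, and wrap it with QUOTENAME before it enters the text.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.people') AND name = @sortcol)
    BEGIN
        RAISERROR(N'Unknown sort column', 16, 1);
        RETURN;
    END;

    DECLARE @stmt NVARCHAR(MAX) = N'SELECT id, thename, city FROM dbo.people WHERE 1 = 1';

    -- Only the shape of the query is dynamic; values stay as @parameters.
    IF @thename IS NOT NULL SET @stmt += N' AND thename = @thename';
    IF @city    IS NOT NULL SET @stmt += N' AND city = @city';
    SET @stmt += N' ORDER BY ' + QUOTENAME(@sortcol) + N';';

    -- Declaring a parameter that the statement does not use is allowed,
    -- so one fixed parameter list serves every combination of filters.
    EXECUTE sp_executesql @stmt,
        N'@thename VARCHAR(256), @city VARCHAR(64)',
        @thename = @thename, @city = @city;
END;
GO

-- The apostrophe travels as data; nothing is re-quoted inside @stmt.
EXECUTE dbo.search_people @thename = 'O''Brien', @sortcol = N'city';
-- Fails the column check instead of being concatenated into the statement.
EXECUTE dbo.search_people @sortcol = N'id; SELECT 1';
```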

PostgreSQL why/when should I use ECPG

I've decided to use PostgreSQL as the database for a game project (C++).
At the moment I'm using Oracle and its Pro*C precompiler at work and heard that PostgreSQL also has something similar called ECPG.
It's also possible to access data from the Postgres database directly by using the SQL in a string.
So the difference between "normal" and using ECPG is that you can write your SQL statements like code? Or are there any other differences I should be aware of?
(PS: I know I'm using it at work, but I haven't noticed any other differences)
Looking forward to hearing from you guys.
Yes, ECPG is covered in the documentation.
So the difference between "normal" and using ECPG, is that you can
write your SQL statements like code?
Well, SQL statements are code. A SQL statement just looks like a SQL statement. This is what a CREATE TABLE statement might look like in ECPG.
EXEC SQL CREATE TABLE foo (number integer, ascii char(16));
ECPG allows variable substitution. (Maybe that's what you meant by "write your SQL statements like code".)
EXEC SQL INSERT INTO sometable VALUES (:v1, 'foo', :v2);
All this stuff is in the documentation.

Can I prepare a statement in plain Oracle SQL?

3GLs provide mechanisms to prepare statements before executing them. E.g.
SELECT name
FROM people
WHERE age=:AGE
The same query can then be executed for different ages. But can such a statement also be prepared in a "plain" Oracle SQL client? Can the same be done in e.g. SQL Plus or dbForge Studio for Oracle as in Java or C# or any other programming language that supports prepared statements?
In dbForge Studio for Oracle, named parameters can be used, preceded by a colon :
SELECT *
FROM people
WHERE name=:name
The parameters can then be filled in with the "Edit parameters dialog box", available from the SQL toolbar.
I know you didn't ask about PostgreSQL but about Oracle. However, of note, PostgreSQL has this feature right in its SQL language.
The SQL standard includes a PREPARE statement, but it is only for use in embedded SQL. The PostgreSQL version of the PREPARE statement works like this:
PREPARE nameByAge(integer) AS
SELECT name
FROM People
WHERE age=$1;
and you use it like this:
EXECUTE nameByAge(18);
EXECUTE nameByAge(50);
So unfortunately for Oracle SQLPlus the answer seems to be no, not bind variables. But SQLPlus has substitution variables, similar to shell scripts. You use them as &1, &2, &3, ... and they get their parameters from the way you call the SQLPlus script.
sqlplus user/password @script.sql 18
sqlplus user/password @script.sql 50
with the script.sql being
SELECT name
FROM People
WHERE age=&1;
this would work, even though it is not bind. But then, do you really care about the slight savings in repeat parse time? In fact Oracle hashes SQL statements and already replaces constants with bind variables to be able to better reuse query plans. So the savings you would get with PREPARE and BIND are really minuscule.

Pro*C: How to implement Dynamic SQL for inserting data

I'm new to Pro*C coding and Oracle. I need to insert data into various tables at run time depending on a certain condition. Can anyone tell me whether I can implement this using dynamic SQL Method 4? Reading through the docs, I'm really confused.
The Oracle docs gave some really nice examples, but they are really confusing. Can anyone point me to any simple documents or sites that are easily understood, or any sample code which is easy to understand?
I'm new to this forum, please forgive me if I'm asking too much. And Google, I have been doing it this whole day and I'm lost.
Also, there are two types of implementations in Method 4, ORACLE and ANSI. ANSI seems to be the simpler method. Any suggestions on this?
Here is a simple Pro*C snippet to execute a query immediately. Hope you've understood creating contexts.
#include <sqlca.h>

int OraExecQuery(sql_context *sql_ctx, char *sql_query)
{
    /* Error Handling formalities */
    EXEC SQL WHENEVER SQLERROR GOTO OracleError;
    EXEC SQL CONTEXT USE :sql_ctx;
    /* Runs the text in sql_query as-is */
    EXEC SQL EXECUTE IMMEDIATE :sql_query;
    EXEC SQL COMMIT;
    return 0;   /* Success */
OracleError:
    /* Handle errors using struct sqlca */
    return -1;  /* Failure */
}
I too have read manuals from Oracle of necessary versions and did tryouts. On the other hand OCI is tougher to grasp.

Delphi Interbase Sql Conversion to Sql Server and Oracle

I have a Delphi application which uses an InterBase/Firebird database. To query and write data I use the InterBase components palette (IBTable, IBQuery, IBDataset). I'm converting my system to SQL Server/Oracle, but I have thousands of queries that are assembled at runtime with SQL instructions specific to InterBase/Firebird. Does anyone know of any component or tool that parses commands InterBase -> SQL Server or InterBase -> Oracle?
What I need is something like:
Var
  Parser: TParser;
  OutputSql: String;
Begin
  Parser := TParser.Create();
  Parser.Text := 'SELECT FIRST 10 CITYNAME FROM TBCITY';
  if Firebird then
    OutPutSql := Parser.ParseTo('SQLSERVER');
  if Oracle then
    OutPutSql := Parser.ParseTo('ORACLE');
  ComponentAccess.Sql.Text := OutPutSql;
  ...
The Result Of:
Parser.ParseTo('SQLSERVER');
Will Be
'SELECT TOP 10 CITYNAME FROM TBCITY'
And
Parser.ParseTo('ORACLE');
Will Be
'SELECT CITYNAME FROM TBCITY WHERE ROWNUM <= 10'
1) AFAIK, libraries like AnyDAC have an SQL abstraction syntax. Maybe you can use this feature in your SQL command text.
2) If you are assembling your SQL at runtime, then why not just code like that:
if Firebird then
SQL.Add(...)
else if Oracle then
SQL.Add(...)
...
We have implemented that in AnyDAC. You may use LIMIT escape function:
ADQuery1.Sql.Text := 'SELECT {LIMIT(10)} CITYNAME FROM TBCITY';
AnyDAC will automatically translate that into target DBMS syntax.
I have used kbmMW from Components4Developers and it has an abstracted set of queries that provide macros and the like to enable /easier/ cross database work but it's mainly for client/server use. Devart also do a good set of cross database components - we use their SQL Server set. However, each project I've done I've ended up writing a specific set of SQL scripts for each database. Obviously there is a fair bit of common ground for simple select stuff but the feature sets of the different databases are often too different to make it easily workable.
I end up with something similar to @oodesigner's response except that we use $ifdef and define my SQL strings in a separate const unit.
{$ifdef USE_MSSQL}
QUERY_ONE = 'select blah blah blah...';
{$else}
QUERY_ONE = 'select nah nah nah...';
{$endif}
Then in the main unit a simple assignment
SQL.Text := QUERY_ONE;
or
SQL.Text := Format(QUERY_TWO, [some_very_carefully_quoted_stuff_or_use_params]);
Don't know of anything that would automate or parse it. And the problem with that is that you still have to go through and check every single query because it's too easy to get things wrong when converting.