[wsf-c-dev] Embedding mysql to axis2

James Clark james at wso2.com
Thu Feb 15 02:31:27 PST 2007


> See attached for a small explanation about how the config file is  
> used in the java version.

I see it does:

> <parameter name="X">{{XPATH to the parameter value}}</parameter>*
> <select>select * from user where name='<value param="X"/>'</select>

This is not a very good approach.  You'll get security problems if
you're not very careful about quoting (Google for "SQL injection"), plus
it's not efficient.  It's better to use SQL prepared statements and
parameters.  See

http://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-execute.html
http://rpbouman.blogspot.com/2005/11/mysql-5-prepared-statement-syntax-and.html

The XML syntax can be simply:

<operation name="getUser">
  <query>select * from user where name = <param>{XPath to param value}</param></query>
  ...
</operation>

The <param> element represents a parameter in an SQL prepared statement,
rather than a string which is substituted into the SQL.  To implement
this in SQL using the C API, you would do something like this:

/* execute this once per connection: the SQL text carries a '?'
   placeholder, never a substituted value */
mysql_stmt_prepare(stmt, "select * from user where name = ?",...);
/* execute this once per request: the value selected by the XPath is
   bound to the placeholder and sent separately from the SQL text */
mysql_stmt_bind_param(stmt,...);
mysql_stmt_execute(stmt);

It might also be worth having a type attribute on param to convert the
XML value to the appropriate SQL type.
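As an added illustration (not James's code and not part of Axis2/C or its data-services module), this is one way the proposed <query> template could be compiled into the placeholder SQL handed to mysql_stmt_prepare() plus the ordered list of XPath expressions whose values are later bound with mysql_stmt_bind_param(); the tag scanning, the 128-byte XPath limit and the error handling are assumptions of this example.

```c
#include <string.h>

/*
 * Compile a <query> template of the form proposed on the list,
 *   select * from user where name = <param>/path/to/value</param>
 * into SQL that uses '?' placeholders for mysql_stmt_prepare(), and
 * collect the XPath expression of each <param> in order.  The XPath
 * results are later supplied through mysql_stmt_bind_param(), never
 * spliced into the SQL text, so a value such as O'Brien cannot alter
 * the statement.  Returns the number of parameters, or -1 on error
 * (unterminated <param>, too many parameters, or buffer too small).
 * The 128-byte XPath limit is an assumption of this example.
 */
int compile_query(const char *tmpl, char *sql, size_t sql_len,
                  char xpaths[][128], int max_params)
{
    const char *otag = "<param>", *ctag = "</param>";
    size_t olen = strlen(otag), clen = strlen(ctag), out = 0;
    int n = 0;

    while (*tmpl) {
        if (strncmp(tmpl, otag, olen) == 0) {
            const char *start = tmpl + olen;
            const char *end = strstr(start, ctag);
            size_t xlen;
            if (!end || n >= max_params) return -1;
            xlen = (size_t)(end - start);
            if (xlen >= 128) return -1;
            memcpy(xpaths[n], start, xlen);   /* remember where the value comes from */
            xpaths[n][xlen] = '\0';
            n++;
            if (out + 1 >= sql_len) return -1;
            sql[out++] = '?';                 /* placeholder for a bound parameter */
            tmpl = end + clen;
        } else {
            if (out + 1 >= sql_len) return -1;
            sql[out++] = *tmpl++;             /* plain SQL text is copied through */
        }
    }
    sql[out] = '\0';
    return n;
}
```

The returned SQL is what goes to mysql_stmt_prepare() once per connection; per request the service evaluates each XPath against the incoming message and binds the results in the same order.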

The <output> XML syntax looks pretty ugly to me. Surely we can do
better.  Have you looked at what Microsoft/Oracle/IBM have done in this
space?

James
