Databases & Web-based Applications: JDBC & Java Servlets (A. Benabdelkader, ©UvA, 2002/2003)

Post on 11-Jan-2016


JDBC

Java Database Connectivity (JDBC)

• Modeled after ODBC, the JDBC API supports basic SQL functionality
• With JDBC, Java can be used as the host language for writing database applications
• Higher-level APIs can be built on top of JDBC. Currently there are two types of higher-level APIs:
– An embedded SQL for Java (e.g. SQLJ)
– A direct mapping of relational database tables to Java classes (e.g. Java Blend from Sun)

Connolly © Addison Wesley, 2002


JDBC

The JDBC API consists of two main interfaces: an API for application writers, and a lower-level driver API for driver writers.

Applications and applets can access databases using:
– ODBC drivers and existing database client libraries
– the JDBC API with pure Java JDBC drivers


JDBC - Advantages/Disadvantages

The advantage of using JDBC drivers is that they are a de facto standard for PC database access and are available for many DBMSs at very low cost.

Disadvantages of this approach:
– A non-pure JDBC driver will not necessarily work with a Web browser
– Currently a downloaded applet can connect only to a database located on the host machine
– Deployment costs increase

JDBC - The java.sql Package

• Driver: supports the creation of a data connection
• Connection: represents the connection between a Java client and an SQL database server
• DatabaseMetaData: contains information about the database server
• Statement: includes methods for executing SQL queries
• PreparedStatement: represents a pre-compiled and stored query
• CallableStatement: used to execute SQL stored procedures
• ResultSet: contains the results of the execution of a select query
• ResultSetMetaData: contains information about a ResultSet, including the attribute names and types

JDBC - Connecting to Databases

• java.sql.Driver: no methods for users; DriverManager.getConnection creates the connection
• java.sql.Connection: createStatement
• java.sql.Statement: executeQuery returns a table as a ResultSet; executeUpdate returns an integer update count

JDBC - Connections

• Loading driver classes: Class.forName("myDriver.ClassName");
  e.g. Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
• Database connection URL: jdbc:<subprotocol>:<subname>
  e.g. jdbc:odbc:mydatabase
• Subname example: //hostname:port/databasename
  e.g. //enp01.enp.fsu.edu:3306/gsim
• Database MetaData: DatabaseMetaData dma = con.getMetaData();

JDBC Examples - Connection

import java.sql.*;

public class JDBC_Connection {
    public static void main(String args[]) {
        String url = "jdbc:mt://amelie.wins.uva.nl/QueryDemo";
        try {
            Class.forName("com.matisse.sql.MtDriver");
        } catch (java.lang.ClassNotFoundException e) {
            System.err.println(e.getMessage());
        }
        try {
            Connection con = DriverManager.getConnection(url);
            DatabaseMetaData dma = con.getMetaData();
            // Get information about the connection
            System.out.println("\nConnected to : " + dma.getURL()
                + "\nDriver : " + dma.getDriverName()
                + "\nVersion : " + dma.getDriverVersion());
            con.close();
        } catch (SQLException ex) {
            System.err.println(ex.getMessage());
        }
    }
}

JDBC Examples - Meta Data

.....
String query = "Select ...";
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(query);
ResultSetMetaData rsmd = rs.getMetaData();
int numCols = rsmd.getColumnCount();
for (int i = 1; i <= numCols; i++) {
    System.out.println("\n" + "Column Name: " + rsmd.getColumnLabel(i)
        + " Type: " + rsmd.getColumnType(i));
}

JDBC Examples - Execute Query

public class SQLStatement {
    ...
    try {
        // make the connection ...
        Statement stmt = con.createStatement();
        ResultSet rs = stmt.executeQuery(query);
        int numCols = rs.getMetaData().getColumnCount();   // columns in the result
        while (rs.next()) {
            for (int i = 1; i <= numCols; i++) {
                System.out.print("Column " + i + ": ");
                System.out.println(rs.getString(i));
            }
        }
        stmt.close();
        con.close();
    } catch (SQLException ex) {
        System.err.println(ex.getMessage());
    }
}

JDBC - Update Statements

Create new objects
    String insertSQL = "insert into Course (Code, Name) "
        + "values ('Brown','Web Databases')";
    int rowcount = stmt.executeUpdate(insertSQL);
    if (rowcount == 0) { /* insert failed */ }

Update objects
    String updateSQL = "update Course set "
        + "Course.Credit = 7 where Code ='BI301004'";
    int count = stmt.executeUpdate(updateSQL);   // execute() returns a boolean; executeUpdate() returns the count
    // count is number of rows affected
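As an added example (not from the slides) of the PreparedStatement listed on the java.sql package slide, here is the same Course insert and update written with bound parameters, next to the string-concatenated form of this slide. Table Course and columns Code, Name and Credit come from the slide; the method names and the assumption that the course code arrives from a caller (for example a form field) are my own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not from the slides. Table Course and columns Code, Name and
// Credit are taken from the slide; the method names and the idea that the
// course code arrives from a caller (e.g. a form field) are assumptions.
public class CourseUpdates {

    // Weak form: the caller-supplied code is concatenated into the SQL text.
    // A quote character in the value ends the string literal early and the
    // remainder of the value is parsed as SQL, so the statement's meaning
    // depends on the data. Shown only to contrast with setCredit() below.
    static int setCreditUnsafe(Connection con, String code, int credit)
            throws SQLException {
        String updateSQL = "update Course set Credit = " + credit
                + " where Code = '" + code + "'";
        try (Statement stmt = con.createStatement()) {
            return stmt.executeUpdate(updateSQL);
        }
    }

    // Hardened form: the SQL text is fixed and pre-compiled by the driver;
    // values are bound as typed parameters and never become statement text.
    static int setCredit(Connection con, String code, int credit)
            throws SQLException {
        String updateSQL = "update Course set Credit = ? where Code = ?";
        try (PreparedStatement ps = con.prepareStatement(updateSQL)) {
            ps.setInt(1, credit);
            ps.setString(2, code);
            return ps.executeUpdate();          // number of rows affected
        }
    }

    // Same pattern for the insert: prepare once, bind and execute per row.
    static int addCourses(Connection con, String[][] rows) throws SQLException {
        String insertSQL = "insert into Course (Code, Name) values (?, ?)";
        int inserted = 0;
        try (PreparedStatement ps = con.prepareStatement(insertSQL)) {
            for (String[] row : rows) {
                ps.setString(1, row[0]);        // Code
                ps.setString(2, row[1]);        // Name
                inserted += ps.executeUpdate();
            }
        }
        return inserted;
    }
}
```

The try-with-resources blocks need Java 7 or later; on the Java 1.4-era drivers the slides use, close the Statement in a finally block instead.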

JDBC - Executing Unknown SQL

Arbitrary SQL may return a table (ResultSet) or a row count (int)

Statement.execute method:
    stmt.execute(sqlStatement);
    result = stmt.getResultSet();
    while (true) {                        // loop through all results
        if (result != null) {
            // process result
        } else {                          // result is not a ResultSet
            rowcount = stmt.getUpdateCount();
            if (rowcount == -1) break;    // no more results
            // else process row count
        }
        stmt.getMoreResults();            // advance to the next result (returns a boolean, not a ResultSet)
        result = stmt.getResultSet();
    }

JDBC - Universal Database Discovery

Get DB MetaData - Get DB Tables

DatabaseMetaData dmd;
try {
    dmd = con.getMetaData();
    try {
        String tables[] = {"TABLE", "VIEW"};
        // null catalog/schema: do not narrow the search; "%" matches every table name
        // (an empty string would match only tables with an empty name)
        results = dmd.getTables(null, null, "%", tables);
    } catch (SQLException e) { out.println(e); }
} catch (Exception e) { out.println(e); }
// GET ALL RESULTS

JDBC - Universal Database Discovery (continued)

Get Tables Results

try {
    ResultSetMetaData rsmd = results.getMetaData();
    int numCols = rsmd.getColumnCount();
    while (results.next()) {
        System.out.println("Table Name: " + results.getString("TABLE_NAME"));
    }
    results.close();
    con.close();
} catch (Exception e) {
    out.println(e);
}

Core Servlets & JSP book: www.coreservlets.com
More Servlets & JSP book: www.moreservlets.com
Servlet and JSP Training Courses: courses.coreservlets.com

Java Servlets

Outline

• Java servlets
• Advantages of servlets
• Servlet structure
• Servlet examples
• Handling the client request
– Form data
– HTTP request headers

A Servlet’s Job

• Read explicit data sent by client (form data)
• Read implicit data sent by client (request headers)
• Generate the results
• Send the explicit data back to client (HTML)
• Send the implicit data to client (status codes and response headers)

Why Build Web Pages Dynamically?

• The Web page is based on data submitted by the user
– E.g., results page from search engines and order-confirmation pages at on-line stores
• The Web page is derived from data that changes frequently
– E.g., a weather report or news headlines page
• The Web page uses information from databases or other server-side sources
– E.g., an e-commerce site could use a servlet to build a Web page that lists the current price and availability of each item that is for sale.

The Advantages of Servlets Over “Traditional” CGI

• Efficient
– Threads instead of OS processes, one servlet copy, persistence
• Convenient
– Lots of high-level utilities
• Powerful
– Sharing data, pooling, persistence
• Portable
– Run on virtually all operating systems and servers
• Secure
– No shell escapes, no buffer overflows
• Inexpensive
– There are plenty of free and low-cost servers.

Simple Servlet Template

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ServletTemplate extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Use "request" to read incoming HTTP headers
        // (e.g. cookies) and HTML form data (query data)
        // Use "response" to specify the HTTP response status
        // code and headers (e.g. the content type, cookies).
        PrintWriter out = response.getWriter();
        // Use "out" to send content to browser
    }
}

A Simple Servlet That Generates Plain Text

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class HelloWorld extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello World");
    }
}

A Servlet That Generates HTML

public class HelloWWW extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String docType =
            "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 " +
            "Transitional//EN\">\n";
        out.println(docType +
                    "<HTML>\n" +
                    "<HEAD><TITLE>Hello WWW</TITLE></HEAD>\n" +
                    "<BODY>\n" +
                    "<H1>Hello WWW</H1>\n" +
                    "</BODY></HTML>");
    }
}

The Servlet Life Cycle

• init
– Executed once when the servlet is first loaded. Not called for each request.
• service
– Called in a new thread by server for each request. Dispatches to doGet, doPost, etc. Do not override this method!
• doGet, doPost, doXxx
– Handles GET, POST, etc. requests.
– Override these to provide desired behavior.
• destroy
– Called when server deletes servlet instance. Not called after each request.

Handling the Client Request: Form Data

• Form data
• Processing form data
• Reading request parameters
• Filtering HTML-specific characters

The Role of Form Data

• Example URL at online travel agent
– http://host/path?user=Marty+Hall&origin=bwi&dest=lax
– Names come from HTML author; values usually come from end user
• Parsing form (query) data in traditional CGI
– Read the data one way (QUERY_STRING) for GET requests, another way (standard input) for POST requests
– Chop pairs at ampersands, then separate parameter names (left of the equal signs) from parameter values (right of the equal signs)
– URL decode values (e.g., "%7E" becomes "~")
– Need special cases for omitted values (param1=val1&param2=&param3=val3) and repeated parameters (param1=val1&param2=val2&param1=val3)

Creating Form Data: HTML Forms

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD><TITLE>A Sample Form Using GET</TITLE></HEAD>
<BODY BGCOLOR="#FDF5E6">
<H2 ALIGN="CENTER">A Sample Form Using GET</H2>
<FORM ACTION="http://localhost:8088/SomeProgram">
  <CENTER>
    First name: <INPUT TYPE="TEXT" NAME="firstName" VALUE="Joe"><BR>
    Last name: <INPUT TYPE="TEXT" NAME="lastName" VALUE="Hacker"><P>
    <INPUT TYPE="SUBMIT"> <!-- Press this to submit form -->
  </CENTER>
</FORM>
</BODY></HTML>

• See CSAJSP Chapter 16 for details on forms

HTML Form: Initial Result

Reading Form Data In Servlets

• request.getParameter("name")
– Returns URL-decoded value of first occurrence of name in query string
– Works identically for GET and POST requests
– Returns null if no such parameter is in query
• request.getParameterValues("name")
– Returns an array of the URL-decoded values of all occurrences of name in query string
– Returns a one-element array if param not repeated
– Returns null if no such parameter is in query
• request.getParameterNames()
– Returns Enumeration of request params

An HTML Form With Three Parameters

<FORM ACTION="/servlet/coreservlets.ThreeParams">
  First Parameter: <INPUT TYPE="TEXT" NAME="param1"><BR>
  Second Parameter: <INPUT TYPE="TEXT" NAME="param2"><BR>
  Third Parameter: <INPUT TYPE="TEXT" NAME="param3"><BR>
  <CENTER><INPUT TYPE="SUBMIT"></CENTER>
</FORM>

Reading the Three Parameters

public class ThreeParams extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String title = "Reading Three Request Parameters";
        out.println(ServletUtilities.headWithTitle(title) +
                    "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                    "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                    "<UL>\n" +
                    "  <LI><B>param1</B>: " + request.getParameter("param1") + "\n" +
                    "  <LI><B>param2</B>: " + request.getParameter("param2") + "\n" +
                    "  <LI><B>param3</B>: " + request.getParameter("param3") + "\n" +
                    "</UL>\n" +
                    "</BODY></HTML>");
    }
}

Reading Three Parameters: Result

Filtering Strings for HTML-Specific Characters

• You cannot safely insert arbitrary strings into servlet output
– < and > can cause problems anywhere
– & and " can cause problems inside of HTML attributes
• You sometimes cannot manually translate
– The string is derived from a program excerpt or another source where it is already in some standard format
– The string is derived from HTML form data
• Failing to filter special characters from form data makes you vulnerable to cross-site scripting attacks
– http://www.cert.org/advisories/CA-2000-02.html
– http://www.microsoft.com/technet/security/crssite.asp
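An added example (not from the coreservlets.com book) that carries the slide's point through: the ThreeParams servlet rewritten so that every parameter passes through a filter() that replaces the characters named above, and so that a missing parameter (getParameter returning null, as the earlier slide notes) is handled. The class name, the entity table and the "(missing)" placeholder are my own choices.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the coreservlets.com book: ThreeParams with the
// filtering the slide calls for. Class name and entity choices are my own.
public class ThreeParamsFiltered extends HttpServlet {

    // Replace the characters that carry meaning in HTML text or inside a quoted
    // attribute value with character entities, so user input is displayed as
    // text instead of being parsed as markup or script.
    public static String filter(String input) {
        if (input == null) {
            return "(missing)";   // getParameter returns null for an absent parameter
        }
        StringBuilder filtered = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  filtered.append("&lt;");   break;
                case '>':  filtered.append("&gt;");   break;
                case '&':  filtered.append("&amp;");  break;
                case '"':  filtered.append("&quot;"); break;
                case '\'': filtered.append("&#39;");  break;
                default:   filtered.append(c);
            }
        }
        return filtered.toString();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        String title = "Reading Three Request Parameters";
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n"
                + "<HTML><HEAD><TITLE>" + title + "</TITLE></HEAD>\n"
                + "<BODY BGCOLOR=\"#FDF5E6\">\n<H1 ALIGN=CENTER>" + title + "</H1>\n<UL>");
        // Every parameter value passes through filter() before it is written.
        for (String name : new String[] {"param1", "param2", "param3"}) {
            out.println(" <LI><B>" + name + "</B>: " + filter(request.getParameter(name)));
        }
        out.println("</UL>\n</BODY></HTML>");
    }
}
```

Escaping on output is the complement of, not a substitute for, validating the parameter values on input; a value that only needs to be a course code or a name can additionally be checked against that shape before it is used at all.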