Mon Jul 7 16:36:00 CEST 2003
The typical use of this functionality is when you have a large number of records to insert or
If you do not use the parameter binding, then the SQL is parsed by the database for each row. With
parameters, the SQL is parsed once, and therefore the time for lots of inserts or updates is lots
The second issue is a security issue. Without parameters, you can only do string concatenation. Lets
say you allow someone to search from a web page. You expect:
Name = "SMITH" on web page for
SELECT * FROM Customer where Name = '(ValOf Name)'
SELECT * FROM Customer where Name = 'SMITH'
Instead, they enter "SMITH;DELETE * FROM Customer;"
Now you have a disaster.
If you use parameter binding, this cannot happen, since the text is purely a string to be searched
> -----Original Message-----
> From: Ingela Anderton [mailto:ingela@REDACTED]
> Sent: Monday, July 07, 2003 3:17 AM
> To: apeake@REDACTED; erlang-questions@REDACTED
> Subject: Re: ODBC
> Alex Peake wrote:
> > In looking through the ODBC documentation, I do not see a way to bind parameters, as in:
> > "INSERT INTO Customer (FirstName, LastName, Street, City, State, Zip) VALUES(?,?,?,?,?,?)"
> > and SQLBindParameter()
> > Is this available? Was it omitted for a reason? Is it possible for a mere mortal to add?
> Well the Erlang ODBC application aims to provide an erlang style
> programming interface to sql-databases. This means that it tries to
> provide the functionality that an SQL-user wants, which is not a one
> to one mapping with the Microsoft ODBC API, as it is a C-API that has
> to handle memory allocation and stuff that an Erlang programmer does
> not need to think about. Howere ODBC is a big standard and what
> functionalty that has been included depends in first hand what our
> commercial customers have required.
> The erlang odbc is a fairly small application, so it should not be
> that hard to get your head around it. It all of course depends on your
> prior knowledge. The latest version of the documentation includes some
> design info. (Has only been patch on the windows platform) Also there
> is some internal documentation at the top of the c-file odbcserver.c
> The functionality you are talking about was not omitted for any
> special reason it rather has not been considered yet. If you could
> explain a little when and why you want to use this functionality it would
> have a better chance to become part of the official release.
> Ericsson AB - OTP team
More information about the erlang-questions