Tom Lane wrote:
> Oliver Jowett <oliver@opencloud.com> writes:
>
>>... using the V3 extended query protocol (this requires a number of
>>other driver changes, as at a minimum the driver will need to split up
>>queries that contain multiple statements)
>
>
> This is a bit off the thread topic, but: does the JDBC spec actually
> allow/expect multiple SQL commands in a query? Some people thought that
> the V3 restriction to one command per query string was a Good Thing
> because it helps guard against SQL-injection attacks when an application
> is careless about inserting untrustworthy text into a command string.
> If you don't have a spec requirement to cope with this, then I'd advise
> against adding code to support it.
I don't think there's such a requirement. The JDBC spec is vague, but
Sun's JDBC tutorial says:
===
This code does not end with a DBMS statement terminator, which can vary
from DBMS to DBMS. For example, Oracle uses a semicolon (;) to indicate
the end of a statement, and Sybase uses the word go . The driver you are
using will automatically supply the appropriate statement terminator,
and you will not need to include it in your JDBC code.
===
That said, executing multiple commands in a query seems quite common,
and works ok with the current driver. I'd be reluctant to break existing
apps by forbidding it.
Also, the JDBC spec recommends:
===
Drivers should provide access to every feature implemented by the
underlying data source, including features that extend the JDBC API.
When a feature is not supported, the corresponding methods throw an
SQLException. The intent is for applications using the JDBC API to have
access to the same feature set as native applications.
===
-O
