{"title":"SQL DOM: compile time checking of dynamic SQL statements","authors":"Russell A. McClure, Ingolf Krüger","doi":"10.1145/1062455.1062487","DOIUrl":null,"url":null,"abstract":"Most object oriented applications that involve persistent data interact with a relational database. The most common interaction mechanism is a call level interface (CLI) such as ODBC or JDBC. While there are many advantages to using a CLI - expressive power and performance being two of the most key - there are also drawbacks. Applications communicate through a CLI by constructing strings that contain SQL statements. These SQL statements are only checked for correctness at runtime, tend to be fragile and are vulnerable to SQL injection attacks. To solve these and other problems, we present the SQL DOM: a set of classes that are strongly-typed to a database schema. Instead of string manipulation, these classes are used to generate SQL statements. We show how to extract the SQL DOM automatically from an existing database schema, demonstrate its applicability to solve the mentioned problems, and evaluate its performance.","PeriodicalId":217879,"journal":{"name":"Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005.","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"235","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1062455.1062487","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 235
Abstract
Most object-oriented applications that involve persistent data interact with a relational database. The most common interaction mechanism is a call-level interface (CLI) such as ODBC or JDBC. While there are many advantages to using a CLI - expressive power and performance being two of the most important - there are also drawbacks. Applications communicate through a CLI by constructing strings that contain SQL statements. These SQL statements are only checked for correctness at runtime, tend to be fragile, and are vulnerable to SQL injection attacks. To solve these and other problems, we present the SQL DOM: a set of classes that are strongly typed to a database schema. Instead of string manipulation, these classes are used to generate SQL statements. We show how to extract the SQL DOM automatically from an existing database schema, demonstrate its applicability to solving the mentioned problems, and evaluate its performance.