Questions tagged [callable-statement]
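java - How do I get multiple result sets from a single CallableStatement?
When I call the stored procedure from the command line, I get the following.
Here is my Java code snippet
When I execute the statement, only the event_table result is returned. I read the following query:
I am trying to avoid making multiple requests to the database because it is very slow (300 ms, depending on how many results there are)
Is it even possible?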
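java - Exception: callable statement did not return any value
I wrote Java code to call a stored procedure that returns some data. Here is the code -
"Get_DailyCampaignReachReport" is the name of the stored procedure. Now, when I execute this code, I get an exception "callable statement did not return any value". This happens when the execute method is called on the callablestatement. But I cannot understand why this is happening. Can anyone help me understand where I am making a mistake? Here is how the stored procedure looks in the database.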
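java - Stored procedure output parameter returns null
I have a stored procedure that I call using the standard syntax (I say that, but I have never called a procedure before).
When the stored procedure is called through Toad or SQLDeveloper, it returns the correct value (it is a number). The stored procedure pulls data from one table and inserts it into another. The procedure does work, and it is working when I call it; it just does not return the correct value.
However, when I use the code below, I get 0 (the equivalent of null) when using getInt:
If anyone could give me any guidance on why null is being returned, it would be much appreciated. I appreciate that it may be difficult without seeing the procedure code (it is very long, so I am not posting it), but any guidance would be great.
Thanks.
Edit:
Here is the declaration of the procedure:
Here is the part that returns the value from the procedure: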
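java - Performance degradation of CallableStatement
I have a stored procedure in Oracle 11g that I call from a Java program using the Oracle thin database driver and a CallableStatement. This stored procedure is called thousands of times in a loop on the same connection.
For the first 10-20 calls of callableStatement.execute(), the call returns in < 200 ms; however, performance starts to degrade over time. After 200 calls, callableStatement.execute() now takes 600 ms and continues to degrade.
If I close the connection periodically, execution times return to the normal < 200 ms range. Clearly something is being incorrectly cached in the JDBC connection, although the documentation states that CallableStatements are not cached.
Running the same stored procedure from a C program using the Oracle OCI driver shows no performance degradation and returns consistently in < 200 ms.
Has anyone noticed this behavior or have any ideas for a workaround in Java?
Edit: Here is the section of code that is run many times; the connection is shared, and the CallableStatement is created on every loop. There is no improvement if the CallableStatement is cached.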
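java - How do I map an Oracle table with a RAW data type column to Java JDBC code?
How do I map an Oracle table with a RAW data type column to Java JDBC code?
I tried the following, but the value changes by the time it reaches the database.
The value stored in the database looks like 581F0A15DBB6C27F003F6F26C6A319A5
This same value is converted in the Java code above to 3538314630413135444242364332374630303346364632364336413331394135
but the DB expects 581F0A15DBB6C27F003F6F26C6A319A5.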
stored-procedures - Is CallableStatement really immune to SQL injection?
We have a Java application that communicates with multiple SQL Server databases on the same box. The number of and names of these databases vary. By and large, we use almost exclusively stored procedures with CallableStatement to access the databases. We are extremely good about avoiding SQL injection and using bind variables.
The only area of concern is that the database name itself is concatenated into the SQL that we pass to the CallableStatement as such:
procName is hard-coded into child classes using a template method pattern, so that string is guaranteed safe.
dbName is defined externally. I have tried setting dbName to all sorts of patterns to escape the syntax and exploit this on my development environment and have been unsuccessful.
I have set it to the following to produce the following SQL calls (table and proc names changed to protect the innocent):
becomes
and
becomes
Results in Incorrect syntax near ')'. and poor_victim_table still has rows. I have used truncate table, drop table and drop database and when they didn't work, I switched to simple delete to rule out security settings.
If I use a proc that takes bind parameters, I always get a mismatch between the number of expected parameters and supplied parameters such as The index 1 is out of range.
becomes
All roads seem to lead to a runtime error and the SQL does not execute. Of course, this is great. But I want to make sure it's failing because it cannot succeed and not failing because I am failing to try the right combination.
The popular opinion / urban myth is that using a stored procedure makes you immune to SQL injection, but I prefer to not trust absolute statements like that when it comes to security.
After researching this for a while, the best I came up with is this stackoverflow question: SQL injection - no danger on stored procedure call (on iSeries)?. It seems to support using CallableStatement because it protects you from SQL injection unless your proc code itself makes dynamic SQL out of an input parameter.
So, my question to the community is, assuming the SQL code in a proc is safe, does using CallableStatement in JDBC really prevent SQL injection? Or does the SQL Server driver parse the string in a way that prevents it, but other drivers may not? Or am I not trying hard enough?
If it is safe, how is that guarantee made? Is it due to the abstract syntax of using { call blah(?) } which is not real SQL, but gets translated to SQL?
java - CallableStatement arrayindexoutofbound
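I am trying out CallableStatement in a SQL utility class. The procedure executes fine in the DB, but I get an array index out of bounds error. I tried to debug it, and it seems there is a problem with the callablestatement syntax.
Here is the error I am getting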
java - Java multiple inserts
I have a requirement to do hundreds of inserts in a certain part of a web app. It currently works by looping over a prepared statement and committing each one individually. This process is very prone to a Transaction timeout (Extending the timeout time is not viable). It needs to be completely rewritten to be more efficient. I have been able to come up with two ideas:
Instead of using a prepared statement, use a normal statement and simply loop over each additional item I want to insert and append it to the query. I am not very concerned with SQL injection because this all stems off of one single id that is verified earlier in the process. Please feel free to tell me if this is naive.
Have a stored procedure in the database that does all of the inserts. I would call it by using a callable statement.
If there is another (better) way not mentioned here, please let me know.
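mybatis - myBatis callable statement - Java date problem
I was using mybatis-3.1.1 and the code below had no problems.
DAO implementation
Mapper
Mapper XML.
After upgrading to mybatis-3.2.5, it now passes null as the DATE to the Oracle procedure.
Can you help me solve this problem? I am not sure whether I have to update my mapper XML and include something to tell it to parse correctly.
I am using java.util.Date in Java.
Thanks, Chirag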
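sql - Executing an INSERT statement with a function via JDBC
How do I execute, using JDBC, an INSERT statement that has a user-defined PL/SQL function in the VALUES clause?
Should prepareStatement() or callablestatement() be used?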