JDBC

Goals

Become acquainted with the JDBC approach to using SQL.
Connect to the database and create statements using JDBC.
Discover the benefits of JDBC prepared statements.
Learn about advanced JDBC features.

Concepts

connection
cursor
driver
Java Database Connectivity (JDBC)
Java Naming and Directory Interface (JNDI)
Open Database Connectivity (ODBC)
prepared statement
result set
scrollable result set
statement
updatable result set

Library

Dependencies

org.postgresql:postgresql:42.2.1

Lesson

SQL is by far the most common language for accessing a database, and Java is an excellent language for programming database applications. For Java to access a database, there must be some way for Java to send SQL commands to the database to be executed. One brute-force approach would be for Java to issue shell commands to the database command interpreter, but that would be unwieldy and would tie the application to some particular database product.

In the early 1990s Microsoft created Open Database Connectivity (ODBC) API as a common way for programs to interact with a database. At one time ODBC was the most popular API for accessing databases, and it is still in wide use today. But ODBC is based on the C language, is difficult to learn, and does not yet provide access to later SQL features. Java instead provides the Java Database Connectivity (JDBC) API, which was modeled on ODBC but provides a pure-Java database connectivity solution.

The JDBC classes are found in two main packages, java.sql and javax.sql. It defines several concepts, presented in the API as Java interfaces. Here are the central ones:

connection: Encapsulates a session of interaction with the database.
statement: Provides a means to send an SQL command to the database, once a connection is established.
result set: Represents the result of an SQL command, with a means for iterating and/or updating individual rows in the result.

Drivers

JDBC thus provides a level of indirection allowing you to program to the JDBC API, rather than the using the database's proprietary protocol, in order to send the database SQL for execution. For this single API to work across database products, you must use a specific JDBC driver for each database product you access, which functions as an implementation of the API. Most of the time database vendors will provide a JDBC driver. These drivers are normally one of four types:

Type 1: JDBC-ODBC bridge: The JDBC driver talks to an existing ODBC driver for the database. This is mostly a stop-gap solution for a product that does not yet offer a JDBC driver.
Type 2: Java/native driver: Part of the JDBC driver is written in Java, but the part that speaks to the database is written in native code.
Type 3: Java/middleware driver: The driver is written in pure Java, but it doesn't talk directly to the database; instead, it talks to some “middleware” server, which in turn talks to the database.
Type 4: Pure Java driver: The driver is written in pure Java and talks directly with the database using its proprietary protocol.

JDBC 4 drivers are loaded automatically via the Java Service Provider mechanism briefly described in the lesson on configuration. To verify whether the JDBC driver you are using supports automatic loading, consult its documentation. You may also check manually by opening its JAR file to verify that it contains a META-INF/services/java.sql.Driver file containing the full name of the driver class. Otherwise, if the driver does not support the Java Service Provider mechanism, or you are using an old version of Java, you will need to load driver manually by explicitly loading the driver class once at the beginning of your program. Here is how you would manually load the PostgreSQL driver in an old version of Java:

Class.forName("org.postgresql.Driver");

Connecting to the Database

Before interacting with the database, you must first connect to it. The traditional approach is to ask java.sql.DriverManager for a connection using DriverManager.getConnection(String url, String user, String password). If you want to configure additional connection parameters, you can call DriverManager.getConnection(String url, Properties info) passing database-specific key/value pairs, usually including values for user and password.

The JDBC connection “URL” must be in the form jdbc:subprotocol:subname, where subprotocol identifies the database product being used. The format of the subname portion is left to the discretion of the driver. Here are a few JDBC URL formats for common databases, with links to their specification.

Database	URL Format	Examples
PostgreSQL	`jdbc:postgresql://[host][:port]/[database]`	`jdbc:postgresql://localhost/warehouse`
Oracle	`jdbc:oracle:thin:@[//]host[:port][:service]`	`jdbc:oracle:thin:@localhost:warehouse`
H2	`jdbc:h2:[file:][path]database` `jdbc:h2:mem:database` `jdbc:h2:tcp://host[:port]/[path]database` `jdbc:h2:ssl://host[:port]/database` `jdbc:h2:zip:file!/database`	`jdbc:h2:file:/date/warehouse` `jdbc:h2:mem:warehouse` `jdbc:h2:tcp://localhost/data/warehouse` `jdbc:h2:ssl://localhost/data/warehouse` `jdbc:h2:zip:examplezip!/warehouse`

The JDBC “URL” does not follow all the URI syntax rules, and would probably be better called a “connection string”. Its encoding rules is left to the discretion of the driver. In particular the space character, which would be encoded as %20 in a true URL, is usually left as a space and passed to the driver unmodified. Some drivers use special encoding delimiters. Check the reference documentation for your product's JDBC driver.

The driver manager will determine the appropriate database driver to use based upon the connection URL. Once you have connected to the database, the driver returns a java.sql.Connection instance.

Connecting to a database using DriverManager.

final String CONNECTION_URL = "jdbc:postgresql://example.amazonaws.com:5432/warehouse";
final Properties properties = new Properties();
properties.setProperty("user", "jdoe"); //example only; do not include in source code!
properties.setProperty("password", "secret"); //example only; do not include in source code!
properties.setProperty("ssl", "true");
try(final Connection connection = DriverManager.getConnection(CONNECTION_URL, properties)) {
  //TODO talk to the database
}

Java indicates that the “preferred means” of obtaining a connection is to use a javax.sql.DataSource rather than DriverManager. A DataSource instance usually comes preconfigured with all the necessary database connection parameters, allowing you to access a connection merely by calling DataSource.getConnection(). The most common approach is for the application to retrieve a DataSource instance using the Java Naming and Directory Interface (JNDI), which you looked at briefly in the lesson on configuration.

final Context context = new InitialContext();
final DataSource dataSource = (DataSource)context.lookup("jdbc/warehouseDb");
try(final Connection connection = dataSource.getConnection()) {
  //TODO talk to the database
}

The benefit is that the setup of the data source is completely removed from the main program, allowing it to be configured independently. The program does not need to set any connection parameters—the URL connection string need not even be known in the program code. Connection pooling, for example, can be enabled automatically from outside the application. All that is needed is the JNDI identifier, in this case jdbc/warehouseDb. The drawback is that a data source specific for the database product must still be configured, usually in a server configuration. Moreover the actual DataSource implementation class usually needs to be known and specified, and then registered with JNDI. If configured in code, even at the server level, separate configuration files will still be needed. For simple application, it may be simpler and more direct to simply place the URL string, credentials, and other parameters in an external configuration file, loading them using some standard framework as discussed in the lesson on configuration. You may need to create a DataSource instance if you want to use Connection Pooling. See JDBC Basics: Connecting with DataSource Objects.

Connection Pooling

TODO; see e.g. https://stackoverflow.com/q/2835090/421049, https://stackoverflow.com/q/2299469/421049, https://www.developer.com/java/data/understanding-jdbc-connection-pooling.html

Statements

After you are connected, you will be able to send SQL commands to the database. The java.sql.Statement interface encapsulates an SQL command or query.

DDL Statements

The connection acts as a statement factory, so you can ask for a statement using Connection.createStatement(). This provides a basic statement instance which might be used for data definition SQL commands, such as creating a table. These types of commands do not return results, so you can execute the literal SQL string using Statement.executeUpdate(String sql).

Creating a database schema using JDBC statements.

final String CREATE_SUPPLIER_TABLE_SQL = "CREATE TABLE Supplier ("
    + "  id INTEGER NOT NULL GENERATED ALWAYS AS IDENTITY PRIMARY KEY,"
    + "  name VARCHAR(9999) NOT NULL UNIQUE,"
    + "  address VARCHAR(9999) NOT NULL"
    + ")";
final String CREATE_ITEM_TABLE_SQL = "CREATE TABLE Item ("
    + "  code VARCHAR(99) NOT NULL,"
    + "  name VARCHAR(9999) NOT NULL,"
    + "  stock INTEGER DEFAULT 0 NOT NULL,"
    + "  supplierId INTEGER NOT NULL,"
    + "  CONSTRAINT Item_pk PRIMARY KEY (code),"
    + "  CONSTRAINT Item_name_un UNIQUE (name),"
    + "  CONSTRAINT Item_supplierId_fk FOREIGN KEY (supplierId) REFERENCES Supplier(id)"
    + ")";
final String CREATE_CATEGORY_TABLE_SQL = "CREATE TABLE Category ("
    + "  id INTEGER NOT NULL GENERATED ALWAYS AS IDENTITY PRIMARY KEY,"
    + "  name VARCHAR(9999) NOT NULL,"
    + "  CONSTRAINT Category_name_un UNIQUE (name)"
    + ")";
final String CREATE_ITEM_CATEGORY_TABLE_SQL = "CREATE TABLE ItemCategory ("
    + "  itemCode VARCHAR(99) NOT NULL,"
    + "  categoryId INTEGER NOT NULL,"
    + "  CONSTRAINT ItemCategory_pk PRIMARY KEY (itemCode, categoryId),"
    + "  CONSTRAINT ItemCategory_itemCode_fk FOREIGN KEY (itemCode) REFERENCES Item(code),"
    + "  CONSTRAINT ItemCategory_categoryId_fk FOREIGN KEY (categoryId) REFERENCES Category(id)"
    + ")";
try(final Connection connection = DriverManager.getConnection(CONNECTION_URL, "jdoe", "secret")) {
  try(final Statement statement = connection.createStatement()) {
    statement.executeUpdate(CREATE_SUPPLIER_TABLE_SQL);
    statement.executeUpdate(CREATE_ITEM_TABLE_SQL);
    statement.executeUpdate(CREATE_CATEGORY_TABLE_SQL);
    statement.executeUpdate(CREATE_ITEM_CATEGORY_TABLE_SQL);
  }
}

Because each JDBC statement is sent separately, unlike in an interactive environment, there is no need to indicate the end of a statement with a semicolon ; character.

As with Connection, you should call Statement.close() after you are finished using it. The Statement interface implements AutoCloseable, so you can use it with Java's try-with-resources.

DML Statements

SQL statements that perform CRUD operations, such as inserting or querying data, have a couple of special characteristics: essentially the same SQL statement may be called many times; and those statements may have parameters that vary slightly with each call. Manually constructing query strings is not only tedious, it can also be dangerous if the query parameters are not properly encoded. Moreover performance of repeated statements is not optimal if the database has to parse and process the statement afresh with each call.

For DML commands JDBC provides a special kind of statement object called a prepared statement. This type of statement “prepares” the SQL command by sending it to the database for analysis before actually being executed. A prepared statement can have variable placeholders, allowing a program to substitute specific values immediately before execution. When multiple commands are sent this can be more efficient because the database already knows the format of the statement. The prepared statement automatically encodes the replacement values as needed, preventing “injection attacks” in which malicious users provide raw SQL as entry values.

The java.sql.PreparedStatement interface extends the Statement interface. Instead of calling Connection.createStatment(), call Connection.prepareStatement(String sql) to acquire a prepared statement. If the SQL statements has information that could vary between calls, use the question mark ? character as a placeholder.

Before executing the update, call one of the prepared statement's setXXX() methods such as PreparedStatement.setInt(int parameterIndex, int x) or PreparedStatement.setString(int parameterIndex, String x) for the type you want to set. The parameterIndex indicates the one-based position of the parameter to replace. Once you have set all the parameters, call PreparedStatement.executeUpdate(). The method will return the number of rows updated.

Changing the address of a supplier by name using a prepared statement.

final String CHANGE_SUPPLIER_ADDRESS_BY_NAME_SQL = "UPDATE Supplier"
    + "  SET address = ?"
    + "  WHERE name = ?";
try(final Connection connection = DriverManager.getConnection(CONNECTION_URL, "jdoe", "secret")) {
  try(final PreparedStatement preparedStatement = connection.prepareStatement(CHANGE_SUPPLIER_ADDRESS_BY_NAME_SQL)) {
    preparedStatement.setString(2, "Acme Furniture Company");  //name
    preparedStatement.setString(1, "789 Last Lane");  //new address
    final int rowsUpdated = statement.executeUpdate();
    //TODO provide error handling if rowsUpdated != 1
  }
}

The “index” of the first parameter is 1, not 0 as you might have expected.

JDBC 4.2 drivers come with support for many of the Java date and time types from JSR 310. Because JDBC interfaces were not modified to add support for these types, you must use PreparedStatement.setObject(int parameterIndex, Object x) and pass the JSR 310 date/time instance as an Object. See Java SE 8 Date and Time.

Java Type	SQL Type
`java.time.LocalDate`	`DATE`
`java.time.LocalTime`	`TIME`
`java.time.LocalDateTime`	`TIMESTAMP`
`java.time.OffsetTime`	`TIME_WITH_TIMEZONE`
`java.time.OffsetDateTime`	`TIMESTAMP_WITH_TIMEZONE`

The most popular database products now provide JDBC 4.2 drivers supporting JSR 310 types:

PostgreSQL as of version 9.4.1208.
Oracle as of version 12.2 (ojdbc8.jar).
H2 as of version 1.4.193.

For storing an instant of time JDBC provides the java.sql.Timestamp class, which adds nanosecond precision and can be used to set a parameter using PreparedStatement.setTimestamp(int parameterIndex, Timestamp x). You can create a Timestamp from a java.time.Instant using Timestamp.from(Instant instant), or convert back using Timestamp.toInstant(). The class also has the Timestamp.valueOf(LocalDateTime dateTime) and Timestamp.toLocalDateTime() methods for converting from and to java.time.LocalDateTime instances, but these are usually not needed if you have a JDBC 4.2 driver, as explained above. See New Methods On Old Classes.

Prepared statements really shine when you need to perform several consecutive updates with different parameters. Consider adding the suppliers to the database for the first time, and assume that you have some sort of Supplier implementation class that holds suppliers. You can use a loop to add each of these suppliers to the database, using the same prepared statement.

Reusing a prepared statement to add multiple rows to the database.

final List<Supplier> suppliers = Arrays.asList(
  new Supplier("Acme Furniture Company", "123 Some Street"),
  new Supplier("Bozo Toy Company", "321 Other Street"),
  new Supplier("Top Toys Corporation", "456 Far Avenue")
);
final String INSERT_SUPPLIER_SQL = "INSERT INTO Supplier (name, address)"
    + "  VALUES (?, ?)";
try(final Connection connection = DriverManager.getConnection(CONNECTION_URL, "jdoe", "secret")) {
  try(final PreparedStatement preparedStatement = connection.prepareStatement(INSERT_SUPPLIER_SQL)) {
    for(final Supplier supplier : suppliers) {
      preparedStatement.setString(1, supplier.getName());  //name
      preparedStatement.setString(2, supplier.getAddress());  //new address
      final int rowsUpdated = statement.executeUpdate();
      //TODO provide error handling if rowsUpdated != 1
    }
  }
}

Processing Results

Queries by definition have a distinction that sets them apart from other DML statement: they potentially return results. For such statements JDBC provides the PreparedStatement.executeQuery() method, which provides a java.sql.ResultSet for accessing the result of the query. The Statement interface provides a similar Statement.executeQuery(String sql) method, although most of the time it is recommended to use PrepareStatement instead for queries.

In the relational algebra, the result of an operation is always a relation. In SQL the result of a query is table, which may have duplicate rows. A ResultSet provides access to the rows a query produces by maintaining a cursor indicating the current row being accessed. It is similar to java.util.Iterator<E> in that it provides a way to repeatedly retrieve a “next” row until there no more rows remaining. Unlike the Iterator<E> interface, there is no “has next” functionality; the method to advance to the next row, ResultSet.next(), will simply return false if there is no next row. ResultSet.next() does not return the next row; rather the ResultSet instance itself provides access to data in the row pointed to by the cursor.

A ResultSet is initialized with its cursor pointing before the first row of the result. This means that ResultSet.next() must be called before information can retrieved from the row. If ResultSet.next() returns true, use the getXXX() method for the appropriate type to retrieve a value from a column. These methods such as ResultSet.getInt(String columnLabel) and ResultSet.getString(String columnLabel) are analogous to the setXXX() methods of PreparedStatement and support the same types. The columnLabel identifies the name of the result column from which to retrieve the value for the current row.

Listing all the stocks of toys.

final String LIST_ITEMS_FOR_CATEGORY_SQL = "SELECT Item.name AS itemName, Item.stock AS itemStock"
    + "  FROM Item"
    + "    JOIN ItemCategory ON ItemCategory.itemCode = Item.code"
    + "    JOIN Category ON ItemCategory.categoryId = Category.id"
    + "  WHERE Category.name = ?";
try(final Connection connection = DriverManager.getConnection(CONNECTION_URL, "jdoe", "secret")) {
  try(final PreparedStatement preparedStatement = connection.prepareStatement(LIST_SUPPLIERS_SQL)) {
      preparedStatement.setString(1, "toy");  //set category name to filter on
      try(final ResultSet resultSet = statement.executeQuery()) {
        while(resultSet.next()) {
          System.out.println(String.format("%s: %d", resultSet.getString("itemName"), resultSet.getInt("itemStock")));
        }
      }
    }
  }
}

ResultSet provides alternate accessor methods such as ResultSet.getInt(int columnIndex) and ResultSet.getString(int columnIndex) which return values based upon the one-based order of the columns (which SQL maintains, unlike the relational algebra). Nevertheless it will lead to more understandable and more maintainable code to refer to results only by column name.

If a result produces multiple columns with the same name, when accessing values by column name a ResultSet will return the first column with that name. For example, if the above query had returned both the name column of the Item table and the name column of the Category table, it would not be possible to access both name columns in the ResultSet without modifying the query. It would be best to use SQL AS to rename the column in the result, for example SELECT Item.name AS itemName, Category.name AS categoryName ….

You cannot retrieve a value from a ResultSet based on the qualified name of a column, even if you used the qualified name in the query. If the query uses SELECT Item.name …, for example, you cannot access the item's name using resultSet.getString("Item.name"). JDBC does not keep track of the original tables—only the resulting unqualified columns. If you qualified one or more column names in the query because of duplicate column names in the result, you should rename the result column using SQL AS, as illustrated in the warning above.

Although Java primitive types such as int cannot be null, relational databases allow any column to be NULL, provided there is not a not-null constraint in place. Thus if you retrieve a primitive value from the ResultSet, if the underlying value is NULL JDBC will return some default value. For example if you call ResultSet.getInt(String columnLabel) for a column containing NULL, the method will return 0. In such cases you must call ResultSet.wasNull() after the initial value retrieve to determine if the actual value

If you are using a JDBC 4.2 driver, retrieving and updating values from a ResultSet supports many of the Java date and time types from JSR 310, similar to support in PreparedStatement.setObject(int parameterIndex, Object x) as discussed above.

Scrollable, Updatable Result Sets

The scrollability and concurrency values are int values, providing no type safety; be careful not to switch them. These should have been enum types, but they were added to JDBC before Java had enums.

A scrollable result set has the ability to move its cursor both forward and backwards, and an updatable result set allows you to change the underlying data. By default a result set can only iterate forward, and its contents are read-only. If you want a scrollable and/or an updatable result set, you must specify this when you create the statement using Connection.createStatement(int resultSetType, int resultSetConcurrency). The scrolling types and concurrency types are defined in the ResultSet interface.

Result set scrollability values.

ResultSet.TYPE_FORWARD_ONLY: The result set cursor can only move forward. This is the default for Connection.createStatement().
ResultSet.TYPE_SCROLL_INSENSITIVE: The result set is scrollable, but will not reflect changes made to the database.
ResultSet.TYPE_SCROLL_SENSITIVE: The result set is scrollable, and changes to the underlying data will be visible.

Result set concurrency values.

ResultSet.CONCUR_READ_ONLY: The result set does not allow updating the database. This is the default for Connection.createStatement().
ResultSet.CONCUR_UPDATABLE: The result set allows updating the underlying data.

Scrolling

A scrollable result set can move forward as can a non-scrollable result set, but can also move backward using ResultSet.previous(). Remember that a the result set's cursor starts out before the first row. You can later return to this position using ResultSet.beforeFirst(). You can also move the cursor to after the last row by using ResultSet.afterLast() if you wish to work backwards. ResultSet comes with several other methods for scrolling backward and forward absolute and relative amounts; see the API documentation for details.

Updating

If you requested an updatable result set, you can use the appropriate updateXXX() method for the appropriate type to update a value in a column for the current row. These methods such as ResultSet.updateInt(String columnLabel, int x) and ResultSet.updateString(String columnLabel, String x) correspond to the getXXX() methods for retrieving values. There is also a ResultSet.updateNull(String columnLabel) method for setting a column to NULL. The columnLabel identifies the name of the result column for which to set the value for the current row. Once you update columns for a particular row, you must call ResultSet.updateRow() to save the updated values to the database; otherwise, your changes will be lost when you move to a different row.

Avoid updating data in the database via the ResultSet interface unless there are no other options, as programmatic updates of the database are not as efficient as updating the database in a set-based approach via SQL. For example, to add some value to some column, would never want to add the value programmatically on a row-by-row basis unless the calculation were too complicated for an SQL UPDATE statement.

Review

Summary

TODO table of JDBC Java/SQL mappings from specification

Gotchas

Prepared statement parameter indexes are one-based, not zero-based.
Make sure duplicate columns do not appear in the result unless rename them using SQL AS.
ResultSet does not maintain the names of the original tables in a query; you therefore cannot access values using qualified column names, even if you qualified those names in the SQL query.
Don't forget to call ResultSet.updateRow() after updating column values in a particular row.

In the Real World

Do not hard code prepared statement parameter positions. Instead create constants or use the ordinal of enum with a beginning dummy value to make the values one-based.
Access result set values by column name, not column position. This leads to more maintainable code, greatly offsetting any small performance benefit which index-based access might theoretically bring.
You should almost always use PreparedStatement, which is safer and can be much more efficient than Connection.

Think About It

TODO

Self Evaluation

What does Java indicate is the preferred source to use as a connection factory?
What is an “injection attack”?
Explain two advantages of prepared statements.
What are two differences between the ResultSet interface and the Iterator<E> interface?
When a result set is created, where does its cursor point?

Task

Implement a JdbcPublicationRepository that loads and stores publications in your database.

Ensure that you have already created your schema in your remote PostgreSQL database.
For now the implementation must only implement those methods related to adding and retrieving publications, such as PublicationRepository.addPublication() and PublicationRepository.publications().
- You do not need to implement deleting publications.
- Stock manipulation methods need not be implemented.
A method not yet implemented should throw an UnsupportedOperationException.
Provide a JDBC-specific implementation of PublicationRepository.publicationsByType() that uses a query to efficiently retrieve only publications of the indicated type, rather than loading all publications and filtering them afterwards.

References

Resources

Acknowledgments

JDBC™ API Tutorial and Reference, 3rd Edition, Chapter 1: Introduction (Maydene Fisher, Jon Ellis, Jonathan Bruce - Addison-Wesley Professional, 2013)
Java Database Best Practices (George Reese - O'Reilly, 2009)
Expert Oracle JDBC Programming (R. M. Mennon - Apress, 2005)
JDBC 4.0 and Oracle JDeveloper for J2EE Development (Deepak Vohra, Packt)
Some symbols are from Font Awesome by Dave Gandy.