28 Nov 2013, 22:12

Jeffrey Madynski (1 post)

I like the book, thanks for your hard work.

Many companies do not allow raw SQL execution as it opens the door to SQL injection attacks. Instead, stored procedures are preferred. That certainly brings its own complexity with syncing the DB with the version of code running against it.

I think it is worth mentioning in chapter 4 that stored procedures are not well supported, or giving a hyperlink to show how people are doing it until there is better support in org.clojure/java.jdbc. I did not find an easy way to execute one besides wrapping some Java, but maybe I did not look hard enough.

29 Nov 2013, 01:15

Dmitri Sotnikov (36 posts)

Parameterized queries are used to prevent SQL injection, so this alone shouldn't be a reason to use stored procs.

However, you’re right that there’s no native way to work with them at the moment. Something like this would be your best bet. I’ll take a look at making a mention about this in the DB chapter.

Also, it’s worth noting that db-do-prepared can be used for stored procedures that don’t require OUT parameters:

(require '[clojure.java.jdbc :as j])
;; (connection) stands for your db-spec; the vector holds the bound parameters
(j/db-do-prepared (connection) "EXEC SomeProc ?" [COLUMN_NAME])

The good news is that this is a recognized issue and native support is coming.
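The two points in the reply above, that bound parameters rather than stored procedures are what stop injection, and that a procedure with OUT parameters currently means dropping down to JDBC's CallableStatement, as one added example. This is not code from the thread or from the book; the db-spec, table, and the procedures archive_orders and count_orders are assumed for illustration, and the java.jdbc calls are those of the 0.3.x API current at the time of the thread.

```clojure
(ns example.stored-procs
  (:require [clojure.java.jdbc :as jdbc])
  (:import [java.sql Connection CallableStatement Types]))

;; Assumed connection spec (not from the original thread); any JDBC driver
;; works, the JDBC escape syntax {call ...} below is portable across databases.
(def db {:subprotocol "postgresql"
         :subname     "//localhost:5432/app"
         :user        "app"
         :password    "secret"})

;; --- Injection is stopped by parameter binding, not by stored procedures ---

;; Vulnerable: the user-supplied value is spliced into the SQL text, so an
;; input such as  x' OR '1'='1  becomes part of the query and rewrites it.
(defn find-user-unsafe [db username]
  (jdbc/query db [(str "SELECT * FROM users WHERE username = '" username "'")]))

;; Safe: the value is sent as a bound parameter of a PreparedStatement and is
;; never parsed as SQL, whatever characters it contains.
(defn find-user [db username]
  (jdbc/query db ["SELECT * FROM users WHERE username = ?" username]))

;; --- Stored procedure with no OUT parameters: db-do-prepared is sufficient ---
;; Assumes a procedure archive_orders(IN cutoff DATE). The single param group
;; [cutoff-date] is bound to the one ? placeholder.
(defn archive-orders! [db cutoff-date]
  (jdbc/db-do-prepared db "{call archive_orders(?)}" [cutoff-date]))

;; --- Stored procedure with an OUT parameter: use CallableStatement directly ---
;; java.jdbc 0.3.x has no wrapper for OUT parameters, so this borrows the raw
;; Connection from jdbc/get-connection and uses Java interop for the call.
;; Assumes a procedure count_orders(IN customer_id INT, OUT total INT).
(defn count-orders [db customer-id]
  (with-open [^Connection conn (jdbc/get-connection db)
              ^CallableStatement stmt (.prepareCall conn "{call count_orders(?, ?)}")]
    (.setInt stmt 1 (int customer-id))          ; IN parameter, bound, not spliced
    (.registerOutParameter stmt 2 Types/INTEGER) ; declare the OUT parameter's type
    (.execute stmt)
    (.getInt stmt 2)))                           ; read the OUT value after execution
```

The with-open block closes both the statement and the connection on the way out, including when the procedure throws; the procedure arguments still travel as bound parameters, so moving logic into a procedure only helps if the call site does not rebuild the injection problem by concatenating its inputs.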
