
28 Nov 2013, 22:12
Jeffrey Madynski (1 post)

I like the book, thanks for your hard work.

Many companies do not allow for raw sql execution as it opens the door to sql injection attacks. Instead stored procedures are preferred. That certainly brings its own complexity with syncing the db with the version of code running against it.

I think it is worth mentioning in chapter 4 that stored procedures are not well supported or give a hyperlink to show how people are doing it until there is better support in org.clojure/java.jdbc . I did not find an easy way to execute one besides wrapping some java, but maybe I did not look hard enough.

29 Nov 2013, 01:15
Dmitri Sotnikov (149 posts)

Parameterized queries are used in order to prevent SQL injection, so this alone shouldn’t be a reason to use stored procs.

However, you’re right that there’s no native way to work with them at the moment. Something like this would be your best bet. I’ll take a look at making a mention about this in the DB chapter.

Also, it’s worth noting that db-do-prepared can be used for stored procedures that don’t require OUT parameters:

(require '[clojure.java.jdbc :as j])
(j/db-do-prepared (connection) "EXEC SomeProc ?" [COLUMN_NAME])

Good news is that this is a recognized issue and native support is coming.
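To make the point about parameterized queries concrete, here is an added example (not code from the book or from either post) showing the same lookup written both ways with clojure.java.jdbc. The H2 in-memory db-spec, the users table and the O'Brien sample input are assumptions constructed for the example; the point is that any input containing a quote is either a syntax error or a query rewrite when spliced into the SQL text, but is compared as a plain value when bound through a ? placeholder.

```clojure
;; Added example, not the book's or the forum post's code.
;; Assumes clojure.java.jdbc (0.3 or later) and the H2 driver on the classpath;
;; the db-spec map is an assumption, replace it with your own.
(require '[clojure.java.jdbc :as j])

(def db {:classname   "org.h2.Driver"
         :subprotocol "h2:mem"
         :subname     "demo;DB_CLOSE_DELAY=-1"})

(defn setup!
  "Create a small users table with a constructed sample row."
  []
  (j/db-do-commands db "CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64))")
  (j/db-do-commands db "INSERT INTO users VALUES (1, 'O''Brien')"))

;; Unsafe: the caller-supplied string becomes part of the SQL text itself.
;; A name such as O'Brien closes the string literal early and the driver
;; throws a syntax error; crafted input could instead change the query.
(defn find-user-unsafe [name]
  (j/query db [(str "SELECT * FROM users WHERE name = '" name "'")]))

;; Safe: the value travels as a bound parameter, never as SQL text, so the
;; driver compares the whole input literally against the name column.
(defn find-user [name]
  (j/query db ["SELECT * FROM users WHERE name = ?" name]))

(comment
  (setup!)
  (find-user "O'Brien")
  ;; => ({:id 1, :name "O'Brien"})
  (find-user-unsafe "O'Brien")
  ;; => throws org.h2.jdbc.JdbcSQLException: syntax error, because the
  ;;    generated SQL is  SELECT * FROM users WHERE name = 'O'Brien'
  )
```

The same rule applies to the db-do-prepared stored procedure call above: the ? in "EXEC SomeProc ?" is a bound parameter, so choosing stored procedures over plain SQL is not by itself what prevents injection, using placeholders rather than string concatenation is.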