Static Checking of Dynamically Generated Queries in Database Applications

Many data-intensive applications dynamically constructqueries in response to client requests and execute them.Java servlets, e.g., can create string representations ofSQL queries and then send the queries, using JDBC, to adatabase server for execution. The servlet programmer enjoysstatic checking vi...

Full description

Saved in:

Bibliographic Details
Published in:	International Conference on Software Engineering: Proceedings of the 26th International Conference on Software Engineering; 23-28 May 2004 pp. 645 - 654
Main Authors:	Gould, Carl, Su, Zhendong, Devanbu, Premkumar
Format:	Conference Proceeding
Language:	English
Published:	Washington, DC, USA IEEE Computer Society 23.05.2004
Series:	ACM Conferences
Subjects:	Applied sciences Computer science; control theory; systems Exact sciences and technology Information systems > Data management systems > Database management system engines > Database query processing Information systems > Data management systems > Query languages Information systems > Information retrieval > Information retrieval query processing Information systems. Data bases Memory organisation. Data processing Software Software and its engineering > Software notations and tools > General programming languages > Language types Software and its engineering > Software organization and properties > Software functional properties > Correctness Software engineering Theory of computation > Logic > Logic and verification Theory of computation > Logic > Proof theory Theory of computation > Semantics and reasoning > Program reasoning > Program analysis Theory of computation > Semantics and reasoning > Program semantics Theory of computation > Theory and algorithms for application domains > Database theory > Database query languages (principles) Theory of computation > Theory and algorithms for application domains > Database theory > Database query processing and optimization (theory) Type theory High performance JAVA language Software development Database query Very large databases Information retrieval Program analysis Distributed computing Program verification SQL Character string Sound analysis Static analysis Defect Purchases Computer server Algorithm analysis Software engineering
ISBN:	9780769521633, 0769521630
ISSN:	0270-5257
Online Access:	Get full text
Tags:	Add Tag No Tags, Be the first to tag this record!

Abstract	Many data-intensive applications dynamically constructqueries in response to client requests and execute them.Java servlets, e.g., can create string representations ofSQL queries and then send the queries, using JDBC, to adatabase server for execution. The servlet programmer enjoysstatic checking via Javaýs strong type system. However,the Java type system does little to check for possible errorsin the dynamically generated SQL query strings. Thus,a type error in a generated selection query (e.g., comparinga string attribute with an integer) can result in an SQLruntime exception. Currently, such defects must be rootedout through careful testing, or (worse) might be found bycustomers at runtime. In this paper, we present a sound,static, program analysis technique to verify the correctnessof dynamically generated query strings. We describe ouranalysis technique and provide soundness results for ourstatic analysis algorithm. We also describe the details of aprototype tool based on the algorithm and present severalillustrative defects found in senior software-engineeringstudent-team projects, online tutorial examples, and a real-worldpurchase order system written by one of the authors.
AbstractList	Many data-intensive applications dynamically constructqueries in response to client requests and execute them.Java servlets, e.g., can create string representations ofSQL queries and then send the queries, using JDBC, to adatabase server for execution. The servlet programmer enjoysstatic checking via Javaýs strong type system. However,the Java type system does little to check for possible errorsin the dynamically generated SQL query strings. Thus,a type error in a generated selection query (e.g., comparinga string attribute with an integer) can result in an SQLruntime exception. Currently, such defects must be rootedout through careful testing, or (worse) might be found bycustomers at runtime. In this paper, we present a sound,static, program analysis technique to verify the correctnessof dynamically generated query strings. We describe ouranalysis technique and provide soundness results for ourstatic analysis algorithm. We also describe the details of aprototype tool based on the algorithm and present severalillustrative defects found in senior software-engineeringstudent-team projects, online tutorial examples, and a real-worldpurchase order system written by one of the authors. Many data-intensive applications dynamically constructqueries in response to client requests and execute them.Java servlets, e.g., can create string representations ofSQL queries and then send the queries, using JDBC, to adatabase server for execution. The servlet programmer enjoysstatic checking via Javays strong type system. However,the Java type system does little to check for possible errorsin the dynamically generated SQL query strings. Thus,a type error in a generated selection query (e.g., comparinga string attribute with an integer) can result in an SQLruntime exception. Currently, such defects must be rootedout through careful testing, or (worse) might be found bycustomers at runtime. In this paper, we present a sound,static, program analysis technique to verify the correctnessof dynamically generated query strings. We describe ouranalysis technique and provide soundness results for ourstatic analysis algorithm. We also describe the details of aprototype tool based on the algorithm and present severalillustrative defects found in senior software-engineeringstudent-team projects, online tutorial examples, and a real-worldpurchase order system written by one of the authors.
Author	Su, Zhendong Devanbu, Premkumar Gould, Carl
Author_xml	– sequence: 1 givenname: Carl surname: Gould fullname: Gould, Carl organization: University of California at Davis – sequence: 2 givenname: Zhendong surname: Su fullname: Su, Zhendong organization: University of California at Davis – sequence: 3 givenname: Premkumar surname: Devanbu fullname: Devanbu, Premkumar organization: University of California at Davis
BackLink	http://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=17809650$$DView record in Pascal Francis
BookMark	eNqFkDFPwzAQRi1RJErpyO4FJlLspLZzY9VCqVQJIWC2LqkNpokT4nTov8colRj5llve3el7l2TkG28IueZsJmLuAXKpxAwA5jI_I1NQOVMSRMpllo3ImKWKJSIV6oJMQ_hiMYIplvMx2bz22LuSLj9NuXf-gzaWro4ea1diVR3p2njTYW929OVgOmcCdZ6usMcCg6GLtq0i2LvGhytybrEKZnqaE_L--PC2fEq2z-vNcrFNkIPqE8ukAJyzgoHdcYMq50KA5ZnNGbcpE8j4TmUyLXiKRVwBlClkHAq0OS9MNiG3w922a74PJvS6dqE0VYXeNIegMy4AYrkI3pxADLGM7dCXLui2czV2R82jJJCCRe5u4LCsddE0-6A5079i9SBWD2J1Efvbv___4NkPR2l2_A
ContentType	Conference Proceeding
Copyright	2006 INIST-CNRS
Copyright_xml	– notice: 2006 INIST-CNRS
DBID	IQODW 7SC 8FD JQ2 L7M L~C L~D
DOI	10.5555/998675.999468
DatabaseName	Pascal-Francis Computer and Information Systems Abstracts Technology Research Database ProQuest Computer Science Collection Advanced Technologies Database with Aerospace Computer and Information Systems Abstracts Academic Computer and Information Systems Abstracts Professional
DatabaseTitle	Computer and Information Systems Abstracts Technology Research Database Computer and Information Systems Abstracts – Academic Advanced Technologies Database with Aerospace ProQuest Computer Science Collection Computer and Information Systems Abstracts Professional
DatabaseTitleList	Computer and Information Systems Abstracts
DeliveryMethod	fulltext_linktorsrc
Discipline	Applied Sciences Computer Science
EndPage	654
ExternalDocumentID	17809650
Genre	Conference Paper
GroupedDBID	6IE 6IH 6IK 6IL AAJGR AAVQY ACM ADPZR ALMA_UNASSIGNED_HOLDINGS APO BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK GUFHI LHSKQ OCL RIB RIC RIE RIL RIO AAWTH IQODW -~X 123 23M 29O 5VS 6IM 6IN 7SC 8FD 8US ADZIZ AFFNX AVWKF CHZPO FEDTE I07 IPLJI JQ2 L7M L~C L~D M43 RNS
ID	FETCH-LOGICAL-a197t-f0659a40b09fd1ea781559f13f801f205a01d7362b12ab1979a629319baf81be3
ISBN	9780769521633 0769521630
ISSN	0270-5257
IngestDate	Fri Sep 05 11:17:39 EDT 2025 Wed Apr 02 07:25:31 EDT 2025 Wed Jan 31 06:48:48 EST 2024 Sun Dec 01 06:31:06 EST 2024
IsPeerReviewed	false
IsScholarly	true
Keywords	Type theory High performance JAVA language Software development Database query Very large databases Information retrieval Program analysis Distributed computing Program verification SQL Character string Sound analysis Static analysis Defect Purchases Computer server Algorithm analysis Software engineering
Language	English
License	CC BY 4.0
LinkModel	OpenURL
MeetingName	ICSE04: 26th International Conference on Software Engineering
MergedId	FETCHMERGED-LOGICAL-a197t-f0659a40b09fd1ea781559f13f801f205a01d7362b12ab1979a629319baf81be3
Notes	SourceType-Conference Papers & Proceedings-1 ObjectType-Conference Paper-1 content type line 25
PQID	31599708
PQPubID	23500
PageCount	10
ParticipantIDs	acm_books_10_5555_998675_999468_brief proquest_miscellaneous_31599708 acm_books_10_5555_998675_999468 pascalfrancis_primary_17809650
PublicationCentury	2000
PublicationDate	20040523 2004
PublicationDateYYYYMMDD	2004-05-23 2004-01-01
PublicationDate_xml	– month: 05 year: 2004 text: 20040523 day: 23
PublicationDecade	2000
PublicationPlace	Washington, DC, USA
PublicationPlace_xml	– name: Washington, DC, USA – name: Los Alamitos CA
PublicationSeriesTitle	ACM Conferences
PublicationTitle	International Conference on Software Engineering: Proceedings of the 26th International Conference on Software Engineering; 23-28 May 2004
PublicationYear	2004
Publisher	IEEE Computer Society
Publisher_xml	– name: IEEE Computer Society
SSID	ssj0000507081 ssj0006499
Score	1.9435147
Snippet	Many data-intensive applications dynamically constructqueries in response to client requests and execute them.Java servlets, e.g., can create string...
SourceID	proquest pascalfrancis acm
SourceType	Aggregation Database Index Database Publisher
StartPage	645
SubjectTerms	Applied sciences Computer science; control theory; systems Exact sciences and technology Information systems -- Data management systems -- Database management system engines -- Database query processing Information systems -- Data management systems -- Query languages Information systems -- Information retrieval -- Information retrieval query processing Information systems. Data bases Memory organisation. Data processing Software Software and its engineering -- Software notations and tools -- General programming languages -- Language types Software and its engineering -- Software organization and properties -- Software functional properties -- Correctness Software engineering Theory of computation -- Logic -- Logic and verification Theory of computation -- Logic -- Proof theory Theory of computation -- Semantics and reasoning -- Program reasoning -- Program analysis Theory of computation -- Semantics and reasoning -- Program semantics Theory of computation -- Theory and algorithms for application domains -- Database theory -- Database query languages (principles) Theory of computation -- Theory and algorithms for application domains -- Database theory -- Database query processing and optimization (theory)
Title	Static Checking of Dynamically Generated Queries in Database Applications
URI	https://www.proquest.com/docview/31599708
hasFullText	1
inHoldings	1
isFullTextHit
isPrint
link	http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwtV1bb9MwFLa6iQeeuA1RLsMPwEsViJPWjl_pNoFUStE61DfLSWxabUtLL2P9d_w0zolz60Ca9sBLVKWpY_t8tb9z8TmEvElkGofShF4S-AYUFF97Mk2lZ7kWsH31enFu0P8-EMNhNJnIUav1uzwLc3Uhsiy6vpaL_ypquAfCxqOzdxB31SjcgM8gdLiC2OF6gxH_c_PZNfHVB_rQK3AKa-4vDPVqZCFEk8CoamhVxgwEfD3t3L2tj50g9IKo80Vv82SFTUQir50lnf7UJOdFrPXRNtN5voKLbZEAGwnwtw1mX84DdY_0WuNG69hy07yoG-W5-3pZBYqcbnJ_y9RgmZIfFU83oDHE-Vejpbk8x8DyHYNHF3317kxypff6gkvgHTwMG8tlIHwPc7s2lmPuUlUWOzt36apvbhqISIwTkREoT--BMHddoZ_d5NzDr-rkbDBQ4-PJ-N3ip4d1y9C_XxRx2SN7QjB3frCy8flAtv2oDjni3byeadVTZ0ZyIynyj9UjcwlhsXMfdrqGNCq5xBhevQL5WFd_5S8qkfOj8UNyUIOD1mh6RFome0welKVDaLGTPCGfHRhoCQY6t7QBBlqBgRZgoLOMlmCgTTAckLOT43H_k1dU9fA0k2LtWfTk664f-9KmzGgRoWfcstACWbKB39M-SwXwqpgFOoafSM2BkzIZaws6lgmfkv1snplnhKZMcJOwxNiIdxOjo8gKwyULQ1iXojRok9cwVQr_nCsF2i5OpnKTqdxktsnbW55QMQzStsnhznSrhcsFoxiITIKWA68q51_BAo1eN52Z-WalQlAYJMDg-a1PvCD3a7y_JPvr5ca8IveSq_VstTzMofUHCveo6w
linkProvider	IEEE
openUrl	ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=International+Conference+on+Software+Engineering%3A+Proceedings+of+the+26th+International+Conference+on+Software+Engineering%3B+23-28+May+2004&rft.atitle=Static+Checking+of+Dynamically+Generated+Queries+in+Database+Applications&rft.au=Gould%2C+Carl&rft.au=Su%2C+Zhendong&rft.au=Devanbu%2C+Premkumar&rft.date=2004-05-23&rft.isbn=9780769521633&rft.issn=0270-5257&rft.spage=645&rft.epage=654&rft_id=info:doi/10.5555%2F998675.999468&rft.externalDBID=NO_FULL_TEXT
thumbnail_l	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=0270-5257&client=summon
thumbnail_m	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=0270-5257&client=summon
thumbnail_s	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=0270-5257&client=summon