Don’t mix glue and SQL

May 23, 2007
This post isn’t really related to ADF in particular, but it is of benefit. I’ve seen a number of posts (well, OK 2 of them) on the Oracle JDeveloper forum in the past week where someone “glues” literals into their SQL statements like this:

String sqlStmt = "select x from y where username='" + userName + "'";

stmt = conn.prepareStatement(sqlStmt); // conn: an open java.sql.Connection

//etc

Now, anyone who reads Ask Tom is already falling out of their chair. The real problem is in the first line of code; first of all, imagine what happens if someone puts this string into userName: x' or '1' = '1

Can you say “SQL Injection?” The second problem with this approach is that for each value of userName, this generates a unique SQL statement, which Oracle has never seen before, and must hard parse. Hard parsing in Oracle, well in most any database, really, is an operation that takes lots of CPU and inherently limits scalability. If you run this query a lot with different values of userName, you’ll bring the system to its knees. What the query should do is use binds, like this:

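String sqlStmt = "select x from y where username= :1"; // :1 is an Oracle-style bind; portable JDBC uses ?

stmt = conn.prepareStatement(sqlStmt); // conn: an open java.sql.Connection

stmt.setString(1, userName); // the value is bound, never parsed as SQL

//etc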


Now, no matter what that pesky user puts in userName, this code does not expose the security risk that the first version does. Additionally, the SQL text is the same from call to call (it never changes), so you don’t have the hard parsing problem, either. Now to make the code even better, we could cache the prepared statement and bind/execute on subsequent calls, but I’ll leave that one to you.
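The same comparison as an added, runnable example (not code from the original post): it uses Python's built-in sqlite3 in place of Oracle/JDBC so it runs offline, and the table contents and helper names are constructed for illustration. It goes one step past the post by also showing a legitimate name that contains a quote breaking the glued statement.

```python
import sqlite3

# Constructed sample rows standing in for the post's table y (columns x, username).
ROWS = [("alice-secret", "alice"), ("bob-secret", "bob"), ("obrien-secret", "O'Brien")]

BOUND_SQL = "select x from y where username = ?"  # statement text never changes


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table y (x text, username text)")
    conn.executemany("insert into y (x, username) values (?, ?)", ROWS)
    return conn


def glued_sql(user_name):
    # The anti-pattern from the post: the literal becomes part of the SQL text.
    return "select x from y where username='" + user_name + "'"


def lookup_glued(conn, user_name):
    return [row[0] for row in conn.execute(glued_sql(user_name))]


def lookup_bound(conn, user_name):
    # The value travels separately from the statement and is never parsed as SQL.
    return [row[0] for row in conn.execute(BOUND_SQL, (user_name,))]


def glued_fails_on(conn, user_name):
    # True when gluing produces SQL the database cannot even parse.
    try:
        lookup_glued(conn, user_name)
        return False
    except sqlite3.OperationalError:
        return True


def distinct_statement_texts(user_names, glue):
    # Every distinct text is a statement the database has not seen before,
    # which is what forces a hard parse on Oracle.
    return len({glued_sql(u) if glue else BOUND_SQL for u in user_names})


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1' = '1"  # the input quoted in the post
    print("glued:", lookup_glued(db, payload))   # every row comes back
    print("bound:", lookup_bound(db, payload))   # no such user, no rows
    print("glued breaks on O'Brien:", glued_fails_on(db, "O'Brien"))
    names = ["user%d" % i for i in range(1000)]
    print("distinct texts glued/bound:",
          distinct_statement_texts(names, True), distinct_statement_texts(names, False))
```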


I just don’t get Ruby on Rails

May 11, 2007

In addition to all of the cool toys (robots and helicopters) shown at the Java Toy Show (general session of JavaOne 2007 on Friday morning), a NetBeans guy from Sun got up and did a demo of NetBeans 6.0 and JRuby on Rails (a scripting-language-based web application framework). He created a Ruby on Rails application, created persistence classes from a database using a wizard, created a simple web page showing the database information, and ran it all from within the IDE. Judging by the audience reaction, people were impressed. My reaction, on the other hand, was, as we used to say as kids, “big whoop.” Haven’t we been doing this in JDeveloper for, I dunno, 8 years or something?


The fun side of JavaOne 2007

May 10, 2007

There’s more to JavaOne than listening to presentations. You could…

View a 3D world:


Watch (and buy for around $300 US) a fully Java-programmable robot with MP3 and MPEG video playback:

Use the Java real-time APIs to write a control program for a race car and try to have it be the fastest around the track (without falling off):


I have some video clips of the robot dancing to some music and the race car doing fine, until it falls off the banked turn, but I need to figure out how to post them. More to come…


JavaOne 2007: Shay Shmeltzer on "What’s new in JDeveloper"

May 10, 2007

Shay Shmeltzer of Oracle (note the fast hands) delivered a session today (Thursday) at JavaOne detailing what’s new in JDeveloper release 11, which was just released the other day as a technology preview. The session was attended by (my estimate) 150 people:


After talking about the overall purpose of JDeveloper (keep people in the Java fold by providing a productive alternative to .Net), Shay gave a brief overview of version 10.1.3.2 of JDev, and built a nice demo, which of course, did not run. Stupid oranls18.jar!

Then came the exciting stuff. Any omissions or errors in this section are my own… The focus areas for JDeveloper 11 include:

  • Improved IDE
  • J2EE 5 support
  • Taking JSF to the next level
  • Further ADF improvements
  • Metadata Management

In the area of the improved IDE:

  • JavaScript editor/debugger
  • SQL Developer integration (try opening a .sql file in JDev 11 – you’ll get the SQL Developer window)
  • New profilers – it looks like the dependency on Oracle’s JVM (ojvm) is removed, and you can profile with a standard JVM.
  • JUnit 4 support

J2EE 5.0:

  • EJB 3 diagramming, dialogs for managing persistence.xml and orm.xml
  • JSF 1.2 support
  • Web services improvements (JAX-WS, WSDL editor, WS tester, JSR 181 property inspector).

For me, the exciting stuff was in the JSF arena:

  • The new AJAX/Rich Client Framework components (100+ of them)
  • Reusability (page templates, page fragments, task flows, declarative components)
  • Security
  • Graphs (rendered in Flash!)
  • Dialog/pop-up framework. In my view, much improved over the 10g release – pop-ups are now rendered in the page itself, not in a new browser window – solves a lot of problems.
  • Navigation menus. I see JDev 11 has a wizard for creating trees of managed beans instead of forcing us to edit XML by hand – quite nice.
  • (not in the technology preview) an “active data framework,” described as a push technology for JSF.
  • Advanced data streaming – if you have 3 tables on the JSF page, they can populate in parallel – the page render can happen before the data is fully loaded.

The ADF Task flows were also quite interesting. They are an extension of the JSF page flow concept, but are modular and re-usable. In addition to pages, page fragments, and method calls, ADF Task flows can also include other task flows. They also have support for bookmarking, transaction management, exception handling, and (ta-daaa!) the dreaded browser back button. I had a hard time conceptualizing the task flows until the demo…

In the demo, one of the things Shay did was to create a simple task flow composed of two JSF page fragments. Just like the simple tutorial we’ve all done, he created two fragments (instead of pages) – one to list (in an af:table) some items, and another to edit a newly created item. Then, he simply dragged the page flow into one of the declared facets on the JSF page template that he was using. Now, whenever he ran his demo, the list -> edit record -> return to list was rendered in the area of the template, independently of the rest of the page content. This looked to me like it was using PPR, so it was quite responsive. I’m going to have to play with this myself…

Shay covered more detail (obviously) than I’ve included here, but this looks like a serious new release of JDev. As Lucas Jellema writes, the Rich Client Framework components are being donated to Apache – with such an amazing, high quality set of JSF components available for free, it’s going to put a lot of pressure on JSF component vendors.


And now, for something completely different

May 10, 2007

By far, my favorite musician is Pepe Kalle. He passed away a few years back from heart problems.

He sings in a mixture of languages, but mostly a language from Congo (fka Zaire) called “Lingala.” I like Lingala music in general for its good harmonic singing and the styles of dancing that go along with it. There are a variety of different music/dance styles, including ndombolo, soukouss, kwassa-kwassa, etc. For a non-African like me (read “dance and rhythm-challenged white guy”), it’s still fun. Just don’t expect to see me dancing like this at JavaOne, unless his band, or perhaps Kanda Bongo Man shows up.

YouTube is great…


Thomas Kurian Keynote at JavaOne

May 9, 2007

Thomas Kurian did the morning keynote today at JavaOne. He pretty much went over the entire Oracle Middleware stack (Java/BPEL/ESB/WebCenter/Identity Management). There were some really cool demos. Duncan Mills (gotta get his picture) did a demo of the new rich client framework JSF components that come with JDev 11. Let’s just say, “you gotta see it for yourself.”

It’s pretty amazing to see a very responsive, AJAX application with not a lot of coding needed – certainly no hand-written JavaScript. I was especially amazed by the drag-and-drop (drag an item from a list of products and drop it in the shopping cart). Was that really just a browser?


Tables, Templates, and Task Flows; oh my!

May 9, 2007

As I mentioned yesterday, I’ve been “wowed” by some of the new stuff floating around in the JDeveloper 11 preview release that came out the other day. The ADF Faces components (both the new and the old) have some great stuff. I’m also excited to see a true templating capability, which looks to be much better than the old af:region; I haven’t had a chance to dive into this yet, so templates is going to have to be a topic for another day.

Another interesting new addition is the concept of an ADF Task Flow. Again, I haven’t had the time yet to do a “deep dive,” but task flows look to me like the JSF faces-config.xml on steroids – instead of one large faces-config, we can have multiple re-usable adf task flows that can then be pieced together. There’s even a new memory scope, the task flow scope, that is longer than request but shorter than session to facilitate this. I’m going to have to spend a bit of time understanding this one before I post the details.

The instant “wow” factor in JDev 11 is the ADF Faces components. In addition to some really cool visualization components (Flash-y graphs, bar charts, Gantt charts, etc), the old venerable ADF Faces components have gotten a great face lift. The applications created using JDev 11 have a much more responsive, AJAX-y, Web 2.0 feel. Today, I thought I’d take one of the components I use most often, af:table, and give a preview of how it has changed in this release.

The first thing I noticed is that there is no more selection or actions facet in the table; hmmm, how am I going to perform the typical “select a row and edit it” or “create a new row” buttons? After some poking around the docs, I discovered a new component (find it in the layout section of the control palette) called “af:panelCollection:”


The af:panelCollection provides a container for af:table that allows for toolbars and menus (!) that allow you to act on the table. After putting one of these on my page, I dragged-and-dropped a view object from the data control palette as an af:table. The resulting dialog, although similar to the one in 10.1.3.2, has an interesting new checkbox, “Filtering.” Wonder what this does…

After ok-ing the dialog, it’s time to run and see it. There are so many new things to look at just on this simple page… First of all, selecting an item is just as simple as clicking in some of the blank space in the row. The selected row is automatically highlighted:

This “highlight the selected row” is something that I’ve seen asked over and over again on the OTN JDeveloper forum, so it’s a nice thing. It’s not all good, in my opinion; if you look at the screen shot, there’s precious little “blank space” to click – it was pretty hard to select the row in this case. It’s also a bit less obvious than in 10.1.3 how to select the row; there is no “Select and…” text floating up there on the top.

Next up is sorting; just hover the mouse over the column label and:

Nice up-and-down sorting indicators. Right above the column labels is the filtering. Just type a letter in the filter area, press enter, and:

Hiding and showing columns is pretty easy too:


Re-ordering columns by dragging and dropping them is supposed to work (I got the nice drag-and-drop effect), but got stuck:

It is a preview release, after all. The next thing I went looking for was the range scrolling. Where is that “next 10, previous 10?” It turns out, you just move the scroll bar; rows are fetched on demand:


That alone is worth the price of admission. The final thing I wanted to show was how to add a CreateInsert item to the menu to support creating a new row in the table. First, I simply dragged and dropped the Create operation from the data control palette inside of an af:menu in the menus facet of the af:panelCollection:


Next, I needed to change the binding from Create to CreateInsert. Now where is that pageDef? Oh, there it is, hiding in the “bindings” tab of the JSF editor window:

I really like the visual representation showing the relationship among the bindings, executables, and data controls. After double-clicking the Create binding and changing the action to CreateInsert, I set up the partial triggers (so that the table refreshed after I selected the “Create” menu item), and it was time to test. Here’s the menu in action:

In summary, I showed some of the great new capabilities of just one (!) of the who-knows-how-many ADF Faces components that are in JDev 11. Over the next days and weeks, I’m going to continue digging in to the new features (the eye candy and the meat) and posting my views here.