Database Reference
In-Depth Information
going to pass. We also register parameters 3, 4, and 5 as OUT parameters that we will be able to read later.
If we fail to register the parameters that way, we may be surprised when we go to read them later—they
won't be available.
Listing 5-16. An OracleCallableStatement for Client/Server Encryption
OracleCallableStatement stmt =
( OracleCallableStatement )conn.prepareCall(
"CALL p_get_rsa_crypt_sysdate(?,?,?,?,?)" );
stmt.registerOutParameter( 3, OracleTypes.RAW );
stmt.registerOutParameter( 4, OracleTypes.NUMBER );
stmt.registerOutParameter( 5, OracleTypes.VARCHAR );
stmt.setString( 1, clientPubModulus );
stmt.setString( 2, clientPubExponent );
stmt.setNull( 3, OracleTypes.RAW );
stmt.setInt( 4, 0 );
stmt.setNull( 5, OracleTypes.VARCHAR );
stmt.executeUpdate();
After preparing the Statement , we set the input parameters. The only parameters we have to pass to
the procedure are our RSA public key modulus and exponent. We call stmt.setString() for each of those
parameters.
Notice, however, that we set the remainder of the parameters to null using the stmt.setNull()
method, or to 0 in the case of the int . There are two things to mention about setting these to null: first, it
may not be necessary because we don't read or test the values of those parameters in the Oracle
procedure, but we do it to satisfy our desire to address all potential concerns . Consider it to be just one
more part of the secure programming approach—cover all your bases. Second, these are the same
parameters that we are expecting to read from— OUT parameters. We want to assure that unless the
Oracle procedure puts a value in those parameters, there will be nothing there to read.
Oracle procedures can define their parameters as one of three types: IN (the default), OUT , and INOUT .
On occasion you will want to use a single INOUT parameter to both submit data to an Oracle procedure
and to read the results coming back. I find it can be more concise to use INOUT parameters, but it can also
be a bit confusing in the procedure code—deciding what value is currently being handled. So, for a more
security conscientious approach, we will avoid INOUT parameters.
Both when we register OUT parameters and when we set those parameters to null , we have to declare
the data type of the parameter. We refer to the types in the OracleTypes class, as in OracleTypes.RAW and
OracleTypes.NUMBER . We find OracleTypes in the oracle.jdbc package (from ojdbc6.jar ) and import it from
there. Earlier we mentioned this one inconsistency in the use of VARCHAR instead of VARCHAR2. It is in the
OracleTypes class, as you can see in Listing 5-16.
The last line of this section of code executes the Statement. That is, it calls the Oracle stored
procedure, passing the IN parameters, and retrieving the OUT parameters.
Handle Errors Reported by Oracle Database
We will build our Oracle procedures to send the error number and error message back in two of the OUT
parameters. This will be our standard approach for handling errors in processing—it places the
responsibility for dealing with errors into the hands of the application developer. This code from the
main() method, Listing 5-17, follows the execution of the Statement . First we read the errNo parameter. If
it is not equal to zero, some problem has occurred, and we print out the error message; otherwise, we
will continue.
 
Search WWH ::




Custom Search