Database Reference
In-Depth Information
going to pass. We also register parameters 3, 4, and 5 as
OUT
parameters that we will be able to read later.
If we fail to register the parameters that way, we may be surprised when we go to read them later—they
won't be available.
Listing 5-16.
An OracleCallableStatement for Client/Server Encryption
OracleCallableStatement stmt =
( OracleCallableStatement )conn.prepareCall(
"CALL p_get_rsa_crypt_sysdate(?,?,?,?,?)" );
stmt.registerOutParameter( 3, OracleTypes.RAW );
stmt.registerOutParameter( 4, OracleTypes.NUMBER );
stmt.registerOutParameter( 5, OracleTypes.VARCHAR );
stmt.setString( 1, clientPubModulus );
stmt.setString( 2, clientPubExponent );
stmt.setNull( 3, OracleTypes.RAW );
stmt.setInt( 4, 0 );
stmt.setNull( 5, OracleTypes.VARCHAR );
stmt.executeUpdate();
After preparing the
Statement
, we set the input parameters. The only parameters we have to pass to
the procedure are our RSA public key modulus and exponent. We call
stmt.setString()
for each of those
parameters.
Notice, however, that we set the remainder of the parameters to
null
using the
stmt.setNull()
method, or to 0 in the case of the
int
. There are two things to mention about setting these to null: first, it
may not be necessary because we don't read or test the values of those parameters in the Oracle
procedure, but we do it to satisfy our desire to
address all potential concerns
. Consider it to be just one
more part of the secure programming approach—cover all your bases. Second, these are the same
parameters that we are expecting to read from—
OUT
parameters. We want to assure that unless the
Oracle procedure puts a value in those parameters, there will be nothing there to read.
Oracle procedures can define their parameters as one of three types:
IN
(the default),
OUT
, and
INOUT
.
On occasion you will want to use a single
INOUT
parameter to both submit data to an Oracle procedure
and to read the results coming back. I find it can be more concise to use
INOUT
parameters, but it can also
be a bit confusing in the procedure code—deciding what value is currently being handled. So, for a more
security conscientious approach, we will avoid
INOUT
parameters.
Both when we register
OUT
parameters and when we set those parameters to
null
, we have to declare
the data type of the parameter. We refer to the types in the
OracleTypes
class, as in
OracleTypes.RAW
and
OracleTypes.NUMBER
. We find
OracleTypes
in the
oracle.jdbc
package (from
ojdbc6.jar
) and import it from
there. Earlier we mentioned this one inconsistency in the use of
VARCHAR
instead of
VARCHAR2.
It is in the
OracleTypes
class, as you can see in Listing 5-16.
The last line of this section of code executes the Statement. That is, it calls the Oracle stored
procedure, passing the IN parameters, and retrieving the OUT parameters.
Handle Errors Reported by Oracle Database
We will build our Oracle procedures to send the error number and error message back in two of the
OUT
parameters. This will be our standard approach for handling errors in processing—it places the
responsibility for dealing with errors into the hands of the application developer. This code from the
main()
method, Listing 5-17, follows the execution of the
Statement
. First we read the
errNo
parameter. If
it is not equal to zero, some problem has occurred, and we print out the error message; otherwise, we
will continue.