26th International Conference on Software Engineering (ICSE'04)
pp. 645-654
Static Checking of Dynamically Generated Queries in Database Applications
Carl Gould, University of California at Davis
Zhendong Su, University of California at Davis
Premkumar Devanbu, University of California at Davis
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ICSE.2004.1317486
Abstract
Many data-intensive applications dynamically construct queries in response to client requests and execute them. Java servlets, for example, can create string representations of SQL queries and then send the queries, using JDBC, to a database server for execution. The servlet programmer enjoys static checking via Java's strong type system. However, the Java type system does little to check for possible errors in the dynamically generated SQL query strings. Thus, a type error in a generated selection query (e.g., comparing a string attribute with an integer) can result in an SQL runtime exception. Currently, such defects must be rooted out through careful testing, or (worse) might be found by customers at runtime. In this paper, we present a sound, static program analysis technique to verify the correctness of dynamically generated query strings. We describe our analysis technique and provide soundness results for our static analysis algorithm. We also describe the details of a prototype tool based on the algorithm and present several illustrative defects found in senior software-engineering student-team projects, online tutorial examples, and a real-world purchase order system written by one of the authors.
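As an added illustration (not code from the paper or its prototype tool), the following Python sketch shows the defect the abstract describes and the kind of check its analysis performs: enumerate the query strings that a piece of string-concatenation code can produce, then check each WHERE comparison against the database schema. The schema, the query template and the helper names (`SCHEMA`, `QUERY_PARTS`, `generate_queries`, `check_query`, `check_all`) are constructed here and are assumptions of this example. Unlike the paper's sound analysis, which covers every string the program can generate, this enumerates a finite set of branch choices.

```python
import re
from itertools import product

# Constructed schema (an assumption for this example): table -> {column: SQL type}.
SCHEMA = {
    "orders": {
        "id": "INTEGER",
        "customer": "VARCHAR",
        "total": "INTEGER",
        "status": "VARCHAR",
    },
}

# Constructed query template (an assumption): the pieces a servlet concatenates.
# Each element is a fixed string or a list of alternatives, one per branch or
# per possible value of a Java variable. A Java int variable yields a bare
# number in the string and a String variable yields a quoted literal; Java's
# type checker accepts both, because the expression is only String + String.
QUERY_PARTS = [
    "SELECT id, total FROM orders WHERE ",
    ["status = 'open'", "status = 1"],   # one branch builds the literal without quotes
    " AND customer = ",
    ["42", "'acme'"],                    # int vs. String value of the variable
]

# column OP literal, where the literal is a single-quoted string or an integer
COMPARISON = re.compile(r"(\w+)\s*(=|<>|<=|>=|<|>)\s*('[^']*'|-?\d+)")
FROM_TABLE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def generate_queries(parts):
    """Enumerate every query string the concatenation can produce.

    Finite approximation: the paper's analysis covers all strings a program
    can build, which this example does not attempt.
    """
    choices = [p if isinstance(p, list) else [p] for p in parts]
    return ["".join(combo) for combo in product(*choices)]


def literal_type(literal):
    """SQL type of a literal as it appears in the query text."""
    return "VARCHAR" if literal.startswith("'") else "INTEGER"


def check_query(sql, schema=SCHEMA):
    """Return the list of type errors in the WHERE comparisons of one SELECT."""
    match = FROM_TABLE.search(sql)
    if not match:
        return ["no FROM clause"]
    table = match.group(1)
    if table not in schema:
        return [f"unknown table {table}"]
    columns = schema[table]
    errors = []
    for column, _op, literal in COMPARISON.findall(sql):
        if column not in columns:
            errors.append(f"unknown column {column}")
        elif columns[column] != literal_type(literal):
            errors.append(
                f"{column} is {columns[column]} but compared with "
                f"{literal_type(literal)} literal {literal}"
            )
    return errors


def check_all(parts, schema=SCHEMA):
    """Map each generated query that has type errors to its error list."""
    report = {}
    for sql in generate_queries(parts):
        errors = check_query(sql, schema)
        if errors:
            report[sql] = errors
    return report


if __name__ == "__main__":
    for sql, errors in check_all(QUERY_PARTS).items():
        print(sql)
        for err in errors:
            print("  ", err)
```

Run as a script, it reports the three generated queries that compare the VARCHAR columns `customer` or `status` against an integer, which is the situation the abstract calls a type error in a generated selection query; the one query with both literals quoted passes. All four branches are well-typed Java, since each is only string concatenation, which is exactly why the check has to be done on the generated query text against the schema rather than by the host language's type system.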
Additional Information
Citation:
Carl Gould, Zhendong Su, Premkumar Devanbu, "Static Checking of Dynamically Generated Queries in Database Applications," 26th International Conference on Software Engineering (ICSE'04), pp. 645-654, 2004.