University of Sydney · FACULTY OF COMPUTER SCIENCE

COMP9120 · Database Management Systems

- one subject, every graph, every model, every mark
Computer Science14 Chapters8-page Bible
Our own words - no uploaded lecturer files
Updated for this semester
Chapter 8 of 12 · COMP9120

Database Application Development

Database Application Development is the Week-7 topic of COMP9120 Database Management Systems at the University of Sydney, where SQL stops living in a terminal and starts running inside real Java or Python programs. You learn the call-level APIs (JDBC and the Python DB-API), why prepared statements defeat SQL injection, how stored procedures cut network round trips, and where indexes speed up the back end. It is the foundation for Assignment 2 (a 13% group project), and the lecturer flags it as out of scope for the final exam and the in-class quiz.

In this chapter

What this chapter covers

  • 01Why the impedance mismatch forces a call-level API between set-oriented SQL and record-oriented code
  • 02The four-step JDBC model: connect, create a Statement, execute, iterate the ResultSet cursor
  • 03The Python DB-API workflow with psycopg2: connection, cursor, execute, fetchone / fetchmany / fetchall
  • 04How SQL injection works and why string concatenation of user input is never safe
  • 05Prepared / parameterised statements: bind placeholders, reuse the query plan, block injection
  • 06Stored procedures in PL/pgSQL with IN / OUT / INOUT parameters, called via CallableStatement or callproc
  • 07How moving logic server-side reduces network round trips between client and database
  • 08Indexes as an access path: B+-tree vs hash, clustered vs unclustered, and when to add one
  • 09Error handling: SQLException state codes in Java and the psycopg2 exception hierarchy in Python
Worked example · free

Cutting network round trips with a stored procedure

Q [6 marks]. A campus food-order app confirms each order with three separate SQL statements sent from the client: (1) INSERT the order row, (2) UPDATE stock to decrement the item count, (3) INSERT a loyalty-points row. During a busy lunch hour it confirms 200 orders. (a) How many client-to-server round trips does the client-side version cost? (b) Rewrite the three statements as one stored procedure confirm_order(...) called once per order. How many round trips now, and how many are saved?
  • +1Client-side, each SQL statement is its own request/reply, so one order = 3 round trips.
  • +1Total client-side round trips = 3 statements x 200 orders = 600.
  • +1A stored procedure bundles the three statements into one server-side routine invoked with a single call.
  • +1With the procedure, one order = 1 round trip, so 200 orders = 200 round trips.
  • +1Round trips saved = 600 - 200 = 400.
  • +1That is a 400/600 = 66.7% reduction, so latency and network load fall (fewer round trips = faster).
Client-side costs 600 round trips (3 x 200); the stored procedure costs 200 (1 x 200), saving 400 round trips, a 66.7% reduction. The procedure also gives a cleaner abstraction and keeps the multi-statement update together on the server.
Sia tip — State the round-trip count per order first, then multiply by the number of orders. The direction is always fewer round trips = lower latency; if your saved figure is negative you have swapped the two totals.
Glossary

Key terms

Impedance mismatch
The gap between set-oriented SQL (which returns whole relations) and a record-oriented host language such as Java or Python; bridged with a call-level API and a cursor that walks results one row at a time.
JDBC
Java Database Connectivity: a DBMS-independent Java API. The workflow is acquire a Connection, create a Statement, execute a query, and iterate the ResultSet cursor, catching SQLException on error.
Python DB-API
Python's standard database interface (PEP 249), implemented per engine (psycopg2 for PostgreSQL). You open a connection, get a cursor, execute a query, then fetchone / fetchmany / fetchall the rows.
Prepared statement
A parameterised query whose plan is prepared once, then executed with bound host variables supplied through placeholders (? in JDBC, %s or %(name)s in the Python DB-API). It blocks SQL injection and allows plan reuse.
SQL injection
An attack where user input is concatenated into a query string so that supplied text (for example ' OR '1'='1) changes the query's meaning. Prepared statements prevent it by never treating parameter values as SQL.
Stored procedure
Application logic stored and run inside the DBMS, written in an SQL extension such as PostgreSQL's PL/pgSQL. Parameters may be IN, OUT or INOUT; it reduces network round trips and adds an abstraction layer.
CallableStatement / callproc
The mechanisms that invoke a stored procedure: JDBC's CallableStatement with prepareCall("{call proc(?,?)}") and registerOutParameter, or the Python cursor's callproc() method.
Index (clustered vs unclustered)
An access path mapping search-key values to records. A B+-tree serves equality and range; a hash serves equality only. A clustered index stores data in key order (cheap ranges); an unclustered one can cost about one I/O per matching row.
FAQ

Database Application Development FAQ

Is Database Application Development on the COMP9120 final exam?

No. The Week-7 lecturer states this material is not covered in the final exam or the in-class quiz; the quiz covers Weeks 1-9 except Week 7. It is assessed through Assignment 2, a 13% group project that builds a client interface plus an advanced back end with stored procedures and indexes. Confirm the exact scope and dates on Canvas for your offering.

Do I need Java or Python for Assignment 2?

Assignment 2 requires either Java (with JDBC) or Python (with the DB-API / psycopg2); you pick one and learn the language yourself. The database concepts are the same either way: connect, execute, iterate results, use prepared statements, and add stored procedures and indexes on the server side.

Can AI help me with database application development in COMP9120?

Yes, as a tutor rather than an answer service. Sia can explain, step by step, how a prepared statement defeats an injection string, why a stored procedure saves round trips, or how a B+-tree index differs from a hash index, and can walk through a small worked example. It will not write your Assignment 2 code for you or promise a specific grade; the point is to understand the API so you can build and debug your own submission.

Studying with AI? Sia — free AI data science tutor works through COMP9120 step by step.

Study strategy

Exam move

Treat this chapter as build-and-test, not memorise: set up PostgreSQL with pgAdmin early and get a tiny Java (JDBC) or Python (psycopg2) program to connect, run one SELECT, and loop over the results before you touch the assignment logic. Then practise the three security-critical moves in isolation: rewrite a concatenated query as a prepared statement, wrap a multi-statement update in a PL/pgSQL stored procedure and call it, and add an index to a column that appears in a WHERE or JOIN. Because this topic is assessed by Assignment 2 rather than the timed exam, the marks reward working, secure code and a sensible back end, so spend your effort making the program run correctly and handling errors gracefully rather than reciting definitions.

A+Everything unlocked
Unlocks this Bible + all 25 of your University of Sydney subjects - and 1,000+ Bibles across every Australian university.
Sia - your COMP9120 tutor, unlimited, worked the way the exam marks it
The full 8-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full COMP9120 Bible + 25 University of Sydney subjects解锁完整 COMP9120 Bible + University of Sydney 25 门科目
$25/mo