Saxon SQL Extension

The Saxon distribution includes a set of XSLT extension instructions providing access to SQL databases. These are not intended as being necessarily a production-quality piece of software (there are many limitations in the design), but more as an illustration of how extension instructions can be used to enhance the capability of the processor.

To use the SQL extension in a stylesheet, you need to define a namespace prefix (for example sql) in the extension-element-prefixes attribute of the xsl:stylesheet element, and to map this prefix to a namespace URI, conventionally http://saxon.sf.net/sql. This namespace must be bound in the Configuration to the implementation class net.sf.saxon.option.sql.SQLElementFactory. This binding can be done either by calling ProfessionalConfiguration.setExtensionElementNamespace(), or by means of an entry in the configuration file.

This changed in Saxon 9.2. In Saxon 9.1 and earlier releases it was necessary to use a namespace ending in "/net.sf.saxon.sql.SQLElementFactory". It is still possible to use the same namespace, but it must now be bound explicitly.

This extension defines eight new stylesheet elements described in the following sections:

• sql:connect

• sql:query

• sql:insert

• sql:update

• sql:column

• sql:delete

• sql:close

• sql:execute

• Example

See the Example for an example of the use of these SQL extension elements.

A Warning about Side-Effects

XSLT does not guarantee the order of execution of instructions. In principle, the sql:close instruction could be evaluated before the sql:query instruction, which would obviously be disastrous.

In practice, Saxon's order of execution for XSLT instructions is reasonably predictable unless you use variables, or unless you invoke stylesheet functions from within an XPath expression. Using the SQL extension instructions within templates that are directly invoked is thus fairly safe, but it is not a good idea to invoke them as a side-effect of computing a variable or invoking a function. The exceptions are sql:connect and sql:query: if you use these instructions to evaluate the content of a variable, then they will of course be executed before any instruction that uses the value of the variable.

A Warning about Security (SQL injection)

The instructions in the SQL extension make no attempt to verify that the SQL being executed is correct and benign. No checks are made against injection attacks; indeed the sql:execute instruction explicitly allows any SQL statement to be executed.

Therefore, the extension should be enabled only if (a) the stylesheet itself is trusted, and (b) any text inserted into the stylesheet to construct dynamic SQL statements is also trusted.