I’d like to preface this post with the following: I know that multi-statements split by semi-colon are not the appropriate way to do this, and that the proper way would be to use things like executeBatch.
I’m trying to research this from a security perspective.
Currently I know the following:
- MySQL – Doesn’t support this by default, but a connection string parameter known as allowMultiQueries can be specified in order to enable this behaviour.
- MS SQL – I believe that this behavior is enabled out of the box for MS SQL; however, multi resultsets cannot be extracted unless MARS (multiple active result sets) is in action. I do believe that on jdbctemplate.execute() calls a batch of updates and deletes can be sent; however, multiple result sets will not be received without MARS.
- Oracle – Appears not to support semi-colon by default. I don’t know if this behavior can be enabled just like in MySQL.
From a framework perspective I believe that the behavior is as follows:
- execute – Multi statements as long as it’s supported by the driver and DBMS
- update or executeUpdate – Multi statements as long as it’s supported by the driver and DBMS
- query or executeQuery – Only one statement and resultset
Can anyone please advise?
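For the MySQL item above, a defensive configuration check, added here as an example and not part of the original post: it scans JDBC connection strings and flags any MySQL URL whose query string turns on allowMultiQueries. The sample URLs and function names are constructed, and the matching is deliberately conservative (case-insensitive names and values, any truthy occurrence flags the URL), which is an assumption of this example rather than a statement of how the driver resolves them.

```python
from urllib.parse import parse_qsl

# Constructed sample connection strings (hypothetical hosts, not from the post).
SAMPLE_URLS = [
    "jdbc:mysql://db.example.internal:3306/app?useSSL=true",
    "jdbc:mysql://db.example.internal:3306/app?useSSL=true&allowMultiQueries=true",
    "jdbc:mysql://db.example.internal:3306/app?AllowMultiQueries=TRUE",
    "jdbc:mysql://db.example.internal:3306/app?allowMultiQueries=false",
    "jdbc:sqlserver://db.example.internal:1433;databaseName=app",
]

# Values treated as "on"; assumed here so the audit errs toward flagging.
TRUTHY = {"true", "yes"}


def multi_queries_enabled(jdbc_url):
    """Return True if a MySQL JDBC URL enables allowMultiQueries in its query string.

    Only the ?key=value&key=value form is inspected; properties supplied
    through a Properties object or a DataSource are outside this check.
    """
    if not jdbc_url.lower().startswith("jdbc:mysql"):
        return False
    _, sep, query = jdbc_url.partition("?")
    if not sep:
        return False
    for key, value in parse_qsl(query, keep_blank_values=True):
        # Conservative: any truthy occurrence of the property flags the URL.
        if key.lower() == "allowmultiqueries" and value.strip().lower() in TRUTHY:
            return True
    return False


def audit(urls):
    """Return the subset of connection strings that should be reviewed."""
    return [u for u in urls if multi_queries_enabled(u)]


if __name__ == "__main__":
    for url in audit(SAMPLE_URLS):
        print("allowMultiQueries enabled:", url)
```

A flagged URL means a semicolon-separated string passed to execute can run as several statements, so every query on that connection should be checked for parameter binding.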