FirebirdSQL logo
  • Anglaiskeyboard_arrow_down

Appointing co-administrators

Tip

What follows here is not essential knowledge for beginners.You can skip it if you like and go on to the [qsg5-config-security] section.

In Firebird 2.5 and up, SYSDBA (and others with administrator rights) can appoint co-administrators.This is done with the GRANT ADMIN ROLE directive:

create user bigbill password 'bigsekrit7foryou' grant admin role;
alter user littlejohn grant admin role;

The first command creates user bigbill as a Firebird administrator, who can add, alter and drop users.The second command grants administrator privileges to the existing user littlejohn.

To revoke administrator privileges from an account, use ALTER USER …​ REVOKE ADMIN ROLE.

Note

  • GRANT ADMIN ROLE and REVOKE ADMIN ROLE are not GRANT and REVOKE statements, although they look that way.They are clauses of the CREATE and ALTER USER statements.The actual role name involved here is RDB$ADMIN.This role also exists in regular databases;more about that in a minute.

  • Every user who has received administrator rights can pass them on to others.Therefore, there is no explicit WITH ADMIN OPTION.

  • Just for completeness, administrators can also grant admin rights to an existing user by connecting to the security database and issuing a regular GRANT statement:

    grant rdb$admin to littlejohn
Differences between co-administrators and SYSDBA

  • Co-admins can create, alter and drop users, but contrary to SYSDBA they have no automatic privileges in regular databases.

  • Unlike SYSDBA, co-admins must specify the RDB$ADMIN role explicitly if they want to exert their rights as system administrator:

    connect security.db user bigbill password bigsekrit7foryou role rdb$admin

    For reasons explained elsewhere in this guide, connecting to the security database like this may fail if a Superserver is running.On Windows, you may circumvent this by prepending xnet:// to the database path or alias, but on POSIX, you’re stuck.The only solution there is to connect to a regular database through the server, for example using localhost:employee.(This must be a database that uses the security database in question.)

    Since Firebird 4.0, a co-admin no longer needs to have the RDB$ADMIN privileges in the regular database to be able to execute user management statements against the security database, their privileges in the security database are sufficient.

    Note
    Please remember

    The RDB$ADMIN role in a database gives the grantee SYSDBA rights in that database only!

    • If it is the security database, the grantee can manage user accounts, but has no special privileges in other databases.

    • If it is a regular database, the grantee can control that database like they are SYSDBA, but again they have no special privileges in other databases, and have no user administration privileges.

    Of course, it is possible to grant a user the RDB$ADMIN role in several databases, including the security database.

  • To grant a user admin rights in a regular database you can use the usual way that roles are granted:

    grant rdb$admin to bigbill

    Grantors can be the database owner, SYSDBA, and every other user who has the RDB$ADMIN role in that database and has specified it while connecting.Every RDB$ADMIN member in a database can pass the role on to others, so again there is no WITH ADMINOPTION.

docnext count = 36

Security

Firebird 5 offers a number of security options, designed to make unauthorised access as difficult as possible.

It pays to familiarise yourself with Firebird’s security-related configuration parameters.You can significantly enhance your system’s security if you raise the protection level wherever possible.This is not only a matter of setting parameters, by the way: other measures involve tuning filesystem access permissions, an intelligent user accounts policy, etc.

Below are some guidelines for protecting your Firebird server and databases.

Run Firebird as non-system user

On Unix-like systems, Firebird already runs as user firebird by default, not as root.On Windows server platforms, you can also run the Firebird service under a designated user account (e.g. Firebird).The default practice — running the service as the LocalSystem user — poses a security risk if your system is connected to the Internet.Consult README.instsvc.txt in the doc directory to learn more about this.

Change SYSDBA's password

As discussed before, if your Firebird server is reachable from the network and the system password is masterkey, change it.

Don’t create user databases as SYSDBA

SYSDBA is a very powerful account, with full (destructive) access rights to all your Firebird databases.Its password should be known to a few trusted database administrators only.Therefore, you shouldn’t use this super-account to create and populate regular databases.Instead, generate normal user accounts and grant them the CREATE DATABASE privilege, and provide their account names and passwords to your users as needed.You can do this with the SQL user management commands as shown above, or with any decent third-party Firebird administration tool.

Protect databases on the filesystem level

Anybody who has filesystem-level read access to a database file can copy it, install it on a system under their own control, and extract all data from it — including possibly sensitive information.Anybody who has filesystem-level write access to a database file can corrupt it or totally destroy it.

Also, anybody with filesystem-level access to a database can make an embedded connection to it posing as any Firebird user (including SYSDBA) without having their credentials checked.This can be especially disastrous if it concerns the security database!

As a rule, only the Firebird server process should have access to the database files.Users don’t need, and should not have, access to the files — not even read-only.They query databases via the server, and the server makes sure that users only get the allowed type of access (if at all) to any objects within the database.

As a relaxation of this rule, most Firebird configurations allow users to create and use databases in their own filesystem space and make embedded connections to them.Since these are their files and their data, one may argue that unrestricted and possibly destructive access should be their own concern, not yours.

If you don’t want or need this relaxation, follow the instructions in the next item.

Disable embedded connections

If you don’t want any type of direct access, you may disable embedded mode (= direct filesystem-level access) altogether by opening firebird.conf and locating the Providers entry.The default (which is probably commented out) is:

#Providers = Remote,Engine13,Loopback

Now, either remove the hash mark and the Engine13 provider (this is the one that makes the embedded connections), or — better — add an uncommented line:

Providers = Remote,Loopback

The Remote provider takes care of remote connections;the Loopback provider is responsible for TCP/IP connections via localhost, as well as (on Windows) and XNET connections to databases on the local machine.All these connection types require full authentication and have the server process, not the user process, open the database file.

Please notice that you can also set the Providers parameter on a per-database basis.You can set a default in firebird.conf as shown above, and then override it for individual databases in databases.conf like this:

bigbase = C:\Databases\Accounting\Biggus.fdb
{
  Providers = Engine13,Loopback
}

The first line defines the alias (see next item), and everything between the curly brackets are parameters for that specific database.You’ll find databases.conf in the same directory as firebird.conf.Refer to the Release Notes, chapter Configuration Additions and Changes, section Per-database Configuration, for more information about the various parameters.

Use database aliases

Database aliases hide physical database locations from the client.Using aliases, a client can — for example — connect to “frodo:zappa” without having to know that the real location is frodo:/var/firebird/music/underground/mothers_of_invention.fdb.Aliases also allow you to relocate databases while the clients keep using their existing connection strings.

Aliases are listed in the file databases.conf, in this format on Windows machines:

poker = E:\Games\Data\PokerBase.fdb
blackjack.fdb = C:\Firebird\Databases\cardgames\blkjk_2.fdb

And on Linux:

books = /home/bookworm/database/books.fdb
zappa = /var/firebird/music/underground/mothers_of_invention.fdb

Giving the alias an .fdb (or any other) extension is fully optional.Of course if you do include it, you must also specify it when you use the alias to connect to the database.

Aliases, once entered and saved, take effect immediately.There is no need to restart the server.

Restrict database access

The DatabaseAccess parameter in firebird.conf can be set to Restrict to limit access to explicitly listed filesystem trees, or even to None to allow access to aliased databases only.Default is Full, i.e. no restrictions.

Note that this is not the same thing as the filesystem-level access protection discussed earlier: when DatabaseAccess is anything other than Full, the server will refuse to open any databases outside the defined scope even if it has sufficient rights on the database files.

Choose your authentication method(s)

Firebird supports three authentication methods when connecting to databases:

  1. Srp (Secure Remote Password): The user must identify themselves with a Firebird username and password, which the server checks against the security database.The maximum effective password length is around 20 bytes, although you may specify longer passwords up to 255 characters.Wire encryption is used.The server supports various Srp authentication plugins, with Srp256 as the default (which uses SHA256 for the user proof).

  2. Win_Sspi (Windows Security Support Provider Interface): The user is logged in automatically with their Windows account name.Wire encryption is used.

  3. Legacy_Auth: Insecure method used in previous Firebird versions.Passwords have a maximum length of 8 bytes and are sent unencrypted across the wire.Avoid this method if possible.Wire encryption is not supported.

Two configuration parameters control Firebird’s authentication behaviour:

  • AuthServer determines how a user can connect to the local server.It defaults to “Srp256”, or — on Windows — “Srp256, Win_Sspi”.In the latter case, the user will be authenticated with their Windows login if they fail to supply user credentials (causing the Srp256 method, which is tried first, to fail).

  • AuthClient defines how the local client tries to authenticate the user when making a connection.It is usually “Srp256, Srp, Win_Sspi, Legacy_Auth”, allowing the user to connect to pre-Firebird-3 servers on remote machines.

If Legacy_Auth is allowed on the server side, you must also set the WireCrypt parameter to Enabled or Disabled, but not Required.

If Legacy_Auth is enabled, you will also want to change the UserManager setting to Srp, Legacy_UserManager (or Legacy_UserManager, Srp if you want to manage legacy accounts by default and/or through gsec).In user management statements, you can use the USING PLUGIN name clause to specify the user manager to use (only user managers listed in UserManager are allowed).

The AuthServer, AuthClient, WireCrypt and UserManager parameters are all set in firebird.conf en can be overridden per database in databases.conf.

Please notice: enabling Win_Sspi on the server activates the plugin, but doesn’t grant Windows accounts any type of access to databases yet.Logging in to, say, the employee database without credentials (and making sure no embedded connection is made) will result in this error message:

SQL> connect xnet://employee;
Statement failed, SQLSTATE = 28000
Missing security context for employee

In other words: “We know who you are (because the Win_Sspi plugin identified you), but you can’tcome in.”

The solution is to create, as SYSDBA or a co-admin, a global mapping that gives any Windows account access to databases — but no special privileges — under the same name.This is done with the following command:

create global mapping trusted_auth
using plugin win_sspi
from any user to user

Trusted_auth is just a chosen name for the mapping.You may use another identifier.From any user means that the mapping is valid for any user authenticated by the Win_Sspi plugin.To user indicates that every user will be made known under their own Windows account name in each database they connect to.If instead we had specified to user bob, then every Windows user authenticated by the Win_Sspi plugin would be bob in every database.

With the mapping in effect, the “Windows trusted” connection succeeds:

SQL> connect xnet://employee;
Database: xnet://employee, User: SOFA\PAUL
SQL> select current_user from rdb$database;

USER
===============================
SOFA\PAUL
Note

With embedded connections, i.e. serverless connections handled by Engine13, where the client process directly opens the database file, the user is also logged in under their Windows account name if they don’t provide a username when connecting.However, this doesn’t require Win_Sspi to be enabled, nor does it need any explicit mapping:

SQL> connect employee;
Database: employee, User: PAUL
SQL> select current_user from rdb$database;

USER
===============================
PAUL
Consider whether Windows administrators should have SYSDBA rights

In Firebird 2.1, if the (now defunct) configuration parameter Authentication was trusted or mixed, Windows administrators would automatically receive SYSDBA privileges in all databases, including the security database.In Firebird 2.5 and later, this is no longer the case.This reduces the risk that administrators with little or no Firebird knowledge mess up databases or user accounts.

If you still want to apply the automatic SYSDBA mapping as it was in Firebird 2.1, login as SYSDBA and give the command:

create global mapping win_admin_sysdba
using plugin win_sspi
from predefined_group domain_any_rid_admins
to user sysdba

This grants all Windows administrators automatic SYSDBA rights in every database (including the security database, so they can manage user accounts), provided that they are authenticated by the Win_Sspi plugin.To achieve this, they must connect

  • without supplying any user credentials, and

  • making sure that the Engine13 provider doesn’t kick in.This is easily achieved with a connection string like xnet://local-path-or-alias.

To give just one administrator — or indeed any user — full SYSDBA power, use this command:

create global mapping frank_sysdba
using plugin win_sspi
from user "sofa\frank"
to user sysdba

The double quotes are necessary because of the backslash in the username.(Specifying just frank will be accepted by Firebird, but won’t result in a working mapping on most, if not all, Windows systems.)

You can drop any mapping with the command:

DROP [GLOBAL] MAPPING mapping_name

E.g.:

drop global mapping win_admin_sysdba;
drop global mapping frank_sysdba;

The GLOBAL keyword is necessary if it concerns a global mapping, and you’re not directly connected to the security database where the mapping is registered.

Administration tools

The Firebird kit does not come with a GUI admin tool.It does have a set of command-line tools — executable programs which are located in the bin subdirectory of your Firebird installation (on Windows, they are in the installation directory itself).One of them, isql, has already been introduced to you.

The range of excellent GUI tools available for use with a Windows client machine is too numerous to describe here.At least one of them, FlameRobin, is also available for Linux.

Explore the following sites for more options:

Note

Remember: you can use a Windows client to access a Linux server and vice-versa.

Working with databases

In this part of the manual you will learn:

  • how to connect to an existing database,

  • how to create a database,

  • and some things you should know about Firebird SQL.

In as much as remote connections are involved, we will use the TCP/IP protocol.

Connection strings

If you want to connect to a database or create one you have to supply, amongst other things, a connection string to the client application (or, if you are a programmer, to the routines you are calling).A connection string uniquely identifies the location of the database on your computer, local network, or even the Internet.

Local connection strings

An explicit local connection string consists of the path + filename specification in the native format of the filesystem used on the server machine, for example

  • on a Linux or other Unix-like server:

    /opt/firebird/examples/empbuild/employee.fdb

  • on a Windows server:

    C:\Biology\Data\Primates\Apes\populations.fdb

Many clients also allow relative path strings (e.g. “..\examples\empbuild\employee.fdb”), but you should use these with caution, as it’s not always obvious how they will be expanded.Getting an error message is annoying enough, but applying changes to another database than you thought you were connected to may be disastrous.

Instead of a file path, the local connection string may also be a database alias that is defined in databases.conf, as mentioned earlier.The format of the alias depends only on how it’s defined in the configuration file, not on the server filesystem.Examples are:

  • zappa

  • blackjack.fdb

  • poker

Upon receiving a local connection string, the Firebird client will first attempt to make a direct, embedded connection to the database file, bypassing authentication but respecting the SQL privileges and restrictions of the supplied user and/or role name.That is, if the Engine13 provider is enabled in firebird.conf or databases.conf — which it is by default.If the database file exists, but the connection fails because the client process doesn’t have the required access privileges to the file, a client-server connection is attempted (by the Loopback provider), in this order:

  1. On Windows: using XNET (shared memory) on the local machine;

  2. Using TCP/IP via localhost.

You can force Firebird to use a certain protocol (and skip the embedded connection attempt) by prepending the protocol in URL style:

  • inet://zappa (TCP/IP connection using an alias on the local machine)

  • inet:///opt/firebird/examples/citylife.fdb (TCP/IP connection using an absolute path on the local POSIX machine — notice the extra slash for the root dir)

  • inet://C:\Work\Databases\Drills.fdb (TCP/IP connection using an absolute path on the local Windows machine)

  • xnet://security.db (XNET connection using an alias on the local Windows machine)

  • xnet://C:\Programmas\Firebird\Firebird_3_0\security3.fdb (XNET connection using the full path on the local Windows machine)

Tip

If your XNET connections fail, it may be because the local protocol isn’t working properly on your machine.If you’re running Windows with terminal services enabled, this can often be fixed by setting IpcName to Global\FIREBIRD in the configuration file firebird.conf (don’t forget to uncomment the parameter and restart the server).

If setting IpcName doesn’t help, and you can’t get the local protocol enabled, you can usually work around the problem by using inet://, or putting “localhost:” before your database paths or aliases, thus turning them into TCP/IP connection strings (discussed below).

TCP/IP connection strings

Firebird has two forms of TCP/IP connection strings:

  1. {inet|inet4|inet6}://[<host>[:<port>]/]<path-or-alias>

  2. <host>[/port]:<path-or-alias>

With:

<host>

a server name or IP address (for IPv6 addresses, enclose them in [ and ])

<port>

port number or service name

<path-or-alias>

either the absolute path + filename on the server machine, or an alias defined on the server machine

Examples:

  • On Linux/Unix:

    pongo:/opt/firebird/examples/empbuild/employee.fdb
inet://pongo//opt/firebird/examples/empbuild/employee.fdb
bongo/3052:fury
inet://bongo:3052/fury
112.179.0.1:/var/Firebird/databases/butterflies.fdb
inet://112.179.0.1//var/Firebird/databases/butterflies.fdb
localhost:blackjack.fdb
inet://localhost/blackjack.fdb

  • On Windows:

    siamang:C:\Biology\Data\Primates\Apes\populations.fdb
inet://siamang/C:\Biology\Data\Primates\Apes\populations.fdb
sofa:D:\Misc\Friends\Rich\Lenders.fdb
inet://sofa/D:\Misc\Friends\Rich\Lenders.fdb
inca/fb_db:D:\Traffic\Roads.fdb
inet://inca:fb_db/D:\Traffic\Roads.fdb
127.0.0.1:Borrowers
inet://127.0.0.1/Borrowers

Notice how the aliased connection strings don’t give any clue about the server OS.And they don’t have to, either: you talk to a Linux Firebird server just like you talk to a Windows Firebird server.In fact, specifying an explicit database path is one of the rare occasions where you have to be aware of the difference.

XNET connection strings

The syntax for XNET URLs is:

xnet://<path-or-alias>

Since XNET is a purely local protocol, you can’t include a hostname or port.

NetBEUI connection strings

Support for NetBEUI (named pipes, a.k.a. WNET) connections was removed in Firebird 5.

Third-party programs

Please be aware that some third-party client programs may have different requirements for the composition of connection strings.Refer to their documentation or online help to find out.

Connecting to an existing database

A sample database named employee.fdb is located in the examples/empbuild subdirectory of your Firebird installation.It is also reachable under its alias employee.You can use this database to “try your wings”.

If you move or copy the sample database, be sure to place it on a hard disk that is physically attached to your server machine.Shares, mapped drives or (on Unix) mounted SMB (Samba) file systems will not work.The same rule applies to any databases that you create or use.

Connecting to a Firebird database requires — implicit or explicit — authentication.To work with objects inside the database, such as tables, views and functions, you (i.e. the Firebird user you’re logged in as) need explicit permissions on those objects, unless you own them (you own an object if you have created it) or if you’re connected as user SYSDBA or with the role RDB$ADMIN.In the example database employee.fdb, sufficient permissions have been granted to PUBLIC (i.e. any authenticated user) to enable you to view and modify data to your heart’s content.

For simplicity here, we will look at authenticating as SYSDBA using the password masterkey.Also, to keep the lines in the examples from running off the right edge, we will work with local databases and use aliases wherever possible.Of course, everything you’ll learn in these sections can also be applied to remote databases, simply by supplying a TCP/IP connection string.

Connecting with isql

Firebird ships with a text-mode client named isql (Interactive SQL utility).You can use it in several ways to connect to a database.One of them, shown below, is to start it in interactive mode.Go to the directory where the Firebird tools reside (see [qsg5-disk-locations] if necessary) and type isql (Windows) or ./isql (Linux) at the command prompt.

Note

In the following examples, [chevron circle left] means “hit kbd:[Enter]”

 

C:\Programmas\Firebird\Firebird_3_0>isql[chevron circle left]
Use CONNECT or CREATE DATABASE to specify a database
SQL>connect xnet://employee user sysdba password masterkey;[chevron circle left]
Important

  • In isql, every SQL statement must end with a semicolon.If you hit kbd:[Enter] and the line doesn’t end with a semicolon, isql assumes that the statement continues on the next line and the prompt will change from SQL> to CON>.This enables you to split long statements over multiple lines.If you hit kbd:[Enter] after your statement, and you’ve forgotten the semicolon, just type it after the CON> prompt on the next line and press kbd:[Enter] again.

  • If the connection string doesn’t start with a host or protocol name, a direct serverless connection to the database is attempted.This may fail if your OS login doesn’t have sufficient access rights to the database file.In that case, connect to localhost:path-or-alias or specify a protocol like xnet:// (Windows only) or inet://.Then the server process (usually running as user firebird on POSIX or LocalSystem on Windows) will open the file.On the other hand, network-style connections may fail if a user created the database in direct-access mode and the server doesn’t have enough access rights.
Note

You can optionally enclose the path, the username and/or the password in single (') or double (") quotes.If the path contains spaces, quoting is mandatory.Case-sensitive usernames (created like this: create user "Jantje" password …​) and usernames with spaces, international characters or other "`funny stuff`" also need to be double-quoted.

At this point, isql will inform you that you are connected:

Database: xnet://employee, User: SYSDBA
SQL>

You can now continue to play about with the employee database.With isql you can query data, get information about the metadata, create database objects, run data definition scripts and much more.

To get back to the OS command prompt, type:

SQL>quit;[chevron circle left]

You can also type EXIT instead of QUIT, the difference being that EXIT will first commit any open transactions, making your modifications permanent.

Connecting with a GUI client

Some GUI client tools take charge of composing the CONNECT string for you, using server, path (or alias), username and password information that you type into prompting fields.Supply the various elements as described in the preceding topic.

Note

  • It is also quite common for such tools to expect the entire server + path/alias as a single connection string — just like isql does.

  • Remember that file names and commands on Linux and other Unix-like platforms are case-sensitive.

Creating a database using isql

There is more than one way to create a database with isql.Here, we will look at one simple way to create a database interactively — although, for your serious database definition work, you should create and maintain your metadata objects using data definition scripts.

Starting isql

To create a database interactively using the isql command shell, type isql (Windows) or ./isql (Linux) at the command prompt in the directory where the Firebird tools are.

Note

In the following examples, [chevron circle left] means “hit kbd:[Enter]”

 
C:\Programmas\Firebird\Firebird_3_0>isql[chevron circle left]
Use CONNECT or CREATE DATABASE to specify a database

The CREATE DATABASE statement

Now you can create your new database interactively.Let’s suppose that you want to create a database named test.fdb and store it in a directory named data on your D drive:

SQL>create database 'D:\data\test.fdb' page_size 8192[chevron circle left]
CON>user 'sysdba' password 'masterkey';[chevron circle left]
Important

  • In the CREATE DATABASE statement it is mandatory to place quote characters (single or double) around path and password.This is different from the CONNECT statement.Quoting the username is optional, unless it is case-sensitive or contains spaces, international characters or any other character that is not allowed in a regular (unquoted) identifier.

  • If the connection string doesn’t start with a host or protocol name, creation of the database file is attempted with your OS login as the owner.This may or may not be what you want (think of access rights if you want others to be able to connect).If you prepend localhost: or a protocol to the path or alias, the server process will create and own the file.

The database will be created and, after a few moments, the SQL prompt will reappear.You are now connected to the new database and can proceed to create some test objects in it.

To verify that there really is a database there, let’s first type in this query:

SQL>select * from rdb$relations;[chevron circle left]

Although you haven’t created any tables yet, the screen will fill up with a large amount of data!This query selects all rows in the system table RDB$RELATIONS, where Firebird stores the metadata for tables.An “empty” database is not really empty: it contains a number of system tables and other objects.The system tables will grow as you add more user objects to your database.

To get back to the command prompt type QUIT or EXIT, as explained in the section on connecting.

Creating a database as a non-privileged user

In Firebird 5, if you try to create a database other than in embedded mode as someone who is not a Firebird admin (i.e. SYSDBA or an account with equal rights), you may be in for a surprise:

SQL>create database 'xnet://D:\data\mydb.fdb' user 'john' password 'lennon';[chevron circle left]
Statement failed, SQLSTATE = 28000
no permission for CREATE access to DATABASE D:\DATA\MYDB.FDB

Non-admin users must explicitly be granted the right to create databases by a Firebird admin:

SQL>grant create database to user john;[chevron circle left]

After that, they can create databases.

Notice that with a serverless connection, i.e. without specifying a host name or protocol before the database name (and Engine13 enabled!), Firebird won’t deny any CREATE DATABASE statement.It will only fail if the client process doesn’t have sufficient rights in the directory where the database is to be created.

Firebird SQL

Every database management system has its own idiosyncrasies in the ways it implements SQL.Firebird adheres to the SQL standard more rigorously than most other RDBMSes.Developers migrating from products that are less standards-compliant often wrongly suppose that Firebird is quirky, whereas many of its apparent quirks are not quirky at all.

Division of an integer by an integer

Firebird accords with the SQL standard by truncating the result (quotient) of an integer/integer calculation to the next lower integer.This can have bizarre results unless you are aware of it.

For example, this calculation is correct in SQL:

1 / 3 = 0

If you are upgrading from an RDBMS which resolves integer/integer division to a float quotient, you will need to alter any affected expressions to use a float or scaled numeric type for either dividend, divisor, or both.

For example, the calculation above could be modified thus to produce a non-zero result:

1.000 / 3 = 0.333

Things to know about strings

String delimiter symbol

Strings in Firebird are delimited by a pair of single quote (apostrophe) symbols: 'I am a string' (ASCII code 39, not 96).If you used earlier versions of Firebird’s relative, InterBase®, you might recall that double and single quotes were interchangeable as string delimiters.Double quotes cannot be used as string delimiters in Firebird SQL statements.

Apostrophes in strings

If you need to use an apostrophe inside a Firebird string, you can “escape” the apostrophe character by preceding it with another apostrophe.

For example, this string will give an error:

'Joe's Emporium'

because the parser encounters the apostrophe and interprets the string as 'Joe' followed by some unknown keywords.To make it a legal string, double the apostrophe character:

'Joe''s Emporium'

Notice that this is two single quotes, not one double-quote.

You can also use the alternative quote string literal, allowing you to embed the quote without escaping:

q'{Joe's Emporium}'
Concatenation of strings

The concatenation symbol in SQL is two “pipe” symbols (“||”, or a pair of ASCII 124 without space between).In SQL, the “+” symbol is an arithmetic operator, and it will cause an error if you attempt to use it for concatenating strings.The following expression prefixes a character column value with the string “Reported by:”:

'Reported by: ' || LastName

Firebird will raise an error if the result of a string concatenation exceeds the maximum (var)char size of 32 Kb.If only the potential result — based on variable or field size — is too long you’ll get a warning, but the operation will be completed successfully.(In pre-2.0 Firebird, this too would cause an error and halt execution.)

See also the section below, [qsg5-nulls], about concatenating in expressions involving NULL.

Double-quoted identifiers

Before the SQL-92 standard, it was not legal to have object names (identifiers) in a database that duplicated keywords in the language, were case-sensitive or contained spaces or special characters[1].SQL-92 introduced a new syntax to make any of them legal, provided that the identifiers are defined within pairs of double-quote symbols (ASCII 34) and were always referred to using double-quote delimiters (so called quoted or delimited identifiers).

The purpose of this “gift” was to make it easier to migrate metadata from non-standard RDBMSes to standards-compliant ones.The downside is that, if you choose to define an identifier in double quotes, its case-sensitivity and the enforced double-quoting will remain mandatory.

Firebird does permit a slight relaxation under a very limited set of conditions.If the identifier which was defined in double-quotes:

  1. is defined as all upper-case,

  2. is not a keyword, and

  3. conforms to the other rules of regular identifiers[1],

...then it can be used in SQL unquoted and case-insensitively.(But as soon as you put double-quotes around it, you must match the case again!)

Warning

Don’t get too smart with this!For instance, if you have tables “TESTTABLE” and “TestTable”, both defined within double-quotes, and you issue the command:

SQL>select * from TestTable;

...you will get the records from “TESTTABLE”, not “TestTable”!

Unless you have a compelling reason to define quoted identifiers, it is recommended that you avoid them.Firebird happily accepts a mix of quoted and unquoted identifiers — so there is no problem including that keyword which you inherited from a legacy database, if you need to.

Tip

Some database admin tools enforce double-quoting of all identifiers by default.Try to choose a tool which makes double-quoting optional.
1. Only a-z, A-Z, 0-9 and _ are allowed in regular identifiers, Firebird also allows $, and the first character must be a-z or A-Z

Expressions involving NULL

In SQL, NULL is not a value.It is a condition, or state, of a data item, in which its value is unknown.Because it is unknown, NULL cannot behave like a value.When you try to perform arithmetic on NULL, or involve it with values in other expressions, the result of the operation will almost always be NULL.It is not zero or blank or an “empty string”, and it does not behave like any of these values.

Below are some examples of the types of surprises you will get if you try to perform calculations and comparisons with NULL.

The following expressions all return NULL:

  • 1 + 2 + 3 + NULL

  • not (NULL)

  • 'Home ' || 'sweet ' || NULL

You might have expected 6 from the first expression and “Home sweet” from the third, but as we just said, NULL is not like the number 0 or an empty string — it’s far more destructive!

The following expression:

FirstName || ' ' || LastName

will return NULL if either FirstName or LastName is NULL.Otherwise, it will nicely concatenate the two names with a space in between — even if any one of the variables is an empty string.

Tip

Think of NULL as UNKNOWN and these strange results suddenly start to make sense!If the value of Number is unknown, the outcome of ‘1 + 2 + 3 + Number’ is also unknown (and therefore NULL).If the content of MyString is unknown, then so is ‘MyString || YourString’ (even if YourString is non-NULL).Et cetera.

Now let’s examine some PSQL (Procedural SQL) examples with if-constructs:

  • Equals (‘=’)

    if (a = b) then
  MyVariable = 'Equal';
else
  MyVariable = 'Not equal';

    After executing this code, MyVariable will be 'Not equal' if both a and b are NULL.The reason is that a = b yields NULL if at least one of them is NULL.If the test expression of an “if” statement is NULL, it behaves like false: the ‘then’ block is skipped, and the ‘else’ block executed.

    Warning

    Although the expression may behave like false in this case, it’s still NULL.If you try to invert it using not(), what you get is another NULL — not “true”.

  • Not equals (‘<>’)

    if (a <> b) then
  MyVariable = 'Not equal';
else
  MyVariable = 'Equal';

    Here, MyVariable will be 'Equal' if a is NULL and b isn’t, or vice versa.The explanation is analogous to that of the previous example.

The DISTINCT keyword comes to the rescue!

Firebird 2 and above implement IS [NOT] DISTINCT allowing you to perform (in)equality tests that take NULL into account.The semantics are as follows:

  • Two expressions are DISTINCT if they have different values or if one is NULL and the other isn’t;

  • They are NOT DISTINCT if they have the same value or if they are both NULL.

Notice that if neither operand is NULL, IS DISTINCT works exactly like the “<>” operator, and IS NOT DISTINCT like the “=” operator.

IS DISTINCT and IS NOT DISTINCT always return true or false, never NULL.

Using DISTINCT, you can rewrite the first PSQL example as follows:

if (a is not distinct from b) then
  MyVariable = 'Equal';
else
  MyVariable = 'Not equal';

And the second as:

if (a is distinct from b) then
  MyVariable = 'Not equal';
else
  MyVariable = 'Equal';

These versions will give you the results that a normal (i.e. not SQL-brainwashed) human being would expect, whether there are NULLs involved or not.

More about NULLs

A lot more information about NULL behaviour can be found in the Firebird Null Guide, at these locations:

https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/nullguide/firebird-null-guide.html (HTML)
https://www.firebirdsql.org/file/documentation/pdf/en/firebirddocs/nullguide/firebird-null-guide.pdf (PDF)

Protecting your data

Backup

Firebird comes with two utilities for backing up and restoring your databases: gbak and nbackup.Both can be found in the Firebird installation directory (Windows) or its bin subdirectory (Linux).Firebird databases can be backed up while users are connected to the system and going about their normal work.The backup will be taken from a snapshot of the database at the time the backup began.

Regular backups and occasional restores should be a scheduled part of your database management activity.

Warning

Except in nbackup’s lock mode, do not use external proprietary backup utilities or file-copying tools such as WinZip, tar, copy, xcopy, etc., on a database which is running.Not only will the backup be unreliable, but the disk-level blocking used by these tools can corrupt a running database.
Important

Study the warnings in the next section about database activity during restores!

More information about gbak can be found here (HTML and PDF version, same content):

https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gbak/firebird-gbak.html
https://www.firebirdsql.org/file/documentation/pdf/en/firebirddocs/gbak/firebird-gbak.pdf

The nbackup manual is here (again same content in HTML and PDF):

https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/nbackup/firebird-nbackup.html
https://www.firebirdsql.org/file/documentation/pdf/en/firebirddocs/nbackup/firebird-nbackup.pdf

How to corrupt a database

The following sections constitute a summary of things not to do if you want to keep your Firebird databases in good health.

Disabling forced writes

Firebird is installed with forced writes (synchronous writes) enabled by default.Modifications are written to disk immediately upon posting.

It is possible to configure a database to use asynchronous data writes — whereby modified or new data are held in the memory cache for periodic flushing to disk by the operating system’s I/O subsystem.The common term for this configuration is forced writes off (or disabled).It is sometimes resorted to in an attempt to improve performance during large batch operations.

Disabling forced writes on Windows

The big warning here is: do not disable forced writes on a Windows server.It has been observed that the Windows server platforms do not flush the write cache until the Firebird service is shut down.Apart from power interruptions, there is just too much that can go wrong on a Windows server.If it should hang, the I/O system goes out of reach and your users' work will be lost in the process of rebooting.

Disabling forced writes on Linux

Linux servers are safer for running an operation with forced writes disabled temporarily.Still, do not leave it disabled once your large batch task is completed, unless you have a very robust fall-back power system.

Restoring a backup to a running database

One of the restore options in the gbak utility (gbak -rep[lace_database]) allows you to restore a gbak file over an existing database.It is possible for this style of restore to proceed without warning while users are logged in to the database.Database corruption is almost certain to be the result.

Note

Notice that the shortest form of this command is gbak -rep, not gbak -r as it used to be in older Firebird versions.What happened to gbak -r?It is now short for gbak -recreate_database, which functions the same as gbak -c[reate] and throws an error if the specified database already exists.You can force overwriting of the existing database by adding the o[verwrite] flag though.This flag is only supported with gbak -r, not with gbak -c.

These changes have been made because many users thought that the -r switch meant restore instead of replace — and only found out otherwise when it was too late.
Warning

Be aware that you will need to design your admin tools and procedures to prevent any possibility for any user (including SYSDBA) to restore to your active database if any users are logged in.

If is practicable to do so, it is recommended to restore to spare disk space using the gbak -c option and test the restored database using isql or your preferred admin tool.If the restored database is good, shut down the old database (you can use the gfix command-line tool for this;see Firebird Database Housekeeping Utility (HTML) or Firebird Database Housekeeping Utility (PDF)).Make a filesystem copy of the old database just in case and then copy the restored database file(s) over their existing counterparts.

Allowing users to log in during a restore

If you do not block access to users while performing a restore using gbak -rep then users may be able to log in and attempt to do operations on data.Corrupted structures will result.

How to get help

The community of willing helpers around Firebird goes a long way back, to many years before the source code for its ancestor, InterBase® 6, was made open source.Collectively, the Firebird community does have all the answers!It even includes some people who have been involved with it since it was a design on a drawing board in a bathroom in Boston.

How to give help

Firebird exists, and continues to be improved, thanks to a community of volunteers who donate their time and skills to bring you this wonderful piece of software.But volunteer work alone is not enough to keep an enterprise-level RDBMS such as Firebird up-to-date.The Firebird Foundation supports Firebird development financially by issuing grants to designers and developers.If Firebird is useful to you, and you’d like to give something back, please visit the Foundation’s pages and consider making a donation or becoming a member or sponsor.