User management
Since Firebird 3, user management is done entirely through SQL commands.Users of previous versions are probably familiar with the gsec
utility for this task.It is still present, but deprecated, and it won’t be discussed here.
Server configuration and management
Since Firebird 3, user management is done entirely through SQL commands.Users of previous versions are probably familiar with the gsec
utility for this task.It is still present, but deprecated, and it won’t be discussed here.
SYSDBA
passwordOne Firebird account is created automatically as part of the installation process: SYSDBA
.This account has all the privileges on the server and cannot be deleted.Depending on version, OS, and architecture, the installation program will either
install the SYSDBA
user with the password masterkey
, or
ask you to enter a password during installation, or
generate a random password and store that in the file SYSDBA.password
within your Firebird installation directory.
If the password is masterkey
and your server is exposed to the Internet at all — or even to a local network, unless you trust every user with the SYSDBA
password — you should change it immediately.Fire up isql
or another Firebird client and connect to a database.In this example, the “employee” example database is used, because its alias is always present in a freshly installed Firebird setup:
connect localhost:employee user sysdba password masterkey;
If you do this in isql
, it should respond with:
Database: localhost:employee, User: SYSDBA
Now alter the sysdba password:
alter user sysdba set password 'Zis4_viZuna83YoYo';
Tip
|
Instead of |
If the command succeeds, you won’t get any feedback.Instead, isql
will just print the next “SQL>
”-prompt, thus indicating that all is well and your further input is awaited.
Please notice that unlike “regular” usernames, Firebird passwords are always case-sensitive.
Warning
|
Depending on the If you have enabled legacy authentication, you may want to delete the legacy |
Firebird allows the creation of many different user accounts.Each of them can own databases and also have various types of access to databases and database objects it doesn’t own.
Assuming you are connected to a database as SYSDBA
, you can add a user account as follows:
create user billyboy password 'TooLongFor8099Comfort';
The full range of user management commands is:
CREATE USER username <user_option> [<user_option> ...] [TAGS (<user_var> [, <user_var> ...]] [CREATE OR] ALTER {USER username | CURRENT USER} [SET] [<user_option> [<user_option> ...]] [TAGS (<user_var> [, <user_var> ...]] DROP USER username) [USING PLUGIN _plugin_name] <user_option> ::= PASSWORD 'password' | FIRSTNAME 'firstname' | MIDDLENAME 'middlename' | LASTNAME 'lastname' | {GRANT | REVOKE} ADMIN ROLE | {ACTIVE | INACTIVE} | USING PLUGIN plugin_name <user_var> ::= tag_name = 'tag_value' | DROP tag_name
Tags are optional key-value pairs that can be freely defined by the user.The key (tag name) must be a valid SQL identifier, the value a non-NULL
string of at most 255 bytes.
Only SYSDBA
and co-admins can use all these commands.Ordinary users can change their own parameters (such as password, name parts and tags, but not active/inactive) using ALTER USER name
or ALTER CURRENT USER
.It is not possible to change an account name.
Examples:
create user dubya password 'Xwha007_noma'
firstname 'GW' lastname 'Shrubbery';
create user lorna password 'Mayday_domaka'
tags (Street = 'Main Street', Number = '888');
alter user benny tags (shoesize = '8', hair = 'blond', drop weight);
alter current user set password 'SomethingEvenMoreSecretThanThis';
alter user dubya set inactive;
drop user ted;
For details on managing users through SQL, also see the Firebird 5.0 Language Reference, section SQL Statements for User Management.
Firebird user accounts are kept in a security database, which normally resides in the installation directory and is called security5.fdb
(alias: security.db
).Except in the case of so-called embedded connections (more about those later in this guide), connecting to a database always involves the security database, against which the user credentials are verified.Of course this is done transparently;the user doesn’t have to make an explicit connection to the security database.
However, in Firebird 5 this is not the end of the story.Firebird — since Firebird 3 — allows the use of multiple security databases on a system, each security database governing a specific set of databases.A database can even act as its own security database.
Showing how to set this up is outside the scope of this Quick Start Guide.You can find full details in the Firebird 3.0 Release Notes, chapter Security.But it is important to realise that if a system has multiple security databases, managing user accounts while connected to a database will always affect the accounts in the security database that governs that specific database.To be on the safe side, you may want to connect to the security database itself before issuing your user management commands.Connecting to the security database used to be forbidden in recent versions of Firebird, but is now once again possible, albeit by default only locally using embedded or — on Windows — XNET (which means that even the localhost
route is blocked).
Tip
|
What follows here is not essential knowledge for beginners.You can skip it if you like and go on to the [qsg5-config-security] section. |
In Firebird 2.5 and up, SYSDBA
(and others with administrator rights) can appoint co-administrators.This is done with the GRANT ADMIN ROLE
directive:
create user bigbill password 'bigsekrit7foryou' grant admin role;
alter user littlejohn grant admin role;
The first command creates user bigbill
as a Firebird administrator, who can add, alter and drop users.The second command grants administrator privileges to the existing user littlejohn
.
To revoke administrator privileges from an account, use ALTER USER … REVOKE ADMIN ROLE
.
Note
|
|
SYSDBA
Co-admins can create, alter and drop users, but contrary to SYSDBA
they have no automatic privileges in regular databases.
Unlike SYSDBA
, co-admins must specify the RDB$ADMIN
role explicitly if they want to exert their rights as system administrator:
connect security.db user bigbill password bigsekrit7foryou role rdb$admin
For reasons explained elsewhere in this guide, connecting to the security database like this may fail if a Superserver is running.On Windows, you may circumvent this by prepending xnet://
to the database path or alias, but on POSIX, you’re stuck.The only solution there is to connect to a regular database through the server, for example using localhost:employee
.(This must be a database that uses the security database in question.)
Since Firebird 4.0, a co-admin no longer needs to have the RDB$ADMIN
privileges in the regular database to be able to execute user management statements against the security database, their privileges in the security database are sufficient.
Note
|
Please remember
The
Of course, it is possible to grant a user the |
To grant a user admin rights in a regular database you can use the usual way that roles are granted:
grant rdb$admin to bigbill
Grantors can be the database owner, SYSDBA
, and every other user who has the RDB$ADMIN
role in that database and has specified it while connecting.Every RDB$ADMIN
member in a database can pass the role on to others, so again there is no WITH ADMINOPTION
.
Firebird 5 offers a number of security options, designed to make unauthorised access as difficult as possible.
It pays to familiarise yourself with Firebird’s security-related configuration parameters.You can significantly enhance your system’s security if you raise the protection level wherever possible.This is not only a matter of setting parameters, by the way: other measures involve tuning filesystem access permissions, an intelligent user accounts policy, etc.
Below are some guidelines for protecting your Firebird server and databases.
On Unix-like systems, Firebird already runs as user firebird
by default, not as root
.On Windows server platforms, you can also run the Firebird service under a designated user account (e.g. Firebird
).The default practice — running the service as the LocalSystem
user — poses a security risk if your system is connected to the Internet.Consult README.instsvc.txt
in the doc
directory to learn more about this.
SYSDBA
's passwordAs discussed before, if your Firebird server is reachable from the network and the system password is masterkey
, change it.
SYSDBA
is a very powerful account, with full (destructive) access rights to all your Firebird databases.Its password should be known to a few trusted database administrators only.Therefore, you shouldn’t use this super-account to create and populate regular databases.Instead, generate normal user accounts and grant them the CREATE DATABASE
privilege, and provide their account names and passwords to your users as needed.You can do this with the SQL user management commands as shown above, or with any decent third-party Firebird administration tool.
Anybody who has filesystem-level read access to a database file can copy it, install it on a system under their own control, and extract all data from it — including possibly sensitive information.Anybody who has filesystem-level write access to a database file can corrupt it or totally destroy it.
Also, anybody with filesystem-level access to a database can make an embedded connection to it posing as any Firebird user (including SYSDBA
) without having their credentials checked.This can be especially disastrous if it concerns the security database!
As a rule, only the Firebird server process should have access to the database files.Users don’t need, and should not have, access to the files — not even read-only.They query databases via the server, and the server makes sure that users only get the allowed type of access (if at all) to any objects within the database.
As a relaxation of this rule, most Firebird configurations allow users to create and use databases in their own filesystem space and make embedded connections to them.Since these are their files and their data, one may argue that unrestricted and possibly destructive access should be their own concern, not yours.
If you don’t want or need this relaxation, follow the instructions in the next item.
If you don’t want any type of direct access, you may disable embedded mode (= direct filesystem-level access) altogether by opening firebird.conf
and locating the Providers
entry.The default (which is probably commented out) is:
#Providers = Remote,Engine13,Loopback
Now, either remove the hash mark and the Engine13
provider (this is the one that makes the embedded connections), or — better — add an uncommented line:
Providers = Remote,Loopback
The Remote
provider takes care of remote connections;the Loopback
provider is responsible for TCP/IP connections via localhost
, as well as (on Windows) and XNET connections to databases on the local machine.All these connection types require full authentication and have the server process, not the user process, open the database file.
Please notice that you can also set the Providers
parameter on a per-database basis.You can set a default in firebird.conf
as shown above, and then override it for individual databases in databases.conf
like this:
bigbase = C:\Databases\Accounting\Biggus.fdb
{
Providers = Engine13,Loopback
}
The first line defines the alias (see next item), and everything between the curly brackets are parameters for that specific database.You’ll find databases.conf
in the same directory as firebird.conf
.Refer to the Release Notes, chapter Configuration Additions and Changes, section Per-database Configuration, for more information about the various parameters.
Database aliases hide physical database locations from the client.Using aliases, a client can — for example — connect to “frodo:zappa
” without having to know that the real location is frodo:/var/firebird/music/underground/mothers_of_invention.fdb
.Aliases also allow you to relocate databases while the clients keep using their existing connection strings.
Aliases are listed in the file databases.conf
, in this format on Windows machines:
poker = E:\Games\Data\PokerBase.fdb
blackjack.fdb = C:\Firebird\Databases\cardgames\blkjk_2.fdb
And on Linux:
books = /home/bookworm/database/books.fdb
zappa = /var/firebird/music/underground/mothers_of_invention.fdb
Giving the alias an .fdb
(or any other) extension is fully optional.Of course if you do include it, you must also specify it when you use the alias to connect to the database.
Aliases, once entered and saved, take effect immediately.There is no need to restart the server.
The DatabaseAccess
parameter in firebird.conf
can be set to Restrict
to limit access to explicitly listed filesystem trees, or even to None
to allow access to aliased databases only.Default is Full
, i.e. no restrictions.
Note that this is not the same thing as the filesystem-level access protection discussed earlier: when DatabaseAccess
is anything other than Full
, the server will refuse to open any databases outside the defined scope even if it has sufficient rights on the database files.
Firebird supports three authentication methods when connecting to databases:
Srp (Secure Remote Password): The user must identify themselves with a Firebird username and password, which the server checks against the security database.The maximum effective password length is around 20 bytes, although you may specify longer passwords up to 255 characters.Wire encryption is used.The server supports various Srp
authentication plugins, with Srp256
as the default (which uses SHA256 for the user proof).
Win_Sspi (Windows Security Support Provider Interface): The user is logged in automatically with their Windows account name.Wire encryption is used.
Legacy_Auth: Insecure method used in previous Firebird versions.Passwords have a maximum length of 8 bytes and are sent unencrypted across the wire.Avoid this method if possible.Wire encryption is not supported.
Two configuration parameters control Firebird’s authentication behaviour:
AuthServer
determines how a user can connect to the local server.It defaults to “Srp256
”, or — on Windows — “Srp256, Win_Sspi
”.In the latter case, the user will be authenticated with their Windows login if they fail to supply user credentials (causing the Srp256
method, which is tried first, to fail).
AuthClient
defines how the local client tries to authenticate the user when making a connection.It is usually “Srp256, Srp, Win_Sspi, Legacy_Auth
”, allowing the user to connect to pre-Firebird-3 servers on remote machines.
If Legacy_Auth
is allowed on the server side, you must also set the WireCrypt
parameter to Enabled
or Disabled
, but not Required
.
If Legacy_Auth
is enabled, you will also want to change the UserManager
setting to Srp, Legacy_UserManager
(or Legacy_UserManager, Srp
if you want to manage legacy accounts by default and/or through gsec).In user management statements, you can use the USING PLUGIN name
clause to specify the user manager to use (only user managers listed in UserManager
are allowed).
The AuthServer
, AuthClient
, WireCrypt
and UserManager
parameters are all set in firebird.conf
en can be overridden per database in databases.conf
.
Please notice: enabling Win_Sspi
on the server activates the plugin, but doesn’t grant Windows accounts any type of access to databases yet.Logging in to, say, the employee
database without credentials (and making sure no embedded connection is made) will result in this error message:
SQL> connect xnet://employee;
Statement failed, SQLSTATE = 28000
Missing security context for employee
In other words: “We know who you are (because the Win_Sspi
plugin identified you), but you can’tcome in.”
The solution is to create, as SYSDBA
or a co-admin, a global mapping that gives any Windows account access to databases — but no special privileges — under the same name.This is done with the following command:
create global mapping trusted_auth
using plugin win_sspi
from any user to user
Trusted_auth
is just a chosen name for the mapping.You may use another identifier.From any user
means that the mapping is valid for any user authenticated by the Win_Sspi
plugin.To user
indicates that every user will be made known under their own Windows account name in each database they connect to.If instead we had specified to user bob
, then every Windows user authenticated by the Win_Sspi
plugin would be bob
in every database.
With the mapping in effect, the “Windows trusted” connection succeeds:
SQL> connect xnet://employee;
Database: xnet://employee, User: SOFA\PAUL
SQL> select current_user from rdb$database;
USER
===============================
SOFA\PAUL
Note
|
With embedded connections, i.e. serverless connections handled by
|
SYSDBA
rightsIn Firebird 2.1, if the (now defunct) configuration parameter Authentication
was trusted or mixed, Windows administrators would automatically receive SYSDBA
privileges in all databases, including the security database.In Firebird 2.5 and later, this is no longer the case.This reduces the risk that administrators with little or no Firebird knowledge mess up databases or user accounts.
If you still want to apply the automatic SYSDBA
mapping as it was in Firebird 2.1, login as SYSDBA
and give the command:
create global mapping win_admin_sysdba
using plugin win_sspi
from predefined_group domain_any_rid_admins
to user sysdba
This grants all Windows administrators automatic SYSDBA
rights in every database (including the security database, so they can manage user accounts), provided that they are authenticated by the Win_Sspi
plugin.To achieve this, they must connect
without supplying any user credentials, and
making sure that the Engine13
provider doesn’t kick in.This is easily achieved with a connection string like xnet://local-path-or-alias
.
To give just one administrator — or indeed any user — full SYSDBA
power, use this command:
create global mapping frank_sysdba
using plugin win_sspi
from user "sofa\frank"
to user sysdba
The double quotes are necessary because of the backslash in the username.(Specifying just frank
will be accepted by Firebird, but won’t result in a working mapping on most, if not all, Windows systems.)
You can drop any mapping with the command:
DROP [GLOBAL] MAPPING mapping_name
E.g.:
drop global mapping win_admin_sysdba;
drop global mapping frank_sysdba;
The GLOBAL
keyword is necessary if it concerns a global mapping, and you’re not directly connected to the security database where the mapping is registered.
The Firebird kit does not come with a GUI admin tool.It does have a set of command-line tools — executable programs which are located in the bin
subdirectory of your Firebird installation (on Windows, they are in the installation directory itself).One of them, isql
, has already been introduced to you.
The range of excellent GUI tools available for use with a Windows client machine is too numerous to describe here.At least one of them, FlameRobin, is also available for Linux.
Explore the following sites for more options:
Note
|
Remember: you can use a Windows client to access a Linux server and vice-versa. |
In this part of the manual you will learn:
how to connect to an existing database,
how to create a database,
and some things you should know about Firebird SQL.
In as much as remote connections are involved, we will use the TCP/IP protocol.
If you want to connect to a database or create one you have to supply, amongst other things, a connection string to the client application (or, if you are a programmer, to the routines you are calling).A connection string uniquely identifies the location of the database on your computer, local network, or even the Internet.
An explicit local connection string consists of the path + filename specification in the native format of the filesystem used on the server machine, for example
on a Linux or other Unix-like server:
/opt/firebird/examples/empbuild/employee.fdb
on a Windows server:
C:\Biology\Data\Primates\Apes\populations.fdb
Many clients also allow relative path strings (e.g. “..\examples\empbuild\employee.fdb
”), but you should use these with caution, as it’s not always obvious how they will be expanded.Getting an error message is annoying enough, but applying changes to another database than you thought you were connected to may be disastrous.
Instead of a file path, the local connection string may also be a database alias that is defined in databases.conf
, as mentioned earlier.The format of the alias depends only on how it’s defined in the configuration file, not on the server filesystem.Examples are:
zappa
blackjack.fdb
poker
Upon receiving a local connection string, the Firebird client will first attempt to make a direct, embedded connection to the database file, bypassing authentication but respecting the SQL privileges and restrictions of the supplied user and/or role name.That is, if the Engine13
provider is enabled in firebird.conf
or databases.conf
— which it is by default.If the database file exists, but the connection fails because the client process doesn’t have the required access privileges to the file, a client-server connection is attempted (by the Loopback
provider), in this order:
On Windows: using XNET (shared memory) on the local machine;
Using TCP/IP via localhost
.
You can force Firebird to use a certain protocol (and skip the embedded connection attempt) by prepending the protocol in URL style:
inet://zappa
(TCP/IP connection using an alias on the local machine)
inet:///opt/firebird/examples/citylife.fdb
(TCP/IP connection using an absolute path on the local POSIX machine — notice the extra slash for the root dir)
inet://C:\Work\Databases\Drills.fdb
(TCP/IP connection using an absolute path on the local Windows machine)
xnet://security.db
(XNET connection using an alias on the local Windows machine)
xnet://C:\Programmas\Firebird\Firebird_3_0\security3.fdb
(XNET connection using the full path on the local Windows machine)
Tip
|
If your XNET connections fail, it may be because the local protocol isn’t working properly on your machine.If you’re running Windows with terminal services enabled, this can often be fixed by setting If setting |
Firebird has two forms of TCP/IP connection strings:
{inet|inet4|inet6}://[<host>[:<port>]/]<path-or-alias>
<host>[/port]:<path-or-alias>
With:
<host>
a server name or IP address (for IPv6 addresses, enclose them in [
and ]
)
<port>
port number or service name
<path-or-alias>
either the absolute path + filename on the server machine, or an alias defined on the server machine
Examples:
On Linux/Unix:
pongo:/opt/firebird/examples/empbuild/employee.fdb inet://pongo//opt/firebird/examples/empbuild/employee.fdb bongo/3052:fury inet://bongo:3052/fury 112.179.0.1:/var/Firebird/databases/butterflies.fdb inet://112.179.0.1//var/Firebird/databases/butterflies.fdb localhost:blackjack.fdb inet://localhost/blackjack.fdb
On Windows:
siamang:C:\Biology\Data\Primates\Apes\populations.fdb inet://siamang/C:\Biology\Data\Primates\Apes\populations.fdb sofa:D:\Misc\Friends\Rich\Lenders.fdb inet://sofa/D:\Misc\Friends\Rich\Lenders.fdb inca/fb_db:D:\Traffic\Roads.fdb inet://inca:fb_db/D:\Traffic\Roads.fdb 127.0.0.1:Borrowers inet://127.0.0.1/Borrowers
Notice how the aliased connection strings don’t give any clue about the server OS.And they don’t have to, either: you talk to a Linux Firebird server just like you talk to a Windows Firebird server.In fact, specifying an explicit database path is one of the rare occasions where you have to be aware of the difference.
The syntax for XNET URLs is:
xnet://<path-or-alias>
Since XNET is a purely local protocol, you can’t include a hostname or port.
Support for NetBEUI (named pipes, a.k.a. WNET) connections was removed in Firebird 5.
Please be aware that some third-party client programs may have different requirements for the composition of connection strings.Refer to their documentation or online help to find out.
A sample database named employee.fdb
is located in the examples/empbuild
subdirectory of your Firebird installation.It is also reachable under its alias employee
.You can use this database to “try your wings”.
If you move or copy the sample database, be sure to place it on a hard disk that is physically attached to your server machine.Shares, mapped drives or (on Unix) mounted SMB (Samba) file systems will not work.The same rule applies to any databases that you create or use.
Connecting to a Firebird database requires — implicit or explicit — authentication.To work with objects inside the database, such as tables, views and functions, you (i.e. the Firebird user you’re logged in as) need explicit permissions on those objects, unless you own them (you own an object if you have created it) or if you’re connected as user SYSDBA
or with the role RDB$ADMIN
.In the example database employee.fdb
, sufficient permissions have been granted to PUBLIC
(i.e. any authenticated user) to enable you to view and modify data to your heart’s content.
For simplicity here, we will look at authenticating as SYSDBA
using the password masterkey
.Also, to keep the lines in the examples from running off the right edge, we will work with local databases and use aliases wherever possible.Of course, everything you’ll learn in these sections can also be applied to remote databases, simply by supplying a TCP/IP connection string.
isql
Firebird ships with a text-mode client named isql (Interactive SQL utility).You can use it in several ways to connect to a database.One of them, shown below, is to start it in interactive mode.Go to the directory where the Firebird tools reside (see [qsg5-disk-locations] if necessary) and type isql
(Windows) or ./isql
(Linux) at the command prompt.
Note
|
In the following examples, [chevron circle left] means “hit kbd:[Enter]” |
C:\Programmas\Firebird\Firebird_3_0>isql[chevron circle left] Use CONNECT or CREATE DATABASE to specify a database SQL>connect xnet://employee user sysdba password masterkey;[chevron circle left]
Important
|
|
Note
|
You can optionally enclose the path, the username and/or the password in single ( |
At this point, isql
will inform you that you are connected:
Database: xnet://employee, User: SYSDBA SQL>
You can now continue to play about with the employee
database.With isql
you can query data, get information about the metadata, create database objects, run data definition scripts and much more.
To get back to the OS command prompt, type:
SQL>quit;[chevron circle left]
You can also type EXIT
instead of QUIT
, the difference being that EXIT
will first commit any open transactions, making your modifications permanent.
Some GUI client tools take charge of composing the CONNECT
string for you, using server, path (or alias), username and password information that you type into prompting fields.Supply the various elements as described in the preceding topic.
Note
|
|
isql
There is more than one way to create a database with isql
.Here, we will look at one simple way to create a database interactively — although, for your serious database definition work, you should create and maintain your metadata objects using data definition scripts.
isql
To create a database interactively using the isql
command shell, type isql
(Windows) or ./isql
(Linux) at the command prompt in the directory where the Firebird tools are.
Note
|
In the following examples, [chevron circle left] means “hit kbd:[Enter]” |
C:\Programmas\Firebird\Firebird_3_0>isql[chevron circle left]
Use CONNECT or CREATE DATABASE to specify a database
Now you can create your new database interactively.Let’s suppose that you want to create a database named test.fdb
and store it in a directory named data
on your D
drive:
SQL>create database 'D:\data\test.fdb' page_size 8192[chevron circle left] CON>user 'sysdba' password 'masterkey';[chevron circle left]
Important
|
|
The database will be created and, after a few moments, the SQL prompt will reappear.You are now connected to the new database and can proceed to create some test objects in it.
To verify that there really is a database there, let’s first type in this query:
SQL>select * from rdb$relations;[chevron circle left]
Although you haven’t created any tables yet, the screen will fill up with a large amount of data!This query selects all rows in the system table RDB$RELATIONS
, where Firebird stores the metadata for tables.An “empty” database is not really empty: it contains a number of system tables and other objects.The system tables will grow as you add more user objects to your database.
To get back to the command prompt type QUIT
or EXIT
, as explained in the section on connecting.
In Firebird 5, if you try to create a database other than in embedded mode as someone who is not a Firebird admin (i.e. SYSDBA
or an account with equal rights), you may be in for a surprise:
SQL>create database 'xnet://D:\data\mydb.fdb' user 'john' password 'lennon';[chevron circle left]
Statement failed, SQLSTATE = 28000
no permission for CREATE access to DATABASE D:\DATA\MYDB.FDB
Non-admin users must explicitly be granted the right to create databases by a Firebird admin:
SQL>grant create database to user john;[chevron circle left]
After that, they can create databases.
Notice that with a serverless connection, i.e. without specifying a host name or protocol before the database name (and Engine13
enabled!), Firebird won’t deny any CREATE DATABASE
statement.It will only fail if the client process doesn’t have sufficient rights in the directory where the database is to be created.
Every database management system has its own idiosyncrasies in the ways it implements SQL.Firebird adheres to the SQL standard more rigorously than most other RDBMSes.Developers migrating from products that are less standards-compliant often wrongly suppose that Firebird is quirky, whereas many of its apparent quirks are not quirky at all.
Firebird accords with the SQL standard by truncating the result (quotient) of an integer/integer calculation to the next lower integer.This can have bizarre results unless you are aware of it.
For example, this calculation is correct in SQL:
1 / 3 = 0
If you are upgrading from an RDBMS which resolves integer/integer division to a float quotient, you will need to alter any affected expressions to use a float or scaled numeric type for either dividend, divisor, or both.
For example, the calculation above could be modified thus to produce a non-zero result:
1.000 / 3 = 0.333
Strings in Firebird are delimited by a pair of single quote (apostrophe) symbols: 'I am a string'
(ASCII code 39, not 96).If you used earlier versions of Firebird’s relative, InterBase®, you might recall that double and single quotes were interchangeable as string delimiters.Double quotes cannot be used as string delimiters in Firebird SQL statements.
If you need to use an apostrophe inside a Firebird string, you can “escape” the apostrophe character by preceding it with another apostrophe.
For example, this string will give an error:
'Joe's Emporium'
because the parser encounters the apostrophe and interprets the string as 'Joe'
followed by some unknown keywords.To make it a legal string, double the apostrophe character:
'Joe''s Emporium'
Notice that this is two single quotes, not one double-quote.
You can also use the alternative quote string literal, allowing you to embed the quote without escaping:
q'{Joe's Emporium}'
The concatenation symbol in SQL is two “pipe” symbols (“||
”, or a pair of ASCII 124 without space between).In SQL, the “+” symbol is an arithmetic operator, and it will cause an error if you attempt to use it for concatenating strings.The following expression prefixes a character column value with the string “Reported by:
”:
'Reported by: ' || LastName
Firebird will raise an error if the result of a string concatenation exceeds the maximum (var)char size of 32 Kb.If only the potential result — based on variable or field size — is too long you’ll get a warning, but the operation will be completed successfully.(In pre-2.0 Firebird, this too would cause an error and halt execution.)
See also the section below, [qsg5-nulls], about concatenating in expressions involving NULL
.
Before the SQL-92 standard, it was not legal to have object names (identifiers) in a database that duplicated keywords in the language, were case-sensitive or contained spaces or special characters[1].SQL-92 introduced a new syntax to make any of them legal, provided that the identifiers are defined within pairs of double-quote symbols (ASCII 34) and were always referred to using double-quote delimiters (so called quoted or delimited identifiers).
The purpose of this “gift” was to make it easier to migrate metadata from non-standard RDBMSes to standards-compliant ones.The downside is that, if you choose to define an identifier in double quotes, its case-sensitivity and the enforced double-quoting will remain mandatory.
Firebird does permit a slight relaxation under a very limited set of conditions.If the identifier which was defined in double-quotes:
is defined as all upper-case,
is not a keyword, and
conforms to the other rules of regular identifiers[1],
...then it can be used in SQL unquoted and case-insensitively.(But as soon as you put double-quotes around it, you must match the case again!)
Warning
|
Don’t get too smart with this!For instance, if you have tables “ SQL>select * from TestTable; ...you will get the records from “ |
Unless you have a compelling reason to define quoted identifiers, it is recommended that you avoid them.Firebird happily accepts a mix of quoted and unquoted identifiers — so there is no problem including that keyword which you inherited from a legacy database, if you need to.
Tip
|
Some database admin tools enforce double-quoting of all identifiers by default.Try to choose a tool which makes double-quoting optional. |
a
-z
, A
-Z
, 0
-9
and _
are allowed in regular identifiers, Firebird also allows $
, and the first character must be a
-z
or A
-Z
NULL
In SQL, NULL
is not a value.It is a condition, or state, of a data item, in which its value is unknown.Because it is unknown, NULL
cannot behave like a value.When you try to perform arithmetic on NULL
, or involve it with values in other expressions, the result of the operation will almost always be NULL
.It is not zero or blank or an “empty string”, and it does not behave like any of these values.
Below are some examples of the types of surprises you will get if you try to perform calculations and comparisons with NULL
.
The following expressions all return NULL
:
1 + 2 + 3 + NULL
not (NULL)
'Home ' || 'sweet ' || NULL
You might have expected 6 from the first expression and “Home sweet
” from the third, but as we just said, NULL
is not like the number 0 or an empty string — it’s far more destructive!
The following expression:
FirstName || ' ' || LastName
will return NULL
if either FirstName
or LastName
is NULL
.Otherwise, it will nicely concatenate the two names with a space in between — even if any one of the variables is an empty string.
Tip
|
Think of |
Now let’s examine some PSQL (Procedural SQL) examples with if
-constructs:
Equals (‘=
’)
if (a = b) then
MyVariable = 'Equal';
else
MyVariable = 'Not equal';
After executing this code, MyVariable
will be 'Not equal'
if both a
and b
are NULL
.The reason is that a = b
yields NULL
if at least one of them is NULL
.If the test expression of an “if
” statement is NULL
, it behaves like false
: the ‘then
’ block is skipped, and the ‘else
’ block executed.
Warning
|
Although the expression may behave like |
Not equals (‘<>
’)
if (a <> b) then
MyVariable = 'Not equal';
else
MyVariable = 'Equal';
Here, MyVariable
will be 'Equal'
if a
is NULL
and b
isn’t, or vice versa.The explanation is analogous to that of the previous example.
DISTINCT
keyword comes to the rescue!Firebird 2 and above implement IS [NOT] DISTINCT
allowing you to perform (in)equality tests that take NULL
into account.The semantics are as follows:
Two expressions are DISTINCT
if they have different values or if one is NULL
and the other isn’t;
They are NOT DISTINCT
if they have the same value or if they are both NULL
.
Notice that if neither operand is NULL
, IS DISTINCT
works exactly like the “<>
” operator, and IS NOT DISTINCT
like the “=
” operator.
IS DISTINCT
and IS NOT DISTINCT
always return true
or false
, never NULL
.
Using DISTINCT
, you can rewrite the first PSQL example as follows:
if (a is not distinct from b) then
MyVariable = 'Equal';
else
MyVariable = 'Not equal';
And the second as:
if (a is distinct from b) then
MyVariable = 'Not equal';
else
MyVariable = 'Equal';
These versions will give you the results that a normal (i.e. not SQL-brainwashed) human being would expect, whether there are NULL
s involved or not.
NULL
sA lot more information about NULL
behaviour can be found in the Firebird Null Guide, at these locations:
Firebird comes with two utilities for backing up and restoring your databases: gbak and nbackup.Both can be found in the Firebird installation directory (Windows) or its bin
subdirectory (Linux).Firebird databases can be backed up while users are connected to the system and going about their normal work.The backup will be taken from a snapshot of the database at the time the backup began.
Regular backups and occasional restores should be a scheduled part of your database management activity.
Warning
|
Except in nbackup’s lock mode, do not use external proprietary backup utilities or file-copying tools such as WinZip, |
Important
|
Study the warnings in the next section about database activity during restores! |
More information about gbak
can be found here (HTML and PDF version, same content):
https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gbak/firebird-gbak.html
https://www.firebirdsql.org/file/documentation/pdf/en/firebirddocs/gbak/firebird-gbak.pdf
The nbackup
manual is here (again same content in HTML and PDF):
The following sections constitute a summary of things not to do if you want to keep your Firebird databases in good health.
Firebird is installed with forced writes (synchronous writes) enabled by default.Modifications are written to disk immediately upon posting.
It is possible to configure a database to use asynchronous data writes — whereby modified or new data are held in the memory cache for periodic flushing to disk by the operating system’s I/O subsystem.The common term for this configuration is forced writes off (or disabled).It is sometimes resorted to in an attempt to improve performance during large batch operations.
The big warning here is: do not disable forced writes on a Windows server.It has been observed that the Windows server platforms do not flush the write cache until the Firebird service is shut down.Apart from power interruptions, there is just too much that can go wrong on a Windows server.If it should hang, the I/O system goes out of reach and your users' work will be lost in the process of rebooting.
Linux servers are safer for running an operation with forced writes disabled temporarily.Still, do not leave it disabled once your large batch task is completed, unless you have a very robust fall-back power system.
One of the restore options in the gbak
utility (gbak -rep[lace_database]
) allows you to restore a gbak file over an existing database.It is possible for this style of restore to proceed without warning while users are logged in to the database.Database corruption is almost certain to be the result.
Note
|
Notice that the shortest form of this command is These changes have been made because many users thought that the |
Warning
|
Be aware that you will need to design your admin tools and procedures to prevent any possibility for any user (including |
If is practicable to do so, it is recommended to restore to spare disk space using the gbak -c
option and test the restored database using isql
or your preferred admin tool.If the restored database is good, shut down the old database (you can use the gfix
command-line tool for this;see Firebird Database Housekeeping Utility (HTML) or Firebird Database Housekeeping Utility (PDF)).Make a filesystem copy of the old database just in case and then copy the restored database file(s) over their existing counterparts.
If you do not block access to users while performing a restore using gbak -rep
then users may be able to log in and attempt to do operations on data.Corrupted structures will result.
The community of willing helpers around Firebird goes a long way back, to many years before the source code for its ancestor, InterBase® 6, was made open source.Collectively, the Firebird community does have all the answers!It even includes some people who have been involved with it since it was a design on a drawing board in a bathroom in Boston.
Visit the official Firebird Project site at https://www.firebirdsql.org and join the user support lists, in particular firebird-support
.Look at https://www.firebirdsql.org/en/mailing-lists/ for instructions.
Use the Firebird documentation index at https://www.firebirdsql.org/en/documentation/.
Visit the Firebird knowledge site at https://www.ibphoenix.com to look up a vast collection of information about developing with and using Firebird.IBPhoenix also sells a Developer CD with the Firebird binaries and lots of documentation.
Order the official three-volume Firebird Book, Second Edition at https://www.ibphoenix.com/products/books/firebird_book, for more than 1200 pages jam-packed with Firebird information.(Notice: at the time of this writing, the Firebird Book is not yet up-to-date with Firebird 3 and higher.)
Read the Release Notes for your Firebird version!
Firebird exists, and continues to be improved, thanks to a community of volunteers who donate their time and skills to bring you this wonderful piece of software.But volunteer work alone is not enough to keep an enterprise-level RDBMS such as Firebird up-to-date.The Firebird Foundation supports Firebird development financially by issuing grants to designers and developers.If Firebird is useful to you, and you’d like to give something back, please visit the Foundation’s pages and consider making a donation or becoming a member or sponsor.