Posts Tagged ‘SQL’
Tuesday, October 20th, 2009
The world of data storage is up for a massive shift. A whole new breed of scalable data stores is gaining popularity & that too the pace is too fast for traditional databases to recoil & grapple with. I am afraid to say, but they are starting to look like a thing of past. The whole data tier is being shaken up as Memcached appears right next to MySQL. While some might see it as a move away from MySQL and PostgreSQL, the traditional open source relational data stores, it’s actually a higher-level change. Much of this change is the result of a few revelations.
A relational database isn’t always the model or system for every piece of data. They are tricky to scale (especially if you start with a single monolithic configuration–they aren’t distributed by design), when it comes to performance normalization hurts.
The new data stores vary quite a bit in their specific features, but in general they draw from a similar set of high-level characteristics. Not all of them meet all of these, of course, but just looking at the list gives you a sense of what they’re trying to accomplish.
- de-normalized, often schema-free, document storage
- key/value based, supporting lookups by key
- horizontal scaling
- built in replication
- HTTP/REST or easy to program APIs
- support for MapReduce style programming
- Eventually Consistent
And I could probably list another half a dozen qualities that many of them share too. But to me, the first two are the biggest departure form the traditional RDBMS. Of course, you can stick with MySQL and go non-relational.
The movement to these distributed schema-free data stores has begun to use the name NoSQL. You can find the overview of some of the implementations by GeekTantra here.
Tags: Cross-platform software, Database, Database management systems, Databases, Memcached, MySQL, NoSQL, PostgreSQL, RDBMS, Relational database, SQL, Technology/Internet
Posted in Database | 5 Comments »
Sunday, October 18th, 2009
SQL injection a technique by which some code is injected to exploit the security vulnerability found in the application layer of the database. This is a common attack in login based website. This mostly occurs when the user input is incorrectly filtered or due to incorrect type handling.
» Incorrectly filtered user input
This attack is possible when user input is not checked for escape characters and passed into SQL statement. The statement therefore results in a complex statement to what the programmer had planned to, thereby revealing much more data or allowing access to the parts of the database which were not supposed to be exposed.
Eg: The following line of code takes user input as (username and password) check the entry and then do some query execution.
1
| SELECT * from `users` WHERE `username`="+username+" AND `password`= "+password "; |
However this query can be vulnerable to SQL injection by setting the username variable as (a’ or ‘a’='a ) and password variable as (a’ or ‘a’='a).
This query allows the access because ‘a’ = ‘a’ part makes the statement always true.
While most SQL server implementations allow multiple statements to be executed with one call, some SQL APIs such as php’s mysql_query do not allow this for security reasons. This prevents hackers from injecting entirely separate queries, but doesn’t stop them from modifying queries.
Eg: The previous query can me modified and made more dangerous by changing it to
1
| a';DROP TABLE users; SELECT * FROM data WHERE 'a' = 'a |
» Incorrect type handling
This server is vulnerable to this kind of attack when the user given input field is not strongly type checked.
Eg: In the statement
1
| "SELECT * FROM data WHERE id = " + a_variable + ";" |
a_variable can be replaced by 1;DROP TABLE users there by deletion of the table.
» Preventing SQL injection
- Use Double Quotes: Replace all the single quotes that your users’ input contains with double quotes. This simple precaution will go a long way towards warding off SQL-injection attacks. Single quotes often terminate SQL expressions and give the input more power than is necessary. Replacing the single quotes with double quotes will cause many SQL-injection attacks to fail.
- Validate All Input: Before using user input data in the SQL query validate all the user input data i.e. numbers should be validated for numbers strings for strings character etc.This prevents the user from entering codes to database.
- Never Connect with the Administrator Account: The user which connects to the database in the script should have least privileges so that he should not be able to access all the functionalities of the database.
- Use of latest versions: Always use of the latest versions of your interpreters and softwares like PHP 5 and .NET 2 or 3(aspx), most SQL injection do not work because all single quotes and double quotes, which are given as the input by user are replaced by an escape characters followed by the quote ( i.e ‘ is replaced by \’ and ” is replaced by \”) preventing the SQL injection. However ASP and older version of PHP and JDBC API are vulnerable to it.
- Use parametrized platforms: Parametrized statements can be used that work in various platforms
- In JDBC:
1
2
3
| APIPreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password); |
- In C#:
1
2
3
4
5
6
7
8
| (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
{
myCommand.Parameters.AddWithValue("@username", user);
myCommand.Parameters.AddWithValue("@password", pass);
myConnection.Open();
SqlDataReader myReader = myCommand.ExecuteReader());
.....................
} |
- In PHP version 5 and above:
1
2
3
4
5
| $db = new PDO('pgsql:dbname=database');
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute(); |
- In ColdFusion:
1
2
3
4
5
| <cfquery name="Recordset1" datasource="cafetownsend">
SELECT *
FROM COMMENTS
WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric"></cfqueryparam>
</cfquery> |
- Enforcements at the coding level: Using object-relational mapping (ORMs) libraries avoids the need to write SQL code. The ORM library in effect will generate parametrized SQL statements from object-oriented code.
Tags: Best Practices, Code injection, Computer security, Data management, Databases, Microsoft SQL Server, php, Query languages, SQL, SQL injection, Technology/Internet
Posted in Database | 10 Comments »
Thursday, October 8th, 2009
For most of us database is synonymous to tables, tuples, SQL, RDBMS, or normalization, but is that what databases actually mean or is it beyond just the relational data-model? Relational data-model although the most popular and the most accepted data-model is not apt for all problems. And how far can we go by mapping all our problems on to the relational data-model. After certain table size eventually the database starts slowing down so we move towards replications via multiple configurations which obviously increases the operating expenses. Now when this is not enough we employ some expensive sys-admins to configure sharding for our database for which we require still more resources or pay a fortune worth of money to the “Big Guys” like Oracle and Microsoft to tweak our databases for performance. But is this the future of databases? I guess not. Let us have a look at what other database options which are not based on the RDM and are free from SQL:
- MongoDB: It is a very high performance open source, schema-free document-oriented database.It provides a JSON like data-store mechanism which can free the software architects from the limitations of the RDBMS. It also supports full indexing including inner objects and arrays, dynamic queries, query profiling, efficient storage of binary data including blob data, replication and fail-over, auto-sharding for extreme loads and we thought MySQL was ultimate for databases?
- CouchDB: It is a free and open source document-oriented database written in the Erlang programming language which is a functional language. It is well suited for local replications and vertical scaling. It again has a JSON data-store as documents which need not share a schema, but retain query abilities via views. Views are a combination of aggregate functions and filters and are computed in parallel, much like MapReduce. With bindings for many languages this is sure to become one of the most popular databases in the future.
- Mnesia: It is a distributed database system written in Erlang. The data-store of Mnesia can be considered Relational but isn’t what someone familiar with SQL might expect. A database contains tables. Relationships between them are modeled as other tables. A key feature of Mnesia’s is tables can be reconfigured within a schema and relocated between nodes, not only while the database is still running but even while write operations are still going on which make both the read and write operations extremely fast and fault tolerant.
- Cassandra: It is an open-source distributed database management system with a five dimensional Key value hash. It was developed by facebook and open sourced in July 2008. It provides a structured key-value store with eventual consistency. The major components of a Cassandra data-model are Columns, SuperColumns, ColumnFamily and KeySpace. It is considered as a Hybrid of the BigTable and Amazon Dynamo Key Value store. It is currently used by facebook, twitter and Digg.
- HyperTable: It is an open-source database based on Google’s BigTable. It used HDFS (Hadoop Distributed File System) as a storage file system and is distributed.
- Amazon Dynamo Key-Value Store: It is a proprietary high availability Key-Value data-store which has properties of both Databases and distributed hash tables. It powers parts of Amazon Web services.
So seeing these I am sure Relational Databases are soon to loose their share of importance when concerns like high scalability of databases arise.
Tags: Amazon.com Inc., BigTable, CouchDB, Data modeling, Database, database management system, Database management systems, Database theory, Databases, Document-oriented database, Dynamo Key-Value Store, Erlang, Google Inc., HDFS, HDFS ( Hadoop Distributed File System ), JSON, Key-Value Store, Mnesia, Oracle Database, RDBMS, Relational database, Relational model, software architects, SQL, store of Mnesia, Technology/Internet, Web services
Posted in Database | 11 Comments »
|
