Advances in Programming Languages

Similar documents
Advances in Programming Languages

Advances in Programming Languages

Informatics 1: Data & Analysis

Informatics 1: Data & Analysis

Advances in Programming Languages

CSC System Development with Java. Database Connection. Department of Statistics and Computer Science. Budditha Hettige

SQL: Programming. Announcements (September 25) Motivation. CPS 116 Introduction to Database Systems. Pros and cons of SQL.

JAVA AND DATABASES. Summer 2018

Wentworth Institute of Technology COMP570 Database Applications Fall 2014 Derbinsky. SQL Programming. Lecture 8. SQL Programming

Outline. Lecture 10: Database Connectivity -JDBC. Java Persistence. Persistence via Database

INTRODUCTION TO JDBC - Revised spring

INTRODUCTION TO JDBC - Revised Spring

Programming in Java

Why use a database? You can query the data (run searches) You can integrate with other business systems that use the same database You can store huge

SQL: Programming Midterm in class next Thursday (October 5)

COMP102: Introduction to Databases, 23

Web basics: HTTP cookies

BUSINESS INTELLIGENCE LABORATORY. Data Access: Relational Data Bases. Business Informatics Degree

Advanced Programming Techniques. Database Systems. Christopher Moretti

ERwin and JDBC. Mar. 6, 2007 Myoung Ho Kim

DATABASE DESIGN I - 1DL300

PERSİSTENCE OBJECT RELATİON MAPPİNG

Web Application Security. Philippe Bogaerts

Cyrus Shahabi Computer Science Department University of Southern California C. Shahabi

Application Programming for Relational Databases

CS 161 Computer Security

Discuss setting up JDBC connectivity. Demonstrate a JDBC program Discuss and demonstrate methods associated with JDBC connectivity

Database Application Programs PL/SQL, Java and the Web

SQL DML and DB Applications, JDBC

Database Programming. Week 9. *Some of the slides in this lecture are created by Prof. Ian Horrocks from University of Oxford

The Object-Oriented Paradigm. Employee Application Object. The Reality of DBMS. Employee Database Table. From Database to Application.

This lecture. Databases - JDBC I. Application Programs. Database Access End Users

Informatics 1: Data & Analysis

Lecture 9&10 JDBC. Mechanism. Some Warnings. Notes. Style. Introductory Databases SSC Introduction to DataBases 1.

JDBC MOCK TEST JDBC MOCK TEST IV

Accessing databases in Java using JDBC

COMP9321 Web Application Engineering

Database Systems: Design, Implementation, and Management Tenth Edition. Chapter 14 Database Connectivity and Web Technologies

MANTHLY TEST SEPTEMBER 2017 QUESTION BANK CLASS: XII SUBJECT: INFORMATICS PRACTICES (065)

Visit for more.

DEC Computer Technology LESSON 6: DATABASES AND WEB SEARCH ENGINES

Database Application Development

Web Security: Vulnerabilities & Attacks

Database Application Development

Advanced Web Technology 10) XSS, CSRF and SQL Injection

COMP9321 Web Application Engineering

JDBC, Transactions. Niklas Fors JDBC 1 / 38

Application Design and Development: October 30

Types of Databases. Types of Databases. Types of Databases. Databases and Web. Databases and Web. Relational databases may also have indexes

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Unit 3 - Java Data Base Connectivity

Tutorial: Using Java/JSP to Write a Web API

Persistency Patterns. Repository and DAO

Non-interactive SQL. EECS Introduction to Database Management Systems

Web basics: HTTP cookies

Databases and JDBC. by Vlad Costel Ungureanu for Learn Stuff

Database Application Development

CS50 Quiz Review. November 13, 2017

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Database Programming Overview. COSC 304 Introduction to Database Systems. Database Programming. JDBC Interfaces. JDBC Overview

Databases 2012 Embedded SQL

Databases/JQuery AUGUST 1, 2018

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering

The Design of JDBC The Structured Query Language Basic JDBC Programming Concepts Query Execution Scrollable and Updatable Result Sets

Enterprise Java Unit 1- Chapter 6 Prof. Sujata Rizal

COMP9321 Web Application Engineering

JDBC 3.0. Java Database Connectivity. 1 Java

Introduction JDBC 4.1. Bok, Jong Soon

Information Security CS 526 Topic 8

Database Applications. SQL/PSM Embedded SQL JDBC

Top 50 JDBC Interview Questions and Answers

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

Copyright

Calling SQL from a host language (Java and Python) Kathleen Durant CS 3200

The Web Application Developer s. Red Hat Database. View. October 30, Webcast. Patrick Macdonald, Fernando Nasser. Red Hat Database Engineering

3) execute() Usage: when you cannot determine whether SQL is an update or query return true if row is returned, use getresultset() to get the

Part I: Stored Procedures. Introduction to SQL Programming Techniques. CSC 375, Fall 2017

Java Database Connectivity

CIS 4360 Secure Computer Systems XSS

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Database Applications

CSE 308. Database Issues. Goals. Separate the application code from the database

Database connectivity (II)

JDBC. Sun Microsystems has included JDBC API as a part of J2SDK to develop Java applications that can communicate with databases.

/ Cloud Computing. Recitation 7 October 10, 2017

Kyle Brown Knowledge Systems Corporation by Kyle Brown and Knowledge Systems Corporation

SQL Stored Programs. You Can Not Do Everything in SQL SQL/PSM Cursors Recursion Triggers. Niklas Fors Stored Programs 1 / 21

SQL in a Server Environment

MySQL, Postgres, SQLite, Oracle, Sybase, DB2, each column is an "attribute" common to all rows

Informatics 1: Data & Analysis

/ Cloud Computing. Recitation 6 October 2 nd, 2018

Informatics 1: Data & Analysis

10/18/2017. Announcements. NoSQL Motivation. NoSQL. Serverless Architecture. What is the Problem? Database Systems CSE 414

Java Database Connectivity (JDBC) 25.1 What is JDBC?

Database Application Development

Introduction to JDBC. JDBC: Java Database Connectivity. Why Access a Database with Java? Compilation. Six Steps. Packages to Import

Database systems in 21 minutes

CMPT 354 Database Systems I

DataBase Lab JAVA-DATABASE CONNECTION. Eng. Haneen El-masry

Transcription:

Advances in Programming Languages Lecture 7: Using SQL from Java Ian Stark School of Informatics The University of Edinburgh Tuesday 7 October 2014 Semester 1 Week 4 http://blog.inf.ed.ac.uk/apl14

Topic: Domain-Specific vs. General-Purpose Languages This is the first of three lectures on integrating domain-specific languages with general-purpose programming languages. In particular, SQL for database queries. Using SQL from Java Bridging Query and Programming Languages Heterogeneous Metaprogramming

Topic: Domain-Specific vs. General-Purpose Languages This is the first of three lectures on integrating domain-specific languages with general-purpose programming languages. In particular, SQL for database queries. Using SQL from Java Bridging Query and Programming Languages Heterogeneous Metaprogramming

Homework! CPU features that make concurrency even trickier Find out the meaning of the following words, in the context of CPU architecture and execution. Superscalar Pipelining Pipeline hazard Out-of-order execution Speculative execution Branch prediction

Homework! CPU features that make concurrency even trickier Find out the meaning of the following words, in the context of CPU architecture and execution. Superscalar Pipelining Pipeline hazard How to make database queries from Java Find out what the initialism JDBC stands for. Out-of-order execution Speculative execution Branch prediction Find a tutorial about JDBC, and post a link to the mailing list.

Homework! CPU features that make concurrency even trickier Find out the meaning of the following words, in the context of CPU architecture and execution. Superscalar Pipelining Pipeline hazard How to make database queries from Java Find out what the initialism JDBC stands for. Out-of-order execution Speculative execution Branch prediction Find a tutorial about JDBC, and post a link to the mailing list. Responses so far http://infolab.stanford.edu/ ullman/fcdb/oracle/or-jdbc.html

Preview SQL as a domain-specific language Injection of HTML, Javascript and SQL Frameworks for generating SQL code

SQL SQL is a programming language, with a declarative part: select isbn, title, price from books where price > 100.00 order by title and an imperative part: update books set price = 10.00 where price < 10.00 drop table sales as well as numerous extensions, such as procedures and transactions. SQL is a domain-specific language, rather than a general-purpose programming language.

Who Writes SQL? SQL is one of the world s most widely used programming languages, but programs in SQL come from many sources. For example: Hand-written by a programmer Generated by some interactive visual tool Generated by an application to fetch an answer for a user Generated by one program to request information from another Most SQL is written by programs, not directly by programmers. The same is true of HTML, another domain-specific language. Also XML, Postscript,...

SkyServer Demonstration http://skyserver.sdss.org/dr7/en/ http://skyserver.sdss.org/dr7/en/sdss/telescope/telescope.asp http://skyserver.sdss.org/dr7/en/tools/search/ http://skyserver.sdss.org/dr7/en/tools/search/sql.asp

Sample Queries Find some stars near a certain spot in the sky SELECT top 10 p.objid, p.run, p.rerun, p.camcol, p.field, p.obj, p.type, p.ra, p.dec FROM PhotoTag p, fgetnearbyobjeq(40.433,0.449,3) n WHERE n.objid=p.objid and p.type=3

Sample Queries Make these a table with click through links SELECT TOP 10 <a target="info" href= + "http://skyserver.sdss.org/dr7/en/tools/chart/ + navi.asp?ra= + cast(p.ra as varchar(30)) + &dec= + cast(p.dec as varchar(30)) + "> + cast(p.objid as varchar(30)) + </a> as objid, p.run, p.rerun, p.camcol, p.field, p.obj, p.type, p.ra, p.dec FROM PhotoTag p, fgetnearbyobjeq(40.433,0.449,3) n WHERE n.objid=p.objid and p.type=3

Sample Queries Count those stars select count( ) from star p Planetary query select Pluto&#39; FROM Disney<br><span style="color:white;"><i + mg src="http://ianstark.net/pluto.jpg">

HTML Injection The Pluto page is an example of HTML injection. The SkyServer website is serving a page not under the host s control. This is used in phishing attacks, and other fraud, where a web server can be cajoled into presenting novel material as its own. For example, a suitably crafted URL may cause a bank s web server to present a page that requests account details and then sends them to an attacker s own site. Similarly, a comment on a blog may contain code that when read in a web browser causes it to take some unexpected action. This opportunity to inject HTML or Javascript can arise whenever a web site takes user input and uses that to generate pages. This is known loosely as cross-site scripting or XSS.

Twitter Javascript injection 2010-09-21 10am UK time

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration.

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration. Magnus Holm creates self-tweeting tweet.

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration. Magnus Holm creates self-tweeting tweet. Requires user to mouse over; limits replication to around 60 copies/second, reaching only a few hundred thousand twitter users.

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration. Magnus Holm creates self-tweeting tweet. Requires user to mouse over; limits replication to around 60 copies/second, reaching only a few hundred thousand twitter users. Further worms require no mouse-over, insert further tweets, draw arbitrarily on page, redirect browser...

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration. Magnus Holm creates self-tweeting tweet. Requires user to mouse over; limits replication to around 60 copies/second, reaching only a few hundred thousand twitter users. Further worms require no mouse-over, insert further tweets, draw arbitrarily on page, redirect browser... 2010-09-21 3pm UK time Twitter patch vulnerability (7am their time)

Twitter Javascript injection 2010-09-21 10am UK time Masato Kinugawa creates Rainbow Twitter demonstration. Magnus Holm creates self-tweeting tweet. Requires user to mouse over; limits replication to around 60 copies/second, reaching only a few hundred thousand twitter users. Further worms require no mouse-over, insert further tweets, draw arbitrarily on page, redirect browser... 2010-09-21 3pm UK time Twitter patch vulnerability (7am their time) http://www.guardian.co.uk/technology/blog/2010/sep/21/twitter-hack-explained-xss-javascript http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database.

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = <insert name here>

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = bob@example.com

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = bob@example.com we might supply the unusual email address x or 1=1 --

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = bob@example.com we might supply the unusual email address x or 1=1 -- to get select id, email, password from users where email = x or 1=1 which will return a complete list of users.

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = bob@example.com we might supply the perverse email address x ; update users set email= bob@example.com where email= admin@server --

SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = bob@example.com we might supply the perverse email address x ; update users set email= bob@example.com where email= admin@server -- to get select id, email, password from users where email = x ; update users set email = bob@example.com where email = admin@server which will redirect all the administrator s email to Bob.

Dubious Licence Plate

Working with Query Languages How then do we write programs to generate and manipulate queries? A common approach is to use some standard framework or application programming interface (API). ODBC, the Open Database Connectivity specification, is a well-known framework for managed database access: At the back, an ODBC driver contains code for a specific database management system (DB2, Oracle, SQL Server,... ). At the front, the programmer connects to a fixed procedural API In between, ODBC libraries translate between API and driver. Particular programming languages and environments may place further layers on top of ODBC, or use similar mechanisms. For example: JDBC for Java and ADO.NET for the Microsoft.NET framework.

JDBC: Java Database Connectivity JDBC is a Java library, in the java.sql. and javax.sql. packages, which provides access to read, write and modify tabular data. Relational databases, with access via SQL, is the most common application; but JDBC can also operate on other data sources. The connection to the database itself may be via a driver that bridges through ODBC, speaks a proprietary database protocol, or connects to some further networking component or application.

JDBC Bootup import java.sql. ; // Obtain the relevant classes // Install a suitable driver Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); // Identify the database String url = "jdbc:derby:users"; // Prepare login information String user = "bob" String password = "secret" // Open connection to database Connection con = DriverManager.getConnection(url, user, password);

Sample JDBC Statement stmt = con.createstatement(); ResultSet rs = stmt.executequery("select name, id, score FROM Users"); while (rs.next()) // Loop through each row returned by the query { String n = rs.getstring("name"); int i = rs.getint("id"); float s = rs.getfloat("score"); System.out.println(n+i+s); }

JDBC String Mangling float findscoreforuser(connection con, String name) { Statement stmt = con.createstatement(); String query = "SELECT id, score FROM Users WHERE name=" + name; ResultSet rs = stmt.executequery(query); float s = rs.getfloat("score"); return s; }

JDBC Prepared Strings String findusersinrange(connection con, float low, float high) { String prequery = "SELECT id, name FROM Users WHERE? < score AND score <?"; PreparedStatement stmt = con.preparestatement(prequery); stmt.setfloat(1,low); stmt.setfloat(2,high); // Fill in the two // missing values rs = stmt.executequery(query); // Now run the completed query String answer = ""; // Start building our answer while (rs.next()) // Cycle through the query responses { answer = answer + rs.getint("id") + ":" + rs.getstring("name") + "\n"; } return answer; }

That seems like hard work These examples use the full generality of the ODBC framework: Arbitrary drivers...... possibly to proprietary data sources...... across the network...... with authentication and authorization...... ensuring consistency under multiple transactions. Appropriate wrappers and frameworks can make things more straightforward in simpler situations. However, the basic scheme of building queries as strings is ubiquitous.

Can I use something else instead? There are several other approaches to database access: Frameworks like Java Hibernate preserve objects over time. Object Relational Mapping (ORM) translates between programming-language object structures and persistent database storage. An Object-Oriented Database Management System (OODBMS) works with objects instead of relations, tables and rows. Other systems like CouchDB, BigTable, and Riak store a variety of structured data for shared access. These are sometimes known collectively as NoSQL architectures. In general, these offer a different mix of features and performance to conventional relational database management systems (RDBMS).

So why would I want to use SQL anyway? Sometimes, SQL is inevitable for non-technical reasons: External databases Legacy databases Existing code Often, though, it s because of genuine advantages of relational databases: Complex queries joining multiple large datasets Efficient query optimization and execution Transactional consistency SQL or not, though, any scheme which involves handing over complex queries to a specialized engine will encounter the issue of using one language from another.

Summary SQL is a domain-specific language for programming queries over relational databases. Queries may be complex, with declarative and imperative components, and are often constructed by other programs rather than by hand. Websites are vulnerable to cross-site scripting or XSS whenever they take user input and use it to generate pages. The analogous problem of SQL injection arises where free text input is used to construct structured queries. Programs generating SQL code use frameworks like JDBC or ADO.NET; and these do construct queries using unstructured string manipulation. Using prepared strings begins to add back some structure. SQL queries are programs in a structured high-level language, but we treat them as unstructured text.

Homework! There is no lecture this Friday. However, you are due to submit the preliminary report on your coursework assignment. Preliminary Report When: How: What: 3pm Friday 10 October submit apl 1 choice.pdf Read http://blog.inf.ed.ac.uk/apl14/coursework to find out

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback