1. Slide 1 Lecture 5: Security, PhP Getting started in UNIX Overview of PHP and HTML PHP Basics PHP and Databases –Postgres and MySQL –Database Abstractions –Connecting via Java or Perl Security References CS3/586 Some slides copied from Kim Howard, with permission. 5/17/2015 Lecture 5 Security and Authorization –Discretionary Access Control Grant, Revoke, Authorization Graph, Views –Mandatory Access Control –Internet-oriented Security –Statistical Database Security

2. Slide 2 Learning Objectives LO5.1 Identify the active privileges after a sequence of GRANT and REVOKE commands on tables and/or views LO5.2 Derive information in a database despite statistical security measures. Be able to write a web application using a back end database

3. Slide 3 Security and Authorization, Chapter 21 Objectives: –Secrecy: Users should not be able to see things they are not supposed to see. E.g., A student can’t see other students’ grades. –Integrity: Users should not be able to modify things they are not supposed to modify. E.g., Only instructors can assign grades. –Availability: Users should be able to see and modify things they are allowed to see and modify. OS, Network security issues also relevant –Only database issues discussed here

4. Slide 4 Access Controls A security policy specifies who is authorized to do what. A security mechanism allows us to enforce a chosen security policy. Two main mechanisms at the DBMS level: – Discretionary access control – Mandatory access control

5. Slide 5 Discretionary Access Control Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges). Creator of a table automatically gets all privileges on it. – DMBS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed.

6. Slide 6 GRANT Command* The following privileges can be specified:  SELECT: Can read all columns (including those added later via ALTER TABLE command).  SELECT(col-name(s)) means can read these columns.  INSERT : Can insert tuples.  INSERT(col-name(s)) means can insert non-null values into these columns.  DELETE: Can delete tuples.  REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.  Auth is a group of users. If a user has a privilege with the GRANT OPTION, can pass privilege on to other users (with or without passing on the GRANT OPTION ). Only owner can execute CREATE, ALTER, and DROP. GRANT privileges ON object TO auth [WITH GRANT OPTION]

7. Slide 7 REVOKE Command Must be issued by a user who granted “privileges” on “object” to “auth”. CASCADE: –abandon anyone granted this privilege by auth, and so on recursively. –“abandon”: If an auth’s privilege is abandoned and this is the last possible abandonment, then revoke auth’s privilege –“and so on recursively”: Abandon anyone granted the privilege by the auth just abandoned. RESTRICT: If CASCADE would cause anyone to be abandoned, then cancel the command. REVOKE privileges ON object FROM auth [RESTRICT|CASCADE]

8. Slide 8 Examples of Grant, Revoke Suppose Len has created the author table, then these commands are executed in this order –Len: GRANT UPDATE, SELECT ON author TO Yingjin –Len: GRANT UPDATE ON author TO Parisa WITH GRANT OPTION –Parisa: GRANT UPDATE ON author TO Yingjin –Len: REVOKE UPDATE ON author FROM Parisa CASCADE –Len: REVOKE SELECT ON author FROM Yingjin CASCADE What privileges does Parisa have on author? What privileges does Yingjin have on author? Can Yingjin issue UPDATE author A SET A.age=25? Can Yingjin issue UPDATE author A SET A.age=A.age+1?

9. Slide 9 REVOKE more precisely In some cases we need a more precise definition of REVOKE. Steps to be taken after “REVOKE P ON O FROM A” –First consider the case CASCADE 1.Draw an authorization graph of current state (cf. next page) 2.Delete the arc corresponding to “GRANT P ON O TO A” 3.Also delete any arc not accessible from SYSTEM via grants of the privilege P on O 4.If an auth has no incoming arcs granting P on O, then auth loses the privilege P on O. –RESTRICT is the same as before: If CASCADE would cause any arc other than “GRANT ON P TO A” to be deleted, then abort the command.

10. Slide 10 Authorization Graph SystemJoeCalArtBob ( * on Sailors,Yes) (Select on Sailors,Yes) 1 2 3 4 5 (Revoke, Cascade) 6

11. Slide 11 GRANT/REVOKE on Views The creator of a view only has a privilege on the view if s/he has it on every component of the view. –In particular, must have SELECT on all components to create the view –If the creator of a view loses the SELECT privilege on an underlying table, the view is dropped! If the creator of a view loses a privilege held with the grant option on an underlying table, (s)he loses the privilege on the view as well; so do users who were granted that privilege on the view!

12. Slide 12 View Example Len is the creator of author. Suppose these statements are executed. –Len: GRANT SELECT ON author TO Vijay WITH GRANT OPTION –Len: GRANT SELECT ON author TO Pratibha WITH GRANT OPTION –Pratibha: GRANT SELECT ON author TO Vijay WITH GRANT OPTION –Vijay: CREATE VIEW ta AS SELECT * FROM AUTHOR A WHERE A.age < 30 –Len: REVOKE SELECT ON author FROM Vijay CASCADE –Len: REVOKE SELECT ON author FROM Pratibha RESTRICT What privileges does Vijay have on author, ta? What privileges does Pratibha have on author, ta?

13. Slide 13 Role-Based Authorization In SQL-92, privileges are actually assigned to authorization ids, which can denote a single user or a group of users. In SQL:1999 privileges are assigned to roles. – Roles can then be granted to users and to other roles. – Reflects how real organizations work. – Illustrates how standards often catch up with “de facto” standards embodied in popular systems.

14. Slide 14 Security to the Level of a Field! Can create a view that only returns one field of one tuple. (How?) Then grant access to that view accordingly. Allows for arbitrary granularity of control, but: – Clumsy to specify, though this can be hidden under a good UI – Performance is unacceptable if we need to define field- granularity access frequently. (Too many view creations and look-ups.)

15. Slide 15 Mandatory Access Control Based on system-wide policies that cannot be changed by individual users. – Each DB object is assigned a security class. – Each subject (user or user program) is assigned a clearance for a security class. – Rules based on security classes and clearances govern who can read/write which objects. Most commercial systems do not support mandatory access control. Versions of some DBMSs do support it; used for specialized (e.g., military) applications.

16. Slide 16 Why Mandatory Control? Discretionary control has some flaws, e.g., the Trojan horse problem: – Justin has access to secret information that Dick wants to know. – Dick creates a table called Secret and gives INSERT privileges to Justin (who doesn’t know about this). – Dick modifes the code of a database application program used by Justin to additionally write some secret data to table Secret. This requires hacking the OS security system a bit. – Now, Dick can see the secret data. The modification of the code is beyond the DBMSs control, but it can try and prevent the use of the database as a channel for secret information.

17. Slide 17 Bell-LaPadula Model Objects (e.g., tables, views, tuples) Subjects (e.g., users, user programs) Security classes: – Top secret (TS), secret (S), confidential (C), unclassified (U): TS > S> C > U Each object and subject is assigned a class. – Subject S can read object O only if class(S) >= class(O) (Simple Security Property) – Subject S can write object O only if class(S) <= class(O) (*- Property)

18. Slide 18 Intuition I dea is to ensure that information can never flow from a higher to a lower security level. E.g., If Dick is cleared for security class C, Justin for class S, and the secret information has class S: – Dick’s table, Secret, has Dick’s clearance, C. – Justin’s application has his clearance, S. – So, the database application cannot write into table Secret. The mandatory access control rules are applied in addition to any discretionary controls that are in effect.

19. Slide 19 Multilevel Relations Users with S and TS clearance will see both rows; a user with C will only see the 2 nd row; a user with U will see no rows. If user with C tries to insert : – Allowing insertion violates key constraint – Disallowing insertion tells user that there is another object with key 101 that has a class > C! – Problem resolved by treating class field as part of key. CBrownPinto102 SRedSalsa101 classcolorbnamebid

20. Slide 20 Polyinstantiation Consider previous table with inserted. What is the color of boat with bid=101? –Only the highest visible security level exists. –Both exist –The proper policy is chosen according to the semantics of the application Notice that the answer to the question depends on your clearances. This is called polyinstantiation.

21. Slide 21 Internet-Oriented Security Key Issues: User authentication and trust. –When DB must be accessed from a secure location, password- based schemes are usually adequate. For access over an external network, trust is hard to achieve. –If someone with Sam’s credit card wants to buy from you, how can you be sure it is not someone who stole his card? –How can Sam be sure that the screen for entering his credit card information is indeed yours, and not some rogue site spoofing you (to steal such information)? How can he be sure that sensitive information is not “sniffed” while it is being sent over the network to you? Encryption is a technique used to address these issues.

22. Slide 22 Encryption “Masks” data for secure transmission or storage –Encrypt(data, encryption key) = encrypted data – Decrypt(encrypted data, decryption key) = original data –Without decryption key, the encrypted data is meaningless gibberish Symmetric Encryption: –Encryption key = decryption key; all authorized users know decryption key (a weakness). –DES, used since 1977, has 56-bit key; AES has 128-bit (optionally, 192-bit or 256-bit) key Public-Key Encryption: Each user has two keys: –User’s public encryption key: Known to all –Decryption key: Known only to this user –Used in RSA scheme (Turing Award!)

23. Slide 23 Certifying Servers If Amazon distributes their public key, Sam’s browser will encrypt his credit card information using it. –So, only Amazon can decipher the credit card information, since no one else has Amazon’s private key. But how can Sam (or his browser) know that the public key for Amazon is genuine? –Amazon contracts with, say, Verisign, to issue a certificate –This certificate is stored in encrypted form, encrypted with Verisign’s private key, known only to Verisign. –Verisign’s public key is known to all browsers, which can therefore decrypt the certificate and obtain Amazon’s public key, and be confident that it is genuine. –Your browser then generates a temporary session key, encodes it using Amazon’s public key, and sends it to Amazon. –All subsequent msgs between the browser and Amazon are encoded using symmetric encryption (e.g., DES), which is more efficient than public-key encryption. This solves the problem of you trusting Amazon, but not the problem of Amazon trusting you.

24. Slide 24 Statistical DB Security Statistical DB: Contains information about individuals, but allows only aggregate queries (e.g., average age, rather than Joe’s age). New problem: It may be possible to infer some secret information! – E.g., If I know Joe is the oldest sailor, I can ask “How many sailors are older than X?” for different values of X until I get the answer 1; this allows me to infer Joe’s age. Idea: Insist that each query must involve at least N rows, for some N. Will this work?

25. Slide 25 Challenge Question You can ask queries which aggregate data (no GROUP BY) from at least 6 tuples. Find the age of Len with as few queries as possible. Your answer should work for any instance of the table with more than 6 entries. NameAge Len61 Dave45 Xavier25 Kyu20 Olgay19 Vachara22 Tabor24

26. Slide 26 Creating your UNIX Workspace Login to your CS UNIX account –mkdir ~/public_html –chmod 755 public_html Place all web files in public_html All files must be world readable –chmod 644 index.html If you enter this address to a browser –http://www.cs.pdx.edu/~usernamehttp://www.cs.pdx.edu/~username The browswer will display a default index file if one exists –index.html, index.php, index.cgi

27. Slide 27 What is PHP? Recursive acronym for “PHP: Hypertext Preprocessor” Widely used Open Source general-purpose scripting language –Scripting language: programing language that controls software applications. Specially suited for Web development Can be embedded into HTML There may well be better scripting languages, but I think PHP is the easiest to learn.

28. Slide 28 Some Advantages of PHP Runs on all major OS’s: MS Windows, Solaris, major UNIX and Linux variants, Mac OS’s Runs on all major web servers: Apache, MS IIS, iPlanet, … Has support for all major DBMSs: My SQL, Postgres, Oracle, SQL Server, DB2, … Simple to learn basics, especially for those knowing other languages like C/C++ Lots of advanced features for professional programmers Also available for command line scripting and gui applications (PHP-GTK)

29. Slide 29 HTML HTML - Hyper Text Markup Language Way to explain document structure (not presentation!) –Structure is title, paragraph, section –Use CSS for presentation, e.g., font size, bold, bullets, margins Tries to be device independent Outside the scope of this lecture HTML Tutorials: http://w3.org/MarkUp/#tutorialshttp://w3.org/MarkUp/#tutorials A Caveman's Introduction to HTML and Related Tools: http://www.cat.pdx.edu/~johnj/talks/show.php/introHTML http://www.cat.pdx.edu/~johnj/talks/show.php/introHTML

30. Slide 30 HTML Requests Client sends HTTP request from browser to web server Server locates pages and transmit back to client Browser renders webpage from html

31. Slide 31 PHP Requests PHP executed by server and HTML sent back to server

32. Slide 32 PHP is a Server-Side Language PHP code is surrounded by start and end tags Preprocessing jumps in and out of PHP “mode” –Replaces ALL PHP with HTML Finally, HTML is sent back to browser

33. Slide 33 Example of Server Side Processing If your HTML/PHP file contains: Then the PHP processor sends this HTML text back to your browser (see it with “view source”): Hello World Try it, and remember –The HTML/PHP file must end in.php, e.g., test.php It is just a text file, edit it with pico, vi, emacs, etc. –The file must reside in public_html,e.g., public_html/test.php –The file must have world-readable permission –Address it from any browser with http://www.cs.pdx.edu/~username/test.php http://www.cs.pdx.edu/~username/test.php

34. Slide 34 My First PHP Page PHP Version 4.4.0 SystemSunOS scalpel.cat.pdx.edu 5.9 Generic_117171-07 sun4u Build DateAug 22 2005 08:43:09 Configure Command'…omitted… Server APIApache Virtual Directory Supportdisabled Configuration File (php.ini) Path/pkgs/webservers/apache-1.3.33/etc …truncated…

35. Slide 35 PHP Language Basics Tutorial: http://us2.php.net/tut.php Language Reference: http://us2.php.net/manual/en/langref.php

36. Slide 36 Language Basics Type decided at runtime by PHP depending on the context in which that variable is used null, boolean, integer, float, string, array, object

37. Slide 37 Basic Data Types Numbers (integers and real), Strings \n"; ?> Output: 1234 511 255 1.25 Output: Hi Rasmus $last

38. Slide 38 More Basic Data Types, Dynamic Typing Booleans Output: Hi Carl Dynamic Typing –Don't have to declare types –Automatic conversion done Output: 1006.5

39. Slide 39 Arrays Useful for many things besides an array: list (vector), hashtable, dictionary, collection, stack, queue, and more Useful array functions built-in array_push, array_pop, array_rand, array_shift, array_search, sort,...

40. Slide 40 Predefined Variables* $_SERVER : array containing information such as headers, paths, and script locations $_GET : associative array of variables passed to the current script via the HTTP GET method $_POST : associative array of variables passed to the current script via the HTTP POST method \n"; echo "user-agent: $_SERVER[HTTP_USER_AGENT] \n"; ?> Output script: /~len/test.php user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1;.NET CLR 2.0.50727;.NET CLR 1.1.4322)

41. Slide 41 C-like syntax 0) { echo "+"; } echo "$loop \n"; } while(--$loop) { switch($loop % 2) { case 0: echo "Even \n"; break; case 1: echo "Odd \n"; break; } } do { echo "$loop "; } while (++$loop Output: -3 -2 -1 0 1 2 Even Odd 0 1 2 3 4

42. Slide 42 Syntax and Switching Modes <? if(strstr($_SERVER['HTTP_USER_AGENT'],"MSIE")) { ?> You are using Internet Explorer <? } else { ?> You are not using Internet Explorer

43. Slide 43 A useful print function: print_r 'apple', 'b' => 'banana', 'c' => array ('x', 'y', 'z')); echo " ". print_r($arr). " "; ?> Output Array ( [a] => apple [b] => banana [c] => Array ( [0] => x [1] => y [2] => z )

44. Slide 44 Object Oriented Programming Classes contents = $contents; } function get_inside() { return $this->contents; } } $mybox = new Box("Stuff"); echo $mybox->get_inside(); ?> Output: Stuff

45. Slide 45 More OO Programming contents = $contents; $this->wrap_color = $wrap_color; } function get_color() { return $this->wrap_color; } } $mybox = new Present("iPod Shuffle", "lime green"); echo $mybox->get_inside(). " : ". $mybox->get_color(); ?> Output: iPod Shuffle : lime green

46. Slide 46 HTML Forms " method="POST"> Your name: <input type="text" name="name"> Your age: Output (what appears on the browser): Your name: Your age: Submit

47. Slide 47 How to Manage Forms Hi. You are years old.

48. Slide 48 PHP and Databases: Overview Open a connection to the database - PHP returns a "connection resource" Run a query - PHP returns a query "result resource" Do something with the result - display output to user or do some other actions Close the connection resource - tell database and PHP we don't need it any more

49. Slide 49 Connecting to a Database PHP Postgresql Functions: http://www.php.net/manual/en/ref.pgsql.php http://www.php.net/manual/en/ref.pgsql.php pg_connect() returns a connection resource that is needed by other PostgreSQL functions.

50. Slide 50 Connection Errors Error Message Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL: Password authentication failed for user “cs386" in./display.php(433) : eval()'d code on line 7 Could not connect

51. Slide 51 Executing a Query on a Connection: pg_query <?php // assuming we already connected with code from previous slide... $query = " SELECT DISTINCT N.candname, N.party FROM candcl N; "; $result = pg_query($connection, $query) or die("Query error: ". pg_last_error()); ?>

52. Slide 52 Query Result Errors If we had said SELECT DISTINCT foobar We would have seen the error message Warning: pg_query(): Query failed: ERROR: column "foobar" does not exist in./display.php(433) : eval()'d code on line 20 Query error: ERROR: column "foobar" does not exist Note: Postgresql automatically folds all identifiers (e.g. table/column names) to lower case values. To get it to recognize upper case values, you must wrap the identifier in quotes

53. Slide 53 Retrieving tuples: pg_fetch_row pg_fetch_row returns each row as an enumerated array \n"; echo “Party: $row[1] \n"; } ?> Output 4 rows returned Name: MCCAIN, JOHN S. Party: REP …

54. Slide 54 Fetching rows as objects '; for($count=0; $count \n"); printf(" %s \n",$data->candname); printf(" %s \n",$data->party); printf(" \n"); } echo " \n"; ?> Output: MCAIN JOHN S.REP OBAMA, BARACKDEM SMITH, GORDONREP MERKLEY, JEFFREYDEM

55. Slide 55 Fetching rows as arrays Calling pg_fetch_array() will return an enumerated and an associative array <?php $array = pg_fetch_array($result); echo "Name: $array[“candname"] \n"; echo “Party: $array[“party"] \n"; echo "Name: $array[0] \n"; echo “Party: $array[1] \n"; ?> Output: Name: MCCAIN, JOHN S. Party: REP Name: OBAMA, BARACK Party: DEM

56. Slide 56 \n"; echo “Party: $row[1] \n"; } mysql_close($connection); ?> Example for MySQL

57. Slide 57 DB Application Development Planning! –Target audience and platform: Web? Native App? –Server OS, Webserver, Language –Database differences –Specifications –Schema! Split up the work –Presentation versus application code –Designers versus programmers Smarty: http://smarty.php.nethttp://smarty.php.net –Template/Presentation Framework

58. Slide 58 Database Abstractions Database-independent software interfaces Allows developers to deal with different DBMSs without altering code Why is it needed? Implementations of SQL differ in many ways, e.g. –Data formats, such as dates –Null values can be represented differently –New features, such as TOP N vs. LIMIT Many of these abstractions are based on ODBC. Comparison of PHP abstractions: http://phplens.com/lens/adodb/

59. Slide 59 Connecting to PostgreSQL with Java PostgreSQL JDBC Driver: http://jdbc.postgresql.org/http://jdbc.postgresql.org/ On Unix add /pkgs/pgsql/pgsql-7.4.6/share/java/postgresql.jar to your $CLASSPATH or use jar file from the site /* sample that connects to cs386 and gets two columns from the candcl table */ import java.sql.*; public class connectPostgreSQL { public static void main(java.lang.String[] args) { try { // Here we load the JDBC driver. Class.forName("org.postgresql.Driver"); } catch (Exception e) { System.out.println(“Driver error:“ + e.getMessage()); return; } try { Connection pSQL = DriverManager.getConnection( "jdbc:postgresql://db.cecs.pdx.edu/cs386", “cs386","introdb");

60. Slide 60 /* This is where we create a Statement object * and execute a SQL query using it. */ Statement query = pSQL.createStatement(); ResultSet cands = query.executeQuery( "SELECT * FROM candcl;"); /* Here we'll loop through the ResultSet, * printing out results by column names, * candname and party */ System.out.println(“NAME%tPARTY"); while (cands.next()) { System.out.println( cands.getString(“candname") + “\t%" + cands.getString(“party")); } // Close all of our JDBC resources. cands.close(); query.close(); pSQL.close(); } catch (SQLException se) { // Give feedback for any SQL errors. System.out.println("SQL Exception: " + se.getMessage()); se.printStackTrace(System.out); } } } Connecting to PostgreSQL with Java, ctd.

61. Slide 61 #!/usr/bin/perl use DBI; $username = “cs386"; $password = "introdb"; $databasename = “cs386"; $hostname = "db.cecs.pdx.edu"; $conn_type = "postgres"; $dbh = DBI->connect(dbi:Pg:dbname=$databasename;host=$hostname", "$username","$password"); if ($dbh) { print "Content-type:text/html\n\n"; $query = "SELECT * from subject"; $sth = $dbh->prepare($query); if (!defined($sth)) { print "Cannot prepare $DBI::errstr\n"; } if (!$sth->execute) { print "Cannot execute $DBI::errstr\n"; } print " \n"; while (@vetor = $sth->fetchrow) { print " \n"; foreach $field (@vetor) { print " $field \n"; } print " \n"; } print " \n"; $sth->finish; $dbh->disconnect(); } else { print "Cannot connect to Postgres server: $DBI::errstr\n"; } Connecting to PostreSQL with Perl

62. Slide 62 Web Security: SQL Injection Validate all incoming data, don't trust the web Be careful when executing system commands, database queries from user supplied data SQL injection –What happens if $_GET['email'] is "%" ? –SELECT * FROM sometable WHERE field = '%'; –What happens if $_GET['email'] is "foo@bar'; DROP 'sometable" ? –SELECT * FROM sometable WHERE field = 'foo@bar'; DROP 'sometable';

63. Slide 63 Avoiding SQL Injection Connect to database as user with limited powers, such as read only access Check that input has the correct datataype: use input validating functions or regular expressions Escape string input: mysql_real_escape_string() or addslashes() Don't print out information about the schema PHP on SQL Injection (can be applied to other languages): http://www.php.net/manual/en/security.database.sql-injection.php http://www.php.net/manual/en/security.database.sql-injection.php

64. Slide 64 Reading a File Output: Sun Microsystems Inc. SunOS 5.9 Generic May 2002 ======= Unauthorized access to this system is prohibited. Systems to identify unauthorized users may also monitor authorized users. ======= *** Read "msgs" for system bulletins.

65. Slide 65 C-Like File Functions Reading from a file "; } ?> Reading from a URL Writing to a file

66. Slide 66 Web References PHP Website, Manual: http://www.php.nethttp://www.php.net PHP Beginning Tutorial: http://www.php.net/tut.phphttp://www.php.net/tut.php Zend Website: http://www.zend.com/developers.phphttp://www.zend.com/developers.php Zend Beginning PHP Articles: http://www.zend.com/php/beginners/index.php http://www.zend.com/php/beginners/index.php PHP Presentations: http://talks.php.net/http://talks.php.net/ More PHP Related Links http://www.php.net/links.phphttp://www.php.net/links.php Practical PostgreSQL Book: http://www.commandprompt.com/ppbook/book1 http://www.commandprompt.com/ppbook/book1 PostgreSQL JDBC Driver: http://jdbc.postgresql.org/http://jdbc.postgresql.org/

67. Slide 67 Book References PHP and PostgreSQL 8 Programming PHP Advanced PHP Programming Web Database Applications with PHP & MySQL Learning PHP 5 Practical Postgresql (also available online, see previous page)

68. Slide 68 Misc. References and Tools Connecting to Databases with Perl: http://dbi.perl.org/http://dbi.perl.org/ PHP Auto Documenter: http://www.phpdoc.org/http://www.phpdoc.org/ Zend IDE (Windows, Linux, Unix, Mac OSX) and Debugger: http://www.zend.com/store/products/zend- studio.phphttp://www.zend.com/store/products/zend- studio.php DBDesigner4 (Windows and Linux): http://www.fabforce.net/dbdesigner4/ http://www.fabforce.net/dbdesigner4/ HTML and MarkUp Validator http://validator.w3.org/http://validator.w3.org/ MySQL: http://dev.mysql.com/http://dev.mysql.com/ PostgreSQL http://www.postgresql.org/http://www.postgresql.org/