Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Database Connectivity Rose-Hulman Institute of Technology Curt Clifton."— Presentation transcript:

1 Database Connectivity Rose-Hulman Institute of Technology Curt Clifton

2 Recall Multi-Tier Architectures DBMS Server Web Server Web Browser Custom Client (e.g., Java, C#)

3 Why use stored procedures?  Could just send individual SQL commands from UI  Use stored procedures to: Optimize performance Keep SQL code on the server Improve security by preventing casual table browsing and modifications More easily create atomic transactions (more next week) Prevent SQL injection attacks

4 Another Problem: Injection Attacks  Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database  So what’s the problem?

5 Another Problem: Injection Attacks  Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database  User enters: smith'; DELETE FROM Users WHERE true OR Username ='

6 Guidelines  Do not build queries using concatenation  Do not use a highly privileged SQL account for access from the application  Encrypt the DB connection string  Cache static information in the application  Always explicitly define the table columns you wish to fetch  Use parameter validation at all layers

Download ppt "Database Connectivity Rose-Hulman Institute of Technology Curt Clifton."

Similar presentations

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
Multiple Tiers in Action

Multiple Tiers in Action
Notes on Stored Procedures CSSE333 Intro to Database Systems--Winter 2005-2006.

Notes on Stored Procedures CSSE333 Intro to Database Systems--Winter
Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.

Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.
Lecture 4: Introduction to PHP 3 PHP & MySQL

Lecture 4: Introduction to PHP 3 PHP & MySQL
Complaint Desk Team 8. Introduction A web based system that records grievances. A web based system that records grievances. Users can report their grievances.

Complaint Desk Team 8. Introduction A web based system that records grievances. A web based system that records grievances. Users can report their grievances.
1 1. SQL SERVER OVERVIEW zWhat Is SQL Server? zInterfaces To Use SQL Server zSQL Server Services zTypes Of Databases zSQL Server Security.

1 1. SQL SERVER OVERVIEW zWhat Is SQL Server? zInterfaces To Use SQL Server zSQL Server Services zTypes Of Databases zSQL Server Security.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
SEMESTER 1, 2013/2014 DB2 APPLICATION DEVELOPMENT OVERVIEW.

SEMESTER 1, 2013/2014 DB2 APPLICATION DEVELOPMENT OVERVIEW.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.
1 INTRO TO BUSINESS COMPONENTS FOR JAVA (BC4J) Matt Fierst Computer Resource Team OracleWorld 2003 - Session 36321.

1 INTRO TO BUSINESS COMPONENTS FOR JAVA (BC4J) Matt Fierst Computer Resource Team OracleWorld Session
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.

Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.

Similar presentations

Ads by Google