Concurrency Control

R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.

Example Husband/Wife joint account with $1000 balance. Transactions: –Husband: Withdraw 800 –Wife: Withdraw 100 Processing: –Read Balance, Calculate New Balance, Write New Balance

Husband:ReadBalanceCalNewBalanceWriteNewBalance (In memory)(On disk) 1000New= Wife:ReadBalanceCalNewBalance WriteNewBalance 1000New=

Locking Locking is the most widely used approach to ensure serializability of concurrent transactions. Shared lock: read only access Exclusive lock: for both read and write access.

Lock Granularity The size of data items protected by a lock. –Entire database –Entire table –A page –A record –A Field The coarser the data item size, the lower the degree of concurrency permitted.

Dead Lock Two transactions wait for locks on items held by the other. T1T2 DataItem 1 DataItem 2 Lock Wait For Lock

Transaction An unit of work on database that is either completed in its entirety or is not performed at all.

Transaction Commands Begin Transaction Update commands Commit RollBack End Transaction

DefiningTransaction in An Application Truck Rental System: –Vehicle Table:VID, VType, VStatus » V1PickUp Available » V2TowTruck Booked –VReservation:RID, VID, Date » R1V21/2/04

Transaction Example (Pseudo Code) Sub Rent(RID, VID, RDate) Begin Transaction Insert (RID, VID, RDate) into VReservation table If No Error Then Update Vehicle Status If No Error Then Commit Transaction Else Roll Back End if Else Roll Back End if End Sub

Transaction ACID Properties Atomic –Transaction cannot be subdivided –All or nothing Consistent –Constraints don’t change from before transaction to after transaction –A transaction transforms a database from one consistent state to another consistent state. Isolated –Transactions execute independently of one another. –Database changes not revealed to users until after transaction has completed Durable –Database changes are permanent and must not be lost.

Log File (Journal) A file that contains all information about all updates to the database. It may contain the following data: –Transaction records: Transaction ID Type of action: –Begin, Insert,Delete, Modify, Commit, Rollback, End Before-image After-image –Checkpoint records The point of synchronization between the database and the transaction log file.

To Recover In the event of a failure, examine the log starting from the most recent checkpoint record. Any transaction with Transaction Start and Transaction Commit records should be redone: –Perform all the writes to the database using the after-image log records in the order in which they were written to the log.

Database Security

Threats to Data Security Accidental losses attributable to: –People Users: using another person’s means of access, viewing unauthorized data, introduction of viruses Programmers/Operators Database administrator: Inadequate security policy –Software failure DBMS: security mechanism, privilege Application software: program alteration –Hardware failure Theft and fraud Improper data access: –Loss of privacy (personal data) –Loss of confidentiality (corporate data) Loss of data integrity Loss of availability (through, e.g. sabotage)

Countermeasures to Threats Authorization –Authentication Access controls: privileges Database views BackUp and Recovery Enforcing integrity rules Encryption –Symmetric encryption: use same key for encryption and decryption –Asymmetric encryption: Public key: for encryption Private key: decryption RAID

Authorization Rules Controls incorporated in the data management system  Restrict: –access to data –actions that people can take on data  Authorization matrix for: –Subjects –Objects –Actions –Constraints

Figure 12-5 Authorization matrix

SQL Injection "SQL Injection" is an unverified/unsanitized user input vulnerability, and the idea is to convince the application to run SQL code that was not intended. Exploits applications that use external input for database commands.

SQL Injection Demo On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data. 1. Retrieve all records:In the textbox, enter: ‘ OR 1=1 OR CID = ‘ 2. Guess table name or field name: ‘ AND 1=(SELECT COUNT(*) FROM Orders) AND CID=‘ 3. Finding some users: ' or cname like 'S%' or cid=‘ SQLInjectionDemo

Demo Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) Try objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() GridView1.DataSource = objDataReader GridView1.DataBind() Catch except As SystemException Response.Write(except.Message) End Try End Sub

Introduction to XML ISYS 464

XML John Smith Peter Chen David Chao $45.00 This is a grerat book Adam Smith $25.00 This is a second great book

XML Schema Definition of an XML Document Namespaces: Allow element names to be qualified to avoid name collisions. Complex and simple types: –Elements that contains other elements are complex type. Cardinality: –minOccurs: 0 for optional element. –maxOccurs: specified number or unbounded Compositor: –Sequence: defines an ordered sequence of subelements. –Choice: defines a choice between several possible elements. Constraints: –Uniqueness contraint

Relational to XML Example: –Access File/Export File/Get External data/Import