advances in programming languages
play

Advances in Programming Languages APL17: Using SQL from Java Ian - PowerPoint PPT Presentation

Jun 14, 2023 •201 likes •511 views

Advances in Programming Languages APL17: Using SQL from Java Ian Stark School of Informatics The University of Edinburgh Monday 8 March 2010 Semester 2 Week 9 N I V E U R S E I H T T Y O H F G R E

  1. Advances in Programming Languages APL17: Using SQL from Java Ian Stark School of Informatics The University of Edinburgh Monday 8 March 2010 Semester 2 Week 9 N I V E U R S E I H T T Y O H F G R E http://www.inf.ed.ac.uk/teaching/courses/apl U D I B N

  2. Topic: Domain-Specific vs. General-Purpose Languages This is the first of four lectures on integrating domain-specific languages with general-purpose programming languages. In particular, SQL for database queries. Using SQL from Java LINQ: .NET Language Integrated Query Language integration in F# Type-checking for SQLizeability Ian Stark APL17 2010-03-08

  3. Topic: Domain-Specific vs. General-Purpose Languages This is the first of four lectures on integrating domain-specific languages with general-purpose programming languages. In particular, SQL for database queries. Using SQL from Java LINQ: .NET Language Integrated Query Language integration in F# Type-checking for SQLizeability Ian Stark APL17 2010-03-08

  4. SQL SQL is a programming language, with a declarative part: select isbn, title , price from books where price > 100.00 order by title and an imperative part: update books set price = 10.00 where price < 10.00 drop table sales as well as numerous extensions, such as procedures and transactions. SQL is a domain-specific language , rather than a general-purpose programming language. Ian Stark APL17 2010-03-08

  5. Who Writes SQL? SQL is one of the world’s most widely used programming languages, but programs in SQL come from many sources. For example: Hand-written by a programmer Generated by some interactive visual tool Generated by an application to fetch an answer for a user Generated by one program as a way to communicate with another Most SQL is written by programs, not directly by programmers. The same is true of HTML, another domain-specific language. Also XML, Postscript,. . . Ian Stark APL17 2010-03-08

  6. SkyServer Demonstration http://cas.sdss.org/dr7/en/ http://cas.sdss.org/dr7/en/sdss/telescope/telescope.asp http://cas.sdss.org/dr7/en/tools/search/ Ian Stark APL17 2010-03-08

  7. HTML Injection The Pluto page is an example of HTML injection . The SkyServer website appears to be serving an incorrect image. This is used in phishing attacks, and other fraud, where a web server can be cajoled into presenting novel material as its own. For example, a suitably crafted URL may cause a bank’s own web server to present a page that requests account details and then sends them to an attacker’s own site. The opportunity to inject HTML and even Javascript can arise whenever a web site takes user input and uses that to generate pages. It is even possible to use web search engines to locate vulnerable sites. Ian Stark APL17 2010-03-08

  8. Google Buzz XSS Hack 2010-02-09 Google Buzz social communication tool launched Ian Stark APL17 2010-03-08

  9. Google Buzz XSS Hack 2010-02-09 Google Buzz social communication tool launched 2010-02-16 Cross-site scripting injection attack publicly demonstrated Ian Stark APL17 2010-03-08

  10. Google Buzz XSS Hack 2010-02-09 Google Buzz social communication tool launched 2010-02-16 Cross-site scripting injection attack publicly demonstrated 2010-02-17 Google patch bug Ian Stark APL17 2010-03-08

  11. Google Buzz XSS Hack 2010-02-09 Google Buzz social communication tool launched 2010-02-16 Cross-site scripting injection attack publicly demonstrated 2010-02-17 Google patch bug http://www.theregister.co.uk/2010/02/16/google_buzz_security_bug/ http://ha.ckers.org/blog/20100216/google-buzz-security-flaw/ Ian Stark APL17 2010-03-08

  12. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. Ian Stark APL17 2010-03-08

  13. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = ’bob@example.com’ Ian Stark APL17 2010-03-08

  14. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = ’bob@example.com’ we might supply the unusual email address “x’ or 1=1 --” Ian Stark APL17 2010-03-08

  15. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = ’bob@example.com’ we might supply the unusual email address “x’ or 1=1 --” to get select id, email, password from users where email = ’x’ or 1=1 −− ’ which will return a complete list of users. Ian Stark APL17 2010-03-08

  16. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = ’bob@example.com’ we might supply the perverse email address “x’; update users set email=’bob@example.com’ where email=’admin@server’ --” Ian Stark APL17 2010-03-08

  17. SQL Injection HTML injection causes a server to deliver a surprising web page. SQL injection can cause a database server to carry out unexpected actions on the database. For example, where a server contains code like this: select id, email, password from users where email = ’bob@example.com’ we might supply the perverse email address “x’; update users set email=’bob@example.com’ where email=’admin@server’ --” to get select id, email, password from users where email = ’x’; update users set email = ’bob@example.com’ where email = ’admin@server’ −− ’ which will redirect all the administrator’s email to Bob. Ian Stark APL17 2010-03-08

  18. XKCD on SQL Injection http://xkcd.com/327 Ian Stark APL17 2010-03-08

  19. XKCD on SQL Injection http://xkcd.com/327 Ian Stark APL17 2010-03-08

  20. XKCD on SQL Injection http://xkcd.com/327 Ian Stark APL17 2010-03-08

  21. XKCD on SQL Injection http://xkcd.com/327 Ian Stark APL17 2010-03-08

  22. Dubious Licence Plate Ian Stark APL17 2010-03-08

  23. Working with Query Languages How then do we write programs to generate and manipulate queries? A common approach is to use some standard framework or application programming interface (API). ODBC, the Open Database Connectivity specification, is a well-known framework for managed database access: At the back, an ODBC driver contains code for a specific database management system (DB2, Oracle, SQL Server, . . . ). At the front, the programmer connects to a fixed procedural API In between, core ODBC libraries translate between the API and the driver. Particular programming languages and environments may place further layers on top of ODBC, or have alternative similar mechanisms. For example: JDBC for Java and ADO.NET for the Microsoft .NET framework. Ian Stark APL17 2010-03-08

  24. JDBC: Java Database Connectivity JDBC is a Java library, in the java.sql. ∗ and javax.sql. ∗ packages, which provides access to read, write and modify tabular data. Relational databases, with access via SQL, is the most common application; but JDBC can also operate on other data sources. The connection to the database itself may be via a driver that bridges through ODBC, speaks a proprietary database protocol, or connects to some further networking component or application. Ian Stark APL17 2010-03-08

  25. JDBC Bootup import java.sql. ∗ ; // Obtain the relevant classes // Install a suitable driver Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); // Identify the database String url = "jdbc:derby:Users"; // Prepare login information String user = "bob" String password = "secret" // Open connection to database Connection con = DriverManager.getConnection(url, user, password); Ian Stark APL17 2010-03-08

  26. Sample JDBC Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("SELECT name, id, score FROM Users"); while (rs.next()) // Loop through each row returned by the query { String n = rs.getString("name"); int i = rs.getInt("id"); float s = rs.getFloat("score"); System.out.println(n+i+s); } Ian Stark APL17 2010-03-08

  27. JDBC String Fiddling float findScoreForUser(Connection con, String name) { Statement stmt = con.createStatement(); String query = "SELECT id, score FROM Users WHERE name=" + name; ResultSet rs = stmt.executeQuery(query); float s = rs.getFloat("score"); return s; } Ian Stark APL17 2010-03-08

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advances in Programming Languages APL10: Bridging Query and Programming Languages Ian Stark

Advances in Programming Languages APL10: Bridging Query and Programming Languages Ian Stark

Advances in Programming Languages APL10: Bridging Query and Programming Languages Ian Stark School of Informatics The University of Edinburgh Friday 29 October 2010 Semester 1 Week 6 N I V E U R S E I H T T Y O H F G R E

758 views • 42 slides
Advances in Programming Languages APL18: Bridging Query and Programming Languages Ian Stark

Advances in Programming Languages APL18: Bridging Query and Programming Languages Ian Stark

Advances in Programming Languages APL18: Bridging Query and Programming Languages Ian Stark School of Informatics The University of Edinburgh Thursday 11 March 2010 Semester 2 Week 9 N I V E U R S E I H T T Y O H F G R E

881 views • 29 slides
Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of Informatics The University of Edinburgh Monday 17 March 2008 Semester 2 Week 11 Coursework Statistics Total of 30 submissions, with all topics

554 views • 23 slides
Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of Informatics The University of Edinburgh Thursday 21 February 2008 Semester 2 Week 7 Topic: Domain-Specific vs. General-Purpose Languages This is

535 views • 38 slides
Advances in Programming Languages APL15: Bidirectional Programming David Aspinall School of

Advances in Programming Languages APL15: Bidirectional Programming David Aspinall School of

Advances in Programming Languages APL15: Bidirectional Programming David Aspinall School of Informatics The University of Edinburgh Friday 19 November 2010 Semester 1 Week 9 N I V E U R S E I H T T Y O H F G R E

949 views • 47 slides
Advances in Programming Languages APL14: Polyphonic C# Ian Stark School of Informatics The

Advances in Programming Languages APL14: Polyphonic C# Ian Stark School of Informatics The

Advances in Programming Languages APL14: Polyphonic C# Ian Stark School of Informatics The University of Edinburgh Monday 3 March 2008 Semester 2 Week 9 Programming-Language Techniques for Concurrency This is the second of three lectures

488 views • 22 slides
Advances in Programming Languages APL7: Polymorphism from Types to Kinds and Beyond Ian Stark

Advances in Programming Languages APL7: Polymorphism from Types to Kinds and Beyond Ian Stark

Advances in Programming Languages APL7: Polymorphism from Types to Kinds and Beyond Ian Stark School of Informatics The University of Edinburgh Tuesday 12 October Semester 1 Week 4 N I V E U R S E I H T T Y O H F G R E

667 views • 30 slides
Advances in Programming Languages APL19: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL19: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL19: Heterogeneous Metaprogramming in F# Ian Stark School of Informatics The University of Edinburgh Monday 15 March 2010 Semester 2 Week 10 N I V E U R S E I H T T Y O H F G R E

747 views • 45 slides
Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of

Advances in Programming Languages APL11: Heterogeneous Metaprogramming in F# Ian Stark School of Informatics The University of Edinburgh Tuesday 2 November 2010 Semester 1 Week 7 N I V E U R S E I H T T Y O H F G R E

848 views • 50 slides
Advances in Programming Languages APL17: XML processing with CDuce David Aspinall (see final

Advances in Programming Languages APL17: XML processing with CDuce David Aspinall (see final

Advances in Programming Languages APL17: XML processing with CDuce David Aspinall (see final slide for the credits and pointers to sources) School of Informatics The University of Edinburgh Friday 26th November 2010 Semester 1 Week 10 N I

822 views • 41 slides
Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall

Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall

Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Thursday 21 January 2010 Semester 2 Week 2 N I V E U R S E I

1.17k views • 21 slides
Advances in Programming Languages APL16: Further language concurrency mechanisms David Aspinall

Advances in Programming Languages APL16: Further language concurrency mechanisms David Aspinall

Advances in Programming Languages APL16: Further language concurrency mechanisms David Aspinall (including slides by Ian Stark) School of Informatics The University of Edinburgh Thursday 5 March 2009 Semester 2 Week 8 N I V E U R S E

541 views • 24 slides
Advances in Programming Languages APL5: Further language concurrency mechanisms David Aspinall

Advances in Programming Languages APL5: Further language concurrency mechanisms David Aspinall

Advances in Programming Languages APL5: Further language concurrency mechanisms David Aspinall (including slides by Ian Stark) School of Informatics The University of Edinburgh Tuesday 5th October 2010 Semester 1 Week 3 N I V E U R S

290 views • 27 slides
Advances in Programming Languages APL1: Whats so important about language? Ian Stark and David

Advances in Programming Languages APL1: Whats so important about language? Ian Stark and David

Advances in Programming Languages APL1: Whats so important about language? Ian Stark and David Aspinall School of Informatics The University of Edinburgh Tuesady 21 September 2010 Semester 1 Week 1 N I V E U R S E I H T T Y O

503 views • 39 slides
Advances in Programming Languages APL11: Concurrency David Aspinall (including slides by Ian

Advances in Programming Languages APL11: Concurrency David Aspinall (including slides by Ian

Advances in Programming Languages APL11: Concurrency David Aspinall (including slides by Ian Stark) School of Informatics The University of Edinburgh Monday 15 February 2010 Semester 2 Week 6 N I V E U R S E I H T T Y O H F G

770 views • 27 slides
Advances in Programming Languages APL4: Row variables in OCaml Structural typing for objects

Advances in Programming Languages APL4: Row variables in OCaml Structural typing for objects

Advances in Programming Languages APL4: Row variables in OCaml Structural typing for objects Ian Stark School of Informatics The University of Edinburgh Thursday 22 January 2009 Semester 2 Week 2 I V N E U R S E I H T T Y O

602 views • 30 slides
Outline Embedded SQL. CS 235: Call-Level Interface (CLI). Java Database

Outline Embedded SQL. CS 235: Call-Level Interface (CLI). Java Database

Outline Embedded SQL. CS 235: Call-Level Interface (CLI). Java Database Connectivity (JDBC). Introduction to Databases Svetlozar Nestorov Lecture Notes #18 Embedded SQL Shared Variables Standard for combining SQL with a

857 views • 6 slides
System Aspects of SQL (Chapter 9: Four more ways to make SQL calls CS411 from outside the DBMS)

System Aspects of SQL (Chapter 9: Four more ways to make SQL calls CS411 from outside the DBMS)

System Aspects of SQL (Chapter 9: Four more ways to make SQL calls CS411 from outside the DBMS) Database Systems Call-Level Interface PHP 07: SQL System Aspects Java Database Connectivity Kazuhiro Minami Stored procedures Embedded SQL 2

263 views • 8 slides
ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721

ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721

Lect ure # 13 ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721 (Spring 2019) 2 ADM INISTRIVIA Feb 27: Project #1 is due Feb 27: Project #2 will be released Mar 4: Extra Credit assignment will be

734 views • 49 slides
Lect ure # 14 ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2018 2

Lect ure # 14 ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2018 2

Lect ure # 14 ADVANCED DATABASE SYSTEMS Networking @ Andy_Pavlo // 15- 721 // Spring 2018 2 CO URSE AN N O UN CEM EN TS Mid-Term: Wednesday March 7 th @ 3:00pm Project #2: Monday March 12 th @ 11:59pm Project #3 Proposal: Monday March 19 th

765 views • 49 slides
How to program applications Using existing languages: CS 2550 / Spring 2006 Embed SQL

How to program applications Using existing languages: CS 2550 / Spring 2006 Embed SQL

How to program applications Using existing languages: CS 2550 / Spring 2006 Embed SQL into Host language ESQL, SQLJ Principles of Database Systems Use a library of functions JDBC 05 SQL Programming

314 views • 6 slides
Database API:s (Elmasri/Navathe ch. 9) ( Padron-McCarthy/Risch ch 20) Kjell Orsborn Department

Database API:s (Elmasri/Navathe ch. 9) ( Padron-McCarthy/Risch ch 20) Kjell Orsborn Department

UU - IT - UDBL 1 DATABASE DESIGN I - 1DL300 Summer 2008 An introductury course on database systems http://user.it.uu.se/~udbl/dbt-sommar08/ alt. http://www.it.uu.se/edu/course/homepage/dbastekn/st08/ Kjell Orsborn Uppsala Database Laboratory

252 views • 11 slides
Database Applications JDBC SQL Injection Course Objectives Design Construction Applications

Database Applications JDBC SQL Injection Course Objectives Design Construction Applications

Database Applications JDBC SQL Injection Course Objectives Design Construction Applications Usage JDBC JDBC = Java DataBase Connectivity JDBC is Javas call-level interface to SQL DBMSs. A library with operations that

444 views • 30 slides
175 Why use a database? You can query the data (run searches) You can integrate with other

175 Why use a database? You can query the data (run searches) You can integrate with other

175 Why use a database? You can query the data (run searches) You can integrate with other business systems that use the same database You can store huge numbers of records without the risk of corruption You can access data quickly

686 views • 50 slides

More recommend