database enabled web technology summary
play

Database-enabled web technology Summary Instructor: C a gr C - PowerPoint PPT Presentation

Sep 18, 2023 •244 likes •594 views

Database-enabled web technology Summary Instructor: C a gr C oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12 Previously in this course . . . Previous weeks W1: Quick introductions to PHP & git.

  1. Database-enabled web technology Summary Instructor: C ¸a˘ grı C ¸¨ oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12

  2. Previously in this course . . . Previous weeks W1: Quick introductions to PHP & git. W2: An overview of DB design and SQL. W3: Some background on server-side programming, HTTP. Interacting with users in PHP: HTML forms, and cookies. W4: DB Programming: stored procedures, programming with Pear DB, transactions, triggers... W5: Session management, and a bit of security. W6: Security... C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 1/24

  3. Previously in this course . . . Stored Procedures ◮ Stored procedures are database-side programs that are stored and run in a DBMS. ◮ Stored procedures add procedural-language support in relational (SQL) databases. ◮ Stored procedures are database objects, they are created and dropped the same way as the other database objects. ◮ Stored procedures run with the credentials of the user who creates them. As a result, one can run stored procedures without having access to any of the underlying tables. ◮ Stored procedures may reduce the network I/O, and may run faster in certain systems/cases. ◮ There is a relatively recent standard. However, the stored procedure language differ widely among different DBMSes. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 2/24

  4. Previously in this course . . . SP in MySQL an example 1 drop procedure if exists confirm_order; 2 delimiter $$ 3 create procedure confirm_order(in cust_id int , out nitems int) 4 begin 5 declare isbn_tmp varchar (13) default null; 6 declare customer , quantity int; 7 declare more_rows bool default true; 8 declare cur cursor for 9 select cID , ISBN , qty from basket where cID = cust_id; 10 declare continue handler for not found set more_rows = false; 11 set nitems = 0; 12 open cur; 13 fetch cur into customer , isbn_tmp , quantity; 14 while more_rows do 15 set nitems = nitems + quantity; 16 insert into orders (cID , ISBN , qty , order_date , status) 17 values (customer , isbn_tmp , quantity , now(), ’N’); 18 fetch cur into customer , isbn_tmp , quantity; 19 end while; 20 end $$ 21 delimiter ; call confirm_order(10, @nbooks); select @nbooks; C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 3/24

  5. Previously in this course . . . PHP Pear DB library ◮ Pear DB library provides a unified way of connecting to multiple DBMS systems from PHP. ◮ In comparison to other methods of database access, e.g., PHP mysql_ functions, Pear DB provides a more portable approach. ◮ Independent of the DBMS or library in use, you should always validate the user input. ◮ Pear DB provides three functions: escapeSimple() , escapeSmart() and quoteIdentifier() to sanitize the input before using in an SQL statement. ◮ Pear DB also provides a prepare() / execute() interface (as well as the query() ). C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 4/24

  6. Previously in this course . . . Pear DB: a first example 1 <?php 2 require_once (’DB.php’); 3 require_once (’db -config.php’); 4 $conn = DB:: connect("mysql :// $user:$pass@$host/$db"); 5 6 $res = $conn ->query(’select * from book ’); 7 8 echo "<table border =\"1\">"; 9 echo "<tr ><th >ISBN </th ><th >title </th ></tr >"; 10 while ($row = $res ->fetchRow( DB_FETCHMODE_ASSOC )) { 11 echo "<tr ><td >${row[’ISBN ’]} </td >"; 12 echo "<td >${row[’title ’]} </td ></tr >"; 13 } 14 echo " </table >"; 15 $conn ->disconnect (); 16 ?> C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 5/24

  7. Previously in this course . . . DB Transactions ◮ The (SQL) statements in a transaction is treated as atomic: either all or none of them are run. ◮ The (SQL) statements in a transaction is treated as isolated: DBMS isolates statements in a transaction from possible effects of other tasks running in parallel. $db ->autoCommit(false ); $db ->query (...); ... if (some condition) { $db ->rollback () } else { $db ->commit (); } C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 6/24

  8. Previously in this course . . . Session management: a summary ◮ Unlike a conventional application, a web-based application needs ◮ a way to manage a user session for ensuring each execution of the process/script is originating from the same source, ◮ a way to keep state during the life time of the application. ◮ A session consist of two components: ◮ A session ID passed back-and-forth between the client an d the server. ◮ A server-side storage for session data. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 7/24

  9. Previously in this course . . . PHP sessions: an example 1 <?php session_start (); ?> 2 <html > <body > 3 <?php 4 if (! isset($_SESSION[’page_seq ’])) { 5 $_SESSION[’page_seq ’] = 0; 6 } else { 7 $_SESSION[’page_seq ’] += 1; 8 } 9 echo "You are on page ${_SESSION[’page_seq ’]}."; 10 ?> 11 12 </body ></html > C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 8/24

  10. Previously in this course . . . Web, Databases & Security http://xkcd.com/327/ C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 9/24

  11. Previously in this course . . . OWASP 2010 top 10 web security risks 1. Injection 2. Cross-site scripting (XSS) 3. Broken authentication and session management 4. Insecure direct object references 5. Cross site request forgery (CSRF) 6. Security misconfiguration 7. Insecure cryptographic storage 8. Failure to restrict URL access 9. Insufficient transport layer protection 10. Unvalidated redirects and forwards C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 10/24

  12. Previously in this course . . . Sessions and Security Badly implemented session management systems may allow unauthorized access to data/application. Typically, ◮ An easy to guess session ID may be found by brute-force trial & error. ◮ An attacker may obtain the session ID by sniffing the network traffic. ◮ An attacker may steal the session ID/key physically. ◮ An attacker may trick someone to use a URL (e.g., sent via email), causing a particular session ID to be used (session fixation). C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 11/24

  13. Previously in this course . . . Injection attacks: they are real http://news.bbc.co.uk/2/hi/americas/8206305.stm (2009-09-18) C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 12/24

  14. Previously in this course . . . Injection attacks: they are real ◮ (SQL) injection attacks are prevalent, even in cases where people take security seriously. ◮ A simple mistake in the code can make large investments to computer security useless. ◮ Consequences of the vulnerability may differ. ◮ It is easy to prevent: never trust user input. http://news.bbc.co.uk/2/hi/americas/8206305.stm (2009-09-18) C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 12/24

  15. Previously in this course . . . Cross-site scripting (XSS) XSS attacks come in many shapes and sizes, but in it is essence: attacker tricks user/browser to run a script while viewing another site. A typical case: 1. Attacker plants the malicious script (e.g., using SQL injection) to a legitimate web site. 2. Victim visits the web-site, running the script in the context of the web site. 3. Script sends valuable (e.g., session credentials) to the attacker. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 13/24

  16. Previously in this course . . . Solution to fix most security problems Sanitize your input (and output too). C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 14/24

  17. Previously in this course . . . Solution to fix most security problems Sanitize your input (and output too). If you are using PHP: SQL Use, for example, DB::escapeSimple() , or prepare() / execute() instead of query() . shell Use escapeshellarg() or escapeshellcmd() . HTML Use htmlspecialchars() while writing HTML code literally on a web page (particularly against XSS). others If you are implementing your own escape/validation routine, use white listing: explicitly say what you accept, instead of what you do not. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 14/24

  18. Previously in this course . . . A few guidelines (before we start) ◮ Always check user input before using (e.g., in an SQL query). ◮ Do not store and transfer sensitive information unencrypted. ◮ Do not store or transfer sensitive information if you can avoid it. ◮ Sanitize your output (e.g., properly escape special characters if you are outputting HTML). ◮ Try to implement multiple levels/layers of security. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 15/24

  19. Overview Today... ◮ An overall summary. ◮ A few notes on passwords. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 16/24

  20. Authorization, passwords and encryption How (not) to store and use passwords ◮ Do not store passwords in clear. C ¸. C ¸¨ oltekin, Informatiekunde Databases & Web 17/24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Previous weeks Database-enabled web technology DB Programming Introductions on PHP

Previous weeks Database-enabled web technology DB Programming Introductions on PHP

Previously in this course . . . Previous weeks Database-enabled web technology DB Programming Introductions on PHP git Instructor: C a gr C oltekin A summary of DB design and SQL. c.coltekin@rug.nl An

345 views • 5 slides
Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12 Security in Web applications Web, Databases &amp; Security http://xkcd.com/327/ C . C

952 views • 47 slides
13 th February 2017 Technology-Enabled Care (TEC) Programme Background (TEC) is the collective

13 th February 2017 Technology-Enabled Care (TEC) Programme Background (TEC) is the collective

Doreen Watson - Technology Enabled Care 13 th February 2017 Technology-Enabled Care (TEC) Programme Background (TEC) is the collective term for telecare, telehealth, telemedicine, mHealth, digital health and eHealth services. Tied to

133 views • 10 slides
21 st Century Office Showcase new ways of working enabled by technology

21 st Century Office Showcase new ways of working enabled by technology

new ways of working enabled by technology 21 st Century Office Showcase new ways of working enabled by technology www.publicsectornomads.com | www.digitalnomads.co new ways of working enabled by technology Some Key Stats Administration for

1.37k views • 114 slides
Introduction to Database Technology Elmasri/Navathe ch 1-2 Padron-McCarthy/Risch ch 1 Sobhan

Introduction to Database Technology Elmasri/Navathe ch 1-2 Padron-McCarthy/Risch ch 1 Sobhan

DATABASE DESIGN I - 1DL300 Spring 2013 An Introductory Course on Database Systems http://www.it.uu.se/edu/course/homepage/dbastekn/vt13/ Uppsala Database Laboratory Department of Information Technology, Uppsala University, Uppsala, Sweden

728 views • 58 slides
Introduction to Database Technology Elmasri/Navathe ch 1-2 Padron-McCarthy/Risch ch 1 Sobhan

Introduction to Database Technology Elmasri/Navathe ch 1-2 Padron-McCarthy/Risch ch 1 Sobhan

DATABASE DESIGN I - 1DL300 Autumn 2012 An Introductory Course on Database Systems http://www.it.uu.se/edu/course/homepage/dbastekn/ht12/ Uppsala Database Laboratory Department of Information Technology, Uppsala University, Uppsala, Sweden

569 views • 9 slides
5. Technology Applications 5.1 What is a Database? 5.2 Types of Databases 5.3 Choosing the

5. Technology Applications 5.1 What is a Database? 5.2 Types of Databases 5.3 Choosing the

5. Technology Applications 5.1 What is a Database? 5.2 Types of Databases 5.3 Choosing the Right Database 5.4 Database Programming Tools 5.5 How to Search Your Database 5.6 Data Warehousing and Mining 5.7 Enterprise-Wide Data Systems

1.14k views • 88 slides
About initial project reports Your initial report should describe what you are going to implement

About initial project reports Your initial report should describe what you are going to implement

Practical matters About initial project reports Your initial report should describe what you are going to implement well. It should include, Database-enabled web technology the requirements Web Programming your initial database design

228 views • 4 slides
Technology Enabled Clinical Endpoint Innovation Foundational Concepts and Pathway for

Technology Enabled Clinical Endpoint Innovation Foundational Concepts and Pathway for

Technology Enabled Clinical Endpoint Innovation Foundational Concepts and Pathway for Development Advances in Clinical Trial Technology: Impact on Methodology and Signal Detection ISCTM Autumn Meeting, Marina del Rey October 2018 Marc K

559 views • 22 slides
This book o ff ers a decoder for some of the new forms of poetry enabled by digital technology.

This book o ff ers a decoder for some of the new forms of poetry enabled by digital technology.

Writing with A.I. and Machine Learning David (Jhave) Johnston glia.ca This book o ff ers a decoder for some of the new forms of poetry enabled by digital technology. D i g i t a l p o e m s c a n b e a d s , conceptual art, interactive

1.15k views • 95 slides
Laser-Enabled Tests of Gravity: Recent Advances, Technology Demonstrations, and New Ideas Slava

Laser-Enabled Tests of Gravity: Recent Advances, Technology Demonstrations, and New Ideas Slava

Laser-Enabled Tests of Gravity: Recent Advances, Technology Demonstrations, and New Ideas Slava G. Turyshev, Michael Shao, James G. Williams, Dale H. Boggs Jet Propulsion Laboratory, California Institute of Technology 4800 Oak Grove Drive,

832 views • 45 slides
Depression (OIRD) in Medical Surgical Patients: From Near Miss to a Technology- Enabled

Depression (OIRD) in Medical Surgical Patients: From Near Miss to a Technology- Enabled

Preventing Opioid-Induced Respiratory Depression (OIRD) in Medical Surgical Patients: From Near Miss to a Technology- Enabled Interprofessional Process Leading to Improved Outcomes Thomas P. Cleary, BSN, RN Scott D. Alcott, MSN, RN April 17,

365 views • 20 slides
The Technology Enabled Nurse Pamela Cipriano Editor in Chief-- American Nurse Today University of

The Technology Enabled Nurse Pamela Cipriano Editor in Chief-- American Nurse Today University of

The Technology Enabled Nurse Pamela Cipriano Editor in Chief-- American Nurse Today University of Virginia Health System Medical Automation December 4, 2009 Leading Edge Technologies : Bringing Value to Nurses and Patients Technology makes

529 views • 26 slides
Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

DATABASE DESIGN I - 1DL300 Fall 2010 An introductory course on database systems http://www.it.uu.se/edu/course/homepage/dbastekn/ht10/ Manivasakan Sabesan Uppsala Database Laboratory Department of Information Technology, Uppsala University,

372 views • 34 slides
Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

DATABASE DESIGN I - 1DL300 Spring 2012 An Introductory Course on Database Systems http://www.it.uu.se/edu/course/homepage/dbastekn/vt12/ Erik Zeitler Uppsala Database Laboratory Department of Information Technology, Uppsala University,

515 views • 13 slides
STEPPING UP TECHNOLOGY ENABLED SELF-MONITORING FOR HIGH SCHOOL STUDENTS WITH DISABILITIES Howard

STEPPING UP TECHNOLOGY ENABLED SELF-MONITORING FOR HIGH SCHOOL STUDENTS WITH DISABILITIES Howard

STEPPING UP TECHNOLOGY ENABLED SELF-MONITORING FOR HIGH SCHOOL STUDENTS WITH DISABILITIES Howard Wills, Jay Buzhardt Juniper Gardens Childrens Project The University of Kansas *This document was produced under U.S. Department of Education,

301 views • 10 slides
PEAR: a Tool for Reasoning About Scenarios and Probabilities in Description Logics of Typicality

PEAR: a Tool for Reasoning About Scenarios and Probabilities in Description Logics of Typicality

Description Logics of Typicality DLs with Typicality and Probabilities PEAR Conclusions PEAR: a Tool for Reasoning About Scenarios and Probabilities in Description Logics of Typicality Gian Luca Pozzato and Gabriele Soriano 1 1 Dipartimento di

961 views • 59 slides
EE 200 Lecture 5: Arrays Steven Bell 18 September 2019 Indexing arrays int grape[10] 0 1 2 3

EE 200 Lecture 5: Arrays Steven Bell 18 September 2019 Indexing arrays int grape[10] 0 1 2 3

EE 200 Lecture 5: Arrays Steven Bell 18 September 2019 Indexing arrays int grape[10] 0 1 2 3 4 5 6 7 8 9 10 11 int* raisin = grape; grape[0] raisin[1] grape[10] int i = 1; *(grape + 1) i[grape]; *(raisin + 1) sizeof The quiz didn't

283 views • 12 slides
PEAR Session PHP Quebec Conference 2005 Welcome! Welcome to the PEAR Session! I hope you will

PEAR Session PHP Quebec Conference 2005 Welcome! Welcome to the PEAR Session! I hope you will

PEAR Session PHP Quebec Conference 2005 Welcome! Welcome to the PEAR Session! I hope you will have fun and see some interesting stuff. Tobias Schlitt - http://www.schlitt.info - tobias@schlitt.info PEAR Session PHP Quebec Conference 2005

579 views • 26 slides
CMSC201 Computer Science I for Majors Lecture 07 Strings and Lists Prof. Katherine Gibson

CMSC201 Computer Science I for Majors Lecture 07 Strings and Lists Prof. Katherine Gibson

CMSC201 Computer Science I for Majors Lecture 07 Strings and Lists Prof. Katherine Gibson Based on concepts from: http://mcsp.wartburg.edu/zelle/python/ppics2/code/ www.umbc.edu Last Class We Covered One-way, two-way, and multi-way

859 views • 52 slides
https://www.polleverywhere.com/free_text_polls/2ayeXXU8HibalP8 Impactful STEM Exhibits

https://www.polleverywhere.com/free_text_polls/2ayeXXU8HibalP8 Impactful STEM Exhibits

https://www.polleverywhere.com/free_text_polls/2ayeXXU8HibalP8 Impactful STEM Exhibits Collaborative Design! Advancing Informal STEM Learning RFP Due November 7, 2018 Awarded a $1,275,430 STEM Innovation grant from the National

394 views • 24 slides
Regional Evaluation Workshop PEARS PSE Reporting for FFY 2017 This material was produced by the

Regional Evaluation Workshop PEARS PSE Reporting for FFY 2017 This material was produced by the

Regional Evaluation Workshop PEARS PSE Reporting for FFY 2017 This material was produced by the University of California CalFresh Nutrition Education Program with funding from USDA SNAP, known in California as CalFresh (formerly food stamps).

438 views • 33 slides
Lecture 5: Strings (Sections 8.1, 8.2, 8.4, 8.5, 1 st paragraph of 8.9) CS 1110 Introduction to

Lecture 5: Strings (Sections 8.1, 8.2, 8.4, 8.5, 1 st paragraph of 8.9) CS 1110 Introduction to

http://www.cs.cornell.edu/courses/cs1110/2020sp Lecture 5: Strings (Sections 8.1, 8.2, 8.4, 8.5, 1 st paragraph of 8.9) CS 1110 Introduction to Computing Using Python [E. Andersen, A. Bracy, D. Fan, D. Gries, L. Lee, S. Marschner, C. Van Loan,

808 views • 24 slides
Teaching Unstructured Information Management: Theory and Applications to Computational

Teaching Unstructured Information Management: Theory and Applications to Computational

Teaching Unstructured Information Management: Theory and Applications to Computational Linguistics Students Iryna Gurevych, Christof Mller, Torsten Zesch Ubiquitous Knowledge Processing Group Telecooperation, Computer Science

138 views • 13 slides

More recommend