CS242 SQL
What is SQL?
SQL:
- stands for Structured Query Language
- allows you to access a database
- is an ANSI standard computer language
- can execute queries against a database
- can retrieve data from a database
- can insert new records in a database
- can delete records from a database
- can update records in a database
- is easy to learn

SQL
SQL works with database programs like MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase,

Relational Database
- Comprised of "tables"
- Tables comprised of "rows" or records
- Rows contain columns or fields of data
- Columns have types associated with them
- Data is accessed with queries

Relational Database
- Multiple tables
- Reduces redundancy
- Requires few assumptions about how data is related
- Adaptive

Adaptive
- Legal values for a given field can grow
- Example: City Name column
  1) create a table for the city name
  2) change the city name column to index into the table
  3) as new city names appear in the interface, add them to the table

Flat File Database
- Simple database scheme
- Single table
- "spreadsheet"

SQL DDL (data definition language)
- CREATE table
- ALTER table
- DROP table

CREATE TABLE
Column definitions: column name, data type, required data, default value

    CREATE TABLE persons (
        lastName  char(50),
        firstName char(50),
        Address   char(50),
        City      char(50),
        State     char(2)
    )

SQL Data Types

| Data type | Access | SQL-Server | Oracle | MySQL | PostgreSQL |
|---|---|---|---|---|---|
| boolean | Yes/No | Bit | Byte | N/A | Boolean |
| integer | Number (integer) | Int | Number | Int, Integer (synonyms) | Integer, Int |
| float | Number (single) | Float, Real | Number | Float | Numeric |
| currency | Currency | Money | N/A | N/A | Money |
| string (fixed) | N/A | Char | Char | Char | Char |
| string (variable) | Text (<256), Memo (65k+) | Varchar | Varchar, Varchar2 | Varchar | Varchar |
| binary object | OLE Object, Memo | Binary (fixed up to 8K), Varbinary (<8K), Image (<2GB) | Long Raw | Blob, Text | Binary, Varbinary |

Adding Data
- INSERT: insert a row of data
- UPDATE: update one or more columns in selected rows
- DELETE: delete selected rows of data

Queries
SELECT
SELECT returns a result set: a table of data as described in the query

    SELECT lastName FROM persons
    SELECT firstName FROM persons WHERE lastName = 'woodley'
    SELECT firstName FROM persons WHERE lastName LIKE '%woo%'

Primary Key
- Uniquely identifies a single record
- Either a value that is guaranteed to be unique
- OR automatically generated by the DBMS to be unique

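Retrieving from a database

    // note: the mysql_* functions were removed in PHP 7.0;
    // current code uses mysqli or PDO for the same steps
    // connect
    $db = mysql_connect("localhost", "root");
    // select the database
    mysql_select_db("mydb", $db);
    // retrieve data from table
    $result = mysql_query("SELECT * FROM employees", $db);
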
Results of a Query
odbc_fetch_array

    $result = odbc_exec($db, $query);
    if ($myrow = odbc_fetch_array($result)) {
        // output HTML code here to begin the table
        //echo " \n";
        do {
            printf(" %s %s %s %s %s \n", $myrow["date"], $myrow["time"],
                   $myrow["Slot 1"], $myrow["Slot 2"], $myrow["Slot 3"]);
            // fetch the next row; odbc_fetch_array returns false when none are left
            $myrow = odbc_fetch_array($result);
        } while ($myrow);
        // end the table started above
        //echo " ";
    }

Result Sets

    <?php
    // make a table with a row labeling the columns
    echo " \n Name Position \n";
    // open a connection to the database
    $db = mysql_connect("localhost", "root");
    mysql_select_db("mydb", $db);
    // retrieve entire table of data
    $result = mysql_query("SELECT * FROM employees", $db);
    // get and process a row at a time
    while ($myrow = mysql_fetch_row($result)) {
        // output a table row and insert the fields into the cells
        printf(" %s %s %s \n", $myrow[1], $myrow[2], $myrow[3]);
    }
    echo " \n";
    ?>

PHP and Form Data
- Google: php form data
- Decent tutorial on retrieving and processing form data using PHP: rms1.php

GET and POST
$_GET:
- When using the $_GET variable, all variable names and values are displayed in the URL. (This would include password information.)
- Has a max of 100 characters

GET and POST
$_POST:
- The $_POST variable is an array of variable names and values sent by the HTTP POST method.
- Information sent from a form with the POST method is invisible to others and has no limits on the amount of information to send.

SQL Injection
Example SQL statement:

    "SELECT * FROM persons WHERE lastName = '" + formUserName + "'";

If you enter into the username box on your form the string:

    a' or 't'='t

(No beginning nor ending quote.) You get:

    SELECT * FROM persons WHERE lastName = 'a' or 't'='t'

Because 't'='t' is always true, the WHERE clause matches every row, so the query will return a valid username.

Multiple SQL Statements
SQL statement:

    "SELECT * FROM persons WHERE lastName = '" + formUserName + "'";

If you enter into the username box on your form the string:

    a';DROP TABLE persons; SELECT * FROM data WHERE name LIKE '%

You get:

    SELECT * FROM persons WHERE lastName = 'a'; DROP TABLE persons; SELECT * FROM data WHERE name LIKE '%'

SQL Injection
- Video: NJjh4jORY
- Attacks by example: injection.html

Do not use form data directly
Check and sanitize the form data before putting it in your SQL query statement.
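
The string from the SQL Injection slide, run through string concatenation and through a bound parameter, as an added example that is not part of the original slides. It assumes PHP with the PDO SQLite driver; the function names, the allow-list pattern and the sample rows are constructed for illustration.

```php
<?php
// Added example (not from the slides). Assumes PHP with the pdo_sqlite driver;
// function names and the sample rows below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE persons (lastName char(50), firstName char(50))");
$db->exec("INSERT INTO persons VALUES
           ('woodley', 'alice'), ('smith', 'bob'), ('O''Brien', 'carol')");

// Check: allow-list of characters a last name may contain (hypothetical policy).
function isPlausibleLastName(string $s): bool {
    return preg_match('/^[A-Za-z][A-Za-z \'-]{0,49}\z/', $s) === 1;
}

// Vulnerable pattern from the slides: form data becomes part of the SQL text.
function lookupConcatenated(PDO $db, string $formUserName): array {
    $sql = "SELECT * FROM persons WHERE lastName = '" . $formUserName . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the form value is bound as data only.
function lookupPrepared(PDO $db, string $formUserName): array {
    $stmt = $db->prepare("SELECT * FROM persons WHERE lastName = :lastName");
    $stmt->execute([':lastName' => $formUserName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal name, the slide's string, a name with a quote.
foreach (["woodley", "a' or 't'='t", "O'Brien"] as $input) {
    try {
        $concat = count(lookupConcatenated($db, $input)) . " row(s)";
    } catch (PDOException $e) {
        $concat = "SQL error";   // the quote in the input broke the statement
    }
    printf("%-13s check=%-6s concatenated=%-9s prepared=%d row(s)\n",
        $input,
        isPlausibleLastName($input) ? "pass" : "reject",
        $concat,
        count(lookupPrepared($db, $input)));
}
```

The slide's string matches every row through the concatenated query and none through the prepared one. The name O'Brien passes the check yet still breaks the concatenated statement, which is why the value is bound as a parameter even after it has been checked.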