Concurrency Control

R/RR/W W/W User 2 ReadWrite User 1 Read Write R/W: Inconsistent Read problem. W/W: Lost Update problem.

Example Husband/Wife joint account with $1000 balance. Transactions: –Husband: Withdraw 800 –Wife: Withdraw 100 Processing: –Read Balance, Calculate New Balance, Write New Balance

Husband:ReadBalanceCalNewBalanceWriteNewBalance (In memory)(On disk) 1000New= Wife:ReadBalanceCalNewBalance WriteNewBalance 1000New=

Locking Locking is the most widely used approach to ensure serializability of concurrent transactions. Shared lock: read only access Exclusive lock: for both read and write access.

Lock Granularity The size of data items protected by a lock. –Entire database –Entire table –A page –A record –A Field The coarser the data item size, the lower the degree of concurrency permitted.

Dead Lock Two transactions wait for locks on items held by the other. T1T2 DataItem 1 DataItem 2 Lock Wait For Lock

Transaction An unit of work on database that is either completed in its entirety or is not performed at all.

Transaction Commands Begin Transaction Update commands Commit RollBack End Transaction

DefiningTransaction in An Application Truck Rental System: –Vehicle Table:VID, VType, VStatus » V1PickUp Available » V2TowTruck Booked –VReservation:RID, VID, Date » R1V21/2/04

Transaction Example (Pseudo Code) Sub Rent(RID, VID, RDate) Begin Transaction Insert (RID, VID, RDate) into VReservation table If No Error Then Update Vehicle Status If No Error Then Commit Transaction Else Roll Back End if Else Roll Back End if End Sub

Transaction ACID Properties Atomic –Transaction cannot be subdivided –All or nothing Consistent –Constraints don’t change from before transaction to after transaction –A transaction transforms a database from one consistent state to another consistent state. Isolated –Transactions execute independently of one another. –Database changes not revealed to users until after transaction has completed Durable –Database changes are permanent and must not be lost.

Oracle Table Lock 1. When DML commands are issued, Oracle implicitly places a shared lock on rows being affected, so no other user can change the same rows. When DDL commands are issued, Oracle implicitly places an exclusive lock on the table. 2. A user can explicitly lock a table by a LOCK TABLE command: –LOCK TABLE tablename IN SHARE MODE; –LOCK TABLE tablename IN EXCLUSIVE MODE; Note: Lock will be released when the user issues a ROLLBACK or COMMIT command, or when the user exits the system.

SELECT … FOR UPDATE Example: –SELECT * FROM Employee –WHERE EID=‘E5’ –FOR UPDATE; This command places a shared lock on selected records and let the user to view the records when it is anticipated that they will need to update. The lock is released after a UPDATE command is used or by a ROLLBACK or COMMIT command.

Oracle SQL Commit Autocommit –On –Off Rollback Commit

Log File (Journal) A file that contains all information about all updates to the database. It may contain the following data: –Transaction records: Transaction ID Type of action: –Begin, Insert,Delete, Modify, Commit, Rollback, End Before-image After-image –Checkpoint records The point of synchronization between the database and the transaction log file.

To Recover In the event of a failure, examine the log starting from the most recent checkpoint record. Any transaction with Transaction Start and Transaction Commit records should be redone: –Perform all the writes to the database using the after-image log records in the order in which they were written to the log.

Database Security

Threats to Data Security Accidental losses attributable to: –People Users: using another person’s means of access, viewing unauthorized data, introduction of viruses Programmers/Operators Database administrator: Inadequate security policy –Software failure DBMS: security mechanism, privilege Application software: program alteration –Hardware failure Theft and fraud Improper data access: –Loss of privacy (personal data) –Loss of confidentiality (corporate data) Loss of data integrity Loss of availability (through, e.g. sabotage)

Countermeasures to Threats Authorization –Authentication Access controls: privileges Database views BackUp and Recovery Enforcing integrity rules Encryption –Symmetric encryption: use same key for encryption and decryption –Asymmetric encryption: Public key: for encryption Private key: decryption RAID

Authorization Rules Controls incorporated in the data management system  Restrict: –access to data –actions that people can take on data  Authorization matrix for: –Subjects –Objects –Actions –Constraints

Figure 12-5 Authorization matrix

SQL Injection "SQL Injection" is an unverified/unsanitized user input vulnerability, and the idea is to convince the application to run SQL code that was not intended. Exploits applications that use external input for database commands.

SQL Injection Demo On a web page that takes customer ID entered in a textbox as input, then displays the customer’s data. 1. Retrieve all records:In the textbox, enter: ‘ OR 1=1 OR CID = ‘ 2. Guess table name or field name: ‘ AND 1=(SELECT COUNT(*) FROM Orders) AND CID=‘ 3. Finding some users: ' or cname like 'S%' or cid=‘ SQLInjectionDemo

Demo Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb" Dim objConn As New OleDbConnection(strConn) Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'" Dim objComm As New OleDbCommand(strSQL, objConn) Try objConn.Open() Dim objDataReader As OleDbDataReader objDataReader = objComm.ExecuteReader() GridView1.DataSource = objDataReader GridView1.DataBind() Catch except As SystemException Response.Write(except.Message) End Try End Sub