Published by Rachel Lane. Modified over 8 years ago.
CS242 SQL
What is SQL?
SQL:
- stands for Structured Query Language
- allows you to access a database
- is an ANSI standard computer language
- can execute queries against a database
- can retrieve data from a database
- can insert new records in a database
- can delete records from a database
- can update records in a database
- is easy to learn
SQL
SQL works with database programs like MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase, etc.
Relational Database
- Comprised of "tables"
- Tables comprised of "rows" or records
- Rows contain columns or fields of data
- Columns have types associated with them
- Data is accessed with queries
Relational Database
- Multiple tables
- Reduces redundancy
- Requires few assumptions about how data is related
- Adaptive
Adaptive
Legal values for a given field can grow. Example: a City Name column
1) create a table for the city name
2) change the city name column to index into that table
3) as new city names appear in the interface, add them to the table
Flat File Database
- Simple database scheme
- Single table "spreadsheet"
SQL DDL (data definition language)
- CREATE table
- ALTER table
- DROP table
CREATE TABLE
Column definitions: column name, data type, required data, default value

```sql
CREATE TABLE persons (lastName char(50), firstName char(50), Address char(50), City char(50), State char(2))
```
SQL Data Types

| Type | Access | SQL Server | Oracle | MySQL | PostgreSQL |
|---|---|---|---|---|---|
| boolean | Yes/No | Bit | Byte | N/A | Boolean |
| integer | Number (integer) | Int | Number | Int, Integer (synonyms) | Integer, Int |
| float | Number (single) | Float, Real | Number | Float | Numeric |
| currency | Currency | Money | N/A | N/A | Money |
| string (fixed) | N/A | Char | Char | Char | Char |
| string (variable) | Text (<256), Memo (65k+) | Varchar | Varchar, Varchar2 | Varchar | Varchar |
| binary object | OLE Object, Memo | Binary (fixed up to 8K), Varbinary (<8K), Image (<2GB) | Long Raw | Blob, Text | Binary, Varbinary |
Adding Data
- INSERT – insert a row of data
- UPDATE – update one or more columns in selected rows
- DELETE – delete selected rows of data
Queries: SELECT
SELECT returns a result set – a table of data as described in the query

```sql
SELECT lastName FROM persons
SELECT firstName FROM persons WHERE lastName = 'woodley'
SELECT firstName FROM persons WHERE lastName LIKE '%woo%'
```
Primary Key
- Uniquely identifies a single record
- Either a value that is guaranteed to be unique, OR automatically generated by the DBMS to be unique
Retrieving from a database

```php
<?php
// connect (mysqli replaces the legacy mysql_* extension, which was removed in PHP 7)
$db = mysqli_connect("localhost", "root");
// select the database
mysqli_select_db($db, "mydb");
// retrieve data from table
$result = mysqli_query($db, "SELECT * FROM employees");
?>
```
Results of a Query: odbc_fetch_array

```php
<?php
// assumes $db is an open ODBC connection from odbc_connect() and $query the SELECT to run
$result = odbc_exec($db, $query);
if ($myrow = odbc_fetch_array($result)) {
    // output HTML code here to begin the table
    echo "<table>\n";
    do {
        // one table row per record, one cell per field
        printf("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n",
               $myrow["date"], $myrow["time"], $myrow["Slot 1"], $myrow["Slot 2"], $myrow["Slot 3"]);
    } while ($myrow = odbc_fetch_array($result)); // odbc_fetch_array() returns false after the last row
    // end the table started above
    echo "</table>\n";
}
?>
```
Result Sets

```php
<?php
// make a table with a row labeling the columns
echo "<table>\n<tr><th>Name</th><th>Position</th></tr>\n";
// open a connection to the database (mysqli replaces the legacy mysql_* extension removed in PHP 7)
$db = mysqli_connect("localhost", "root");
mysqli_select_db($db, "mydb");
// retrieve entire table of data
$result = mysqli_query($db, "SELECT * FROM employees");
// get and process a row at a time
while ($myrow = mysqli_fetch_row($result)) {
    // output a table row and insert the fields into the cells
    printf("<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n", $myrow[1], $myrow[2], $myrow[3]);
}
echo "</table>\n";
?>
```
PHP and Form Data
Google: "php form data"
Decent tutorial on retrieving and processing form data using PHP: http://apptools.com/phptools/forms/forms1.php
GET and POST
$_GET:
- When using the $_GET variable all variable names and values are displayed in the URL. (This would include password information.)
- Has a max of 100 characters
GET and POST
$_POST:
- The $_POST variable is an array of variable names and values sent by the HTTP POST method.
- Information sent from a form with the POST method is invisible to others and has no limits on the amount of information to send.
SQL Injection Example
SQL statement built from form input:

    "SELECT FROM persons WHERE lastName = '" + formUserName + "'"

If you enter into the username box on your form the string (no beginning nor ending quote):

    a' or 't'='t

you get:

    SELECT FROM persons WHERE lastName = 'a' or 't'='t'

This will return a valid username.
Multiple SQL Statements
SQL statement built from form input:

    "SELECT FROM persons WHERE lastName = '" + formUserName + "'"

If you enter into the username box on your form the string:

    a';DROP TABLE persons; SELECT * FROM data WHERE name LIKE '%

you get:

    SELECT FROM persons WHERE lastName = 'a'; DROP TABLE persons; SELECT * FROM data WHERE name LIKE '%'
SQL Injection
Video: http://www.youtube.com/watch?v=MJNJjh4jORY
Attacks by example: http://www.unixwiz.net/techtips/sql-injection.html
Do not use form data directly
Check and sanitize the form data before putting it in your SQL query statement.
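As an added example (not from the slides), the lookup from the injection slides done both ways: the slides' string concatenation beside a prepared statement, plus a simple check of the form value. It runs against a constructed in-memory SQLite database through PDO so it works offline; the slides use mysqli/ODBC with MySQL, where PDO prepared statements work the same way with a "mysql:" DSN. The persons rows and the form input are constructed.

```php
<?php
// Added example, not from the slides. Runs against a constructed in-memory SQLite
// database through PDO so it works offline; with MySQL use a "mysql:" DSN instead.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE persons (lastName char(50), firstName char(50))");
$pdo->exec("INSERT INTO persons VALUES ('woodley', 'alice'), ('smith', 'bob')"); // constructed rows

// The slides' approach: form data pasted straight into the SQL text.
function lookupConcatenated(PDO $pdo, string $formUserName): array {
    $sql = "SELECT firstName FROM persons WHERE lastName = '" . $formUserName . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: the value is bound as a parameter, so quotes inside it are data, not SQL syntax.
function lookupPrepared(PDO $pdo, string $formUserName): array {
    $stmt = $pdo->prepare("SELECT firstName FROM persons WHERE lastName = ?");
    $stmt->execute([$formUserName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The "check" step from the last slide: reject input that cannot be a last name before
// it reaches the database. This complements parameter binding; it does not replace it.
function isPlausibleLastName(string $s): bool {
    return preg_match("/^[A-Za-z' -]{1,50}$/", $s) === 1; // 50 matches char(50) on the CREATE TABLE slide
}

$input = "a' or 't'='t"; // the string from the "SQL Injection Example" slide
var_dump(lookupConcatenated($pdo, $input)); // alice AND bob: the WHERE clause is always true
var_dump(lookupPrepared($pdo, $input));     // empty: no lastName equals that literal string
var_dump(lookupPrepared($pdo, 'woodley'));  // alice
var_dump(isPlausibleLastName($input));      // false: '=' is not allowed in a name
```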