Download presentation
Presentation is loading. Please wait.
1
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton
2
Recall Multi-Tier Architectures DBMS Server Web Server Web Browser Custom Client (e.g., Java, C#)
3
Why use stored procedures? Could just send individual SQL commands from UI Use stored procedures to: Optimize performance Keep SQL code on the server Improve security by preventing casual table browsing and modifications More easily create atomic transactions (more next week) Prevent SQL injection attacks
4
Another Problem: Injection Attacks Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database So what’s the problem?
5
Another Problem: Injection Attacks Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database User enters: smith'; DELETE FROM Users WHERE true OR Username ='
6
Guidelines Do not build queries using concatenation Do not use a highly privileged SQL account for access from the application Encrypt the DB connection string Cache static information in the application Always explicitly define the table columns you wish to fetch Use parameter validation at all layers
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.