Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Similar presentations


Presentation on theme: "Database Connectivity Rose-Hulman Institute of Technology Curt Clifton."— Presentation transcript:

1 Database Connectivity Rose-Hulman Institute of Technology Curt Clifton

2 Recall Multi-Tier Architectures DBMS Server Web Server Web Browser Custom Client (e.g., Java, C#)

3 Why use stored procedures?  Could just send individual SQL commands from UI  Use stored procedures to: Optimize performance Keep SQL code on the server Improve security by preventing casual table browsing and modifications More easily create atomic transactions (more next week) Prevent SQL injection attacks

4 Another Problem: Injection Attacks  Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database  So what’s the problem?

5 Another Problem: Injection Attacks  Consider: Interface presents form prompting for username String username = userNameField.getText(); Interface builds query to get user’s custom picture from database "SELECT IDPicture FROM Users WHERE Username = '" + username + "'" Interface sends query to backend database  User enters: smith'; DELETE FROM Users WHERE true OR Username ='

6 Guidelines  Do not build queries using concatenation  Do not use a highly privileged SQL account for access from the application  Encrypt the DB connection string  Cache static information in the application  Always explicitly define the table columns you wish to fetch  Use parameter validation at all layers


Download ppt "Database Connectivity Rose-Hulman Institute of Technology Curt Clifton."

Similar presentations


Ads by Google