C20.0046: Database Management Systems, Lecture #24. M.P. Johnson, Stern School of Business, NYU, Spring 2005.

Presentation transcript:



2. Homework
Project part 5
- Topic: web interface + any remaining loose ends
- Up now
- Due: end of semester
- Run, don't walk
- Important: if you use data from someone else (e.g., from the web), this should be visibly cited on your site
Hw3 is up (optional)

3. Agenda
- Injection attack prevention in Perl
- XML

4. Goals
After today:
- Know how to prevent injection attacks in Perl
- Know something about XML

5. Review: Why security is hard
- It's a "negative deliverable"
- It's an asymmetric threat
  - "Remember, there are 1000 warheads unaccounted for. Marwan only needs one." – Jack Bauer
  - Tolstoy: "Happy families are all alike; every unhappy family is unhappy in its own way."
- Analogs: "homeland", jails, debugging, proof-reading, Popperian science, fishing, MC algs
- So: fix biggest problems first

6. Injection attacks – MySQL/Perl/PHP
Consider another input:
- user: your-boss
- pass: ' OR 1=1 OR pass = '
Query template: SELECT * FROM users WHERE user = u AND password = p;
Resulting query: SELECT * FROM users WHERE user = 'your-boss' AND password = '' OR 1=1 OR pass = '';
Demo: http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php

7. Injection attacks – MySQL/Perl/PHP
Consider another input:
- user: your-boss
- pass: ' OR 1=1 AND user = 'your-boss
- Delete your boss!
Query template: DELETE FROM users WHERE user = u AND password = p;
Resulting query: DELETE FROM users WHERE user = 'your-boss' AND pass = '' OR 1=1 AND user = 'your-boss';
Demo: http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php

8. Preventing injection attacks
Ultimate source of problem: quotes
Soln 1: don't allow quotes!
- Reject any entered data containing single quotes
- Q: Is this satisfactory? Does Amazon need to sell O'Reilly books?
Soln 2: escape any single quotes
- Replace any ' with '' or \'
- In Perl, use taint mode (won't show)
- In PHP, turn on the magic_quotes_gpc flag in .htaccess (show both PHP versions)

9. Preventing injection attacks
Soln 3: use prepared, parameter-based queries
- Supported in JDBC, Perl DBI, PHP ext/mysqli
- http://pages.stern.nyu.edu/~mjohnson/dbms/perl/loginsafe.cgi
- http://pages.stern.nyu.edu/~mjohnson/dbms/perl/userssafe.cgi
Very dangerous: using tainted data to run commands at the Unix command prompt
- Semi-colons, prime char, etc.
- Safest: define the set of legal chars, not illegal ones
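The three login versions from slides 6 to 9 side by side, as an added example that is not part of the lecture's Perl/PHP demos (loginsafe.cgi and friends are not reproduced here). It uses Python's built-in sqlite3 module instead of MySQL, a constructed in-memory users table with a column named pass, and the slide's own password input; the allow-list regex for usernames is an assumption illustrating the "define the set of legal chars" advice.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lecture's users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("your-boss", "s3cret"), ("alice", "hunter2"), ("O'Reilly", "pw")])
    conn.commit()
    return conn


def login_unsafe(conn, user, password):
    """The slide's bug: input is pasted into the SQL text, quotes and all."""
    sql = ("SELECT * FROM users WHERE user = '" + user
           + "' AND pass = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_escaped(conn, user, password):
    """Soln 2: double every single quote so it stays inside the string literal."""
    def q(s):
        return s.replace("'", "''")
    sql = ("SELECT * FROM users WHERE user = '" + q(user)
           + "' AND pass = '" + q(password) + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, user, password):
    """Soln 3: prepared, parameter-based query; values are bound, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE user = ? AND pass = ?"
    return conn.execute(sql, (user, password)).fetchall()


# Allow-list for usernames: define the legal characters, not the illegal ones.
USERNAME_OK = re.compile(r"[A-Za-z0-9_-]{1,32}")


def username_is_legal(user):
    return USERNAME_OK.fullmatch(user) is not None


def demo():
    """Run the slide's payload against all three versions; returns row counts."""
    conn = make_db()
    injected = "' OR 1=1 OR pass = '"      # the password input from slide 6
    try:
        quote_unsafe = len(login_unsafe(conn, "O'Reilly", "pw"))
    except sqlite3.OperationalError:      # a legitimate apostrophe breaks the SQL
        quote_unsafe = "syntax error"
    return {
        "unsafe": len(login_unsafe(conn, "your-boss", injected)),    # every row
        "escaped": len(login_escaped(conn, "your-boss", injected)),  # no row
        "safe": len(login_safe(conn, "your-boss", injected)),        # no row
        "real": len(login_safe(conn, "your-boss", "s3cret")),        # the one match
        "quote_unsafe": quote_unsafe,
        "quote_safe": len(login_safe(conn, "O'Reilly", "pw")),       # quotes are fine
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe version returns every user for the injected password, the escaped and parameterized versions return none, and only the parameterized version handles the O'Reilly case without either breaking the query or needing the caller to remember to escape.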

10. Review: secure hashing
We store hashed passwords instead of the passwords themselves. Why?
Shouldn't the hashed passwords still be secret?
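A worked version of the hashed-password store the slide asks about, added here as an example rather than taken from the lecture. A leaked hash table still lets someone guess passwords offline, which is why each hash is salted and computed with a slow key-derivation function; the PBKDF2 parameters and the constructed two-user table are assumptions for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value for this example)


def hash_password(password, salt=None):
    """Return 'salt$hash' in hex for storage; a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# Constructed users table: the password column holds only salted hashes.
USERS = {
    "your-boss": hash_password("s3cret"),
    "alice": hash_password("s3cret"),   # same password, different salt and hash
}


def login(users, user, password):
    stored = users.get(user)
    if stored is None:
        hash_password(password)   # spend the same time so a missing user is not distinguishable
        return False
    return verify_password(stored, password)
```

Two users with the same password get different stored values, so a leaked table gives no shortcut from one account to another, and each guess costs the attacker one full PBKDF2 computation.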

11. And now for something completely different: XML
- XML: eXtensible Mark-up Language
- Very popular language for semi-structured data
- Mark-up language: consists of elements composed of tags, like HTML
- Emerging lingua franca of the Internet, Web Services, inter-vendor comm

12. Unstructured data
At one end of continuum: unstructured data
- Text files
- Stock market prices
- CIA intelligence intercepts
- Audio recordings
- "Just one damn bit after another" (Churchill? Henry Ford?)
No (intentional, formal) patterns to the data
Difficult to manage/make sense of
- Why we need data-mining

13. Structured data
At the other end: structured data
- Tables in RDBMSs
- Data organized into semantic chunks: entities
- Similar/related entities grouped together: relationships, classes
- Entities in same group have same structure: same fields/attributes/properties
Easy to make sense of
- But sometimes too rigid a req.
- Difficult to send: convert to tab-delimited

14. Semi-structured data
Not too random
- Data organized into entities
- Similar/related grouped to form other entities
Not too structured
- Some attributes may be missing
- Size of attributes may vary
- Support of lists/sets
Juuust right
- Data is self-describing

15. Semi-structured data
Predominant examples:
- HTML: HyperText Mark-up Language
- XML: eXtensible Mark-up Language
NB: both are mark-up languages (use tags)
Mark-up lends itself to semi-structured data
- Demarcate boundaries for entities
- But freely allow other entities inside

16. Data model for semi-structured data
Usually represented as directed graphs
Graph: set of vertices (nodes) and edges
- Dots connected by lines; not nec. a tree!
In model,
- Nodes ~ entities or fields/attributes
- Edges ~ attribute-of/sub-entity-of
Example: publisher publishes >=0 books
- Each book has one title, one year, >=1 authors
- Draw publishers graph

17. XML is a SSD language
Standard published by W3C
- Officially announced/recommended in 1998
XML != HTML
- XML != a replacement for HTML
- Both are mark-up languages
Big diffs:
- XML doesn't use predefined tags (!) But it's extensible: tags can be added
- HTML is about presentation; XML is about content

18. XML syntax
Like HTML in many respects but more strict
All tags must be closed
- Can't have an unclosed tag the way HTML allows
- Every start tag has an end tag
- Although the empty-element style <tag/> can replace both
IS case-sensitive
IS space-sensitive
XML doc has a unique root element

19. XML syntax
Tags must be properly nested
- Not allowed: overlapping tags (an inner element must be closed before the element that contains it)
- Intuition: file folders
Elements may have quoted attributes …
Comments same as in HTML: <!-- ... -->
- Draw publishers XML

20. Escape chars in XML
Some chars must be escaped
- Distinguish content from syntax
- < is written &lt;, > is written &gt;, & is written &amp;, " is written &quot;, ' is written &apos;
Can also declare value to be pure text with a CDATA section: <![CDATA[jsdljsd <>>]]>
Examples: 3 &lt; 5 and "Don&apos;t call me &apos;Ishmael&apos;!"
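The escaping rules from slides 18 to 20 in working form, added here as an example and not part of the lecture's xml.txt handout. It uses Python's standard library only: xml.sax.saxutils.escape for the five special characters and xml.etree.ElementTree to show that unescaped content is rejected by the parser while escaped content and CDATA sections round-trip to the original text.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# escape() handles & < > itself; the two quote characters are passed as extra entities
# because they matter inside attribute values.
ENTITIES = {'"': "&quot;", "'": "&apos;"}


def wrap_text(tag, text):
    """Build <tag>...</tag> with the text escaped, so it is content, not syntax."""
    return "<%s>%s</%s>" % (tag, escape(text, ENTITIES), tag)


def wrap_cdata(tag, text):
    """Alternative: declare the value pure text with a CDATA section."""
    if "]]>" in text:
        # The one sequence CDATA cannot hold, since it terminates the section.
        raise ValueError("']]>' cannot appear inside a CDATA section")
    return "<%s><![CDATA[%s]]></%s>" % (tag, text, tag)


def parses(xml_text):
    """True if the document is well-formed XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def text_of(xml_text):
    """Parse a one-element document and return its (unescaped) text content."""
    return ET.fromstring(xml_text).text


if __name__ == "__main__":
    # Constructed sample values from the slide.
    print(parses("<note>3 < 5</note>"))               # False: '<' starts a tag
    print(wrap_text("note", "3 < 5"))                 # <note>3 &lt; 5</note>
    print(wrap_text("q", "Don't call me 'Ishmael'!"))
    print(text_of(wrap_cdata("m", "3 < 5 && \"x\"")))
```

Either form is fine for the reader, but the parser decides: a raw < or & inside element text is a syntax error, which is exactly the XML analogue of the quote problem in the SQL slides.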

21. XML Namespaces
Different schemas/DTDs may overlap
- XHTML and MathML share some tags
Soln: namespaces
- as in Java/C++/C#...

22. From Relational Data to XML Data
Relational table persons:
Name     SSN   Mailing-address
Michael  123   NY
Hilary   456   DC
Bill     789   Chappaqua
XML: a persons element with one row element per tuple, each holding name and ssn elements:
<persons>
  <row><name>Michael</name><ssn>123</ssn></row>
  <row><name>Hilary</name><ssn>456</ssn></row>
  <row><name>Bill</name><ssn>789</ssn></row>
</persons>

23. Semi-structured Data Explained
List-valued attributes
- XML is not 1NF!
Impossible in (single, BCNF) tables: two phones!
name    phone
Bill    914-222-2222, 212-333-3333   ???
Hilary  202-222-2222, 914-222-2222
In XML each person simply carries as many phone elements as needed:
- Hilary: 202-222-2222, 914-222-2222
- Bill: 914-222-2222, 212-333-3333
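The conversion sketched on slides 22 and 23 carried out in code, as an added example that is not from the lecture. The relational side is constructed: because a single 1NF row cannot hold two phones, the phones sit in a second table keyed by name, and the converter folds them back into zero or more phone elements per row on the XML side; the mailing-address element name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed relational data matching the slides' values.
PERSONS = [("Michael", 123, "NY"), ("Hilary", 456, "DC"), ("Bill", 789, "Chappaqua")]
PHONES = [("Hilary", "202-222-2222"), ("Hilary", "914-222-2222"),
          ("Bill", "914-222-2222"), ("Bill", "212-333-3333")]


def rows_to_xml(persons, phones):
    """One <row> per persons tuple; phones become a list-valued child sequence."""
    root = ET.Element("persons")
    for name, ssn, addr in persons:
        row = ET.SubElement(root, "row")
        ET.SubElement(row, "name").text = name
        ET.SubElement(row, "ssn").text = str(ssn)
        ET.SubElement(row, "mailing-address").text = addr
        for who, number in phones:      # zero, one or many <phone> elements
            if who == name:
                ET.SubElement(row, "phone").text = number
    return ET.tostring(root, encoding="unicode")


def phones_of(xml_text, name):
    """Read the list-valued attribute back; None if the person is absent."""
    root = ET.fromstring(xml_text)
    for row in root.findall("row"):
        if row.findtext("name") == name:
            return [p.text for p in row.findall("phone")]
    return None


if __name__ == "__main__":
    print(rows_to_xml(PERSONS, PHONES))
```

The same document parses back into per-person phone lists of varying length, which is the point of the slide: the schema does not have to fix the number of phones in advance.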

24. Object ids and References
SSD graph might not be trees! But XML docs must be
- Would cause much redundancy
Soln: same concept as pointers in C/C++/Java
- Object ids and references
Graph example:
- Movies: Lost in Translation (2003), Hamlet (1999)
- Stars: Bill Murray, Scarlett Johansson
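The id/reference idea from the slide made concrete, as an added example (the lecture's own movie XML is not preserved in this transcript). The document, the id values m1/m2 and the starredIn attribute are constructed for the example; the code builds an id index and follows the references, and treats a dangling or duplicate id as an error rather than silently dropping it.

```python
import xml.etree.ElementTree as ET

# Constructed document in the slide's movies/stars shape. Each <movie> carries a unique
# id; a <star> points at movies through a space-separated starredIn attribute instead of
# nesting a copy of each movie (the "pointer" idea from the slide).
DOC = """<movies-db>
  <movie id="m1"><title>Lost in Translation</title><year>2003</year></movie>
  <movie id="m2"><title>Hamlet</title><year>1999</year></movie>
  <star starredIn="m1 m2"><name>Bill Murray</name></star>
  <star starredIn="m1"><name>Scarlett Johansson</name></star>
</movies-db>"""


def index_by_id(root):
    """Map every id attribute in the document to its element; ids must be unique."""
    ids = {}
    for el in root.iter():
        oid = el.get("id")
        if oid is None:
            continue
        if oid in ids:
            raise ValueError("duplicate id: " + oid)
        ids[oid] = el
    return ids


def resolve_refs(xml_text):
    """Return {star name: [movie titles]} by following starredIn references."""
    root = ET.fromstring(xml_text)
    ids = index_by_id(root)
    result = {}
    for star in root.findall("star"):
        titles = []
        for ref in star.get("starredIn", "").split():
            if ref not in ids:
                raise KeyError("dangling reference: " + ref)
            titles.append(ids[ref].findtext("title"))
        result[star.findtext("name")] = titles
    return result


if __name__ == "__main__":
    print(resolve_refs(DOC))
```

Each movie appears once in the document no matter how many stars reference it, which is what removes the redundancy the slide warns about.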

25. What do we do with XML?
Things done with XML:
- Send to partners
- Parse XML received
- Convert to RDBMS rows
- Query for particular data
- Convert to other XML
- Convert to formats other than XML
Lots of tools/standards for these…

26. DTDs & understanding XML
XML is extensible
- Advantage: when creating, we can use any tags we like
- Disadv: when reading, they can use any tags they like
- Using XML docs a priori is very difficult
Solution: impose some constraints

27. DTDs
DTD: Document Type Definition
You and partners/vertical industry/academic discipline decide on a DTD/schema for your docs
- Specify which entities you may use/must understand
- Specify legal relationships
DTD specifies the grammar to be used
- DTD = set of rules for creating valid entities
DTD tells your software what to look for in doc

28. DTD examples
Well-formed XML v. valid XML
Simple example:
- http://pages.stern.nyu.edu/~mjohnson/dbms/xml/note.xml
- http://pages.stern.nyu.edu/~mjohnson/dbms/xml/badnote.xml
- http://pages.stern.nyu.edu/~mjohnson/dbms/xml/badnote2.xml
- Copy from: http://pages.stern.nyu.edu/~mjohnson/dbms/eg/xml.txt
Partial publisher example rules:
- Root -> publisher
- Publisher -> name, book*, author*
- Book -> title, date, author+
- Author -> firstname, middlename?, lastname

29. Partial DTD example (typos!)
<!DOCTYPE PUBLISHER [
DTD is not XML, but can be embedded in or referenced from XML
Replacement for DTDs is XML Schema
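A small validator for the publisher rules of slide 28, added as an example; it is not the lecture's DTD (which the transcript does not preserve) and not a general DTD engine. Python's standard library parses but does not validate against DTDs, so the checker below translates each content model (sequence, *, +, ?) into a regular expression over the child tag names and walks the tree; elements without a rule are assumed to be text-only leaves, and the two sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Content models from slide 28, in DTD notation:
#   , = sequence   * = zero or more   + = one or more   ? = optional
RULES = {
    "publisher": "name, book*, author*",
    "book": "title, date, author+",
    "author": "firstname, middlename?, lastname",
}
ROOT = "publisher"


def model_to_regex(model):
    """'title, date, author+' -> regex matching 'title date author author ...'."""
    parts = []
    for item in model.split(","):
        item = item.strip()
        quant = item[-1] if item[-1] in "*+?" else ""
        name = item.rstrip("*+?")
        parts.append("(?:%s )%s" % (re.escape(name), quant))
    return re.compile("^" + "".join(parts) + "$")


COMPILED = {tag: model_to_regex(m) for tag, m in RULES.items()}


def check_element(el, errors, path):
    children = list(el)
    seq = "".join(c.tag + " " for c in children)   # child tags as a space-terminated string
    if el.tag in COMPILED:
        if not COMPILED[el.tag].match(seq):
            errors.append("%s: children '%s' do not match '%s'"
                          % (path, seq.strip(), RULES[el.tag]))
    elif children:
        # Assumption: tags without a rule are #PCDATA leaves and may not contain elements.
        errors.append("%s: leaf element must not contain elements" % path)
    for i, c in enumerate(children):
        check_element(c, errors, "%s/%s[%d]" % (path, c.tag, i))


def validate(xml_text):
    """Return a list of validity errors; an empty list means the document is valid."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ["not well-formed: %s" % e]          # well-formedness comes first
    errors = []
    if root.tag != ROOT:
        errors.append("root must be <%s>, got <%s>" % (ROOT, root.tag))
    check_element(root, errors, "/" + root.tag)
    return errors


# Constructed sample documents.
GOOD = """<publisher>
  <name>Example Press</name>
  <book><title>DBMS</title><date>2005</date>
    <author><firstname>M</firstname><lastname>Johnson</lastname></author></book>
  <author><firstname>Ann</firstname><middlename>B</middlename><lastname>Lee</lastname></author>
</publisher>"""

BAD = """<publisher>
  <name>Example Press</name>
  <book><title>DBMS</title><date>2005</date></book>
  <author><firstname>Ann</firstname><middlename>B</middlename>
          <middlename>C</middlename><lastname>Lee</lastname></author>
</publisher>"""

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(BAD))
```

The second document is well-formed XML but not valid: the book has no author and the author has two middle names, which is exactly the well-formed v. valid distinction the slide draws.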

30. XML Applications/dialects
- MathML: Mathematical Markup Language: http://wwwasdoc.web.cern.ch/wwwasdoc/WWW/publications/ictp99/ictp99N8059.html
- VoiceXML: http://newmedia.purchase.edu/~Jeanine/interfaces/rps.xml
- ChemML: Chemical Markup Language
- XHTML: HTML retrofitted as an XML application

31. XML Applications/dialects
Copy from: http://pages.stern.nyu.edu/~mjohnson/dbms/eg/xml.txt
- MathML: Mathematical Markup Language: http://wwwasdoc.web.cern.ch/wwwasdoc/WWW/publications/ictp99/ictp99N8059.html
- ChemML: Chemical Markup Language
- X4ML: XML for Merrill Lynch
- XHTML: HTML retrofitted as an XML application
- Validation: http://pages.stern.nyu.edu/~mjohnson/dbms/

32. XML Applications/dialects
VoiceXML:
- http://newmedia.purchase.edu/~Jeanine/interfaces/rps.xml
- AT&T Directory Assistance
- http://phone.yahoo.com/
Image from http://www.voicexml.org/tutorials/intro2.html

33. More XML Apps
FIXML
- XML equiv. of FIX: Financial Information eXchange
swiftML
- XML equiv. of SWIFT: Society for Worldwide Interbank Financial Telecommunications message format
Apache's Ant
- Scripting language for Java build management
- http://ant.apache.org/manual/using.html
Many more:
- http://www-106.ibm.com/developerworks/xml/library/x-stand4/

34. More XML Applications/Protocols
RSS: Rich Site Summary/Really Simple Syndication
- News sites, blogs…
- http://slate.msn.com/rss/
- http://slashdot.org/index.rss
- Screenshot: http://paulboutin.weblogger.com/pictures/viewer$673
- More info: http://slate.msn.com/id/2096660/
Example feed skeleton: a channel "my channel" containing the item "story 1" … // other items

35. More XML Applications/Protocols
SOAP: Simple Object Access Protocol
- XML-based messaging format
- Used by Google API: http://www.google.com/apis/
- Amazon API: http://amazon.com/gp/aws/landing.html
- Amazon light: http://kokogiak.com/amazon/
- Other examples: http://www.wired.com/wired/archive/12.03/google.html?pg=10&topic=&topic_set=
SOAP envelope with header and body
- Request sales tax for total
- Example envelope (inner elements not preserved in the transcript): <SOAP:Envelope xmlns:SOAP="urn:schemas-xmlsoap-org:soap.v1"> … 100 …

36. More XML Applications/Protocols
Request values (element tags not preserved in the transcript): %(key)s 0 10 true false

