1 / 6

Database Connectivity

Database Connectivity. Rose-Hulman Institute of Technology Curt Clifton. Recall Multi-Tier Architectures. Custom Client (e.g., Java, C#). Web Browser. Web Server. DBMS Server. Why use stored procedures?. Could just send individual SQL commands from UI Use stored procedures to:

barryf
Download Presentation

Database Connectivity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Database Connectivity Rose-Hulman Institute of Technology Curt Clifton

  2. Recall Multi-Tier Architectures Custom Client(e.g., Java, C#) Web Browser Web Server DBMS Server

  3. Why use stored procedures? • Could just send individual SQL commands from UI • Use stored procedures to: • Optimize performance • Keep SQL code on the server • Improve security by preventing casual table browsing and modifications • More easily create atomic transactions (more next week) • Prevent SQL injection attacks

  4. Another Problem: Injection Attacks • Consider: • Interface presents form prompting for usernameString username = userNameField.getText(); • Interface builds query to get user’s custom picture from database"SELECT IDPicture FROM Users WHERE Username = '" + username + "'" • Interface sends query to backend database • So what’s the problem?

  5. Another Problem: Injection Attacks • Consider: • Interface presents form prompting for usernameString username = userNameField.getText(); • Interface builds query to get user’s custom picture from database"SELECT IDPicture FROM Users WHERE Username = '" + username + "'" • Interface sends query to backend database • User enters: smith'; DELETE FROM Users WHERE true OR Username ='

  6. Guidelines • Do not build queries using concatenation • Do not use a highly privileged SQL account for access from the application • Encrypt the DB connection string • Cache static information in the application • Always explicitly define the table columns you wish to fetch • Use parameter validation at all layers

More Related