...due to a SQL injection flaw in a web application that communicate with a database. Over ten years have passed since a famous hacker coined the term “SQL injection” and it is still considered one of the major application threats. A lot has been said on this vulnerability, but not all of the aspects and implications have been uncovered, yet. This paper aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system's underlying operating system, file system and internal network through SQL injection vulnerability in over-looked and theoretically not exploitable scenarios. This paper also discuss about the prevention from the SQL Injection, not only in ORACLE but also in PHP, C#, JAVA and other languages. INDEX ABSTRACT………………………………………………………………………………….....02 INTRODUCTION……………….…………………………….…….………………………….04 BLIND SQL INJECTION…………………………………….………………………………..05 SQL INJECTION OVERVIEW…………………………….………………………………....06 CATEGORIES OF SQL INJECTION ATTACKS…………………………………………..07 WHAT’S VULNERABLE…………………………………………………………..…………08 WHAT’S NOT VULNERABLE…………………………………………………….………….08 SQL INJECTION METHODS……………………………………….……………….……….09 SQL MANIPULATION………………………………………………………..……………….09 CODE INJECTION……………………………………………………….……………………10 FUNCTION CALL INJECTION……………………………………………………………….11 BUFFER OVERFLOWS………………………………………………………………………13 SQL INJECTION TESTING METHODOLOGY………………………………………….....14 PREVENTING SQL INJECTION...
Words: 3449 - Pages: 14
...Database Design DBM502 – Database Management March 24th, 2014 University of Phoenix Professor: Sam Haidar EzStream This paper will provide an overview of the database to be utilized for the startup company EzStream Inc. The core business of EzStream is to provide a complete solution to stream media content via online or WIFI. Customers will have the choice to rent, buy, or pay a monthly subscription to watch media content. Several components will break down the development of the database and provide details to the database infrastructure. Conceptual Design The conceptual design of EzStream’s DB will consist of Movies, Suppliers, and Customers. Customers will either rent or purchase movies, and have the option of paying a monthly subscription rate to watch movies via digital streaming. Data Analysis and Requirements * Tasks during Research and Analysis: * Identify essential "real world" information (e.g. interviews) * Remove redundant, unimportant details * Clarify unclear natural language statements * Fill remaining gaps in discussions * Distinguish data and operations Requirement Analysis First step: filter essential information vs unimportant details * Essentials * There are customers, suppliers, and media content * Identify age of audience for rentals * Customers have a customer identification number * Four weeks maximal rental time. * Unimportant details * "...Rentals since a few...
Words: 1876 - Pages: 8
...A Survey of SQL Injection Defense Mechanisms Kasra Amirtahmasebi, Seyed Reza Jalalinia and Saghar Khadem Chalmers University of Technology, Sweden akasra, seyedj, saghar{@student.chalmers.se} Abstract SQL Injection Attack (SQLIA) is a prevalent method which makes it possible for the attackers to gain direct access to the database and culminates in extracting sensitive information from the firm’s database. In this survey, we have presented and analyzed six different SQL Injection prevention techniques which can be used for securing the data storage over the Internet. The survey starts by presenting Variable Normalization and will continue with AMNESIA, Prepared statements, SQL DOM, SQLrand and SQLIA prevention in stored procedures respectively. that determining whether a SQL statement is allowable or not is done by checking the existence of normalized statement in the ready-sorted allowable list. 2.1. Background Many web pages ask users to input some data and make a SQL queries to the database based on the information received from the user i.e. username and passwords. By sending crafted input a malicious user can change the SQL statement structure and execute arbitrary SQL commands on the vulnerable system. Consider the following username and password example, in order to login to the web site, the user inputs his username and password, by clicking on the submit button the following SQL query is generated: SELECT * FROM user_table WHERE user_id = ‘john’ and password...
Words: 5643 - Pages: 23
...Databases in use:- 1. Mysql What is MS SQL? It is a relational web hosting database that is used to store web site information like blog posts or user information. MS SQL is the most popular type of database on Windows servers. It is not free but it has many advanced features that make it suitable for businesses. What is MS SQL capable of? In basic terms, an MS SQL database is capable of storing any type of that you want. It will let you quickly store and retrieve information and multiple web site visitors can use it at one time. You will use SQL statements to accomplish all of this. In more technical terms, most versions of MS SQL have the following features: • Buffer management • Logging and Transaction • Concurrency and locking • Replication services • Analysis services • Notification services • Integration services • Full text search service • Stored procedures • Triggers • Views • Sub-SELECTs (i.e. nested SELECTs) What is MS SQL used for? MS SQL is the database of choice for web applications on a Windows platform (using .NET or ASP). These languages make is extremely easy to connect to a MS SQL database. It is also used for many popular content management systems and other scripts. Learn more about what is MS SQL on its official website. They have comprehensive learning material. You should also check out the SQL tutorial on W3Schools and some articles on the SQL Community Server blog. If you are looking for a web host that supports MS SQL, look at...
Words: 2647 - Pages: 11
...Stored procedures Stored procedures can help improve application performance and reduce database access traffic. All database access must go across the network, which, in some cases, can result in poor performance. For each SQL statement, a database manager application must initiate a separate communication with DB2. To improve application performance, you can create stored procedures that run on your database server. A client application can then simply call the stored procedures to obtain results of the SQL statements that are contained in the procedure. Because the stored procedure runs the SQL statement on the server for you, database performance is improved. In addition, stored procedures can help to centralize business logic. If you make changes to a stored procedure, the changes are immediately available to all client applications that use it. Stored procedures are programs that have the following characteristics: • Contain procedural constructs with SQL statements • Are stored in databases and run on DB2 servers • Can be called by name by an application that is using SQL • Allow an application program to run in two parts: the application on the client and the stored procedure on the server The following figures show how two client applications access a database located on a database server. A client application that does not use stored procedures to access a database can require more network traffic. A client application that takes advantage of a stored...
Words: 2097 - Pages: 9
...SQL Server 2012 Security Best Practices - Operational and Administrative Tasks SQL Server White Paper Author: Bob Beauchemin, SQLskills Technical Reviewers: Darmadi Komo, Jack Richins, Devendra Tiwari Published: January 2012 Applies to: SQL Server 2012 and SQL Server 2014 Summary: Security is a crucial part of any mission-critical application. This paper describes best practices for setting up and maintaining security in SQL Server 2012. Copyright The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual...
Words: 15647 - Pages: 63
...SQL Fundamentals The Structured Query Language (SQL) comprises one of the fundamental building blocks of modern database architecture. SQL defines the methods used to create and manipulate relational databases on all major platforms. At first glance, the language may seem intimidating and complex but it's really not all that bad. In a series of articles over the next few weeks we'll explore the inner workings of SQL together. By the time we're through, you'll have the fundamental knowledge you need to go out there and start working with databases! This week, our first article in the SQL series provides an introduction to the basic concepts behind SQL and we'll take a brief look at some of the main commands used to create and modify databases. Throughout this article, please keep our goal in mind: we're trying to get the "big picture" of SQL -- not a mastery of the individual commands. We'll provide a few examples for illustrative purposes and explain the theory behind them, but don't feel frustrated if you can't write your own SQL commands after reading this article. We'll cover each of the major commands in detail in future weekly installments. If you'd like a reminder in your e-mail inbox each week when the next article is posted, please take a moment and subscribe to our newsletter. By the way, the correct pronunciation of SQL is a contentious issue within the database community. In their SQL standard, the American National Standards Institute declared that the official...
Words: 1859 - Pages: 8
...Cloud Database Management System IS508E group NO.6 project Group NO.6 members: PENG Yu KALAI Kumaraguru KUTTIKKAT VENUGOPAL Sreehari Contents General business case ............................................................................................................... 1 Introduction and problems ....................................................................................................... 1 The existing technology ............................................................................................................ 2 Challenges of Implementation: ................................................................................................. 9 Reference: ............................................................................................................................... 10 General business case Thanks to the successful management, the business of the company expands very fast. However, the database management system cannot withstand the quickly and greatly increased work load, the break-down frequency increases, which make the decision-making efficiency and customer experience drop. The company tries to turn around this bad trend and poses two solutions: one is to update the present DBMS including hardware, software and human resource; the other one is to make use of SQL Azure from Microsoft to set up cloud environment and transfer the DBMS there. After cost analysis, we find that to reach the same efficiency standard, the cost of...
Words: 3594 - Pages: 15
...Teach Yourself SQL in 21 Days, Second Edition Table of Contents: Introduction Week 1 at a Glance Day 1 Introduction to SQL Day 2 Introduction to the Query: The SELECT Statement Day 3 Expressions, Conditions, and Operators Day 4 Functions: Molding the Data You Retrieve Day 5 Clauses in SQL Day 6 Joining Tables Day 7 Subqueries: The Embedded SELECT Statement Week 1 in Review Week 2 at a Glance Day 8 Manipulating Data Day 9 Creating and Maintaining Tables Day 10 Creating Views and Indexes Day 11 Controlling Transactions Day 12 Database Security Day 13 Advanced SQL Topics Day 14 Dynamic Uses of SQL Week 2 in Review Week 3 at a Glance Day 15 Streamlining SQL Statements for Improved Performance Day 16 Using Views to Retrieve Useful Information from the Data Dictionary Day 17 Using SQL to Generate SQL Statements Day 18 PL/SQL: An Introduction Day 19 Transact-SQL: An Introduction Day 20 SQL*Plus Day 21 Common SQL Mistakes/Errors and Resolutions Week 3 in Review Appendixes A Glossary of Common SQL Statements B Source Code Listings for the C++ Program Used on Day 14 C Source Code Listings for the Delphi Program Used on Day 14 D Resources E ASCII Table F Answers to Quizzes and Excercises © Copyright, Macmillan Computer Publishing. All rights reserved. Teach Yourself SQL in 21 Days, Second Edition Acknowledgments A special thanks to the following individuals: foremost to my loving wife, Tina, for her tolerance and endless support, to Dan Wilson for his...
Words: 128515 - Pages: 515
...DD1334 Databasteknik Laboration 1: SQL Basics Andreas Gustafsson, Hedvig Kjellström, Michael Minock and John Folkesson The purpose of Laboration 1 is to learn how to retrieve rmation stored in relational databases. You will learn 1) how to formulate SQL queries and understand how they apply to the schema and how they are executed; 2) how constraints effect insertions and deletions; 3) about the basics of view, transactions, indices and triggers. The recommended reading for Laboration 1 is that of Lectures 1-7 , particularly Chap 6-8. Laboration Come prepared to the review session! Only one try is allowed – if you fail, you are not allowed to try again until the next lab session. The review will take 10 minutes or less, so have all papers in order. To pass you should have Completed Task 1 with at least 9 of the 10 queries right, completed Task 2 and able to explain why certain actions give errors and other do not, also 8 of the 9 steps should be documented showing you executed them correctly, Task 3 the output file should show that the trigger works as it should. The grade is A if passed when the review when due. See the Lab Grading page in bilda contents for the due dates for the labs and the grading of late assignments. Laboration 1 is intended to take 30h to complete. Computing Environment In this assignment you will use Nestor 2.0. Nestor is KTH’s logic engine (computer) dedicated to hold the databases used in this and other similar courses. Nestor is aptly named after...
Words: 2303 - Pages: 10
...Introduction to SQL LEARNING OBJECTIVES After studying this chapter, you should be able to: ■ Concisely define each of the following key terms: relational DBMS (RDBMS), catalog, schema, data definition language (DDL), data manipulation language (DML), data control language (DCL), scalar aggregate, vector aggregate, base table, virtual table, dynamic view, and materialized view. ■ ■ ■ ■ ■ Visit www.pearsonhighered.com/ hoffer to view the accompanying video for this chapter. Interpret the history and role of SQL in database development. Define a database using the SQL data definition language. Write single-table queries using SQL commands. Establish referential integrity using SQL. Discuss the SQL:1999 and SQL:2008 standards. INTRODUCTION Pronounced “S-Q-L” by some and “sequel” by others, SQL has become the de facto standard language for creating and querying relational databases. (Can the next standard be the sequel to SQL?) The primary purpose of this chapter is to introduce SQL, the most common language for relational systems. It has been accepted as a U.S. standard by the American National Standards Institute (ANSI) and is a Federal Information Processing Standard (FIPS). It is also an international standard recognized by the International Organization for Standardization (ISO). ANSI has accredited the International Committee for Information Technology Standards (INCITS) as a standards development organization; INCITS is working on the next version of the SQL standard...
Words: 22483 - Pages: 90
...revisions of the SQL standard. * SQL Server version 1.0: SQL Server version 1.0 is a 16 bit server modeled in the year 1989 for supporting OS/2. * SQL Server version 1.1: SQL Server version 1.1 is also a 16 bit server designed in the year 1991 to support OS/2. * SQL Server version 4.2: SQL Server version 4.2 was released in the year 1992. SQL 4.2 is bundled with IBM OS/2 1.3 version. * SQL Server version 4.21: In the year 1993, Microsoft server 4.21 came into existence. SQL 4.21 was the first version of SQL Server that supports Windows NT. * SQL Server version 6.0: In 1995, SQL Server version 6.0 was introduced. After Windows NT, Sybase and Microsoft parted and worked on their individual design. SQL Server version 6.0 was the chief version aimed in provision of Windows NT by Microsoft. * SQL Server version 6.5: SQL Server version 6.5 got released in the year 1996. * SQL Server version 7.0: SQL Server version 7.0 was the rewritten version from Sybase legal code. The code name of SQL Server version 7.0 is Sphinx. SQL Server version 7.0 was introduced in 1998. In 1999, SQL Server version 7.0 with OLAP tools came into site. * SQL Server version 8.0 / SQL Server version 2000: SQL Server version 2000 was the first one made of IA-64 architecture. Several advancements have been made in SQL Server version 2000 which improved its performance. Later in the year 2003, SQL Server version 2000 with 64-bits was released. * SQL Server version 9.0/ SQL Server version...
Words: 1606 - Pages: 7
...CSS330-1502A-01 Database Security Individual Project Key Assignment Chris Pangburn 27 April, 2015 Table of Contents Week 1: Database Security Architecture 4 Differentiate between a Database Management System and a database 4 Network Infrastructure for the best security posture 4 Additional Security mechanisms to protect the Database Server 6 Week 2: User Account Security 7 Creating Schemas 7 Creating Users, Creating Roles, Assigning Privileges based on Access Control Lists 7 Creating Views 10 Week 3: Database Vulnerabilities 11 Description of tools used to perform scans 11 Scan Information 11 False Positive Information 12 Discuss SQL injection attack 12 Week 4: Auditing Techniques 14 Security hardened network design 14 Research of auditing features 14 Description of a trigger 14 Implementation of auditing 14 Week 5: Auditing Policies 15 Write SQL 15 Report based on access 15 Report based on system privileged 15 Audit report showing connection details 15 Report showing object access 15 References 16 Week 1: Database Security Architecture Differentiate between a Database Management System and a database Databases at their essence are nothing more than a collection of organized information (Mullins, 2013). A database can contain stored procedures, tables, fields, indexes, functions, views, security, and many other objects. Relationships between the data can be created which brings more meaning to how the data can be...
Words: 1807 - Pages: 8
...environment security is a crucial factor. Provide security to pages in the network is to difficulty. Password is not a good measurement for security. Good security mechanism is necessary on the Internet. Security in different levels applies to various documents. Security is depends how security assign to documents. Security depends on following categories. 1. Confidential 2. Secret 3. Non-secret 4. Public Confidential pages over the network provide full security. No way to tamper data in the page by third party. In this case biometrics are more useful and no way to disturb the page contents. First of all store all data about biometrics in database after that tally with this data. If tally satisfies with backend then provide access to the user. Collecting information is too difficult and store in database also need more space. There are two security...
Words: 1911 - Pages: 8
...DataGuard : Step-by-Step Instructions for Creating a Physical Standby DatabaseThis is a featured page DataGuard : Step-by-Step Instructions for Creating a Physical StandbyDatabase (By Wissem EL KHLIFI) Step-by-Step Instructions for Creating a Physical Standby Database using SQL commands 1. General Overview : The purpose of this document is to create a step by step guideline for using the Oracle Dataguard a High available mechanism. I spent about 7 days investigating about a problem faced from my first dataguard experience. Both primary and standby servers are on linux redhat : same version of OS. - Primary DB : 10.2.0.1 - Standby DB : 10.2.0.3 - Host Name of Primary DB : arcdb01.es.egwn.lan - Host Name of Standby DB : x06.d15.lan I m trying to setup oracle dataguard for 10G ; both primary and standby databases are in 10GR2. Configuring Oracle DataGuard using SQL commands – Creating a physical standby database ; I can’t get the log files or Archive logs on my StandBy db. Checking v$archive_dest_status view on PRIMARY DB, I found the error below : FROM PRIMARY DB : I getting an error Oracle not available SELECT * FROM v$archive_dest_status DEST_ID 2 DEST_NAME LOG_ARCHIVE_DEST_2 STATUS ERROR TYPE PHYSICAL DATABASE_MODE UNKNOWN RECOVERY_MODE UNKNOWN PROTECTION_MODE MAXIMUM PERFORMANCE DESTINATION X06.D15.LAN STANDBY_LOGFILE_COUNT 0 STANDBY_LOGFILE_ACTIVE 0 ARCHIVED_THREAD# 0 ARCHIVED_SEQ# 0 APPLIED_THREAD# 0 APPLIED_SEQ# 0 ERROR ORA-01034: ORACLE not available ...
Words: 2998 - Pages: 12