Database Tables, queries Functions, procedures Connections 3

Download 0,64 Mb. Pdf ko'rish Sana 10.07.2022 Hajmi 0,64 Mb. #771304

Bu sahifa navigatsiya:

• Data storage Inside a database, data is stored into tables. As we mentioned in the previous post, the S in SQL stands for structured.
• FROM table_name WHERE ROWNUM number; Update command UPDATE table_name SET column1 = value1, column2 = value2, ...
• Functions... Real functions... UCASE() – Converts a field to upper case LCASE() – Converts a field to lower case
• Function Add a heading CREATE FUNCTION function_name(func_parameter1, func_parameter2, ..) RETURN datatype [characteristics]
• The application doesnt implement any defenses against SQL injection attacks, so an attacker can construct an attack like
• The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means
• This means that all products are displayed, including unreleased products. Going further, an attacker can cause the application to display all the products in any category
• SELECT * FROM products WHERE category = Gifts OR 1=1-- AND released = 1The modified query
• In Java In Phyton Use prepared statements and SQL arguments (example "stolen" from Matt Fellows): String insert = "INSERT INTO
• First, you probably should just use Django ORM, it will prevent any possibility of SQL injection. If for any reason you cant or dont want to then you

Database Tables, queries Functions, procedures Connections 1 2 3  Why database? Better Data Transferring Better Data Security Better data integration Minimized Data Inconsistency Faster data Access Database Management System (DBMS) is basically a collection of interrelated data and a set of software tools/programs which access, process, and manipulate data. It allows access, retrieval, and use of that data by considering appropriate security measures. The Database Management system (DBMS) is really useful for better data integration and security. Data storage Inside a database, data is stored into tables. As we mentioned in the previous post, the S in SQL stands for structured.  CRUD CRUD stands for...? Create command INSERT INTO table_name (column1, column2, column3, ...) VALUES (value1, value2, value3, ...); Read command SELECT column_name(s) FROM table_name WHERE ROWNUM <= number; Update command UPDATE table_name SET column1 = value1, column2 = value2, ... WHERE condition; Delete command DELETE FROM table_name WHERE condition; Functions..._Real_functions..._UCASE()_–_Converts_a_field_to_upper_case_LCASE()_–_Converts_a_field_to_lower_case'>Functions... Real functions... UCASE() – Converts a field to upper case LCASE() – Converts a field to lower case SUBSTR() – Extract characters from a text field LEN()/LENGTH() – Returns the length of a text field ROUND() – Rounds a numeric field to the number of decimals specified The CREATE FUNCTION statement is used for creating a stored function and user-defined functions. A stored function is a set of SQL statements that perform some operation and return a single value. Function Add a heading CREATE FUNCTION function_name(func_parameter1, func_parameter2, ..) RETURN datatype [characteristics] func_body CREATE or REPLACE PROCEDURE name(parameters) IS variables; BEGIN //statements; END; SQL injection(attack) The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like: https://insecure-website.com/products?category=Gifts'--This results in the SQL query: SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1 The key thing here is that the double-dash sequence -- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remainder of the query, so it no longer includes AND released = 1.  This means that all products are displayed, including unreleased products. Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about: https://insecure-website.com/products?category=Gifts'+OR+1=1-- This results in the SQL query: SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1The modified query will return all items where either the category is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items In Java In Phyton Use prepared statements and SQL arguments (example "stolen" from Matt Fellows): String insert = "INSERT INTO customer(name,address,email) VALUES(?, ?, ?);"; PreparedStament ps = connection.prepareStatment(insert); First, you probably should just use Django ORM, it will prevent any possibility of SQL injection. If for any reason you can't or don't want to then you should use Python Database API. Here is the way you usually do that in Django: from django.db import connection do_sql('insert into table (column) values (%s)', (dinosaur,)) Thank you! Javokhir Isroilov Open for criticism and suggestion Download 0,64 Mb. Do'stlaringiz bilan baham: