Maintaining Stored Procedures in Database Application

Similar documents
Oracle Database: SQL and PL/SQL Fundamentals

Oracle Database: SQL and PL/SQL Fundamentals NEW

Oracle Database: SQL and PL/SQL Fundamentals

Database Programming with PL/SQL: Learning Objectives

Duration Vendor Audience 5 Days Oracle End Users, Developers, Technical Consultants and Support Staff

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Oracle 10g PL/SQL Training

CHAPTER 2 DATABASE MANAGEMENT SYSTEM AND SECURITY

Oracle SQL. Course Summary. Duration. Objectives

SQL Server for developers. murach's TRAINING & REFERENCE. Bryan Syverson. Mike Murach & Associates, Inc. Joel Murach

4 Simple Database Features

Triggers & Packages. {INSERT [OR] UPDATE [OR] DELETE}: This specifies the DML operation.

How I hacked PacketStorm ( )

MOC 20461C: Querying Microsoft SQL Server. Course Overview

Oracle Database 10g: Introduction to SQL

Understanding Sql Injection

SQL Injection January 23, 2013

Instant SQL Programming

Oracle Database: SQL and PL/SQL Fundamentals NEW

Programming Database lectures for mathema

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

ATTACHMENT 6 SQL Server 2012 Programming Standards

SQL Server An Overview

Oracle Database 10g: Program with PL/SQL

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

Querying Microsoft SQL Server

ORACLE 9I / 10G / 11G / PL/SQL COURSE CONTENT

How To Create A Table In Sql (Ahem)

White Paper. Blindfolded SQL Injection

1 File Processing Systems

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

Darshan Institute of Engineering & Technology PL_SQL

Oracle Database 10g Express

Chapter 1: Introduction

Course ID#: W 35 Hrs. Course Content

Oracle Database 12c: Introduction to SQL Ed 1.1

5.1 Database Schema Schema Generation in SQL

Intro to Embedded SQL Programming for ILE RPG Developers

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

IT2305 Database Systems I (Compulsory)


Commercial Database Software Development- A review.

Token Sequencing Approach to Prevent SQL Injection Attacks

PL/SQL Overview. Basic Structure and Syntax of PL/SQL

SQL Server Database Coding Standards and Guidelines

Duration Vendor Audience 5 Days Oracle Developers, Technical Consultants, Database Administrators and System Analysts

CSE 530A Database Management Systems. Introduction. Washington University Fall 2013

SQL Server. 1. What is RDBMS?

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

Oracle Database: Program with PL/SQL

Chapter 1: Introduction. Database Management System (DBMS) University Database Example

Querying Microsoft SQL Server 20461C; 5 days

Blindfolded SQL Injection. Written By: Ofer Maor Amichai Shulman

æ A collection of interrelated and persistent data èusually referred to as the database èdbèè.

IT2304: Database Systems 1 (DBS 1)

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer.

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

MOC QUERYING MICROSOFT SQL SERVER

Driver for JDBC Implementation Guide

Course 20461C: Querying Microsoft SQL Server Duration: 35 hours

Oracle to MySQL Migration

CS2Bh: Current Technologies. Introduction to XML and Relational Databases. Introduction to Databases. Why databases? Why not use XML?

Migrate Topaz databases from One Server to Another

The Import & Export of Data from a Database

Querying Microsoft SQL Server Course M Day(s) 30:00 Hours

Oracle Database: Develop PL/SQL Program Units

AV-005: Administering and Implementing a Data Warehouse with SQL Server 2014

Introduction to Databases

Oracle 11g PL/SQL training

Demystified CONTENTS Acknowledgments xvii Introduction xix CHAPTER 1 Database Fundamentals CHAPTER 2 Exploring Relational Database Components

Chapter 2 Database System Concepts and Architecture

Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification

SQL Injection for newbie

1. INTRODUCTION TO RDBMS

Oracle Database: Program with PL/SQL

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer.

Database security issues PETRA BILIĆ ALEXANDER SPARBER

Introducing Microsoft SQL Server 2012 Getting Started with SQL Server Management Studio

Exposed Database( SQL Server) Error messages Delicious food for Hackers

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

CS346: Database Programming.

Ch.5 Database Security. Ch.5 Database Security Review

The Relational Model. Why Study the Relational Model?

SQL Databases Course. by Applied Technology Research Center. This course provides training for MySQL, Oracle, SQL Server and PostgreSQL databases.

BCA. Database Management System

Oracle Database: Program with PL/SQL

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Oracle Database: Introduction to SQL

What is a database? COSC 304 Introduction to Database Systems. Database Introduction. Example Problem. Databases in the Real-World

1. What is SQL Injection?

Oracle Database: Program with PL/SQL

Basic Concepts of Database Systems

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

A Brief Introduction to MySQL

Oracle Database 11g SQL

Semantic Stored Procedures Programming Environment and performance analysis

Oracle Database: Introduction to SQL

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

Transcription:

Maintaining Stored Procedures in Database Application Santosh Kakade 1, Rohan Thakare 2, Bhushan Sapare 3, Dr. B.B. Meshram 4 Computer Department VJTI, Mumbai 1,2,3. Head of Computer Department VJTI, Mumbai 4 Abstract Stored procedure and triggers have an irreplaceable importance in any database application, as they provide a powerful way to code application logic that can be stored on the server and execute according to the need of application. Writing stored procedures for database application involves set of sql statements with an assigned name that's stored in the database in compiled form so that it can be shared by a number of programs. The use of stored procedures can be helpful in controlling access to data end-users may enter or change data but do not write procedures, preserving data integrity and improving productivity statements in a stored procedure only need to be written one time. I. INTRODUCTION Database Management System (DBMS) is a software system that enables users to define, create and maintain the database and provides controlled access to database. There are three types of sql statements DDL : define the database structure or schema. DML : procedural, non-procedural. TCL : security, integrity, concurrency control. In any database application the data flow is controlled by sql statements, this gives us the flexibility to access data in particular form and in selected manner. The stored procedures are the major part of any DB application, Stored procedures offer several distinct advantages over embedding queries in your Graphical User Interface (GUI). II. Stored procedures and Triggers In a database management system DBMS, a stored procedure is a set of Structured Query Language SQL statements with an assigned name that's stored in the database in compiled form so that it can be shared by a number of programs. The use of stored procedures can be helpful in controlling access to data end-users may enter or change data but do not write procedures, preserving data integrity and improving productivity statements in a stored procedure only need to be written one time. Stored procedures are similar to user defined functions (UDFs). The major difference is that UDFs can be used like any other expression within SQL statements, whereas stored procedures must be invoked using the CALL statement. 400

CALL <procedure name> (...) or EXECUTE <procedure name> (...) Stored procedures may return result sets, i.e. the results of a SELECT statement. Such result sets can be processed using cursors, by other stored procedures, by associating a result set locator, or by applications. Stored procedures may also contain declared variables for processing data and cursors that allow it to loop through multiple rows in a table. Stored procedure languages typically include IF, WHILE, LOOP, REPEAT, and CASE statements, and more. Stored procedures can receive variables, return results or modify variables and return them, depending on how and where the variable is declared. Stored procedures are modular, This is a good thing from a maintenance standpoint. When query trouble arises in your application, you would likely agree that it is much easier to troubleshoot a stored procedure than an embedded query buried within many lines of GUI code.stored procedures are tunable. By having procedures that handle the database work for your interface, you eliminate the need to modify the GUI source code to improve a query's performance. Changes can be made to the stored procedures--in terms of join methods, differing tables, etc.--that are transparent to the front-end interface. Stored procedures abstract or separate server-side functions from the client-side. It is much easier to code a GUI application to call a procedure than to build a query through the GUI code. Stored procedures are usually written by database developers/administrators. Persons holding these roles are usually more experienced in writing efficient queries and SQL statements Triggers The SQL CREATE TRIGGER statement provides a way for the database management system to actively control, monitor, and manage a group of tables whenever an insert, update, or delete operation is performed. The statements specified in the SQL trigger are executed each time an SQL insert, update, or delete operation is performed. An SQL trigger may call stored procedures or user-defined functions to perform additional processing when the trigger is executed.unlike stored procedures, an SQL trigger cannot be directly called from an application. Instead, an SQL trigger is invoked by the database management system on the execution of a triggering insert, update, or delete operation. The definition of the SQL trigger is stored in the database management system and is invoked by the database management system, when the SQL table, that the trigger is defined on, is modified. An SQL trigger can be created by specifying the CREATE TRIGGER SQL statement. The statements in the routine-body of the SQL trigger are transformed by SQL into a program object. The program is created in the schema specified by the trigger name qualifier. The specified trigger is registered in the SYSTRIGGERS, SYSTRIGDEP, SYSTRIGCOL, and SYSTRIGUPD SQL Catalogs. If SQL names were specified, the trigger will be created in the schema specified by the implicit or explicit qualifier. If system names were specified, the trigger will be created in the schema that is specified by the qualifier. If not qualified, the trigger will be created in the same schema as the subject table. If the trigger name is not a valid system name, or if a program with the same name already exists, the database manager will generate a system name. NO CASCADENO CASCADE is allowed for compatibility with other products and is not used by DB2 UDB for iseries. BEFORE Specifies that the trigger is a before trigger. The database manager executes the triggeredaction before it applies any changes caused by an insert, delete, or update operation on the subject table. It also specifies that the triggered-action does not activate other triggers because the triggeredaction of a before trigger cannot contain any updates. AFTER Specifies that the trigger is an after trigger. The database manager executes the triggeredaction after it applies any changes caused by an insert, delete, or update operation on the subject table. It also specifies that the triggered-action does not activate other triggers because the triggeredaction of a BEFORE trigger cannot contain any updates. INSERT Specifies that the trigger is an insert trigger. The database manager executes the triggered-action whenever there is an 401

DELETE Specifies that the trigger is a delete trigger. The database manager executes the triggeredaction whenever there is a delete operation on the subject table. A DELETE trigger cannot be added to a table with a referential constraint of ON DELETE CASCADE. UPDATE Specifies that the trigger is an update trigger. The database manager executes the triggeredaction whenever there is an update operation on the subject table. An UPDATE trigger event cannot be added to a table with a referential constraint of ON DELETE SET NULL. If an explicit column-name list is not specified, an update operation on any column of the subject table, including columns that are subsequently added with the ALTER TABLE statement, activates the triggered-action. III. Writing Stored procedures It is not necessary that a stored procedure will have to written. It can be the case when a stored procedure doesn't written anything. For Example, a stored procedure can be used to Insert, delete or update a sql statement. Allows local variables, loops, procedures, examination of one tuple are at time. Rough Form DECLARE BEGIN END @ Declarations Executable statements The DECLARE portion is optional Fig flow of stored procedure IV. Preventing attacks in stored procedures In this section, we present a stored procedure that is vulnerable to a SQLIA and explain how an attacker could exploit this vulnerability. We also present various techniques that can be employed to gain illegitimate access to the system as well as the network resources. A stored procedure is an operation set that is stored. Typically, stored procedures are written in SQL. Since stored procedures are stored on the server side, they are available to all clients. Once the stored procedure is modified, all clients automatically get the new version. 1. CREATE PROCEDURE [EMP].[RetrieveProfile] @Name varchar(50), @Passwd varchar(50) 2. WITH EXECUTE AS CALLER 3. AS 4. BEGIN 5. DECLARE @SQL varchar(200); 6.... 7. SET @SQL= select PROFILE from EMPLOYEE where ; 8.... 9. IF LEN(@Name) > 0 AND LEN(@Passwd) > 0 10. BEGIN 11.... 12. SELECT @SQL=@SQL+ NAME= +@Name+ and ; 13. SELECT @SQL=@SQL+ PASSWD= +@Passwd+ ; 14.... 15. END 16. ELSE 17. BEGIN 18.... 19. SELECT @SQL=@SQL+ NAME= Guest ; 20.... 21. END 22.... 402

23. EXEC(@SQL) 24.... 25. END Code 1. Stored Procedure vulnerable to SQL- Injection A sample stored procedure called with the username and password as user inputs in a variable length string format is shown in Code 1. Notice that, there is an EXEC system function which allow the user to dynamically build a SQL statement in string format and later execute it. This feature is supported in most other business database products also. Dynamically built SQL statements provide great user flexibility but also face a great threat from SQLIAs. The process of building an SQL statement could be used by the attacker to change the original intended semantics of the SQL statement. If the stored procedure in Code 1 is called with no values for @Name and @Passwd variables, the following query would get executed: select PROFILE from EMPLOYEE where NAME= Guest When user inputs are provided for @Name and @Passwd, the following query would get executed: select PROFILE from EMPLOYEE where NAME= name and PASSWD= passwd In this scenario, suppose a user gives input for variable @Name as OR 1=1 and any string, say null, for the variable @Passwd the query would take the form: select PROFILE from EMPLOYEE where NAME= or 1=1 and PASS= null The characters mark the beginning of a comment in SQL, and everything after that is ignored. The query as interpreted by the database is a tautology and hence will always be satisfied, and the database would return information about all users. Thus an attacker can bypass all authentication modules in place and gain unrestricted access to critical data on the web server. An SQL-Injection Attack (SQLIA) is a subset of the unverified/unsanitized input vulnerability and occurs when an attacker attempts to change the logic, semantics or syntax of a legitimate SQL statement by inserting new SQL keywords or operators into the statement. This definition includes, but is not limited, to attacks based on tautologies, injected additional statements, exploiting untyped parameters, stored procedures, overly descriptive error messages, alternate encodings, length limits, second-order injections and injection of UNION SELECT, ORDER BY and HAVING clauses. A detailed explanation of the different types and forms of SQLIAs and the ways in which they can be exploited are available in the public domain. The widely deployed defense today is to train the programmers and web-developers about the security implications of their code and to teach them corrective measures and good programming practices. However, rewriting or revising the entire lot of existing legacy code is not an easy process and is not a financially viable option for many organizations. Even this does not guarantee any foolproof defense and hence we need automated processes to detect the vulnerability and eliminate them. Various other techniques like escaping the quotes and limiting the length of user inputs are employed as a quick fix solution. Unfortunately, even these security measures are only inadequate against highly sophisticated attacks. It is of even greater concern that well known database vendor products like Microsoft SQL Server etc. provide attackers direct access to the command line shell and registry using methods like xp cmdshell, xp regread etc. Some of the very recent incidents only highlight the magnitude of this problem and hence the urgent need to address it in an appropriate manner. V. Stored procedures Vs Functions Functions and stored procedures serve separate purposes. Although it's not the best analogy, functions can be viewed literally as any other function you'd use in any programming language, but stored procedures are more like individual programs or a batch script. Functions normally have an output and optionally inputs. The output can then be used as the input to another function or as a predicate to a SQL Query e.g., SELECT a, b, dbo.myfunction(c) FROM table or SELECT a, b, c FROM table WHERE a = dbo.myfunc(c). A function is a subprogram written to perform certain computations A scalar function returns only a single value (or NULL), whereas a table function returns a (relational) table comprising zero or more rows, each row with one or more columns. Functions must return a value (using the RETURN keyword), but for stored procedures 403

this is not compulsory. Stored procedures can use RETURN keyword but without any value being passed. Functions could be used in SELECT statements, provided they don t do any data manipulation. However, procedures cannot be included in SELECT statements. A function can have only IN parameters, while stored procedures may have OUT or INOUT parameters. A stored procedure can return multiple values using the OUT parameter or return no value at all. CREATE FUNCTION MyFunction (@somevalue INTEGER) RETURNS INTEGER AS BEGIN DECLARE @retval INTEGER SELECT localvalue FROM dbo.localtonationalmaptable WHERE nationalvalue = @somevalue RETURN @retval END [4] C. Cerrudo. Manipulating Microsoft sql server using sql injection. http://www.appsecinc.com/presentations/manipulating SQL Server Using SQL Injection.pdf, White Paper. [5] S. Friedl. Sql injection attacks by example. http://www.unixwiz.net/techtips/sqlinjection.html. [6] O. W. A. S. P. (OWASPD). Top ten most critical web application vulnerabilities. http://www.owasp.org/documentation/topten.html, 2005. [7] T. R. site exposes Data. http://www.netsecurity.org/news.php?id=1593, 2002. [8] K. Spett. Blind sql injection. http://www.spidynamics.com/whitepapers/blind SQLInjection.pdf, White Paper. [9] C. V. N. VU#982109. http://www.kb.cert.org/vuls/id/982109, 2005. [10]Dynamically maintain the teaching examples of triggers and stored procedures about the course of database application, Wu Da-sheng; Wu Sheng-yu Education Technology and Computer (ICETC), 2010 2nd International Conference VI. Conclusion In the end we can say that a Stored procedure not only enhancing the possibility of reusing the code and execution plan, but it also increases the performance of the database by reducing the traffic of the network by reducing the amount of information send over the network. Design-time automation makes coding faster and ensures that all the procedures generated use the same naming conventions and structure. In an effort to improve their coding efficiency in a large SQL project, the authors wrote a set of design-time stored procedures that generate run-time stored procedures, and have used them in project after project ever since. VII. References [1] C. Anley. Advanced sql injection in sql server applications. http://www.nextgenss.com/papers/advancedsqlinjection.pdf [2] C. Anley. (more) advanced sql injection. http://www.nextgenss.com/papers/more advanced sql injection.pdf, White Paper. [3] B. M. L. Archive. http://seclists.org/lists/bugtraq/2005/, 2005. 404

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information