SQL Archive

SQL vs NoSQL in the Cloud

by Hongde H
The article I chose this week is about the difference between SQL and NoSQL. According to the author, the different access patterns provided by NoSQL and SQL result in very different scalability and performance. He pointed out that NoSQL elements allow data access only in a narrow, predefined access pattern. By way of example, the author stated that a DHT (Distributed Hash Table) is accessible via a hash table API: given the exact key, the value is returned. The access pattern for other NoSQL data services is similarly narrow and well-defined, and as a result the scalability and performance structure are predictable and reliable. In SQL, however, the access pattern is not known in advance, and the data model does not enforce a specific way to work with the data. It is built with an emphasis on data integrity, simplicity, data normalization and abstraction, which are all extremely important for large, complex applications.

SQL and the Future

by Asim K
In his 1998 journal article “The Future of SQL”, Craig S. Mullins describes the future of SQL as bright – and although this seems like an optimistic statement, the truth is that it is the present that Mullins was worried about. Mullins begins by explaining why SQL had been so successful in the 90s, saying that it’s an abstract and in-depth language that is used to query and provide structure to data. If you know English, then you’ll be able to grasp SQL pretty easily – a lot more easily than COBOL, C, or Python source code – which gives SQL the advantage because users can be more productive in a shorter amount of time. He also explains the natural flexibility of SQL, saying that there is more than one way to do one thing and each could be equally efficient. The “threat of the present” is that SQL was at the time under threat from XML and that SQL was limited in what it could do vs XML. The same goes for Java. The future, Mullins says, is fuzzy logic in congruence with SQL, saying that applying rough human logic to SQL code would help SQL expand and become even more than it was in the 90s. A few examples of this are given in the article (see: citation). Mullins ends by stating that infrastructure is needed in the IT community and SQL provides that infrastructure like nothing else does.

Google Chooses SQL

by Brian B
The article I chose this week is “Google App Engine Goes Old School With SQL Database” by Caleb Garling. The article starts off by saying that Google was one of the leaders of the NoSQL movement. However, by choosing a typical SQL server they have reaffirmed SQL’s place in technology. They implemented this on top of their App Engine as well as their “BigTable” NoSQL database. The reason behind this was that developers did not want to have to develop on BigTable due to difficulties with translating their existing relational data models over to BigTable-compliant models. The article goes on to talk briefly about the difference between NoSQL and SQL databases, stating that NoSQL databases “are meant to ‘scale’ across vast numbers of servers so they can accommodate the mountains of data facing companies in the internet age (Garling, 2011),” whereas SQL databases “order data into neat rows and columns – give you more ways to slice and dice your data (Garling, 2011).” The article finishes by saying that while Google moved back towards traditional SQL, Oracle moved towards the newer NoSQL system.

A day in the life of a DBA

by Kevin S
Now that we are creating databases, I thought that I would share an article I found in which a DBA describes a day in his work and gives some tips on supporting the daily tasks. The article, named “The Case of the Missing Index”, starts off by going, almost humorously, through his day as his co-workers ask him to fix an issue with the DB application. He runs through his routine of troubleshooting and eventually finds the culprit which, as you may have guessed, was a missing index file that had been deleted by a co-worker in order to create more room on the hard drive.

Yahoo Breach Exposes Thousands of Users

by Sam T
In this article, a well-known tech company, Yahoo, was another victim of a SQL injection attack. This attack gave the hackers access to more than 400,000 users’ emails and passwords. What was most shocking was that the passwords were stored completely unencrypted and were now public. According to the security firm Sophos, the hacker group D33DS said “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat”. Yahoo has confirmed that this breach did happen and urged its users to change their passwords. The article then goes on about how Yahoo wasn’t the only one who fell victim to a security breach; so did Formspring, LinkedIn, eHarmony and Last.fm.

Dozens of College Servers Breached by SQL Injection

by Eric C
Not only are the design and performance of databases an important aspect of the way databases work, but so is the security of a database. There are many types of attacks that can be carried out against a database, and the most common is a SQL injection. In a news article from CNET, hackers were able to collect thousands of personal records of students from college databases worldwide through the use of SQL injections. More than fifty universities were affected, and some of the top-name colleges include Harvard, Princeton, and Stanford. To make matters worse, some 140,000 records were posted online for all to download. The information includes usernames and passwords, addresses, phone numbers, and some payroll information regarding both students and faculty. The mastermind behind this data dump is apparently a group called GhostShell, whose intent was not to reveal personal data, but to “focus on higher education.” However, the group not only found personal data, but also discovered that malware had already been injected in the first place, showing the security risks many of these database servers have.

Database Security: Oracle or SQL?

by Asim K
In her 2010 article titled “SQL Server Most Secure Database; Oracle Least Secure Database Since 2002”, Laura DiDio explores the security and vulnerability of the two leading database systems out there: Oracle and SQL. Right from the beginning, meaning the title, Laura explains how the SQL database is more secure than Oracle – and not just by a tiny margin. During an eight-and-a-half-year period, from 2002 to 2010, the NIST CVE (National Vulnerability Database) statistics recorded 321 security-related issues for Oracle, the highest of any vendor. This was six times more than the number reported for SQL Server. DiDio explains that SQL’s unmatched security is not a fluke or luck of the draw; it is rather a direct result of Microsoft’s investment in the Trustworthy Computing Initiative, an initiative launched by Microsoft in 2002 in which they stopped code development across all products to scrub the code base and make their products more reliable and secure.

Detecting and Preventing SQL Injections

by Kathy S
In this journal article the authors discuss how web applications are often vulnerable, allowing attackers to easily access the application’s underlying database. They define an SQL injection as a type of attack in which the attacker adds Structured Query Language code to a web form input box to gain access to or make changes to data. In the article, the authors/researchers propose different tools to detect and prevent this vulnerability. The main consequences of these vulnerabilities are attacks on authorization, authentication, confidentiality, and integrity. One of the proposed techniques to prevent SQLIAs (SQL Injection Attacks) is called WAVES, which is a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points at which a web application can be used to inject SQLIAs. It builds attacks that target these points and monitors the application’s response to the attacks by utilizing machine learning. Other tools that help prevent SQLIAs are: JDBC-Checker, CANDID, SAFELI, AMNESIA, SQL Guard, SQL Check, and WebSSARI. The authors go into much detail explaining what each tool does to prevent SQLIAs and how they work. They test these tools and explain their results at the end of the article. If interested, I’d recommend reading the whole article to find more information.

SQL Injections

by Claudia J
The article that I picked this week was a peer-reviewed article called “Preventing SQL injection attacks in stored procedures.” The author explains that an SQL injection attack mainly targets interactive web applications that use database services which accept user inputs and use them to form SQL statements at runtime. It also says that in an SQL injection attack the attacker usually provides malicious SQL query segments that cause the database to carry out different requests.
From what I understood from the author, it is hard to avoid this type of attack. It mentions that one way is to examine dynamic SQL query semantics at runtime, but that is not 100% secure against SQL injection attacks. The author proposes a novel technique to defend against the attacks targeted at stored procedures, where application analysis combined with runtime validation will help to eliminate the occurrence of such attacks.
The authors go in depth on other types of queries we can use to help prevent SQL injections. SQL injection is a very common technique hackers use to attack underlying databases by altering the program’s behavior. This article is good because it connects to the class content, especially right now that we are in the middle of a project and working with SQL queries. It gives us an insight into the type of vulnerabilities that are out there when programming. It is important to try to make sensitive files of our databases “hard” to find, to make it harder for hackers to get into our system.
Wei, K., Muthuprasanna, Suraij. (2006). Preventing SQL injection attacks in stored procedures. MIS Quarterly, pp. 1-8. Retrieved November 11, 2012, from http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=1615052&tag=1
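The runtime validation idea that Claudia's post describes (and that several of the tools in Kathy's post, such as AMNESIA and SQL Check, are built around) is to compare the structure of a dynamically built query against the structure the developer intended before executing it, and to refuse the query if user input has changed that structure. The following is an added example written for this page, not code from either article: the `users` table, the `fingerprint` tokenizer and the function names are all constructed assumptions, and the parameterized variant is included as the fix to compare against.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.com"), ("bob", "b@example.com")])
    return conn

# Tokens: single-quoted string literal, number, word (keyword or
# identifier), or one punctuation character. Whitespace is skipped.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def fingerprint(sql):
    """Reduce a query to its structure: literals become placeholders,
    so two queries that differ only in user data fingerprint the same."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("<str>")
        elif tok.isdigit():
            out.append("<num>")
        else:
            out.append(tok.upper())
    return tuple(out)

def build_dynamic(name):
    # The pattern the article warns about: user input spliced into SQL text.
    return "SELECT email FROM users WHERE name = '" + name + "'"

# The structure the developer intended, computed once from a benign value.
EXPECTED = fingerprint(build_dynamic("template"))

def lookup_validated(conn, name):
    """Runtime check: execute only if the query's structure still matches
    EXPECTED. Input that adds clauses or operators changes the fingerprint
    and is refused (None) instead of being sent to the database."""
    sql = build_dynamic(name)
    if fingerprint(sql) != EXPECTED:
        return None
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The stronger fix: the driver binds the value; structure is fixed in code.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

The structural check refuses any input that reshapes the query, but it still assembles SQL from raw strings and also rejects harmless inputs containing a quote, which is why binding parameters is the fix to prefer.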

Dealing with Heterogeneous Database Environments

by Katheryn T
I read an article about how to retain data integrity and the structure of a database with heterogeneous data. Heterogeneous data is data that comes from various sources with many different formats. This is a problem because SQL databases are relational and use a table system to organize data with very similar formats. For a solution, the article states that using HTTP over XML can help maintain the structure of a database better. The first step is to send the query to a SQL query capture and transfer module. The next step is to send that query to the target database system. While all the queries are being processed, there is a time stamp on all of them to ensure they are processed correctly. The last step is to receive and process the query. The request is then labeled “received” and is filed. Time stamps are very important because the queries need to be executed sequentially. In the second step, there is an error handling process. Some requests may be in DML or DDL and some may be MS SQL or Oracle. There are procedures for handling these issues. In one case, there is no discrepancies and the query is processed. In another case, there are substitutes for adapting data. The last case is that there is no alternative. read more...