SQL

SQL Performance Tips {4}

by Andrew H
I read an article by Craig Mullins called SQL Performance Basics. I chose the article because I was searching for SQL statement articles and it was closer to the top, and the fact that it has to do with performance caught my eye. The article states that as much as 75% of poor relational performance is caused by poorly coded SQL. The article goes through a few different ways to help increase performance as well as how to avoid coding SQL poorly. As the author says, with proper training and experience, coding it in an efficient way is not hard but can still be an elusive task for many coders. Some of his simple tips to create an efficient database are: to think relationally, code joins instead of implementing cursors for every table that is going to be read, always provide only the exact columns that you need to retrieve, and filter data using a WHERE clause. To always provide the exact columns that you need, the author says to use a SELECT statement in SQL but don’t use SELECT *, as this is a bad practice for programs because that statement will retrieve all columns from the tables being accessed. The WHERE clause is important because you should filter what data you need out before bringing it in to your program, as this will greatly increase the speed of your application. read more...

Removing Vulnerabilities in SQL Code {3}

by Leonardo S
The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”. The main purpose of the article is to propose a certain method of securing code from SQL injection attacks. The article starts by stating that since 2002, more than half of all cyber attacks were done by exploiting input validation vulnerabilities. SQL injection attacks accounted for 20% of all of those attacks. For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information. The author’s proposed method of helping to prevent this kind of attack on Java code is by using prepared statements rather than just plain text SQL statements. His reasoning for this is that prepared statements limit the input that could affect the statement. The author tested this by using prepared statements in five mock Java programs which contained vulnerabilities. Their conclusion was that the vulnerabilities were removed in each program. read more...

Honeypots, Dorks and a protective SQL Injection. {1}

by Garcello D
The article I decided to blog about this week is called “Glastopf Web application honeypot gets SQL injection emulation capability”; it is written by Lucian Constantin on pcworld.com. So basically the Honeynet Project is a non-profit organization that develops open source security research tools. It created a component for the honeypot software that can emulate applications vulnerable to SQL injection attacks, which tricks attackers into revealing their intentions. For starters, what you are probably wondering is: what is a honeypot? Well, a honeypot is a system that is intentionally left vulnerable so that it can collect technical information about attacks. The gained information can then be used to strengthen the security of other real systems that are found on the same network, or to develop attack signatures for security products like firewalls. Honeypots can also be used by researchers to discover previously unknown attacks and undetected malware, or they can be used by businesses to understand how a system that is exposed to the internet can be targeted by hackers. The title of the article mentions the word Glastopf, which is a honeypot tool created by the people involved in the Honeynet Project. Glastopf is kind of like a dummy that attracts attackers because it consists of a web server that dynamically emulates vulnerable web applications in order to attract attackers. Glastopf has been in development since 2009; until recently it wasn’t able to emulate SQL injection vulnerabilities, which is important because that vulnerability commonly attracts attackers. Now it can, because the Honeynet Project released an SQL injection handler, a new component which allows it to emulate the injection vulnerabilities. This component can emulate a bunch of vulnerabilities at once, which they call dorks, so when attackers use search engines to locate their prey there’s a high chance they will encounter a dork without knowing it. The component is still new though, and its future reports will show just how effective it is. read more...

SQL White Box Testing {1}

by Andrew S
The article talks about how SQL software testing techniques do not address some of the important key features of SQL. It then goes on to present a set of guidelines for designing white-box tests to exercise the way an SQL query processes its stored data. White-box testing is a way of testing SQL software in order to check for test-set size and fault detecting ability. The author claims that the process of writing and testing database queries must have some distinguishing particularities in order to create thorough testing software. As a result, there are specific guidelines that must be followed when developing a software testing technique. These guidelines can help achieve more complete unit tests for queries and be used in the task of writing and testing SQL. read more...

SQL Simplified {4}

by Andrew M
The article I read was entitled “Interactive SQL Query Suggest: Making Databases User-Friendly” by Ju Fan. This article talks about the difficulty of SQL and how it is very daunting to many people who are new to it. Many users do not use SQL because it is too hard for them to learn the language and to use the queries correctly. Ju Fan says that some of the current solutions are to use keywords to help in creating SQL queries. While this is efficient enough for new users it does not work well enough for more advanced users. The author proposes using something known as SQLSugg or SQL Suggestions. This takes the idea of using keywords and then advances it by using pre-made templates. In effect, the user types in a keyword and SQLSugg produces templates of pre-made queries which might meet the user’s needs. SQLSugg allows advanced users to use these templates and makes the creation of queries much easier. read more...

SQL Injection Remains a Constant Threat {5}

by Brian B
The article that I picked this week is named “Black Hat is Over, But SQL Injection Attacks Persist” by Victor Cruz. The article starts off by talking about an attack that happened earlier this year to Yahoo that resulted in a breach and leak of 400,000 usernames and passwords from Yahoo. It says that SQL attacks have also affected companies such as Sony and LinkedIn recently, so this is obviously still a large threat to companies. The author gives an example of SQL injection, saying that “hackers visit a website and fill out a text field with a SQL statement such as 1+1=2, which the log-in field interprets as true, allowing it to pass as legitimate credentials (Cruz, 2012).” This causes the server to release confidential information accidentally because it has been tricked into thinking that a valid user has logged into the system. The article goes on to state that “Privacy Rights Clearinghouse reported that 312 million data records have been lost since 2005 and 83% of hacking-related data breaches were executed via SQL injection attacks (Cruz, 2012).” The article goes on to talk about how they are developing more reliable software to look for SQL injections and decipher them from safe input. The tool in question is called “libinjection” and is able to sort through heaps of data by converting input into tokens and checking those resulting tokens for anything that may be being sent to try and attack the server. The article finishes by saying that “SQL Injection attacks are automated and website owners may be blissfully unaware that their data could actively be at risk (Cruz, 2012).” read more...
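The two posts above describe the same mechanism from both sides: a tautology typed into a login field that the query "interprets as true", and prepared statements as the fix. The following is an added illustration, not code from either article or from the students; it uses Python's standard sqlite3 module (with an in-memory table and constructed sample rows) in place of the Java prepared statements the second article tested, and the table, column and user names are made up for the demo.

```python
import sqlite3


def make_users_db() -> sqlite3.Connection:
    # Constructed sample data for the demo; not from any real system.
    # The password is stored in clear only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: the user's text becomes part of the SQL statement,
    so a quote character in the input changes the query's structure."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the statement text is fixed and the values are bound to
    placeholders, so they are only ever compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# The kind of always-true input the article describes, entered as a "password".
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_users_db()
    print(login_concatenated(db, "alice", TAUTOLOGY))  # True: the filter is bypassed
    print(login_prepared(db, "alice", TAUTOLOGY))      # False: compared as a literal string
```

With the concatenated version the WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, which matches every row; with the bound version the same text is just a password that nobody has. Detection on the server side (the libinjection approach the post mentions) is a second layer; the parameterized query is the control that removes the class of bug.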

Auditing SQL {3}

by Rudy P
This week I will be blogging about the journal entry “Auditing a Batch of SQL Queries” by Rajeev Motwani, Shubha U. Nabar, and Dilys Thomas of Stanford University. This journal entry talked about ways SQL queries are audited and how to determine suspicious SQL queries. The journal makes mention of a command AUDIT, which I had never seen before. They use it in an example: read more...

New Software Development for SQL – Splice SQL Engine {1}

by Phuong H
In the article “Splice Machine Secures Funding to Develop the Splice SQL Engine,” the author talks about the new software development for SQL called the Splice SQL engine. A lot of businesses today turn to Big Data or NoSQL because of the overwhelming amount of data they have to handle. However, the authors argue that it is a mistake to eliminate SQL. Turning to Big Data or NoSQL also comes at a high cost because we have to train people how to use it and rewrite existing applications/reports. With the new Splice SQL engine, it enables users to build hyper-personalized web, mobile and social applications with the knowledge they already have of SQL and the SQL tools available on the marketplace. read more...

SQL Performance Tips You Can Use Now {1}

by Hieu H
We have all learned throughout the course that the database can affect our applications’ overall performance. As we progress in our knowledge of databases and SQL, we will undoubtedly be exposed to more advanced queries and techniques. However, there are some “basic” techniques that we can use to improve relational database performance now. Mullins points out that “up to 75% of poor relational performance” is caused by inefficient SQL queries and application code. By following some simple rules, we can eliminate some of these issues. The first step is to use JOIN queries instead of cursors for every table. JOINs will return only what we need from the database. The next step is to stop using SELECT * in our queries. Instead of selecting every column in a table, we should select only the required columns. Another trick to improve performance is to use the WHERE clause. This helps to filter out and return only the desired information. read more...
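The three rules summarized in this post and in the first post on the page (JOIN instead of a cursor per table, name the columns instead of SELECT *, filter with WHERE) are easiest to see side by side. Below is an added example that is not from Mullins' article or from either student: it runs the same report two ways against a constructed in-memory SQLite database (invented customers and orders tables) and counts, through a small wrapper written for this demo, how many statements each style sends and how many cells it pulls back.

```python
import sqlite3
from collections import defaultdict


class CountingConnection:
    """Wrapper added for this demo: counts statements run and cells fetched so
    the cost of each query style can be compared on the same data."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.statements = 0
        self.cells = 0

    def query(self, sql: str, params: tuple = ()) -> list:
        self.statements += 1
        rows = self.conn.execute(sql, params).fetchall()
        self.cells += sum(len(r) for r in rows)
        return rows

    def reset(self) -> None:
        self.statements = 0
        self.cells = 0


def make_sales_db() -> CountingConnection:
    # Constructed sample data: 50 customers (odd ids in region 'east', each with a
    # 200-character notes column nobody needs for the report) and 500 orders.
    db = CountingConnection()
    db.conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT, notes TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL);
    """)
    db.conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [(i, f"cust{i}", "east" if i % 2 else "west", "x" * 200) for i in range(1, 51)])
    db.conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(i, (i % 50) + 1, float(i)) for i in range(1, 501)])
    db.conn.commit()
    return db


def east_totals_cursor_style(db: CountingConnection):
    """Anti-pattern: SELECT * from every table, one lookup per row, and the
    region filter applied in application code after everything was fetched."""
    db.reset()
    totals = defaultdict(float)
    for order in db.query("SELECT * FROM orders"):            # id, customer_id, amount
        cust = db.query("SELECT * FROM customers WHERE id = ?", (order[1],))[0]
        if cust[2] == "east":                                  # filtering after the fetch
            totals[cust[1]] += order[2]
    return dict(totals), db.statements, db.cells


def east_totals_join_style(db: CountingConnection):
    """The article's advice: one JOIN, only the needed columns, WHERE in the query."""
    db.reset()
    rows = db.query("""
        SELECT c.name, SUM(o.amount)
        FROM orders AS o
        JOIN customers AS c ON c.id = o.customer_id
        WHERE c.region = 'east'
        GROUP BY c.name
    """)
    return {name: total for name, total in rows}, db.statements, db.cells


if __name__ == "__main__":
    sales = make_sales_db()
    slow, slow_stmts, slow_cells = east_totals_cursor_style(sales)
    fast, fast_stmts, fast_cells = east_totals_join_style(sales)
    print("same result:", slow == fast)
    print("cursor style:", slow_stmts, "statements,", slow_cells, "cells fetched")
    print("join style:  ", fast_stmts, "statements,", fast_cells, "cells fetched")
```

Both functions produce identical totals, but the cursor style issues one statement per order plus one for the order list (501 round trips) and drags every column, notes included, across the connection, while the JOIN issues a single statement and returns only the 25 name/total pairs the report needs.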

SQL Crash Course {1}

by Kevin S
This week I decided to read the article “SQL language crash course (just enough to be dangerous)”. The author covers things such as SELECT, FROM, WHERE, INSERT, UPDATE, DELETE, and several others. He ties each of these in with short examples and explanations of their implementations. These keywords work in all versions of SQL Servers and are important to know. read more...