Structured Query Language

Detecting and Preventing SQL Injections

by Kathy S
In this journal article the authors discuss how web applications are often vulnerable in ways that let attackers easily reach the application's underlying database. They define an SQL injection as a type of attack in which the attacker adds Structured Query Language code to a web form input box in order to gain access to data or make changes to it. The authors/researchers propose different tools to detect and prevent this vulnerability. The main consequences of these vulnerabilities are attacks on authorization, authentication, confidentiality, and integrity. One of the proposed techniques to prevent SQLIAs (SQL Injection Attacks) is called WAVES, a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points in a web application that can be used to inject SQLIAs, builds attacks that target these points, and monitors the application's response to the attacks using machine learning. Other tools that help prevent SQLIAs are JDBC-Checker, CANDID, SAFELI, AMNESIA, SQL Guard and SQL check, and WebSSARI. The authors go into much detail explaining what each tool does to prevent SQLIAs and how it works. They test these tools and explain their results at the end of the article. If interested, I'd recommend reading the whole article to find more information.
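To make the injection point described above concrete, here is an added example (my own, not code from the article or from any of the tools it surveys) that contrasts a login query built by string concatenation with the same query written with bound parameters. It uses Python's built-in sqlite3 module and an in-memory table with constructed sample users; the table name, column names and user rows are assumptions for illustration only.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a constructed users table (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic mistake: form input is pasted straight into the SQL text, so the
    input can change the query's structure (this is the pattern the article
    warns about)."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Hardened form: the SQL text is fixed and the driver binds the values,
    so input is always treated as data, never as query syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the kind of input an SQLIA relies on
    print("vulnerable:", login_vulnerable(db, tautology, tautology))  # every user
    print("safe:      ", login_safe(db, tautology, tautology))        # nobody
    # A legitimate apostrophe breaks the concatenated query but is fine when bound.
    print("safe, legit apostrophe:", login_safe(db, "o'brien", "pw"))
```

The vulnerable function returns every row for the tautology input because the quote characters rewrite the WHERE clause; the parameterized function returns nothing, and also handles a legitimate apostrophe in a username without error, which the concatenated version cannot (it raises a syntax error). Parameterized queries are the baseline defence; the static and dynamic tools the article surveys are most useful for finding the places where code still builds queries the first way.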

Optimizing SQL Server Performance

by Kathy S
In this journal article the authors state that efficiency and performance are often the last criteria considered when designing and developing new applications that use a database. Sometimes the application does not display the information requested from the database in a reasonable time, or fails to display it at all. The reasons may be related to the application design, but in many cases the DBMS does not return the data quickly enough because of missing indexes, deficient design of the queries and/or database schema, excessive fragmentation, inaccurate statistics, failure to reuse execution plans, or improper use of cursors. The authors then review the objectives that should be considered in order to improve the performance of SQL Server instances. The most important objectives are: 1) designing an efficient data schema, 2) optimizing indexes, stored procedures and transactions, 3) analyzing execution plans and avoiding recompiling them, 4) monitoring access to data, and 5) optimizing queries. The authors conclude that optimization is an iterative process that includes identifying bottlenecks, solving them, measuring the impact of changes, and reassessing the system from the first step to determine whether satisfactory performance has been achieved. They also highlight that superior performance can be obtained by writing efficient code at the application level and by properly using database design and development techniques.
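The article's second and third objectives (index optimization and reading execution plans) can be tried out without a SQL Server instance. The following is an added example of my own, not from the article, that uses SQLite's EXPLAIN QUERY PLAN through Python's sqlite3 module to show the same plan change a SQL Server DBA would look for: a full table scan turning into an index seek once a suitable index exists. The orders table, its constructed rows and the index name are assumptions for illustration; the plan wording differs between SQLite versions, so the check only looks for the word INDEX in the plan.

```python
import sqlite3


def build_orders_db(rows=5000):
    """Constructed sample table: 5000 orders spread across 100 customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
        [(i % 100, float(i)) for i in range(rows)],
    )
    conn.commit()
    return conn


# The query under study: a customer's order total, filtered on a non-key column.
TOTAL_SQL = "SELECT SUM(amount) FROM orders WHERE customer_id = ?"


def plan_for(conn, sql, params=()):
    """Return the 'detail' text of each step in SQLite's query plan."""
    return [row[-1] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]


def uses_index(conn, sql, params=()):
    """True if any plan step reports an index (SEARCH ... USING INDEX) rather than a table SCAN."""
    return any("INDEX" in step.upper() for step in plan_for(conn, sql, params))


def add_customer_index(conn):
    """The fix: an index matching the WHERE predicate. Name is an assumption."""
    conn.execute("CREATE INDEX idx_orders_customer ON orders (customer_id)")
    conn.commit()


def total_for_customer(conn, customer_id):
    """Parameterized so the statement text is identical on every call, which is
    what lets a database reuse a compiled plan instead of recompiling it."""
    return conn.execute(TOTAL_SQL, (customer_id,)).fetchone()[0]


if __name__ == "__main__":
    db = build_orders_db()
    print("before:", plan_for(db, TOTAL_SQL, (7,)))   # e.g. ['SCAN orders']
    add_customer_index(db)
    print("after: ", plan_for(db, TOTAL_SQL, (7,)))   # e.g. ['SEARCH orders USING INDEX idx_orders_customer (customer_id=?)']
    print("total for customer 7:", total_for_customer(db, 7))
```

The result of the query is the same before and after; only the access path changes, which is exactly the measure-then-reassess loop the authors describe. The query also keeps its text fixed and binds the customer id, so the same prepared statement can be reused instead of recompiled on every call.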