1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
CS 370 Database Systems Lecture 12 Introduction to SQL.
-
Upload
melvyn-hopkins -
Category
Documents
-
view
229 -
download
0
Transcript of CS 370 Database Systems Lecture 12 Introduction to SQL.
CS 370 Database SystemsCS 370 Database Systems
Lecture 12 Introduction to SQL
• Structured Query Language
• The most widely used relational query
language
• The standard for relational database
management systems (RDBMS)
SQL OverviewSQL Overview
• Two sublanguages:
– Data Manipulation Language (DML) – This subset of SQL
allows users to pose queries and to insert, delete, and
update rows.
– Data Definition Language (DDL) – This subset of SQL
supports the creation, deletion, and modification of
definitions for tables and views.
SQL OverviewSQL Overview
• 1970 – E. Codd develops relational database concept
• 1974-1979 – IBM Sequel language developed as part of System R
project at the IBM San Jose Research Laboratory
• Renamed Structured Query Language (SQL)
• 1986 – ANSI SQL standard released
• Current – SQL is supported by most major database vendors
• ANSI and ISO standard SQL:– SQL-86– SQL-89– SQL-92 – SQL:1999– SQL:2003
HistoryHistory
• Specify syntax/semantics for data definition and
manipulation
• Define data structures
• Enable portability
• Allow for later growth/enhancement to standard
Purpose of SQL StandardPurpose of SQL Standard
• The basic form of an SQL query is:-
SELECT [DISTINCT] select-list
FROM from-list
WHERE qualification
• Clauses of the SELECT statement:– SELECT
• List the columns (and expressions) that should be returned from the query
– FROM• Indicate the table(s) or view(s) from which data will be obtained
– WHERE• Indicate the conditions under which a row will be included in the result
Basic SQL QueryBasic SQL Query
CS370 Spring 2007
SELECT DISTINCT S.sid FROM Sailors S, Reserves RWHERE S.sid=R.sid
sid sname rating age
1 Frodo 7 22
2 Bilbo 2 39
3 Sam 8 27
Sailorssid bid day
1 102 9/12
2 103 9/12
2 102 9/13
Reserves
sid
1
2Find sailors that have reserved at least one boat
SELECT DISTINCTSELECT DISTINCT
CS370 Spring 2007
• How about:
SELECT S.sid FROM Sailors S, Reserves RWHERE S.sid=R.sid
sid
1
2
2
SELECT DISTINCTSELECT DISTINCT
CS370 Spring 2007
How about:
SELECT S.snameFROM Sailors S, Reserves RWHERE S.sid=R.sid
sid sname rating age
1 Frodo 7 22
2 Bilbo 2 39
3 Sam 8 27
4 Bilbo 5 32
Sailors
sid bid day
1 102 9/12
2 103 9/13
4 105 9/13
Reserves
sname
Frodo
Bilbo
Bilbo
SELECT DISTINCT S.snameFROM Sailors S, Reserves RWHERE S.sid=R.sid
sname
Frodo
Bilbo
vs:
SELECT DISTINCTSELECT DISTINCT
CS370 Spring 2007
• Semantics of an SQL query are defined in terms of
the following conceptual evaluation strategy:
1. FROM clause: compute cross-product of all tables
2. WHERE clause: Check conditions, discard tuples that fail.
(called “selection”).
3. SELECT clause: Delete unwanted fields. (called
“projection”).
4. If DISTINCT specified, eliminate duplicate rows.
Query SemanticsQuery Semantics
• SQL is based on set and relational operations with certain modifications and enha
ncements
• A typical SQL query has the form:
select A1, A2, …, An
from R1, R2, …, Rm
where P
- Ai represent attributes
- Ri represent relations
- P is a predicate.
Basic StructureBasic Structure
ProjectionProjection• The select clause corresponds to the projection
operation of the relational algebra. It is used to list the attributes desired in the result of a query.
• Find the names of all branches in the loan relationselect branch-namefrom loan
Equivalent to: branch-name(loan)
• An asterisk in the select clause denotes “all attributes”select *from loan
Duplicate RemovalDuplicate Removal
• SQL allows duplicates in relations as well as in query results. Use select distinct to force the elimination of duplicates.Find the names of all branches in the loan relation, and remove duplicates
select distinct branch-namefrom loan
• The keyword all specifies that duplicates not be removed.
select all branch-namefrom loan
force the DBMS to remove duplicates
force the DBMS not to remove duplicates
Arithmetic Operations on Retrieved ResultsArithmetic Operations on Retrieved Results
• The select clause can contain arithmetic expressions involving the operators,,, and , and operating on constants or attributes of tuples.
• The query:select branch-name, loan-number, amount * 100 from loan
would return a relation which is the same as the loan relations, except that the attribute amount is multiplied by 100
• The where clause specifies conditions that tuples in the relations in the from clause must satisfy.
• Find all loan numbers for loans made at the Perryridge branch with loan amounts greater than $1200.
select loan-numberfrom loanwhere branch-name=“Perryridge” and amount >1200
• SQL allows logical connectives and, or, and not. Arithmetic expressions can be used in the comparison operators.
The where ClauseThe where Clause
• The where clause specifies conditions that tuples in the relations in the from clause must satisfy.
• Find all loan numbers for loans made at the Perryridge branch with loan amounts greater than $1200.
select loan-numberfrom loanwhere branch-name=“Perryridge” and amount >1200
• SQL allows logical connectives and, or, and not. Arithmetic expressions can be used in the comparison operators.
The where ClauseThe where Clause
The where Clause (Cont.)The where Clause (Cont.)
• SQL includes the between operator for convenience.• Find the loan number of those loans with loan amounts
between $90,000 and $100,000 (that is, $90,000 and $100,000)
select loan-numberfrom loanwhere amount between 90000 and
100000
The from ClauseThe from Clause
• The from clause corresponds to the Cartesian product operation of the relational algebra.
• Find the Cartesian product borrower loanselect *from borrower, loan
It is rarely used without a where clause.• Find the name and loan number of all customers h
aving a loan at the Perryridge branch.select distinct customer-name, borrower.loan-numb
er from borrower, loanwhere borrower.loan-number = loan.loan-number an
d branch-name = “Perryridge”
The Rename OperationThe Rename Operation
• Renaming relations and attributes using the as clause:old-name as new-name
• Find the name and loan number of all customers having a loan at the Perryridge branch; replace the column name loan-number with the name loan-id.
select distinct customer-name, borrower.loan-number as loan-idfrom borrower, loanwhere borrower.loan-number = loan.loan-number and
branch-name = “Perryridge”
Set OperationsSet Operations
• The set operation union, intersect, and except operate on relations and correspond to the relational algebra operations , and .
• Each of the above operations automatically eliminates duplicate; to retain all duplicates use the corresponding multiset versions union all, intersect all and except all.Suppose a tuple occurs m times in r and n times in s, then, it occurs:– m + n times in r union all s– min(m,n) times in r intersect all s– max(0,m-n) times in r except all s
Set operationsSet operations
• Find all customers who have a loan, an account, or both:(select customer-name from depositor)union (select customer-name from borrower)
• Find all customers who have both a loan and an account.
(select customer-name from depositor)intersect(select customer-name from borrower)
• Find all customers who have an account but no loan.(select customer-name from depositor)except (select customer-name from borrower)
CS370 Spring 2007
Find sids of sailors who’ve reserved a red or a green boat
sid sname rating age
1 Frodo 7 22
2 Bilbo 2 39
3 Sam 8 27
SailorsReserves
bid bname color
101 Nina red
102 Pinta blue
103 Santa red
105 Titanic green
Boats
sid bid day
1 102 9/12
2 103 9/13
4 105 9/13
X
sid
2
4
SELECT R.sidFROM Boats B,Reserves RWHERE(B.color=‘red’ OR B.color=‘green’)
AND R.bid=B.bid
AND, OR, UNION & INTERSECTAND, OR, UNION & INTERSECT
CS370 Spring 2007
SELECT R.sidFROM Boats B,Reserves RWHERE(B.color=‘red’ AND B.color=‘green’)
AND R.bid=B.bid
Find sids of sailors who’ve reserved a red and a green boat
sid sname rating age
1 Frodo 7 22
2 Bilbo 2 39
3 Sam 8 27
SailorsReservessid bid day
1 101 9/12
2 103 9/13
1 105 9/13
Xbid bname color
101 Nina red
102 Pinta blue
103 Santa red
105 Titanic green
Boats
AND & ORAND & OR
CS370 Spring 2007
SELECT R.sidFROM Boats B,Reserves RWHERE B.color = ‘red’
AND R.bid=B.bid
INTERSECT
SELECT R.sidFROM Boats B,Reserves RWHERE B.color = ‘green’ AND R.bid=B.bid Reserves
sid bid day
1 101 9/12
2 103 9/13
1 105 9/13
bid bname color
101 Nina red
102 Pinta blue
103 Santa red
105 Titanic green
Boats
sid
1
2
sid
1 =sid
1
Use INTERSECT instead of ANDUse INTERSECT instead of AND
CS370 Spring 2007
Reservessid bid day
1 102 9/12
2 103 9/13
4 105 9/13
bid bname color
101 Nina red
102 Pinta blue
103 Santa red
105 Titanic green
Boats
sid
2
sid
4
=
sid
2
4
SELECT R.sidFROM Boats B, Reserves RWHERE B.color = ‘red’ AND R.bid=B.bid UNION
SELECT R.sidFROM Boats B, Reserves RWHERE B.color = ‘green’ AND R.bid=B.bid
Could also use UNION for the OR queryCould also use UNION for the OR query
SELECT S.sid FROM Sailors SEXCEPTSELECT S.sid FROM Sailors S, Reserves RWHERE S.sid=R.sid
Find sids of sailors who have not reserved a boat
sid sname rating age
1 Frodo 7 22
2 Bilbo 2 39
3 Sam 8 27
Reservessid bid day
1 102 9/12
2 103 9/13
1 105 9/13
Sailors
First find the set of sailors who have reserved a boat…
and then compare it with the rest of the sailors
sid
3
ESCEPT: Set DifferenceESCEPT: Set Difference