Chapter 4: Advanced SQL

Chapter 4: Advanced SQL

Chapter 4: Advanced SQL • SQL Data Types and Schemas • Integrity Constraints • Authorization • Embedded SQL • Dynamic SQL • Functions and Procedural Constructs** • Recursive Queries** • Advanced SQL Features**

Build-in Data Types in SQL (Cont.) • Can extract values of individual fields from date/time/timestamp • Example: extract (year from r.starttime) • Can cast string types to date/time/timestamp • Example: cast <string-valued-expression> as date • Example: cast <string-valued-expression> as time

User-Defined Types • create type construct in SQL creates user-defined type create type Dollars as numeric (12,2) final • create domain construct in SQL-92 creates user-defined domain types create domain person_name char(20) not null • Types and domains are similar. Domains can have constraints, such as not null, specified on them.

Integrity Constraints • Integrity constraints guard against accidental damage to the database, by ensuring that authorized changes to the database do not result in a loss of data consistency. • A checking account must have a balance greater than $10,000.00 • A salary of a bank employee must be at least $4.00 an hour • A customer must have a (non-null) phone number

Integrity Constraints • It is a mechanism used to prevent invalid data entry into the table. • Used for enforcing rules that the columns in a table have to confirm with • Types of integrity constraints • Domain integrity constraints • Entity integrity constraints • Referential integrity constraints

Domain Integrity constraints • Constraints set a range, and any violations that take place will prevent the user from performing the manipulation. • Not Null constraint • Check constraint

Not Null constraint • By default the table can contain null values. • The enforcement of Not Null in a table ensures that the table contains values. • Not Null can be defined using alter table command even when the table contains rows. • The table can be altered only if the column being modified contains not null values. • Note:- Zero and Null are not equivalent.

Check constraints • Specify conditions that each row must satisfy • Rules are governed by logical expressions or Boolean expressions • Cannot contain subqueries. Create table abc(a number(2) constraint aa check(a>10), b varchar2(15), c date);---during table creation Alter table abc add constraint aa check (a>10);---after table creation

Table Level constraint • IC defined at table level can impose rules on any columns in the table. • Not null can be given only at the column level

Entity Integrity constraints • Each row in a table can be uniquely identified using the entity constraint • Unique constraints • Primary key constraints

Unique constraints • Used to prevent the duplication of values within the rows of specified column or a set of columns in a table. • This constraint can also allow Null values. • If unique key is defined in more than one column then it is said to be composite unique key. • Can be applied only at table level.

Alter table abc add constraint dd unique(c); • Create table abc(a number(2) not null, b varchar2(15) unique, c date);

Primary Key constraints • Avoids duplication of rows and does not allow null values, when enforced in a column or set of columns. • Used for identification of a row. • A table can have only one primary key • Can be created during table creation or using alter table • Note:- cannot be defined in an alter table command when the table contains rows having Null values. • Create table abc(a number(2), b varchar2(15), c date, constraint a_prime primary key(a));

Referential Integrity constraints • To establish a ‘parent-child’ or a ‘master-detail’ relationship between two tables having a common column, a referential integrity constraint is used. • This can be implemented the column in the parent table as a primary key and the same column in the child table as a foreign key referring to the corresponding parent entry.

Basic concepts related to referential integrity • Foreign key:- Column(s) included in the ref. integrity refer to a referenced key • Referenced key:- It is a unique or a primary key defined on the column belonging to the parent table. • Child table:- depends upon the values present in the referenced key of the parent table. • Parent table:- Determines whether insertion or updation of data can be done in child table

At the time of table creation Create table dept(deptno number(2) primary key, dname varchar2(15) unique, loc varchar2(15) not null); Create table emp(empno number(2) primary key, ename varchar2(15) not null, salary number(7,2) not null, deptno number(2) constraint fk_Dept references dept(Deptno));

On delete cascade Create table account (….. Foreign key (branch_name) references branch on delete cascade on update cascade, …..)

Deferrable and immediate constraints • When a constraint is made deferrable, the checking is postponed till the transaction is committed. • The three conditions which can be set are • Deferrable initially immediate- this checks for constraint violation at the time of insert. • Deferrable initially deferred- checks at the time of commit. • Non deferrable initially immediate- default condition

Assertions • An assertionis a predicate expressing a condition that we wish the database always to satisfy. • The sum of all loan amounts for each branch must be less than the sum of all account balances at the branch. • Every loan has at least one customer who maintains an account with a minimum balance of $1000.00 • An assertion in SQL takes the form create assertion <assertion-name> check <predicate> • When an assertion is made, the system tests it for validity, and tests it again on every update that may violate the assertion • This testing may introduce a significant amount of overhead; hence assertions should be used with great care. • Asserting for all X, P(X) is achieved in a round-about fashion using not exists X such that not P(X)

Assertion Example • The sum of all loan amounts for each branch must be less than the sum of all account balances at the branch. create assertion sum_constraint check(not exists (select * from branchwhere (select sum(amount ) from loanwhere loan.branch_name = branch.branch_name ) >= (select sum (amount ) from accountwhere loan.branch_name = branch.branch_name )))

Assertion Example • Every loan has at least one borrower who maintains an account with a minimum balance or $1000.00 create assertion balance_constraint check (not exists ( select * from loanwhere not exists ( select * from borrower, depositor, accountwhere loan.loan_number = borrower.loan_numberand borrower.customer_name = depositor.customer_nameand depositor.account_number = account.account_numberand account.balance >= 1000)))

Why Security? • The data stored in the database need protection from unauthorized access and malicious destruction or alternation. • Protection against accidental introduction of inconsistency that integrity constraints provide. • There are 2 types of DB security • Discretionary security mechanism • Mandatory access control

Security Two types of DB security mechanisms. – Discretionary security mechanisms • Used to grant privileges to users • Include capabilities to access specific data files, or records, etc. in a specified mode –read, insert, etc.- – Mandatory security mechanisms • Used to enforce multilevel security. • Classifying the data and users into various security classes –levels. • A typical security policy of an organization is to allow certain classification level to see only the data items classified at the user’s own (or lower) classification level.

Mandatory Access control • Typical security classes: – Top Secret (TS). – Secret (S). – Confidential (C). – Unclassified (U). – TS is the highest level and U the lowest level • TS > S > C > U.

Mandatory Access Control (cont’d) One of the commonly used model for multilevel security is known as Bell-LaPadula model. It Classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U. Refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O). Two restrictions are enforced on the Subject/Object classifications: 1. A subject S is not allowed read access to an object O unless class(S)=>class(O). Known as simple security property 2. A subject S is not allowed to write an object O unless class(S)<=class(O). Known as the *-property (star rule).

Security Violations • Forms of malicious access are • Unauthorized reading of data • Unauthorized modification of data • Unauthorized destruction of data. Database Security refers to protection from malicious access. • Security measures at the database system level. • Security measures at the OS level • Security measures at the Network level • Security measures at the Physical level • Security measures at the Human level

Authorization • Several forms of authorization can be assigned to a user. • Read authorization • Insert authorization • Update authorization • Delete authorization • Authorization for the modification of database schema • Index authorization • Resource authorization • Alteration authorization • Drop authorization Database admin has the ultimate authority to authorize new users/restructure the database

Granting of privileges • Authorization can be granted using grant command. • The passing of authorization from one user to another is represented by authorization graph. • In order to maintain security it is required that all edges in an authorization graph be part of some path originating with the database administrator.

Authorization grant graph U1 U4 DBA U2 U5 U3

Attempt to defeat authorization revocation DBA U1 U3 U2

The grant statement is used to confer authorization grant <privilege list> on <relation name or view name> to <user list> <user list> is: a user-id public, which allows all valid users the privilege granted A role Granting a privilege on a view does not imply granting any privileges on the underlying relations. The grantor of the privilege must already hold the privilege on the specified item (or be the database administrator). Authorization Specification in SQL

select: allows read access to relation,or the ability to query using the view Example: grant users U1, U2, and U3select authorization on the branch relation: grant select on branch to U1, U2, U3 insert: the ability to insert tuples update: the ability to update using the SQL update statement delete: the ability to delete tuples. all privileges: used as a short form for all the allowable privileges Privileges in SQL

The revokestatement is used to revoke authorization. revoke <privilege list> on <relation name or view name> from <user list> Example: revoke select on branch from U1, U2, U3 <privilege-list> may be all to revoke all privileges the revokee may hold. If <revokee-list> includes public, all users lose the privilege except those granted it explicitly. If the same privilege was granted twice to the same user by different grantees, the user may retain the privilege after the revocation. All privileges that depend on the privilege being revoked are also revoked. Revoking Authorization in SQL

Limitations of SQL Authorizations • Authorization cannot be given at the level of individual tuples • When authorizations are implemented at the application programs level then • Code for checking authorizations becomes intermixed with the rest of the application code • Difficulties in implementing authorization through application code leads to loop holes.

Audit trail • It is a log of all changes (inserts/deletes/updates) to the database, along with information such as which user performed the change and when the change was performed. • Can be created by triggers

Application Security • Protection of data while they are being transmitted • Protection against intruders who are able to bypass OS security • Privacy restrictions

Mechanisms used in Application Security • Encryption techniques • Authentication • Challenge-response systems • Digital signatures • Digital certificates • Central authentication • Securing applications • Privacy

Encryption support in databases • Disk blocks containing database data should be encrypted. • If the data has to be protected on account of privileges given to other users then encryption must be done before the data reach the database

Authentication • Verifying the identity of a person/software connection to a database. • common- password protection • Challenge-response system • Digital signatures • Digital certificates

Challenge-response systems • Dbase systems sends a challenge to the user. • User encrypts the challenge string using a secret password and returns the result • The dbase can verify the authenticity of the user by decrypting the string with the same secret password and checking with the original string.

Digital signatures • Electronic role of physical signatures on documents • Private key is used to sign data and the signed data is made public • Only persons with private key will be able to generate the signed data

Digital certificates • Authentication of digital signatures are done by means of a certification agency. • The certificate issued by those authorities can be verified, that these are authenticated signatures

Central authentication • A single-sign on system allows the user to be authenticated once and multiple applications can then verify the user’s identity through the central authentication service

Embedded SQL • The SQL standard defines embeddings of SQL in a variety of programming languages such as C, Java, and Cobol. • A language to which SQL queries are embedded is referred to as a host language, and the SQL structures permitted in the host language comprise embedded SQL. • The basic form of these languages follows that of the System R embedding of SQL into PL/I. • EXEC SQL statement is used to identify embedded SQL request to the preprocessor EXEC SQL <embedded SQL statement > END_EXEC Note: this varies by language (for example, the Java embedding uses # SQL { …. }; )

Dynamic SQL • Allows programs to construct and submit SQL queries at run time. • It is a very flexible and powerful tool • Used to accomplish tasks such as adding where clauses to a search based on what fields are filled out on a form or to create tables with varying names.

Examples of dynamic SQL dim sql sql = "Select ArticleTitle, ArticleBody FROM Articles WHERE ArticleID = “ sql = sql & request.querystring("ArticleID") set results = objConn.execute(sql) dim sql sql = "Select * from " & request.querystring("TableName") set results = objConn.execute(sql)

ODBC and JDBC • API (application-program interface) for a program to interact with a database server • Application makes calls to • Connect with the database server • Send SQL commands to the database server • Fetch tuples of result one-by-one into program variables • ODBC (Open Database Connectivity) works with C, C++, C#, and Visual Basic • JDBC (Java Database Connectivity) works with Java

Functions and Procedures • SQL:1999 supports functions and procedures • Functions/procedures can be written in SQL itself, or in an external programming language • Functions are particularly useful with specialized data types such as images and geometric objects • Example: functions to check if polygons overlap, or to compare images for similarity • Some database systems support table-valued functions, which can return a relation as a result • SQL:1999 also supports a rich set of imperative constructs, including • Loops, if-then-else, assignment • Many databases have proprietary procedural extensions to SQL that differ from SQL:1999

SQL Functions • Define a function that, given the name of a customer, returns the count of the number of accounts owned by the customer. create function account_count (customer_name varchar(20)) returns integer begin declare a_count integer; select count (* ) into a_countfrom depositorwhere depositor.customer_name = customer_namereturn a_count;end • Find the name and address of each customer that has more than one account. select customer_name, customer_street, customer_cityfrom customerwhere account_count (customer_name ) > 1

Chapter 4: Advanced SQL