
CSE 412 Database Management

Lecture 12
SQL and Schema Normalization
Jia Zou
Arizona State University

1
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Transaction
• Discretionary Access Control

2
GRANT Command
• GRANT privileges ON object TO users [WITH GRANT OPTION]
• The following privileges can be specified:
• SELECT: Can read all columns (including those added later via ALTER TABLE command).
• INSERT(col-name): Can insert tuples with non-null or non-default values in this column.
• INSERT (without a column list) means the same right with respect to all columns.
• UPDATE (col-name): similar to INSERT.
• DELETE: Can delete tuples.
• REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.
• Object can be a table or a view
• User can be a user or a role (a named group of users)
• If a user has a privilege with the GRANT OPTION, they can pass the privilege on to other users (with or without passing on the GRANT OPTION).
• Only the owner can execute CREATE, ALTER, and DROP.
Revoke Command
• REVOKE privileges ON object FROM users [CASCADE]
• When a privilege is revoked from X and CASCADE is specified, it is also revoked from all users who got it solely from X.
Example

5
Examples: GRANT and REVOKE of Privileges
• GRANT INSERT, SELECT ON Sailors TO Horatio
• Horatio can query Sailors or insert tuples into it.
• GRANT DELETE ON Sailors TO Yuppy WITH GRANT OPTION
• Yuppy can delete tuples, and also authorize others to do so.
• GRANT UPDATE (rating) ON Sailors TO Dustin
• Dustin can update (only) the rating field of Sailors tuples.
• GRANT SELECT ON ActiveSailors TO Guppy, Yuppy
• This does NOT allow the ‘uppies to query Sailors directly!
• REVOKE SELECT ON Sailors FROM Yuppy CASCADE;
• This will revoke the authorization for querying Sailors from Yuppy and all users who got this privilege solely from Yuppy
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Discretionary Access Control
• Programming Interfaces

7
Working with SQL through an API
• E.g.: Python psycopg2, JDBC, ODBC (C/C++/VB)
• All based on the SQL/CLI (Call-Level Interface) standard
• The application program sends SQL commands to the DBMS at runtime
• Responses/results are converted to objects in the application program

8
https://pypi.org/project/psycopg2/

9
Example API: Python psycopg2

10
More psycopg2 examples

11
Prepared statements: motivation

• Every time we send an SQL string to the DBMS, it must perform parsing, semantic analysis, optimization, compilation, and finally execution
• A typical application issues many queries with a small number of patterns (with different parameter values)
• Can we reduce this overhead?

12
Prepared statements: example

• The DBMS performs parsing, semantic analysis, optimization, and compilation only once, when it “prepares” the statement
• At execution time, the DBMS only needs to check parameter types and validate the compiled plan
• Most other APIs have better support for prepared statements than psycopg2
• E.g., they would provide a cur.prepare() method

13
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Discretionary Access Control
• Programming Interfaces
• SQL injection

14
“Exploits of a mom”

• The school probably had something like:

    cur.execute("SELECT * FROM Students " + \
                "WHERE (name = '" + name + "')")

  where name is a string input by the user
• This is called an SQL injection attack
15
SQL comments
• https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-COMMENTS

16
SQL Injection

17
Guarding against SQL injection
• Escape certain characters in a user input string, to ensure that it remains a single string
• E.g., ', which would terminate a string in SQL, must be replaced by '' (two single quotes in a row) within the input string
• Luckily, most APIs provide ways to “sanitize” input automatically (if you use them properly)
• E.g., pass parameter values in psycopg2 through %s placeholders

Unsafe:
    sql_query = 'SELECT * FROM {}'.format(user_input)
    cur.execute(sql_query)

Safe:
    sql_query = 'SELECT * FROM %s'
    cur.execute(sql_query, (user_input,))

Note: %s placeholders carry values only; psycopg2 quotes them as string literals, so a table or column name cannot be supplied this way.
18
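Added example (not from the slides): the three approaches from the last two slides side by side, the concatenated query of the “Exploits of a mom” slide, the manual quote-doubling escape, and driver parameterisation. It uses Python's built-in sqlite3 module in place of psycopg2 so it runs without a PostgreSQL server; sqlite3 writes placeholders as ? where psycopg2 writes %s, and in both drivers a placeholder carries a value, never a table or column name. The Students rows and the malicious input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the lecture's Students table.
STUDENTS = [("Alice", 3.9), ("Bob", 3.1), ("Robert", 2.5)]


def make_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE Students (name TEXT, gpa REAL)")
    cur.executemany("INSERT INTO Students VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # The pattern from the "Exploits of a mom" slide: the user-supplied
    # string is concatenated straight into the SQL text.
    cur = conn.cursor()
    cur.execute("SELECT name FROM Students WHERE (name = '" + name + "')")
    return [row[0] for row in cur.fetchall()]


def lookup_escaped(conn, name):
    # Manual defence from the slide: double every single quote so the
    # input can only ever be read as one string literal.
    cur = conn.cursor()
    safe = name.replace("'", "''")
    cur.execute("SELECT name FROM Students WHERE (name = '" + safe + "')")
    return [row[0] for row in cur.fetchall()]


def lookup_param(conn, name):
    # Driver parameterisation: the value never becomes part of the SQL
    # text. sqlite3 uses '?' where psycopg2 uses '%s'; the idea is identical.
    cur = conn.cursor()
    cur.execute("SELECT name FROM Students WHERE (name = ?)", (name,))
    return [row[0] for row in cur.fetchall()]


def demo(user_input="x') OR 1=1 --"):
    # Constructed input that closes the quoted literal and comments out the
    # rest of the statement (see the SQL comments slide). Only the
    # concatenated version lets it change the query's meaning.
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, user_input),
        "escaped": lookup_escaped(conn, user_input),
        "param": lookup_param(conn, user_input),
    }


if __name__ == "__main__":
    for method, rows in demo().items():
        print(f"{method:8s} -> {rows}")
```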