Material for Database Class.
List of commits:
| Subject | Hash | Author | Date (UTC) |
|---|---|---|---|
| Small edit, correcting maefile. | 7baa188be7d322e5288b498afbb7beaa96a9770b | aubert@math.cnrs.fr | 2020-04-19 07:36:08 |
| Cleaned latex files. | 79b68f7b709ddeebc8133f7962fe5aabb3376304 | aubert@math.cnrs.fr | 2020-04-19 06:22:30 |
| Minor corrections in installation manual. | 436cee8616c25ccbed8bc406d988c2b4d28420f8 | aubert@math.cnrs.fr | 2020-04-19 06:19:04 |
| Minor corrections in installation manual. | cb8cdfbd506a1344c81aecda055165cc1ca54ece | aubert@math.cnrs.fr | 2020-04-19 06:17:52 |
| Working on install manual. | 3702c6437ee163eb4a61b4d69cffee8c8a76dc3d | aubert@math.cnrs.fr | 2020-04-19 06:04:22 |
| Worked on makefiles and example file. | 4255d5e85bb684349f7f7798455dd8b3a273254b | aubert@math.cnrs.fr | 2020-04-19 04:56:53 |
| Re-idented some of the code. | 124375e6bed1edb96d1bb4bcec8f111c8a3a1197 | aubert@math.cnrs.fr | 2020-04-19 03:10:02 |
| Java indentation | 2b317a12b7ab52bdca576a1bb46b2a2ce295464f | guest | 2020-04-18 22:21:04 |
| test | 6fefa044794ff1d74a3d2493556c836b3dd97e74 | guest | 2020-04-18 22:18:44 |
| Java indentation | 5b0e0eb38484a8c67517a36a438f148bd5efa740 | guest | 2020-04-18 22:14:01 |
| Worked on install notes. | b46b931ef11e3cb7dfe87c7f91ec9d5c558567e6 | aubert@math.cnrs.fr | 2020-04-17 05:22:20 |
| Started to integrate installation manual to notes. | fd27b7686dd4c9d99163cf7badc720cd4a050221 | aubert@math.cnrs.fr | 2020-04-17 04:09:11 |
| Replaced picture with text in Naming_Convention.md. | aff8c98c70b0834f9b0f076b881975daf3cdda03 | aubert@math.cnrs.fr | 2020-04-17 03:48:38 |
| Testing. | b1a0942b15742ce987e4ad63848e9e2afcdde7ae | aubert@math.cnrs.fr | 2020-04-17 02:03:52 |
| Added explanation on the importance of alt text in known bugs. | 3bddd86e1072b095a9f9d02f8c035f8d8f3e7155 | aubert@math.cnrs.fr | 2020-04-17 01:44:51 |
| Notes on passing parameters in url | eea245da85acbc2e3cf2dd94e10170dcd10eb04f | aubert@math.cnrs.fr | 2020-04-16 01:55:57 |
| Worked on Security Chapter. | e18b82c85cf995279993fb681d53f798f14b2932 | aubert@math.cnrs.fr | 2020-04-15 15:23:07 |
| Re-vamping the advanced java part. | bc34886513772e6920a153752267149ef89d9a70 | aubert@math.cnrs.fr | 2020-04-13 18:25:23 |
| Deleted Workflow file, since it is now in CONTRIb. | 194d0e9f227b1f56f893a010247417268552b9e4 | aubert@math.cnrs.fr | 2020-04-13 14:45:21 |
| SQL/XML indentation and comments | 618fca553f0ffa355ca330e90e9adeeeb42c586d | guest | 2020-04-13 00:09:03 |
Commit 7baa188be7d322e5288b498afbb7beaa96a9770b
- Small edit, correcting maefile.
Author: aubert@math.cnrs.fr
Author date (UTC): 2020-04-19 07:36
Committer name: aubert@math.cnrs.fr
Committer date (UTC): 2020-04-19 07:36
Parent(s): 79b68f7b709ddeebc8133f7962fe5aabb3376304
Signer:
Signing key:
Signing status: N
Tree: 6c9347961caad54a47e1b18a9ad71328ea83ed2e
Author: aubert@math.cnrs.fr
Author date (UTC): 2020-04-19 07:36
Committer name: aubert@math.cnrs.fr
Committer date (UTC): 2020-04-19 07:36
Parent(s): 79b68f7b709ddeebc8133f7962fe5aabb3376304
Signer:
Signing key:
Signing status: N
Tree: 6c9347961caad54a47e1b18a9ad71328ea83ed2e
| File | Lines added | Lines deleted |
|---|---|---|
| notes/Makefile | 9 | 14 |
| notes/lectures_notes.md | 3 | 1 |
| File notes/Makefile changed (mode: 100644) (index efaa9fe..41648af) | |||
| ... | ... | OPTIONSPANDOC:= --toc --filter pandoc-numbering --filter pandoc-citeproc --filte | |
| 15 | 15 | # Options common to all invokations of pandoc. Cf https://pandoc.org/MANUAL.html to understand them. | # Options common to all invokations of pandoc. Cf https://pandoc.org/MANUAL.html to understand them. |
| 16 | 16 | OPTIONSPANDOCODT:= $(OPTIONSPANDOC) --default-image-extension=svg | OPTIONSPANDOCODT:= $(OPTIONSPANDOC) --default-image-extension=svg |
| 17 | 17 | OPTIONSPANDOCHTML:= $(OPTIONSPANDOC) --css=style/style.css --toc-depth=1 --self-contained --default-image-extension=svg | OPTIONSPANDOCHTML:= $(OPTIONSPANDOC) --css=style/style.css --toc-depth=1 --self-contained --default-image-extension=svg |
| 18 | OPTIONSPANDOCPDF:= $(OPTIONPANDOC) --pdf-engine=xelatex --pdf-engine-opt=-shell-escape -V links-as-notes --default-image-extension=pdf | ||
| 18 | OPTIONSPANDOCPDF:= $(OPTIONSPANDOC) --pdf-engine=xelatex --pdf-engine-opt=-shell-escape -V links-as-notes --default-image-extension=pdf | ||
| 19 | 19 | # Options for (respectively) the odt, html and pdf outputs. | # Options for (respectively) the odt, html and pdf outputs. |
| 20 | 20 | .DEFAULT_GOAL:= all | .DEFAULT_GOAL:= all |
| 21 | 21 | # By default, we construct all the files. | # By default, we construct all the files. |
| ... | ... | JAVA_CODE = code/java/*.java | |
| 36 | 36 | # This must be run before compiling the pdf. | # This must be run before compiling the pdf. |
| 37 | 37 | ||
| 38 | 38 | .PHONY: fig $(FIG_SOURCE) | .PHONY: fig $(FIG_SOURCE) |
| 39 | fig : $(FIG_SOURCE) | ||
| 39 | fig: $(FIG_SOURCE) | ||
| 40 | 40 | $(FIG_SOURCE): | $(FIG_SOURCE): |
| 41 | 41 | latexmk -silent -cd -pdf $@ | latexmk -silent -cd -pdf $@ |
| 42 | 42 | # latexmk automates and simplifies the latex compilation of the figures. | # latexmk automates and simplifies the latex compilation of the figures. |
| ... | ... | odt: lectures_notes.md | |
| 73 | 73 | pdf: lectures_notes.md | pdf: lectures_notes.md |
| 74 | 74 | pandoc $(OPTIONSPANDOCPDF) -o lectures_notes.pdf $< | pandoc $(OPTIONSPANDOCPDF) -o lectures_notes.pdf $< |
| 75 | 75 | ||
| 76 | |||
| 77 | # Rule to compile to mediawiki | ||
| 78 | # This rule is not tested nor used. | ||
| 79 | |||
| 80 | #mediawiki: lectures_notes.md | ||
| 81 | # pandoc $(OPTIONSPANDOC) --default-image-extension=svg --to mediawiki -o lectures_notes.mw $< | ||
| 82 | |||
| 83 | |||
| 84 | 76 | ### | ### |
| 85 | 77 | # Rule for the example.md file, to test your installation. | # Rule for the example.md file, to test your installation. |
| 86 | 78 | ### | ### |
| ... | ... | temp: temp.md | |
| 110 | 102 | .PHONY: all | .PHONY: all |
| 111 | 103 | all: pdf odt html aux | all: pdf odt html aux |
| 112 | 104 | ||
| 105 | ### | ||
| 113 | 106 | # "Phony" rule to indent properly the latex files | # "Phony" rule to indent properly the latex files |
| 114 | .PHONY: clean_latex $(FIG_SOURCE) | ||
| 115 | clean_latex: $(FIG_SOURCE) | ||
| 116 | $(FIG_SOURCE): | ||
| 117 | latexindent -w -s $@ | ||
| 107 | ### | ||
| 108 | |||
| 109 | #.PHONY: clean_latex $(FIG_SOURCE) | ||
| 110 | #clean_latex: $(FIG_SOURCE) | ||
| 111 | #$(FIG_SOURCE): | ||
| 112 | # latexindent -w -s $@ | ||
| 118 | 113 | ||
| 119 | 114 | ### | ### |
| 120 | 115 | # "Phony" rule to beautify the java code | # "Phony" rule to beautify the java code |
| File notes/lectures_notes.md changed (mode: 100644) (index a759d19..5e1e6c1) | |||
| ... | ... | Technological measure of protections exist, and should be used. For instance, | |
| 8414 | 8414 | mysqldump --all-databases - u testuser -p password - h localhost > dump.sql | mysqldump --all-databases - u testuser -p password - h localhost > dump.sql |
| 8415 | 8415 | ``` | ``` |
| 8416 | 8416 | - Use encryption, salting _and_ hashing when it comes to password and other sensitive data. | - Use encryption, salting _and_ hashing when it comes to password and other sensitive data. |
| 8417 | - **Do not** let the users connect directly to your database, even through a piece of software you wrote (refer e.g. to <https://security.stackexchange.com/q/229954> for a discussion on why this is not a good idea). | ||
| 8417 | 8418 | ||
| 8418 | 8419 | If you are not familiar with the concepts of salting and hashing, you can consult e.g. <https://crackstation.net/hashing-security.htm>. | If you are not familiar with the concepts of salting and hashing, you can consult e.g. <https://crackstation.net/hashing-security.htm>. |
| 8419 | 8420 | In a nutshell, this is a measure of prevention to protect your users against weak passwords, and to make sure that only an encrypted version of their password will be stored in your database. | In a nutshell, this is a measure of prevention to protect your users against weak passwords, and to make sure that only an encrypted version of their password will be stored in your database. |
| ... | ... | Finally, `code/java/SimpleInjection03.java` shows how to use proper statements t | |
| 8495 | 8496 | ### Protections | ### Protections |
| 8496 | 8497 | ||
| 8497 | 8498 | Possible protections from sql injections (-like) includes: | Possible protections from sql injections (-like) includes: |
| 8499 | |||
| 8498 | 8500 | #. Prepared statements (a.k.a. stored procedures), | #. Prepared statements (a.k.a. stored procedures), |
| 8499 | 8501 | #. White list input validation, | #. White list input validation, |
| 8500 | 8502 | #. Escaping (AT YOUR OWN RISK). | #. Escaping (AT YOUR OWN RISK). |
| ... | ... | Solution to [%D %n (%T)](#problem:insecure_java) | |
| 8612 | 8614 | - Not asking explicitly for a secure connection is probably not a good idea. Using the default port can sometimes be problematic as well. | - Not asking explicitly for a secure connection is probably not a good idea. Using the default port can sometimes be problematic as well. |
| 8613 | 8615 | - Reading a figure as a string is a bad idea, since the user can try to manipulate the content of that field. The datatype read in the application should match the datatype we are trying to get. | - Reading a figure as a string is a bad idea, since the user can try to manipulate the content of that field. The datatype read in the application should match the datatype we are trying to get. |
| 8614 | 8616 | - Having `admin` / `admin` as a login / password is unforgivable. They should be changed. And, at least, the application should not connect to the database with admin rights! | - Having `admin` / `admin` as a login / password is unforgivable. They should be changed. And, at least, the application should not connect to the database with admin rights! |
| 8615 | - Giving the credentials in the source code is not a good idea. The application should connect to another application, hosted on the the server-side, that performs the connection to the database. | ||
| 8617 | - Giving the credentials in the source code is not a good idea. The application should connect to another application, hosted on the the server-side, that performs the connection to the database. Refer e.g. to <https://security.stackexchange.com/q/229954> for explanations on why users should not be allowed to connect directly to your database. | ||
| 8616 | 8618 | - Not using prepared statement, is a huge mistake. This can lead to `SQL` injection like the one we saw above. | - Not using prepared statement, is a huge mistake. This can lead to `SQL` injection like the one we saw above. |
| 8617 | 8619 | ||
| 8618 | 8620 | ||
Hints:
Before first commit, do not forget to setup your git environment:
Clone this repository using HTTP(S):
Clone this repository using ssh (do not forget to upload a key first):
Clone this repository using git:
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/caubert/CSCI_3410
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/caubert/CSCI_3410
Clone this repository using git:
git clone git://git.rocketgit.com/user/caubert/CSCI_3410
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main
... make some changes and some commits ...
git push origin main
RocketGit
Rocket your launch!
Rocket your launch!