List of commits:
Subject Hash Author Date (UTC)
Fixed some include code. 9caf6bc12caded947f222cb03fa0c1b10f2c8041 caubert 2021-03-24 13:11:20
Added question from quiz #3 7426197119517bff992e7753174de82ae3ff7ed7 caubert 2021-03-22 16:37:09
Added instructions in case the server time zone is off. 6f845eee2eec6538a18e6e64fa5e140039aa4482 caubert 2021-03-22 14:32:00
Added a reference to UML. 7b36cee0763b42c481474181423020cb600123fd caubert 2021-03-17 13:59:50
Some notes in DB applications added. 3535d187737aea90413e73489729a4a64ce89f80 caubert 2021-03-17 13:55:48
Fixed typo cfc6ac63d8ed0d0a2b9f4f530524d4723f5baae6 caubert 2021-03-12 18:36:32
fixed couple of typos. 6191d6cc01638c07ab0b48a086718fc2440fa367 caubert 2021-03-12 18:31:47
Added quiz #2$ ff134e831427d6e24603af76be52576928dae301 caubert 2021-03-01 19:51:12
Added missing file. d7f2b8ceb14456db8ee2857fcd2b9445bcff1f95 caubert 2021-02-16 18:54:57
Added more complex queries and triggers for HW_Vaccine. 1b133f143e9c6fec72271de28345df39689235f8 caubert 2021-02-09 20:23:30
Added project 1 and its solution. 14f03a1733c084b26dbc72c009e2b7b832ed8643 caubert 2021-02-06 21:46:04
Added project 1 and its solution. b7a31871ebccbf4caff81d9d57ed6847f4dc5543 caubert 2021-02-06 21:45:24
Added simple examples for SQL. 4ea62f6930ff19bcff8d406d95c9cd84c0f0216d caubert 2021-02-02 22:24:41
Added first project. e851058cc58a9d47ada9970f8b914e798c7d2ce7 caubert 2021-01-27 19:57:12
Few typos. 45ba15cd03fab4388439b617c656f52b2ec96319 caubert 2021-01-26 20:08:24
Small fix in code. 7860e391d0bbe82336b8f05585f846e829d181b1 caubert 2021-01-26 18:55:17
Fixed various bugs. fa76c1e469a4263d7bb7da79532abd1eedcc49be caubert 2021-01-22 19:27:01
First quizz, and fix bug with code displayed. bc9b6bb097e30186805b02dc1cdc5de2d5feabe4 caubert 2021-01-22 19:21:54
Edited the preamble. 364e709107602e163ea9365f25ccf1f5a6bb1914 caubert 2021-01-11 16:00:07
Started to edit notes and add final exam from fall 2020. bb747e27ce08ce17e91913e947614e3057580995 caubert 2021-01-06 22:26:07
Commit 9caf6bc12caded947f222cb03fa0c1b10f2c8041 - Fixed some include code.
Author: caubert
Author date (UTC): 2021-03-24 13:11
Committer name: caubert
Committer date (UTC): 2021-03-24 13:11
Parent(s): 7426197119517bff992e7753174de82ae3ff7ed7
Signer:
Signing key:
Signing status: N
Tree: 8b4fb54d73c45b689f1936a9ba8df5706706bd04
File Lines added Lines deleted
notes/lectures_notes.md 120 101
File notes/lectures_notes.md changed (mode: 100644) (index 7877ac0..ebb5590)
... ... Exercise +.#ErrorsInCode
9111 9111 In the code below, there are five errors between line 13 and line 32. In the code below, there are five errors between line 13 and line 32.
9112 9112 They are *not* subtle Java errors (like misspelling a key word) and do not come from the DBMS (so you should assume that the password is correct, that the database exists, etc.). They are *not* subtle Java errors (like misspelling a key word) and do not come from the DBMS (so you should assume that the password is correct, that the database exists, etc.).
9113 9113 Highlight each error and explain why it is an error. Highlight each error and explain why it is an error.
9114
9115 <!-- Bug, this code should be indented to be in the current environment. -->
9114 9116
9115 ```{.java .numberLines .includeLink include=code/java/ProgWithErrors.java}
9116 ```
9117
9118 ```{.java .numberLines .includeLink include=code/java/ProgWithErrors.java}
9119 ```
9117 9120
9118 9121 Exercise +.# Exercise +.#
9119 9122
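Review bot: the HTML comment added at new line 9115 ("Bug, this code should be indented to be in the current environment") records a defect instead of fixing it, and the fenced include re-added at 9118-9119 is identical in this view to the one deleted at old 9115-9116, so the hunk changes nothing in the rendered notes while leaving a TODO in the published source. Either apply the indentation the comment asks for, or track it outside the document; and if the re-added fence did gain leading whitespace that this side-by-side view drops, say so in the commit message, because "Fixed some include code." does not tell a reader what was changed.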
 
... ... Solution +.#
9288 9291
9289 9292 Here is what the program should look like: Here is what the program should look like:
9290 9293
9294 <!-- Bug, this code should be indented to be in the current environment. -->
9291 9295
9292 ```{.java .numberLines .includeLink include=code/java/TestForNull.java}
9293 ```
9296 ```{.java .numberLines .includeLink include=code/java/TestForNull.java}
9297 ```
9294 9298
9295 This program should display:
9299 This program should display:
9296 9300
9297 9301 ```{.bash} ```{.bash}
9298 9302 This last query changed 1 row(s). This last query changed 1 row(s).
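Review bot: old 9291-9293 and 9295 ("This program should display:") are deleted and re-added unchanged at 9295-9299, so apart from the TODO comment at 9294 this hunk is whitespace-only; a reviewer using a whitespace-insensitive diff would see just the comment. If the goal is the indentation the comment describes, commit that change on its own and drop the comment once it is applied, so the notes do not ship with an inline bug report.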
 
... ... Problem (Advanced Java Programming) +.#Advanced_java
9306 9310 ~ ~
9307 9311
9308 9312 Read, execute, break, edit, compile, patch, hack and (most importantly) understand the following program: Read, execute, break, edit, compile, patch, hack and (most importantly) understand the following program:
9313
9314 <!-- Bug, this code should be indented to be in the current environment. -->
9309 9315
9310 ```{.java .numberLines .includeLink include=code/java/AdvancedProg.java}
9311 ```
9316
9317 ```{.java .numberLines .includeLink include=code/java/AdvancedProg.java}
9318 ```
9312 9319
9313 9320 Problem (A GUEST Java Program) +.#Guest_Java Problem (A GUEST Java Program) +.#Guest_Java
9314 9321 ~ ~
9315 9322
9316 9323 Consider the code below: Consider the code below:
9317 9324
9318 ```{.java .numberLines .includeLink include=code/java/GuestProgram.java}
9319 ```
9325 <!-- Bug, this code should be indented to be in the current environment. -->
9320 9326
9321 In the following three exercises, you will add some code below the comment `// INSERT HERE Solution to exercises 1, 2 and 3.`{.java} in order to obtain a behavior like the following one (you do not have to reproduce it exactly!).
9327 ```{.java .numberLines .includeLink include=code/java/GuestProgram.java}
9328 ```
9329
9330 In the following three exercises, you will add some code below the comment `// INSERT HERE Solution to exercises 1, 2 and 3.`{.java} in order to obtain a behavior like the following one (you do not have to reproduce it exactly!).
9322 9331 The user input is underlined, and hitting "enter" is represented by $↵$: The user input is underlined, and hitting "enter" is represented by $↵$:
9323 9332
9324 9333
9325 ```{text}
9326 How many guests do you have?
9327 ͟2͟↵
9328 Enter name of guest 1.
9329 M͟a͟r͟c͟u͟s͟ ͟H͟e͟l͟l͟s͟↵
9330 Enter name of guest 2.
9331 C͟y͟n͟t͟h͟i͟a͟ ͟H͟e͟a͟v͟e͟n͟s͟↵
9332 ……………⌛……………
9333 Oh no, (at least) one of the guest from the black list confirmed their presence!
9334 The name of the first one is Marcus Hells.
9334 ```{text}
9335 How many guests do you have?
9336 2͟↵
9337 Enter name of guest 1.
9338 M͟a͟r͟c͟u͟s͟ ͟H͟e͟l͟l͟s͟↵
9339 Enter name of guest 2.
9340 C͟y͟n͟t͟h͟i͟a͟ ͟H͟e͟a͟v͟e͟n͟s͟↵
9341 ……………⌛……………
9342 Oh no, (at least) one of the guest from the black list confirmed their presence!
9343 The name of the first one is Marcus Hells.
9335 9344
9336 Do you want to remove all the guests that are on the black list and who have confirmed
9337 their presence? Enter "Y" for yes, anything else for no.
9338 ```
9345 Do you want to remove all the guests that are on the black list and who have confirmed
9346 their presence? Enter "Y" for yes, anything else for no.
9347 ```
9339 9348
9340 You should suppose that `BLACKLIST` contains more than one name, and that some other operations are performed where ……………⌛…………… is (typically, some guests will confirm their presence).
9341 Using batch processing or prepared statements will be a plus, but is not mandatory to solve these exercises.
9349 You should suppose that `BLACKLIST` contains more than one name, and that some other operations are performed where ……………⌛…………… is (typically, some guests will confirm their presence).
9350 Using batch processing or prepared statements will be a plus, but is not mandatory to solve these exercises.
9342 9351
9343 #. Write a snippet that
9344 #. Asks the user how many guests they have,
9345 #. For each guest, asks their name (using `key.nextLine()`{.java}, that returns the `String`{.java} entered by the user),
9346 #. For each guest name entered, inserts in the `GUEST` table an integer that is incremented after each insertion, the name entered by the user, and `NULL`.
9347 #. Write a snippet such that if there is at least one guest who confirmed their presence and whose name is on the blacklist, a message will be displayed on the screen containing the name of (at least) one of those guests.
9348 #. Write a snippet that asks the user whenever they want to remove from the guest list all the persons on the blacklist that confirmed their presence, and do so if they enter "yes" (or some variation).
9352 #. Write a snippet that
9353 #. Asks the user how many guests they have,
9354 #. For each guest, asks their name (using `key.nextLine()`{.java}, that returns the `String`{.java} entered by the user),
9355 #. For each guest name entered, inserts in the `GUEST` table an integer that is incremented after each insertion, the name entered by the user, and `NULL`.
9356 #. Write a snippet such that if there is at least one guest who confirmed their presence and whose name is on the blacklist, a message will be displayed on the screen containing the name of (at least) one of those guests.
9357 #. Write a snippet that asks the user whenever they want to remove from the guest list all the persons on the blacklist that confirmed their presence, and do so if they enter "yes" (or some variation).
9349 9358
9350 9359 ## Solutions to Selected Problems {-} ## Solutions to Selected Problems {-}
9351 9360
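Review bot: two wording slips in the re-added GUEST text are worth fixing while the lines are being touched: 9342 "one of the guest from the black list" should read "one of the guests", and 9357 "asks the user whenever they want to remove" should be "whether they want to remove". Separately, the sub-steps at 9353-9355 ("Asks the user...", "For each guest, asks their name...", "For each guest name entered, inserts...") are displayed at the same `#.` level as the parent item "Write a snippet that" at 9352; make sure they are indented under it in the source, otherwise Pandoc numbers them as items 2-4 and the "three exercises" promised at 9330 render as five.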
 
... ... Solution to [%D %n (%T)](#problem:Guest_Java)
9360 9369
9361 9370 They both starts with: They both starts with:
9362 9371
9363 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-1-intro}
9364 ```
9372 <!-- Bug, this code should be indented to be in the current environment. -->
9365 9373
9366 Then the solution using batch processing could be:
9374 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-1-intro}
9375 ```
9367 9376
9368 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-1-batch }
9369 ```
9377 Then the solution using batch processing could be:
9370 9378
9371 while the solution using prepared statements could be:
9372
9373 ```{.java}
9374 PreparedStatement ps = conn.prepareStatement("INSERT INTO GUEST VALUES(?, ?, NULL);");
9375 while (counter < guest_total) {
9376 System.out.print("Enter name of guest " + (counter + 1) + ".\n");
9377 guest_name = key.nextLine();
9378 ps.setInt(1, counter);
9379 ps.setString(2, guest_name);
9380 ps.executeUpdate();
9381 counter++;
9382 }
9383 ```
9384
9385 @problem:Guest_Java -- Solution to Q. -.#
9386
9387 We let `SQL` do all the hard work:
9388
9389 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-2}
9390 ```
9391
9392 @problem:Guest_Java -- Solution to Q. -.#
9393
9394 Similarly, we let `SQL` do all the hard work:
9395
9396 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-3}
9397 ```
9379 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-1-batch }
9380 ```
9381
9382 while the solution using prepared statements could be:
9383
9384 ```{.java}
9385 PreparedStatement ps = conn.prepareStatement("INSERT INTO GUEST VALUES(?, ?, NULL);");
9386 while (counter < guest_total) {
9387 System.out.print("Enter name of guest " + (counter + 1) + ".\n");
9388 guest_name = key.nextLine();
9389 ps.setInt(1, counter);
9390 ps.setString(2, guest_name);
9391 ps.executeUpdate();
9392 counter++;
9393 }
9394 ```
9395
9396 @problem:Guest_Java -- Solution to Q. -.#
9397
9398 We let `SQL` do all the hard work:
9399
9400 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-2}
9401 ```
9402
9403 @problem:Guest_Java -- Solution to Q. -.#
9404
9405 Similarly, we let `SQL` do all the hard work:
9406
9407 ```{.java .numberLines dedent=6 .includeLink include=code/java/GuestProgramSolution.java snippet=exercise-3}
9408 ```
9398 9409
9399 9410 # A Bit About Security # A Bit About Security
9400 9411
 
... ... Problem (Insecure Java Programming) +.#insecure_java
9617 9628
9618 9629 Consider the following code: Consider the following code:
9619 9630
9620 ```{.java .numberLines dedent=6 .includeLink include=code/java/InsecureProgram.java snippet=gist}
9621 ```
9622
9623 Assume this software is connecting to a schema in a database hosted at <http://example.com/> using:
9624
9625 ```{.java}
9626 Connection conn = DriverManager.getConnection(
9627 "jdbc:mysql://example.com/:3306/?user=admin&password=admin");
9628 ```
9631 <!-- Bug, this code should be indented to be in the current environment. -->
9629 9632
9630 The schema contains three tables (`DISK`, `BOOK` and `VINYL`), each with `Title` and `Price` attributes.
9631 The compiled version is then shared with customers all around the world.
9632
9633 You can find a program in a compilable state at `code/java/InsecureProgram.java` that connects to localhost, if you want to test it.
9634 9633
9634 ```{.java .numberLines dedent=6 .includeLink include=code/java/InsecureProgram.java snippet=gist}
9635 ```
9635 9636
9636 Question -.#
9637 ~
9638
9639 The authors of this program believe that the top-secret title of the next disk by a secret group will not be accessible to the user of this program because its price is set to `NULL` in the `DISK` table.
9640 Prove them wrong.
9637 Assume this software is connecting to a schema in a database hosted at <http://example.com/> using:
9641 9638
9642 Question -.#
9643 ~
9644
9645 This database application and the whole set-up contains at least three vulnerabilities.
9646 List as many as you can think of, and, when relevant, describe how to fix them.
9639 ```{.java}
9640 Connection conn = DriverManager.getConnection(
9641 "jdbc:mysql://example.com/:3306/?user=admin&password=admin");
9642 ```
9643
9644 The schema contains three tables (`DISK`, `BOOK` and `VINYL`), each with `Title` and `Price` attributes.
9645 The compiled version is then shared with customers all around the world.
9646
9647 You can find a program in a compilable state at `code/java/InsecureProgram.java` that connects to localhost, if you want to test it.
9648
9649
9650 Question -.#
9651 ~
9652
9653 The authors of this program believe that the top-secret title of the next disk by a secret group will not be accessible to the user of this program because its price is set to `NULL` in the `DISK` table.
9654 Prove them wrong.
9655
9656 Question -.#
9657 ~
9658
9659 This database application and the whole set-up contains at least three vulnerabilities.
9660 List as many as you can think of, and, when relevant, describe how to fix them.
9647 9661
9648 9662 ## Solutions to Selected Problems {-} ## Solutions to Selected Problems {-}
9649 9663
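Review bot: the JDBC URL re-added at 9640-9641, `jdbc:mysql://example.com/:3306/?user=admin&password=admin`, puts the port after a slash and names no schema, so it does not match the sentence at 9637 ("connecting to a schema") and will not connect as written; the MySQL Connector/J form is `jdbc:mysql://host:port/schema?...`. The embedded admin credentials are the point of the second question and should stay, but the malformed host:port part is an accidental error that will trip students who take up the invitation at 9647 to test against localhost. Minor: 9659 "This database application and the whole set-up contains" has a compound subject and should be "contain", and 9648-9649 leave a double blank line.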
 
... ... Solution to [%D %n (%T)](#problem:insecure_java)
9652 9666
9653 9667 @problem:insecure_java -- Solution to Q. -.# @problem:insecure_java -- Solution to Q. -.#
9654 9668 ~ ~
9655
9669
9656 9670 This program is vulnerable to `SQL` injection. A user entering "DISK" followed by `0 OR PRICE IS NULL OR PRICE IS NOT NULL` would have access to all the entries, no matter their price tag or lack of one. This program is vulnerable to `SQL` injection. A user entering "DISK" followed by `0 OR PRICE IS NULL OR PRICE IS NOT NULL` would have access to all the entries, no matter their price tag or lack of one.
9657 9671
9658 9672 @problem:insecure_java -- Solution to Q. -.# @problem:insecure_java -- Solution to Q. -.#
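Review bot: this hunk only relocates a blank line (old 9655 deleted, new 9669 added) and is whitespace-only. While this solution is open, note that 9670 names the SQL injection but not the remedy; one sentence pointing at the parameterised `INSERT` with `?` placeholders already shown in the Guest_Java solution (a `PreparedStatement` keeps input such as `0 OR PRICE IS NULL OR PRICE IS NOT NULL` from being parsed as SQL) would give students the fix alongside the flaw.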
 
... ... Problem (ER Diagram from XML File -- Customer) +.#xmltoercustomer
10218 10232 ~ ~
10219 10233
10220 10234 Consider the following `xml` file: Consider the following `xml` file:
10221
10222 ```{.xml .numberLines .includeLink include=code/xml/customers.xml}
10223 ```
10224
10225 Try to draw the ER model that would correspond to the relational implementation of this database.
10226 Justify your choices.
10235
10236 <!-- Bug, this code should be indented to be in the current environment. -->
10237
10238
10239 ```{.xml .numberLines .includeLink include=code/xml/customers.xml}
10240 ```
10241
10242 Try to draw the ER model that would correspond to the relational implementation of this database.
10243 Justify your choices.
10227 10244
10228 10245 --- ---
10229 10246
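Review bot: new lines 10237-10238 leave two consecutive blank lines between the TODO comment and the `xml` fence, whereas every other insertion in this commit uses a single blank line; harmless to Pandoc but inconsistent. Otherwise the hunk is the same delete-and-re-add of identical lines (old 10221-10226 against new 10239-10243) seen in the earlier hunks, and the comment at 10236 still describes the indentation as a bug rather than fixing it.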
 
... ... Problem (ER Diagram from XML File -- Award) +.#xmltoeraward
10231 10248 ~ ~
10232 10249
10233 10250 Find below a mashup of actual data from the National Science Foundation (courtesy of <https://www.nsf.gov/awardsearch/download.jsp>): Find below a mashup of actual data from the National Science Foundation (courtesy of <https://www.nsf.gov/awardsearch/download.jsp>):
10251 <!-- Bug, this code should be indented to be in the current environment. -->
10234 10252
10235 ```{.xml .numberLines .includeLink include=code/xml/NSFAward.xml}
10236 ```
10237
10238 It contains information about one particular award that was awarded to an institution on behalf of two researchers.
10239 Quoting the [National Science Foundation](https://www.nsf.gov/about/research_areas.jsp) (NSF):
10240 10253
10241 > NSF is divided into the following seven directorates that support science and engineering research and education:…. Each is headed by an assistant director and each is further subdivided into divisions like …
10254 ```{.xml .numberLines .includeLink include=code/xml/NSFAward.xml}
10255 ```
10256
10257 It contains information about one particular award that was awarded to an institution on behalf of two researchers.
10258 Quoting the [National Science Foundation](https://www.nsf.gov/about/research_areas.jsp) (NSF):
10259
10260 > NSF is divided into the following seven directorates that support science and engineering research and education:…. Each is headed by an assistant director and each is further subdivided into divisions like …
10242 10261
10243 From this `xml` file and the information given above, draw an ER diagram for NSF's awards.
10244 Do not hesitate to comment on the choices you are making and on what justifies them.
10262 From this `xml` file and the information given above, draw an ER diagram for NSF's awards.
10263 Do not hesitate to comment on the choices you are making and on what justifies them.
10245 10264
10246 10265 ## Solutions to Selected Problems {-} ## Solutions to Selected Problems {-}
10247 10266
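Review bot: the TODO comment at 10251 is placed directly under the paragraph line at 10250 with no blank line before it, unlike the other seven insertions in this commit; Pandoc will read it as raw inline HTML continuing that paragraph rather than as a standalone block, so add a blank line above it. The block quote re-added at 10260 ends "education:…. Each" with an ellipsis followed by a full stop; that is unchanged by this hunk, but since the line is being rewritten anyway it is a cheap fix.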
Hints:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/caubert/CSCI_3410

Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/caubert/CSCI_3410

Clone this repository using git:
git clone git://git.rocketgit.com/user/caubert/CSCI_3410

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main