
Database Security for Electronics Ltd - Case Study Example

Summary
This case study, "Database Security for Electronics Ltd", discusses a database as a collection of information organized so that it can be easily accessed, managed and updated. Databases are stored on database servers, which are the most significant servers in every company…

Extract of sample "Database Security for Electronics Ltd"

PART A

Database Security for Electronics Ltd

Introduction

A database is a collection of information organized so that it can be easily accessed, managed and updated. Databases are stored on database servers, which are the most significant servers in every company. In an organization, databases store clients' details, financial information, human resources details and all other data that may be of significance to the company. All data stored in the database should be properly secured. Database security is the process of protecting the files stored in the database from any malicious attempt to view or modify the data (Ramakrishnan & Gehrke, 2003, p 157). The standard language used for making interactive queries against, and updating, databases such as Microsoft SQL Server is known as Structured Query Language (SQL). This paper analyzes the potential issues that arise from having a database server online.

Security in software applications is very significant in every organization that has databases. An SQL injection attack is one of the identified potential issues that might arise from having databases online. An SQL injection attack is a type of attack that comes from user input that is not properly checked for validity. It enables external users to view information from the database. In a well-designed system, this will include only information that is available to the public, while in a poorly designed system it would allow external users to discover other people's passwords (Basta & Zgola, 2012, p 167). The objective of an SQL injection attack is to fool a database system into running malicious code that will reveal sensitive data or compromise the whole server.

SQL injection attacks are of two types: first-order attacks and second-order attacks. A first-order attack happens when the attacker attempts to receive the desired result immediately, either by direct response from the application being interacted with or by some other response mechanism, for example email. A second-order attack takes place when the attacker injects data that will reside in the database, although the payload is not activated immediately. Websites are commonly used to mount the attack on the database (Cherry, 2011, pg 201). For example, the statement below is a typical SQL statement that can be used to mount an attack on the website.

    SELECT ProductName, UnitPrice, QuantityPerUnit
    FROM Products
    WHERE ProductName LIKE 'F%'

The above SQL statement selects the product name, the unit price and the quantity per unit from the Products table, where ProductName must start with the letter F (ProductName LIKE 'F%'). The main aim of attackers is to inject their own SQL into a statement that the application uses when querying the database. If the above query was generated from the website, the user must have entered the letter 'F' as the search text. However, if server-side code inserts user input directly into an SQL statement, the statement may look like this, and it is fine only if the input is valid.

    // User input (search.Text) is concatenated directly into the statement text.
    String sql = "SELECT ProductName, UnitPrice, QuantityPerUnit " +
                 "FROM Products " +
                 "WHERE ProductName LIKE '" + search.Text + "%'";

SQL injection attack damages

SQL injection attacks have been somewhat limited in terms of the risks associated with unintended disclosure of data.
Today SQL injection has evolved and has become the preferred method used by hackers to breach well-liked websites. It has also inserted malware into websites. SQL injection may alternatively be used in tandem with other exploits in order to manipulate how data is displayed to a website's visitors. An SQL injection attack can also do damage through other vulnerabilities and obtain database access, with SQL providing an interface that facilitates access to, and interaction with, the database (Bai & Liu, 2010, pg 182). The SQL injection attack method damages the database by exploiting the web application, injecting malicious queries and thereby causing data manipulation. There are other threats posed by SQL injection attacks, and they seem not to be solitary.

How to avoid SQL Injection

To avoid an SQL injection attack, one should first filter out characters such as single quotes, backslashes, semicolons and double quotes, and extended characters such as NULL and newline, from all strings input by users. Alternatively, one can avoid SQL injection by taking significant precautions such as data sanitization and validation. Sanitization is the process of passing submitted data through a function to ensure that no dangerous characters are passed to the SQL query in the data (Shahriar, 2009, p 147). Validation is somewhat different, in that it tries to ensure that the submitted data is in the expected form. This may include ensuring that e-mail addresses contain an "@" sign. Validation is normally carried out in two ways: by blacklisting dangerous or unwanted characters, and by whitelisting only those characters that are allowed in the given circumstances.
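
The concatenated statement from the essay beside a bound-parameter version with white-list validation, as an added example that is not part of the original essay. It uses Python's sqlite3 in place of the essay's SQL Server; the sample rows, the search text, the white-list policy and the function names are constructed for illustration, and parameter binding is a technique the essay does not name.

```python
import re
import sqlite3

# Constructed sample rows; an in-memory SQLite table stands in for the essay's Products table.
ROWS = [("Chai", 18.0, "10 boxes"), ("Filo Mix", 7.0, "16 boxes"),
        ("Flotemysost", 21.5, "10 pkgs")]
QUERY = ("SELECT ProductName, UnitPrice, QuantityPerUnit FROM Products "
         "WHERE ProductName LIKE ")
# Constructed search text containing a single quote, the first character the essay says to filter.
CONSTRUCTED_INPUT = "x' OR 'a' LIKE 'a"
# White-list for validation: letters, digits and spaces only (an assumed policy).
ALLOWED = re.compile(r"[A-Za-z0-9 ]{1,30}")


def make_db():
    """Create the in-memory table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products "
               "(ProductName TEXT, UnitPrice REAL, QuantityPerUnit TEXT)")
    db.executemany("INSERT INTO Products VALUES (?, ?, ?)", ROWS)
    return db


def search_concatenated(db, text):
    """The essay's pattern: user input is pasted into the statement text."""
    sql = QUERY + "'" + text + "%' ORDER BY ProductName"
    return [row[0] for row in db.execute(sql)]


def search_bound(db, text):
    """Same query with the input bound as a parameter, so it is only ever data."""
    sql = QUERY + "? ORDER BY ProductName"
    return [row[0] for row in db.execute(sql, (text + "%",))]


def search_validated(db, text):
    """White-list validation first, then the bound query."""
    if not ALLOWED.fullmatch(text):
        raise ValueError("search text has characters outside the white-list")
    return search_bound(db, text)


if __name__ == "__main__":
    db = make_db()
    print(search_concatenated(db, "F"))                # intended use: names starting with F
    print(search_concatenated(db, CONSTRUCTED_INPUT))  # the quote rewrites the WHERE clause
    print(search_bound(db, CONSTRUCTED_INPUT))         # treated as a literal prefix
    try:
        search_validated(db, CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

The white-list also excludes the LIKE wildcards % and _, which a bound parameter would otherwise still interpret as pattern characters.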

Database security

Database security is the set of activities aimed at protecting the whole database in a given organization. The database can be protected from intrusion, which refers to authenticated misuse, malicious attacks and inadvertent mistakes made by authorized persons. Database security is very important since networks are highly vulnerable to attack, owing to the increased number of vulnerabilities that may be exploited to gain access to the database.

Ways of protecting the database

Advanced security by means of database encryption is very significant; hence it is required in every sector and is increasingly needed to comply with regulatory mandates. Some public-sector bodies use database encryption to protect the privacy of citizens and national security. Many organizations today are very concerned about management, which has been a very big challenge in database encryption.

PART B

Create table customer

CREATE TABLE is the keyword that tells the database system what is to be done. When creating a table, the unique name or identifier has to follow the CREATE TABLE statement. In brackets comes the list that defines each column in the table and its data type. The syntax of the CREATE TABLE statement is:

    CREATE TABLE table_name (
        column1 datatype,
        column2 datatype,
        column3 datatype,
        .....
        columnN datatype,
        PRIMARY KEY (one or more columns)
    );

The CREATE TABLE statement for the customers table is:

    CREATE TABLE customers (
        customer_id   number(10)    NOT NULL,
        customer_name varchar2(50)  NOT NULL,
        address       varchar2(50),
        city          varchar2(50),
        state         varchar2(25),
        zip_code      varchar2(10),
        CONSTRAINT customers_pk PRIMARY KEY (customer_id)
    );

Create Table Product

When creating a table, the unique name or identifier has to follow the CREATE TABLE statement.
The syntax of the CREATE TABLE statement is:

    CREATE TABLE table_name (
        column1 datatype,
        column2 datatype,
        column3 datatype,
        .....
        columnN datatype,
        PRIMARY KEY (one or more columns)
    );

The CREATE TABLE statement for the product table is:

    CREATE TABLE products (
        Product_ID   INT(10) AUTO_INCREMENT PRIMARY KEY,
        Product_name VARCHAR(50)
    ) ENGINE=InnoDB;

Create Table Order

The CREATE TABLE statement for the order table is:

    -- ORDER is a reserved word, so the table name is quoted with backticks.
    CREATE TABLE `order` (
        Order_ID       INT(10) AUTO_INCREMENT PRIMARY KEY,
        Customer_ID    INT(10),
        Product_ID     INT(10),
        Quantity       INT(5),
        Date_Ordered   DATE,
        Date_Delivered DATE
    ) ENGINE = InnoDB;

Altering Tables

There are many occasions that may lead to altering tables in the database; for example, if one wishes to change the structure of a table, the table has to be altered. The syntax is:

    ALTER TABLE "table_name" [alter specification]

The alter specification depends on the type of alteration that one wishes to perform.

    ALTER TABLE `Order` ADD FOREIGN KEY (Customer_ID) REFERENCES Customer (Customer_ID);

In this case, the order table is being altered by adding a foreign key, Customer_ID, to the order table.

Solution

    ALTER TABLE `Order` ADD (Customer_ID INT(10));

    ALTER TABLE `Order` ADD FOREIGN KEY (Product_ID) REFERENCES Product (Product_ID);

In this case, the order table is being altered by adding a foreign key, Product_ID, to the order table.

Solution

    ALTER TABLE `Order` ADD (Product_ID INT(10));

Inserting into Customers Values

The INSERT INTO statement is normally used to add new records, as well as information, to a database table. Its syntax is:

    INSERT INTO table_name VALUES (value1, value2, value3...)

    INSERT INTO Customer VALUES ('','Joe Bloggs','20 Green Avenue, Treforest, RCT, CF37 1DL', 'Bloggger1');

In this case, the new customer's details are being added to the customer table. When adding a new customer to the table, certain criteria should be followed.
For example, FirstName should come first, followed by LastName, then age, address, city and lastly state.

Solution

    INSERT INTO "Customer" (First, last, age, address, city, state)
    VALUES ('Joe', 'Bloggs', 20, 'CF37 1DL Blogger', 'Treforest', 'Green Avenue');

    INSERT INTO Customer Values ("", "Kate Sykes", "36 Davids Lane STUNTS GREEN BN27 7NF", "password1");

In this case, the customer named Kate Sykes will be added to the customer table, where the order followed is the name of the new customer, followed by the address and then the password.

Solution

    INSERT INTO "Customer" (First, last, address, password)
    VALUES ('Kate', 'Sykes', '36 Davids Lane STUNTS GREEN BN27 7NF', 'password 1');

    INSERT INTO Customer Values ("", "Alice Barry", "30 Hertingfordbury Rd NEWHOUSE ML1 7TQ", "password2");

Solution

    INSERT INTO "Customer" (First, last, address, password)
    VALUES ('Alice', 'Barry', '30 Hertingfordbury Rd NEWHOUSE ML1 7TQ 7NF', 'password 2');

    INSERT INTO Customer Values ("", "Jade Little", "18 Scotsburn Rd TALLINGTON PE9 7UR", "password3");

Solution

    INSERT INTO "Customer" (First, last, address, password)
    VALUES ('Jade', 'Little', 'Scotsburn Rd TALLINGTON PE9 7UR', 'password 3');

    INSERT INTO Customer Values ("", "Jack Porter", "93 Essex Rd TANKERSLEY S75 2EP", "password4");

Solution

    INSERT INTO "Customer" (First, last, address, password)
    VALUES ('Jack', 'Porter', '93 Essex Rd TANKERSLEY S75 2EP 7UR', 'password 4');

    INSERT INTO Customer Values ("", "Eleanor Hussain", "73 Wrexham Rd EYAM S30 9BT", "password5");

Solution

    INSERT INTO "Customer" (First, last, address, password)
    VALUES ('Eleanor', 'Hussain', '73 Wrexham Rd EYAM S30 9BT', 'password 3');

Inserting into products

    INSERT INTO Product VALUES ('','Charles Dickens');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'Charles Dickens');

    INSERT INTO Product VALUES ('','USB Stick');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'USB Stick');

    INSERT INTO Product VALUES ('','Apple iphone 4S');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'Apple iphone 4S');

    INSERT INTO Product VALUES ('','Alienware Laptop');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'Alienware Laptop');

    INSERT INTO Product VALUES ('','Computer Mouse');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'Computer Mouse');

    INSERT INTO Product VALUES ('','The Thesaurus');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'The Thesaurus');

    INSERT INTO Product VALUES ('','Websters Dictionary');

Solution

    INSERT INTO "Product" (Product_ID, Product_name) VALUES ('', 'Websters Dictionary');

Conclusion

In conclusion, databases are very important to organizations, which are able to store information that is not displayed to or accessed by the public. The security of some files in the organization should be considered. Authentication and authorization of users should be enforced, so that only authorized and authenticated members are allowed access to the organization's files. SQL injection attacks, in turn, should be strictly avoided.

List of References

Afyouni, H. A. (2006). Database security and auditing: protecting data integrity and accessibility. London: Thomson/Course Technology.
Bai, K., & Liu, P. (2010). Damage management in database management systems. London: Pennsylvania State University.
Basta, A., & Zgola, M. (2012). Database security. London: Course Technology/Cengage Learning.
Cherry, D. (2011). Securing SQL server: protecting your database from attackers. London: Syngress.
Ferraggine, V. E., Doorn, J. H., & Rivero, L. C. (2009). Handbook of research on innovations in database technologies and applications: current and future trends. London: IGI Global (701 E. Chocolate Avenue, Hershey, Pennsylvania, 17033, USA).
Herrero, L., & Corchado, E. (2010). Computational Intelligence in Security for Information Systems 2010. London: Springer.
MacWhinney, B. (2000). The database (3. ed.). London: Lawrence Erlbaum.
Ramakrishnan, R., & Gehrke, J. (2003). Database management systems (3rd ed.). New York: McGraw-Hill.
Shahriar, H. (2009). Mutation-based testing of buffer overflows, SQL injections, and format string bugs. New York: Library and Archives Canada = Bibliothèque et Archives Canada.