Security
• Data Control Language (DCL)
• Data is a valuable resource
• Access should be controlled
• SQL security procedures
– CREATE VIEW
– Authorization commands
Authorization
• Based on the privilege concept
• You cannot execute an operation without the appropriate privilege
• DBA has all privileges
GRANT
• Defines a user's privileges
GRANT privileges ON object TO users
[WITH GRANT OPTION];
• An object is a base table or view
• The keyword privileges can be ALL PRIVILEGES or chosen from
– SELECT
– UPDATE
– DELETE
– INSERT
• Privileges can be granted to everybody using the keyword PUBLIC or to selected users by specifying their user identifier
GRANT
• The UPDATE privilege can specify particular columns in a base table or view
• WITH GRANT OPTION
– Permits a user to pass privileges to another user
Using GRANT
• Give Alice all rights to the STOCK table.
GRANT ALL PRIVILEGES ON stock TO alice;
• Permit the accounting staff, Todd and Nancy, to update the price of a stock.
GRANT UPDATE (stkprice) ON stock TO todd, nancy;
• Give all staff the privilege to select rows from ITEM.
GRANT SELECT ON item TO PUBLIC;
• Give Alice all rights to view STK.
GRANT SELECT, UPDATE, DELETE, INSERT ON stk
TO alice;
REVOKE
• Removes privileges
• Format
REVOKE privileges ON object FROM users;
• Cascading REVOKE
– Reverses use of the WITH GRANT OPTION
– When a user's privileges are revoked, the privileges of all users who obtained them from that user through WITH GRANT OPTION are also revoked
Using REVOKE
• Remove Sophie's ability to select from ITEM.
REVOKE SELECT ON item FROM sophie;
• Nancy is no longer permitted to update stock prices.
REVOKE UPDATE ON stock FROM nancy;
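Putting the GRANT and REVOKE slides together, here is an added example (not from the original slides) of the least-privilege pattern they describe: expose only the columns staff need through a view, grant on the view rather than the base table, use column-level UPDATE, and undo a delegated grant with a cascading revoke. It assumes SQL Server (T-SQL) syntax, the stock columns stkcode, stkprice and stkqty from the slides, an assumed confidential column stkcost, and the users alice, todd and bob (bob is assumed).

```sql
-- Assumed schema: stock(stkcode, stkprice, stkqty, stkcost); stkcost is the
-- column general staff must not see.  Example code, not from the slides.

-- 1. A view that omits the sensitive column. CREATE VIEW must be the only
--    statement in its batch in SQL Server, hence the GO separator.
CREATE VIEW stock_public AS
    SELECT stkcode, stkprice, stkqty
    FROM stock;
GO

-- Everyone may read the safe columns through the view, not the base table.
GRANT SELECT ON stock_public TO PUBLIC;

-- 2. Column-level UPDATE: todd may change the price and nothing else.
GRANT UPDATE (stkprice) ON stock TO todd;

-- 3. Delegation: alice may read stock and pass that right on to others.
GRANT SELECT ON stock TO alice WITH GRANT OPTION;
-- (alice, acting on her own, later runs:  GRANT SELECT ON stock TO bob;)

-- 4. Cascading revoke: CASCADE is required because the privilege was given
--    WITH GRANT OPTION; it removes alice's right AND the grant she made to bob.
REVOKE SELECT ON stock FROM alice CASCADE;

-- 5. Tightening without breaking reads: todd keeps the view, loses the update.
REVOKE UPDATE (stkprice) ON stock FROM todd;
```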
The catalog
• A relational database containing definitions of base tables, views, etc.
• Also known as data dictionary or metadata
• Can be interrogated using SQL
• Called system tables rather than base tables
• Key tables are
– sysobjects
– syscolumns
– systypes
– sysindexes
– sysusers
Interrogating the catalog
• Find how many columns belong to each table:
SELECT sysobjects.name 'Table', COUNT(syscolumns.name) 'Number of Columns'
FROM sysobjects, syscolumns
WHERE sysobjects.id = syscolumns.id
GROUP BY sysobjects.name;
• What columns in what tables store dates?
SELECT sysobjects.name 'Table', syscolumns.name 'Column'
FROM sysobjects, syscolumns, systypes
WHERE sysobjects.id = syscolumns.id
AND syscolumns.xtype = systypes.xtype
AND systypes.name = 'datetime';
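The catalog is also where an administrator verifies that the GRANT and REVOKE statements from the earlier slides had the intended effect. This added example (not from the slides) uses the standard INFORMATION_SCHEMA views, which SQL Server provides alongside the sys* tables shown above; run it as the DBA, since these views only report privileges granted to or by the current user.

```sql
-- Added example: audit who holds which privileges.  Table and user names
-- (stock, todd, public, dbo) follow the slides; nothing else is assumed.

-- Every table-level privilege: who has it, who granted it, and whether the
-- grantee may pass it on (IS_GRANTABLE = 'YES' means WITH GRANT OPTION).
SELECT TABLE_NAME, GRANTEE, PRIVILEGE_TYPE, GRANTOR, IS_GRANTABLE
FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
ORDER BY TABLE_NAME, GRANTEE;

-- Column-level grants, e.g. the earlier GRANT UPDATE (stkprice) ON stock TO todd.
SELECT TABLE_NAME, COLUMN_NAME, GRANTEE, PRIVILEGE_TYPE
FROM INFORMATION_SCHEMA.COLUMN_PRIVILEGES
WHERE TABLE_NAME = 'stock'
ORDER BY COLUMN_NAME, GRANTEE;

-- Anything granted to PUBLIC applies to every user; review this list first.
SELECT TABLE_NAME, PRIVILEGE_TYPE
FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
WHERE GRANTEE = 'public';

-- Base tables (not views) readable by someone other than the owner: these are
-- candidates for replacing direct access with a view or a stored procedure.
SELECT DISTINCT p.TABLE_NAME, p.GRANTEE
FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES AS p
JOIN INFORMATION_SCHEMA.TABLES AS t
  ON t.TABLE_NAME = p.TABLE_NAME
 AND t.TABLE_SCHEMA = p.TABLE_SCHEMA
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND p.PRIVILEGE_TYPE = 'SELECT'
  AND p.GRANTEE <> 'dbo';
```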
SQL Routines
• SQL code that is stored in the database
• Provide a controlled interface to data
• Procedure
– Performs some processing of data
• Function
– Similar to a procedure, but returns a value
– Can be called in a SQL statement
• Trigger
– Code that is invoked automatically by a DML statement
FUNCTIONS
• Take parameter values and return a value
• Database has built-in system functions
• We have already used some system functions:
– COUNT takes a column and returns the count
– SELECT COUNT(*) FROM emp;
• Aggregate functions
– Operate on a collection of values, return a single value
• Scalar functions
– Operate on a single value, return a single value
• Rowset functions
– Return sets of rows that can be used as tables
SYSTEM FUNCTIONS
Aggregate   Scalar
AVG         GETDATE
COUNT       SUBSTRING
MAX         UPPER
MIN         LOWER
SUM         SQUARE
            ROUND
            SIN
Calling functions
• Called from within a SELECT statement
• Parameters enclosed in parentheses
SELECT SUBSTRING(empfname, 1, 3) FROM emp;
• If there are no parameters, use empty parentheses
SELECT getdate();
2003-11-16 10:00:48.967
Creating functions
CREATE FUNCTION function_name (@param1_name param1_data_type,
                               @param2_name param2_data_type,
                               …)
RETURNS return_data_type
AS
BEGIN
    function_body
    RETURN scalar_expression
END
CREATE FUNCTION Example
CREATE FUNCTION comp_discount (@price money, @discount_pct int)
RETURNS money
AS
BEGIN
    DECLARE @new_price money
    SET @new_price = (@price - (@discount_pct / 100.0) * @price)
    RETURN (@new_price)
END

SELECT dbo.comp_discount(5.95, 20)
4.7600
PROCEDURES
• Take input parameters and perform processing
• No return value
• Called with the EXECUTE (EXEC) command
• System built-in stored procedures
– Names begin with sp_
• We have already seen a system stored procedure:
EXEC sp_password null, 'abc123'
Some Other System Stored Procedures
• sp_columns
– Lists columns for a table
– EXEC sp_columns 'item'
• sp_addlogin
– Adds a new user to the database
– EXEC sp_addlogin 'testusr', 'passwd', 'dbname'
• sp_who
– Lists database users and processes
– EXEC sp_who
CREATE PROCEDURE
CREATE PROCEDURE procedure_name @parameter1_name parameter1_data_type,
                                @parameter2_name parameter2_data_type,
                                …
AS
BEGIN
    procedure_body
END
CREATE PROCEDURE Example
CREATE PROCEDURE NewSale
@saledate datetime,
@saletext char(50)
AS
BEGIN
INSERT INTO sale
VALUES (dbo.next_saleno(), @saledate, @saletext)
END
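The slides introduce routines as "a controlled interface to data"; this added example (not from the original slides) extends the NewSale procedure above to show what that means in practice: the procedure validates its inputs, and callers are granted EXECUTE on it instead of INSERT on the table. It assumes SQL Server (T-SQL), a sale(saleno, saledate, saletext) table and the dbo.next_saleno() function implied by the slide, and an assumed user named clerk.

```sql
-- Added example: hardened NewSale plus the grants that make it the only
-- write path.  Assumed: sale(saleno, saledate, saletext), dbo.next_saleno(),
-- user 'clerk'.
CREATE PROCEDURE dbo.NewSale
    @saledate datetime,
    @saletext char(50)
AS
BEGIN
    SET NOCOUNT ON;

    -- Validate before touching the table: no NULL or future-dated sales.
    IF @saledate IS NULL OR @saledate > GETDATE()
    BEGIN
        RAISERROR('Sale date must be supplied and must not be in the future.', 16, 1);
        RETURN 1;   -- RETURN carries only an integer status, not a data value
    END;

    IF @saletext IS NULL OR LTRIM(RTRIM(@saletext)) = ''
    BEGIN
        RAISERROR('Sale text is required.', 16, 1);
        RETURN 1;
    END;

    -- Name the columns explicitly so a later change to the table cannot
    -- silently shift which value lands in which column.
    INSERT INTO sale (saleno, saledate, saletext)
    VALUES (dbo.next_saleno(), @saledate, @saletext);

    RETURN 0;
END;
GO

-- The clerk gets the procedure, not the table.  Because dbo owns both the
-- procedure and the table, the ownership chain lets the procedure insert
-- even though clerk has no INSERT privilege on sale.
GRANT EXECUTE ON dbo.NewSale TO clerk;
REVOKE INSERT ON sale FROM clerk;      -- remove any earlier direct grant

-- Usage, as clerk:
EXEC dbo.NewSale '2003-11-16', 'Walk-in cash sale';
```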
Triggers
• Procedure that is automatically run when a DML statement is executed
– INSERT
– UPDATE
– DELETE
• Defined on a single table
• Triggers can fire before or after the SQL statement
• Triggers can modify data but cannot call other triggers
• Access to data being modified is through the virtual tables 'inserted' and 'deleted'
CREATE TRIGGER
CREATE TRIGGER trigger_name
ON table_name
FOR | INSTEAD OF INSERT, UPDATE, DELETE
AS
BEGIN
    trigger_body
END
CREATE TRIGGER Example
• Trigger to audit change on stock table:
CREATE TRIGGER stock_update ON stock
AFTER UPDATE
AS
BEGIN
    -- AFTER rather than INSTEAD OF: an INSTEAD OF trigger replaces the UPDATE,
    -- so the stock row itself would never change and the log would record a
    -- "new" price that was never applied.
    -- Join deleted to inserted on the key so a multi-row UPDATE logs one row
    -- per changed stock instead of a cross product.
    INSERT INTO stock_log (stkcode, date_changed, old_stkprice, new_stkprice,
                           old_stkqty, new_stkqty)
    SELECT deleted.stkcode, getdate(), deleted.stkprice, inserted.stkprice,
           deleted.stkqty, inserted.stkqty
    FROM deleted
    JOIN inserted ON inserted.stkcode = deleted.stkcode
END