|
1 | | -# Lesson 3: Database design, normal forms, SQL injection |
| 1 | +to start the server: |
| 2 | +using Node.js, start the server: node server.js |
2 | 3 |
|
3 | | -Objective: This class invites students to discuss Entity Relationship Diagram (ERD). |
4 | | -Students should be able to explain their choices of entities, relationships, attributes etc. |
5 | | -SQL injection should be explained with a demonstration (with a simple JS client). |
6 | | -Concepts of database transaction, ACID properties, normal forms should be introduced with |
7 | | -examples / live coding (creating a transaction, committing and rollback-ing). |
| 4 | +Go to home page on localhost: |
| 5 | +http://localhost:8080 |
8 | 6 |
|
9 | | -## Pre-Class Readings |
| 7 | +to show all of your todo list: |
| 8 | +http://localhost:8080/todos |
10 | 9 |
|
11 | | -Before arriving to class on Sunday, please watch all of the videos in [this video playlist](https://www.lynda.com/SharedPlaylist/ae29ea2f495c432793abc220da47baa6) on Lynda. |
| 10 | +to search your list using id: |
| 11 | +http://localhost:8080/todo/*id number* |
12 | 12 |
|
13 | | -Also, please read the following page that explains database foreign keys. |
14 | | -- [What is a Database Foreign Key](http://databases.about.com/cs/specificproducts/g/foreignkey.htm) |
15 | | - |
16 | | -## Topics to be covered |
17 | | - |
18 | | -### Entity Relationship Diagrams |
19 | | - - Associative entities from many-to-many relationships |
20 | | - - Boolean attribute instead of a table |
21 | | - |
22 | | -### Normalization |
23 | | -Database Design following normal forms as a convention. |
24 | | -These normal forms build incrementally. |
25 | | -E.g. The database is in 3NF if it is already in 2NF and satisfied the |
26 | | -rules for 3rd normal form. Read [here] (https://www.studytonight.com/dbms/database-normalization.php) for more details. |
27 | | - |
28 | | -#### 1NF (4 rules) |
29 | | -* Rule 1 : Single valued attributes (each column should have atomic value, no multiple values) |
30 | | -* Rule 2 : Attribute domain should not change |
31 | | -* Rule 3 : Unique names for attributes / columns |
32 | | -* Rule 4 : Order does not matter |
33 | | -#### 2NF |
34 | | -No partial dependency. (i.e. no field should depend on part of the primary key) |
35 | | -Example |
36 | | -``` |
37 | | -Score table (student_ID, subject_ID, score, teacher) |
38 | | -Subject table (subject_ID, subject Name) |
39 | | -``` |
40 | | -#### 3NF |
41 | | -No transitive dependency (i.e. no field should depend on non-key attributes). |
42 | | - |
43 | | -#### Boyce Codd Normal Form (3.5 NF) |
44 | | -for any dependency A → B, A should be a super key. |
45 | | - |
46 | | -#### 4NF |
47 | | -No multi-value dependency. |
48 | | - |
49 | | -### Complicated values to store in MySQL |
50 | | - - Storing prices (floating point errors) |
51 | | - - Storing dates (datetime vs. timestamp) |
52 | | - - datetime : fixed value (joining date of employee): has a calendar date and a wall clock time |
53 | | - - timestamp : unix timestamp, seconds elapsed from 1 Jan 1970 00:00 in UTC (takes timezone into consideration) |
54 | | - |
55 | | -### Database transactions |
56 | | -- A transaction is a set of commands that you want to treat as "one command." It has to either happen in full or not at all. |
57 | | - |
58 | | -- A classical example is transferring money from one bank account to another. To do that you have first to withdraw the amount from the source account, and then deposit it to the destination account. The operation has to succeed in full. If you stop halfway, the money will be lost, and that is Very Bad. |
59 | | - |
60 | | -### ACID properties |
61 | | - |
62 | | -- **Atomicity** : states that database modifications must follow an “all or nothing” rule. |
63 | | -Each transaction is said to be “atomic.” |
64 | | -If one part of the transaction fails, the entire transaction fails. |
65 | | -- **Consistency** : states that only valid data will be written to the database. If, for some reason, a transaction is executed that violates the database’s consistency rules, the entire transaction will be rolled back, and the database will be restored to a state consistent with those rules. |
66 | | -- **Isolation** : requires that multiple transactions occurring at the same time not impact each other’s execution. |
67 | | -- **Dependency** : ensures that any transaction committed to the database will not be lost. Durability is ensured through the use of database backups and transaction logs that facilitate the restoration of committed transactions in spite of any subsequent software or hardware failures. |
68 | | - |
69 | | -### SQL injection |
70 | | - |
71 | | -Some SQL clients accept input from user to fabricate the queries. |
72 | | -A malicious user can tweak the input so as to acquire more information from the database or |
73 | | -to destroy the database (literally!). Demo program `sql-injection.js` is in the `Week3` folder. |
74 | | - |
75 | | -Consider the following query `SELECT name, salary FROM employees where id = X`. |
76 | | - |
77 | | -#### Injection to get more information |
78 | | -``` |
79 | | -If X is `101 OR 1=1`, then the query returns all records because 1=1 is always true |
80 | | -SELECT name, salary FROM employees where id = 101 OR 1=1; |
81 | | -``` |
82 | | - |
83 | | -#### Injection to destroy the database |
84 | | -``` |
85 | | -If X is `101; DROP database mydb`, then the query will delete the entire database |
86 | | -SELECT name, salary FROM employees where id = 101; DROP database mydb; |
87 | | -``` |
88 | | -mysqljs prevents the second injection by not allowing multiple SQL statements |
89 | | -to be executed at once. |
90 | | - |
91 | | -### Understanding the asynchronous nature of database queries |
92 | | -Jim (@remarcmij) wrote these [excellent demo programs](https://github.com/remarcmij/database_examples) |
93 | | -for better understanding. Do check them out. |
94 | | - |
95 | | -## Reference Material |
96 | | - |
97 | | -- [Floating Point Inaccuracy](http://stackoverflow.com/questions/2100490/floating-point-inaccuracy-examples#2100502) |
98 | | -- [Example Entity Relationship Diagram (including associative entities)](http://users.csc.calpoly.edu/~jdalbey/308/Lectures/HOWTO-ERD.html) |
99 | | -- Scaffolding tools: |
100 | | - - [Yeoman](http://yeoman.io) - General framework for creating and scaffolding all types of projects |
101 | | - - [Sails](http://sails.js) - Lightweight framework for generating APIs and web server apps in Node |
102 | | - - [Loopback](http://loopback.io/) - A more "enterprise-ready" framework for generating and managing APIs. |
| 13 | +To search for an item by a keyword: |
| 14 | +in the url type: |
| 15 | +http://localhost:8080/todos/search/*keyword* |
0 commit comments