10. Model to SQL schema
Data Definition Language
Why use data definition language?
Multiple database designers modifying DDL
Version Control
Build the database script from scratch (for unit testing)
Examples
Create table
Alter table
Drop table
Create/drop view
15. SQL Security
Secure Configuration
Authentication
login/password
Authorization
What you can access after you log in
Data Encryption
Protecting sensitive data from internal and external hackers
16. SQL Security - Secure Configuration
Physically secure the server behind firewall
Enable only the minimum network protocols required
Use Windows Update to apply patches
Surface Area Configuration - turn off default SQL features
CLR Integration
Database mirroring
Debugging
Service broker
E-Mail functions
17. SQL Security - Authentication
Use simple connection strings containing user names and passwords during development
Create SQL user for test-user (shows password in web.config & app.config)
Use Windows authentication in production for more security
SQL 2008 uses encryption of the channel by default (avoid data sniffing)
Windows Group Policy
password complexity
password history
password age expiration
lockout after failed attempts
18. SQL Security - Authorization
After authentication, what can you access?
Depends on your roles (owner, admin, operator, reader, etc.)
Principal
Any individual, group, or process that can request access to a protected resource
Securable
An object that you can secure by granting or denying permissions
19. SQL Security - Principal
Windows-level principals
Domain, local, group
SQL Server-level principals
SQL login
login mapped to a Windows login
login mapped to a certificate
login mapped to an asymmetric key
Database-level principals
Database user
user mapped to SQL Server login
user mapped to Windows login, certificate, asymmetric key
Database role
Application role
etc...
21. SQL Security – Dynamic SQL
Execute(@sql)
@sql is a dynamically generated SQL statement
@sql = 'select * from course where name = ''' + @search + ''''
Open to SQL injection attack
@search = 'cse''; delete from users'
Use sp_executesql (@sql, @search_text)
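The slide's two approaches side by side, as an added T-SQL example that is not part of the original deck. The temp table #course, its id column, the NVARCHAR sizes and the sample rows are assumptions constructed for the demonstration; the concatenated statement is only printed, never executed.

```sql
-- Added example for SQL Server (T-SQL); rows below are constructed sample data.
SET NOCOUNT ON;
CREATE TABLE #course (id INT PRIMARY KEY, name NVARCHAR(50) NOT NULL);
INSERT INTO #course (id, name) VALUES (1, N'cse'), (2, N'math');

-- The @search value from the slide, as a T-SQL literal ('' is one quote character).
DECLARE @search NVARCHAR(100) = N'cse''; delete from users';
DECLARE @sql    NVARCHAR(400);

-- 1) Concatenation, as in Execute(@sql). PRINT is used instead of EXEC so the
--    statement text can be inspected: the quote inside @search closes the
--    string literal early and the rest is parsed as SQL, not as a course name.
SET @sql = N'select * from #course where name = ''' + @search + N'''';
PRINT @sql;

-- 2) sp_executesql: the statement text is constant and holds only a parameter
--    marker. The search value travels separately as a typed parameter and is
--    compared with name as data, whatever characters it contains.
SET @sql = N'select id, name from #course where name = @search_text';

EXEC sys.sp_executesql
     @sql,
     N'@search_text NVARCHAR(100)',  -- parameter definition list
     @search_text = @search;         -- hostile value: matches no row, runs nothing else

EXEC sys.sp_executesql
     @sql,
     N'@search_text NVARCHAR(100)',
     @search_text = N'cse';          -- ordinary value: returns the single 'cse' row

DROP TABLE #course;
```

sp_executesql only helps when the value is bound as a parameter; building the statement text by concatenation and then passing it to sp_executesql is as exposed as Execute(@sql).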
22. SQL Security – Encryption
Built-in SQL encryption methods:
EncryptByPassPhrase(), DecryptByPassPhrase()
EncryptByCertificate(), DecryptByCertificate()
Encryption side-effects:
Storage (encrypted values are larger)
Performance
Create Index on encrypted data
Create Index on hash value
23. Review question
Difference between db logical design and physical design?
Difference between deny vs revoke?
Can you think of a generalization scenario for your project?
How many entities will you have in your db design?
Can you identify where you would need indexes in your db?
What db objects would you want to provide more security for in your db design?
25. Enterprise DB – availability & load
Availability = (Total Units of Time – Downtime) / Total Units of Time
8,760 hours (365 days × 24 hours) in a calendar year
100 hours of downtime during the year
(8,760 – 100) / 8,760 = 98.9% uptime
Fail-over
When one db fails, another becomes active
DB Load Balance
Distribute data across different servers (multiple active databases)
37. DB for Continuous Integration
Database needs to be built locally
For individual C# developers coding locally
For running unit tests locally
Database code needs to be in source control (version control)
Nightly builds on the server
Solution:
Database Solution in VS 2010 (cse 136)
Database build script (*.sql)
Command shell (CreateDB.cmd)
38. Review question
Difference between fail-over and load balance?
What are the pros and cons of clustering?
In what scenario would you recommend log shipping instead of mirroring?
In what scenario would you recommend mirroring instead of replication?
39. Demo
SQL Mixed mode
Create SQL user
Show Day 2 tutorial
Run .cmd to generate db
40. Assignment
Due Day 4
Create a database in SQL 2008
Create a database diagram
Create SQL Stored Procedures based on your activity diagram(s) for your entire project's features.
Create a database solution using VS 2010 (see day 2 tutorial)
Run the db command script