Session - 8 - App Dev

This document summarizes the evolution of database application architecture and web technologies. It discusses: 1) The progression from mainframe to client-server to web-based architectures. 2) Key web technologies like HTTP, cookies, and sessions that enable state management across requests. 3) Common application architectures like model-view-controller (MVC) and how they separate business logic from presentation. 4) Web service standards like SOAP, REST, and OData that allow applications to communicate over the web. 5) How data access layers map object-oriented application data models to relational database schemas.

Uploaded by

alexsburg

Advanced Databases

Session 8
Academic year 2023-2024

Professor: Luis Angel Galindo


Evolution of the application architecture
• Most database users do not use a query language like SQL
[Figure: (a) Mainframe Era: terminals, application program, proprietary network or dial-up phone lines, mainframe computer. (b) Personal Computer Era: desktop PCs, application program, local area network, database. (c) Web era: web browsers, Internet, web application server, database.]

• Web browsers avoid the need for downloading/installing specialized code, while
providing a good graphical user interface
HTML example
<html>
<body>
<table border>
  <tr> <th>ID</th> <th>Name</th> <th>Department</th> </tr>
  <tr> <td>00128</td> <td>Zhang</td> <td>Comp. Sci.</td> </tr>
  <!-- …. -->
</table>
<form action="PersonQuery" method=get>
  Search for:
  <select name="persontype">
    <option value="student" selected>Student </option>
    <option value="instructor"> Instructor </option>
  </select> <br>
  Name: <input type=text size=20 name="name">
  <input type=submit value="submit">
</form>
</body> </html>

[Rendered page: a table with columns ID, Name, Department and rows (00128, Zhang, Comp. Sci.), (12345, Shankar, Comp. Sci.), (19991, Brandt, History), followed by a "Search for:" drop-down showing Student, a "Name:" text box and a submit button.]
Three-Layer Web Architecture
HTTP and sessions
• HTTP is connectionless
• The server closes the connection with the client once the server replies to a
request (releases all the resources reserved)
• Goal: reduce load on server
• But user authentication should be done only once per session
• Solution: use a cookie
• A cookie is a small piece of text containing identifying information
• Sent by server to the browser on the first interaction, to identify the session
• Sent by browser to the server that created the cookie on further interactions
• Part of the HTTP protocol
• Cookies can be stored permanently or for a limited time
Implementation of the client-server
• Usually on the client side: Javascript
• Javascript functions can
• Check input for validity
• Modify the displayed Web page, by altering the underlying Document Object
Model (DOM) tree representation of the displayed HTML text
• Communicate with a Web server to fetch data and modify the current page
using fetched data, without needing to reload/refresh the page
• On the server side greater variety: Java servlet, PHP, Python, RoR, ASP.NET…
• Server-side scripting simplifies the task of connecting a database to the Web
• Define an HTML document with embedded executable code/SQL queries.
• Input values from HTML forms can be used directly in the embedded code/SQL
queries.
• When the document is requested, the Web server executes the embedded
code/SQL queries to generate the actual HTML document
HTTP and sessions
• Servlet API supports handling of sessions by managing cookies
• To check if session is already active:
• if (request.getSession(false) != null) Session exists
HttpSession session = request.getSession(false);
String userid = (String) session.getAttribute("userid");
• else .. redirect to authentication page
• check login/password
• Create new session
• HttpSession session = request.getSession(true);
• session.setAttribute("userid", userid);

• Servlets run inside application servers such as Apache Tomcat, IBM WebSphere and
Oracle Application Servers
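
The session flow from the two "HTTP and sessions" slides, as an added example that is not part of the original slides: a small Node.js session store that issues a random session ID in a cookie and looks it up on later requests, mirroring getSession(false) and getSession(true). The class name SessionStore, the cookie name SID, the 30-minute lifetime and the cookie attributes are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Added example: in-memory session store mirroring the servlet flow above.
// Cookie name "SID" and the 30-minute lifetime are assumptions.
class SessionStore {
  constructor(ttlMs = 30 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // session id -> { attrs, expires }
  }

  // Like getSession(false): the live session named by the Cookie header, or null.
  get(cookieHeader, now = Date.now()) {
    const match = /(?:^|;\s*)SID=([A-Za-z0-9_-]+)/.exec(cookieHeader || '');
    if (!match) return null;
    const session = this.sessions.get(match[1]);
    if (!session) return null; // unknown id: never adopt a client-chosen value
    if (session.expires <= now) {
      this.sessions.delete(match[1]); // expired: force re-authentication
      return null;
    }
    return session;
  }

  // Like getSession(true) after the login/password check: always a fresh,
  // unguessable id generated on the server.
  create(userid, now = Date.now()) {
    const id = crypto.randomBytes(32).toString('base64url');
    this.sessions.set(id, { attrs: { userid }, expires: now + this.ttlMs });
    // HttpOnly: hidden from page scripts. Secure: sent over HTTPS only.
    // SameSite=Lax: withheld on cross-site subrequests and cross-site POSTs.
    const setCookie =
      `SID=${id}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${this.ttlMs / 1000}`;
    return { id, setCookie };
  }
}

// Constructed request sequence: no cookie, login, authenticated request,
// a client-chosen id, and a request after the session has expired.
function demo() {
  const store = new SessionStore();
  const first = store.get(undefined); // null: redirect to authentication page
  const { id, setCookie } = store.create('u00128', 0);
  const second = store.get(`theme=dark; SID=${id}`, 1000);
  const unknown = store.get('SID=client-chosen-value', 1000);
  const late = store.get(`SID=${id}`, 31 * 60 * 1000);
  return { first, userid: second && second.attrs.userid, unknown, late, setCookie };
}
```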
Example of JavaScript
JavaScript used to validate form input
<html> <head>
<script type="text/javascript">
  function validate() {
    var credits = document.getElementById("credits").value;
    if (isNaN(credits) || credits <= 0 || credits >= 16) {
      alert("Credits must be a number greater than 0 and less than 16");
      return false;
    }
  }
</script>
</head> <body>
<form action="createCourse" onsubmit="return validate()">
  Title: <input type="text" id="title" size="20"><br />
  Credits: <input type="text" id="credits" size="2"><br />
  <input type="submit" value="Submit">
</form>
</body> </html>
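
Browser-side checks such as validate() can be skipped by any client that sends the request itself, so the server has to repeat them. The following added example (not from the original slides) shows a strict server-side check for the same createCourse fields next to the slide's browser rule. The function names, the 100-character title limit and the requirement that credits be a whole number are assumptions of this sketch.

```javascript
// Added example: server-side re-validation of the createCourse form fields.
// validateCourse, clientRule and the title length limit are assumptions.
function validateCourse(params) {
  const errors = [];
  const { title, credits } = params;

  // Repeated parameters (?credits=3&credits=99) arrive as arrays in many
  // frameworks, so the type is checked before the value.
  if (typeof title !== 'string' || title.trim().length === 0 || title.length > 100) {
    errors.push('title must be a non-empty string of at most 100 characters');
  }

  // Accept plain decimal digits only. isNaN() with numeric comparison also
  // accepts " 5 ", "0x5", "1e1" and "5.5".
  if (typeof credits !== 'string' || !/^[0-9]{1,2}$/.test(credits)) {
    errors.push('credits must be a whole number written in decimal digits');
  } else {
    const n = parseInt(credits, 10);
    if (n <= 0 || n >= 16) errors.push('credits must be greater than 0 and less than 16');
  }
  return { ok: errors.length === 0, errors };
}

// The browser-side rule from the slide, for comparison.
function clientRule(credits) {
  return !(isNaN(credits) || credits <= 0 || credits >= 16);
}

// Constructed inputs: the credits value exactly as it would arrive in the request.
function compare() {
  const samples = ['3', '15', '16', '0', '', ' 5 ', '0x5', '1e1', '5.5', 'abc'];
  return samples.map((c) => ({
    credits: c,
    client: clientRule(c),
    server: validateCourse({ title: 'Databases', credits: c }).ok,
  }));
}
```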
Example of servlet code
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class PersonQueryServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<HEAD><TITLE> Query Result</TITLE></HEAD>");
        out.println("<BODY>");

        // ….. BODY OF SERVLET …
        String persontype = request.getParameter("persontype");
        String number = request.getParameter("name");
        // "student".equals(...) also handles a request without the parameter (null)
        if ("student".equals(persontype)) {
            ... code to find students with the specified name ...
            ... using JDBC to communicate with the database ..
            out.println("<table BORDER COLS=3>");
            out.println(" <tr> <td>ID</td> <td>Name: </td>" + " <td>Department</td> </tr>");
            for (... each result ...) {
                ... retrieve ID, name and dept name
                ... into variables ID, name and deptname
                // ID, name and deptname are written into the page as-is, without HTML encoding
                out.println("<tr> <td>" + ID + "</td>" + "<td>" + name + "</td>" + "<td>" + deptname
                        + "</td></tr>");
            }
            out.println("</table>");
        }
        else {
            ... as above, but for instructors ...
        }

        out.println("</BODY>");
        out.close();
    }
}
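
The servlet above concatenates the values retrieved from the database into the HTML response, so a name that contains markup is interpreted by the browser, which is the cross-site scripting problem named later in the "Application security" slides. The following added example is not from the original slides and is written in JavaScript rather than Java: it builds the same result table once by plain concatenation and once with every value HTML-encoded. The helper names and sample rows are constructed for this sketch.

```javascript
// Added example: the servlet's result table, built with and without HTML encoding.
// escapeHtml and renderPersonTable are hypothetical helper names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// encode defaults to escapeHtml; passing (v) => v reproduces plain concatenation.
function renderPersonTable(rows, encode = escapeHtml) {
  const out = ['<table border>', '<tr> <td>ID</td> <td>Name</td> <td>Department</td> </tr>'];
  for (const { id, name, deptname } of rows) {
    out.push(
      `<tr> <td>${encode(id)}</td> <td>${encode(name)}</td> <td>${encode(deptname)}</td> </tr>`
    );
  }
  out.push('</table>');
  return out.join('\n');
}

// Constructed rows: the second record holds markup in its name and
// characters with special meaning in HTML in its department.
const SAMPLE_ROWS = [
  { id: '00128', name: 'Zhang', deptname: 'Comp. Sci.' },
  { id: '12345', name: 'Shankar<script>alert(1)</script>', deptname: 'R&D "Lab"' },
];

function demo() {
  const raw = renderPersonTable(SAMPLE_ROWS, (v) => v);
  const encoded = renderPersonTable(SAMPLE_ROWS);
  return {
    rawHasScriptTag: raw.includes('<script>'),
    encodedHasScriptTag: encoded.includes('<script>'),
    encodedRow: encoded.split('\n')[3],
  };
}
```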
Application architecture
Application architecture
• Model-View-Controller (MVC) architecture
• Model: business logic
• View: presentation of data on display device
• Controller: receives events, executes actions, and returns a view to the user
• Business-logic layer
• Provides high-level view of data and actions on data using an object data model
• Hides details of data storage schema
• Enforces business rules and supports workflows
• Data access layer
• Provides mapping from object model of business layer to relational model of database
[Figure: numbered request flow (steps 1 to 8) between the Web browser, the Internet, and the Controller, View, Model and Data Access Layer inside the Web/Application Server, backed by the Database]
Web Services
• SOAP (Simple Object Access Protocol)
• Based on XML and uses WSDL (Web Services Description Language) to describe the
service interface and UDDI (Universal Description, Discovery, and Integration) to
discover services
• REST (Representational State Transfer)
• Uses HTTP and standard operations (GET, POST, PUT, DELETE) and returned data is
encoded either in XML or in JSON
• GraphQL
• Developed by Facebook, similar to REST, but the client specifies what data it
needs and receives exactly that data
• OData (Open Data Protocol)
• Based on existing web technologies (HTTP, AtomPub, JSON), uses RESTful
conventions for creating and querying web services.
Data Access layer
• Allows application code to be written on top of object-oriented data model, while
storing data in a traditional relational database
• Alternative: implement object-oriented or object-relational database to store
object model (not a commercial success!)
• Schema designer has to provide a mapping between object data and relational
schema
• E.g. Java class Student mapped to relation student, with corresponding mapping
of attributes
• An object can map to multiple tuples in multiple relations
• Application opens a session, which connects to the database
• Mapping used to create appropriate tuples in the database
• Query can be run to retrieve objects satisfying specified predicates
• Hibernate (Java), Entity Data Model (.NET), SQLAlchemy (Python)…
Mapping example. Sequelize
class Person {
  constructor(id, name, age) {
    this.id = id;
    this.name = name;
    this.age = age;
  }
}

// Instance example of Person
const person = new Person(1, 'John Doe', 25);

CREATE TABLE Persons (
  id INT PRIMARY KEY,
  name VARCHAR(255),
  age INT
);
Mapping example. Sequelize
const { Sequelize, DataTypes } = require('sequelize');

// Placeholder connection settings; keep real credentials out of source files
const sequelize = new Sequelize('database', 'username', 'password', {
  host: 'localhost',
  dialect: 'mysql',
});

const PersonModel = sequelize.define('Person', {
  id: {
    type: DataTypes.INTEGER,
    primaryKey: true,
    autoIncrement: true,
  },
  name: {
    type: DataTypes.STRING,
    allowNull: false,
  },
  age: {
    type: DataTypes.INTEGER,
    allowNull: false,
  },
});

// Synchronizing the model with the database; sync() returns a promise,
// so the record is created only after the table exists
sequelize.sync()
  // Create a new record in the database
  .then(() => PersonModel.create({
    name: 'John Doe',
    age: 25,
  }))
  .then(person => {
    console.log('Created Person:', person.toJSON());
  });
EDM framework example
using System;
using System.Collections.Generic;

public class Customer
{
    public int CustomerID { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }

    // Navigation property for Orders
    public virtual ICollection<Order> Orders { get; set; }
}

public class Order
{
    public int OrderID { get; set; }
    public DateTime OrderDate { get; set; }

    // Foreign key for Customer
    public int CustomerID { get; set; }

    // Navigation property for Customer
    public virtual Customer Customer { get; set; }
}
Application performance
• Caching techniques used to reduce cost of serving pages by exploiting commonalities
between requests
• At the server site
• Caching of JDBC connections between servlet requests
• a.k.a. connection pooling
• Caching results of database queries
• Cached results must be updated if underlying database changes
• Caching of generated HTML
• At the client’s network
• Caching of pages by Web proxy
Application security
XSS - cross-site scripting
Application authentication issues
• Never store passwords, such as database passwords, in clear text in scripts that may
be accessible to users
• Restrict access to database server from IPs of machines running application servers
• Two-factor authentication
• Authenticate Web site to user, using digital certificates, along with HTTPS protocol
• Central authentication using LDAP or Active Directory
• Use of SSO for user authentication (SAML, OpenID…)
Audit trails
• Applications must log actions to an audit trail, to detect who carried out an update,
or accessed some sensitive data
• Audit trails used after-the-fact to
• Detect security breaches
• Repair damage caused by security breach
• Trace who carried out the breach
• Audit trails needed at
• Database level, and at
• Application level
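
An application-level audit trail as described above, as an added example that is not part of the original slides: each entry records who performed which action on which object, and a lookup traces everyone who touched a given record. The hash chain that makes after-the-fact edits detectable goes beyond what the slide states; the class name, field names and sample entries are constructed for this sketch.

```javascript
const crypto = require('crypto');

// Added example: application-level audit trail. The hash chain is an addition
// beyond the slide; it makes later edits or deletions of entries detectable.
class AuditTrail {
  constructor() { this.entries = []; }

  record(actor, action, target, at) {
    const last = this.entries[this.entries.length - 1];
    const prev = last ? last.hash : '0'.repeat(64);
    const body = { seq: this.entries.length, at, actor, action, target, prev };
    const hash = crypto.createHash('sha256').update(JSON.stringify(body)).digest('hex');
    this.entries.push({ ...body, hash });
  }

  // Trace who carried out an update on, or accessed, a given object.
  whoTouched(target) {
    return this.entries.filter((e) => e.target === target).map((e) => `${e.actor}:${e.action}`);
  }

  // Index of the first entry that fails verification, or -1 if the trail is intact.
  verify() {
    let prev = '0'.repeat(64);
    for (let i = 0; i < this.entries.length; i++) {
      const { hash, ...body } = this.entries[i];
      const expected = crypto.createHash('sha256').update(JSON.stringify(body)).digest('hex');
      if (body.prev !== prev || body.seq !== i || hash !== expected) return i;
      prev = hash;
    }
    return -1;
  }
}

// Constructed sample activity, followed by a simulated after-the-fact edit.
function demo() {
  const trail = new AuditTrail();
  trail.record('alice', 'UPDATE', 'student/00128', '2024-01-10T09:00:00Z');
  trail.record('bob', 'READ', 'student/00128', '2024-01-10T09:05:00Z');
  trail.record('alice', 'READ', 'student/12345', '2024-01-10T09:06:00Z');
  const intact = trail.verify();
  const who = trail.whoTouched('student/00128');
  trail.entries[1].actor = 'carol'; // entry altered after it was written
  return { intact, who, firstBad: trail.verify() };
}
```

The chain only detects changes if its latest hash is also kept somewhere the application account cannot rewrite, such as a separate log host.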