ICT Sba

The document outlines performance and security improvements made to a database system, including the addition of indexes and caching to enhance query response times. It details the optimization process, security testing measures, and monitoring enhancements, as well as pros and cons of the current database design. Additionally, it discusses denormalization strategies for improved performance, while highlighting the associated risks of data redundancy and integrity issues.

ICT SBA

Performance Testing

Performance Improvements:
• Indexes Added: Indexes on the EventID and Grade columns drastically improved query execution times.
• Caching Implemented: Introduced caching for frequently accessed data, resulting in reduced load times.

Initial Response Times

Before optimization, the response times for certain queries were significantly higher due to inefficient SQL and a lack of indexing. Here are the initial metrics:

• Query: SELECT * FROM Attendance WHERE EventID = 'E001'
  o Execution Time: 150 ms
  o Rows Returned: 200
  o Problem: The query performed a full table scan because there was no index on the EventID column.
• Query: SELECT * FROM Student WHERE Grade = '10'
  o Execution Time: 120 ms
  o Rows Returned: 150
  o Problem: This query also suffered from full table scans, leading to longer execution times.
Optimization Process

1. Indexing:
   a. An index was created on the EventID column in the Attendance table.
   b. Another index was created on the Grade column in the Student table.
2. Query Rewriting:
   a. Although no specific query rewrites were performed for these examples, the optimization focused on ensuring that queries were structured to take advantage of the newly created indexes.

Improved Response Times

After implementing the indexing and optimizing the queries, the response times improved significantly:

• Query: SELECT * FROM Attendance WHERE EventID = 'E001'
  o Execution Time: 50 ms
  o Rows Returned: 200
  o Improvement: The execution time was reduced by 67%, thanks to the index, which allowed the database to quickly locate the relevant rows without scanning the entire table.
• Query: SELECT * FROM Student WHERE Grade = '10'
  o Execution Time: 30 ms
  o Rows Returned: 150
  o Improvement: The execution time was reduced by 75%, as the index on the Grade column enabled the database to efficiently fetch the required records.

Security Testing

Security Enhancements:
• Access Control Review: Regular audits confirmed that access restrictions were functioning as intended (the views used for access control are listed below).
• Input Validation: Enhanced input sanitization methods effectively prevented SQL injection vulnerabilities.

PHP:
// Escape the POSTed value before it is placed inside a quoted SQL string literal
$event_id = mysqli_real_escape_string($conn, $_POST['event_id']);
$query = "SELECT * FROM Attendance WHERE EventID = '$event_id'";

Test ID | Test Description            | Before Changes                        | After Changes            | Comments
AC-001  | Access Control Test         | Student could access Attendance table | Access Denied            | Effective access control measures in place
SI-001  | SQL Injection Vulnerability | Vulnerable to injection attacks       | No vulnerabilities found | Sanitization measures successfully prevent SQL injection attacks
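As an added example (not part of the SBA), the following Python script builds an in-memory SQLite copy of the Student and Attendance tables with constructed rows and re-runs two of the tests above: it reads SQLite's query plan before and after the two indexes from the Performance section are created, and repeats test SI-001 by comparing a query that splices the value into the SQL text with one that binds it as a parameter. The SQLite dialect, the index names and the sample data are assumptions.

```python
import sqlite3

# Constructed in-memory copy of the page's Student and Attendance tables (SQLite dialect
# assumed, sample rows made up), shared by the indexing check and the SI-001 re-run.
SCHEMA = """
CREATE TABLE Student (StudentID VARCHAR(50) PRIMARY KEY, StudentName VARCHAR(255), Grade VARCHAR(2));
CREATE TABLE Attendance (AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT, EventID VARCHAR(50),
                         StudentID VARCHAR(50), AttendanceStatus VARCHAR(50));
"""

def build_db(rows=200):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Student VALUES (?, ?, ?)",
                     [(f"S{i:03d}", f"Student {i}", str(9 + i % 4)) for i in range(rows)])
    conn.executemany("INSERT INTO Attendance (EventID, StudentID, AttendanceStatus) VALUES (?, ?, ?)",
                     [(f"E{1 + i % 5:03d}", f"S{i:03d}", "Present") for i in range(rows)])
    return conn

def access_method(conn, sql, param):
    """First word of SQLite's plan for the query: 'SCAN' (full table) or 'SEARCH' (index used)."""
    return conn.execute("EXPLAIN QUERY PLAN " + sql, (param,)).fetchone()[3].split()[0]

def index_before_after():
    """Plan for the page's two queries before and after adding the page's two indexes."""
    conn = build_db()
    queries = [("SELECT * FROM Attendance WHERE EventID = ?", "E001"),
               ("SELECT * FROM Student WHERE Grade = ?", "10")]
    before = tuple(access_method(conn, q, p) for q, p in queries)
    conn.execute("CREATE INDEX idx_attendance_event ON Attendance(EventID)")  # assumed index names
    conn.execute("CREATE INDEX idx_student_grade ON Student(Grade)")
    after = tuple(access_method(conn, q, p) for q, p in queries)
    return before, after

def attendance_unsafe(conn, event_id):
    # "Before changes" pattern from SI-001: the user-supplied value becomes part of the SQL text.
    return conn.execute(f"SELECT * FROM Attendance WHERE EventID = '{event_id}'").fetchall()

def attendance_safe(conn, event_id):
    # "After changes": a bound parameter is always treated as data, never as SQL.
    return conn.execute("SELECT * FROM Attendance WHERE EventID = ?", (event_id,)).fetchall()

def si_001():
    """Re-run of SI-001: rows returned for one malformed test input by each version."""
    conn = build_db()
    test_input = "E001' OR '1'='1"   # constructed test input; not a valid EventID
    return len(attendance_unsafe(conn, test_input)), len(attendance_safe(conn, test_input))
```

The unsafe version returns every row in the table for the test input, the parameterised version returns none, which is the "No vulnerabilities found" result the table records.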

Monitoring and Logging

Monitoring Enhancements:
• Resource Optimization: Adjustments in resource allocation and query optimizations led to reduced CPU usage and improved overall system performance.
• Logging Configuration: Improved logging practices enabled better tracking of unauthorized access attempts and system performance.

Test ID | Metric             | Before Changes       | After Changes        | Comments
M-001   | CPU Usage (%)      | 85% during peak load | 70% during peak load | Optimizations reduced CPU load, allowing for better performance
M-001   | Active Connections | 200 connections      | 150 connections      | Reducing the number of connections improved system stability

Optimizations for Monitoring:

• Enhanced Resource Monitoring: Implemented detailed tracking of CPU, memory, and disk I/O to identify performance bottlenecks and set up alerts for high usage.
• Query Performance Monitoring: Enabled slow query logging to identify inefficient SQL queries, focusing on optimizing them through indexing or rewriting.
• Connection Pooling: Configured a connection pool in the application server to efficiently manage database connections, reducing overhead and improving response times.
• Monitoring User Activity: Set up logging for all user actions, including successful and failed logins, with alerts for unusual patterns.

Optimizations for Logging:

• Log Level Configuration: Adjusted logging levels to capture relevant information while reducing the volume of unnecessary data, improving log readability.
• Centralized Logging: Implemented centralized logging using tools like the ELK Stack to aggregate logs for easier monitoring and analysis.
• Log Rotation and Archiving: Configured automatic log rotation based on size or age to manage disk space effectively while retaining historical data.
• Audit Logging: Enhanced audit logging to track changes to critical data and schema, improving accountability and compliance for data modifications.

Pros:

1. Structured Design
The database is neatly organised into specific tables (Teacher, Student, House, Event, Attendance), which helps reduce redundancy and promotes normalisation.

2. Foreign Key Constraints
Relationships between tables (like Attendance linking to Event and Student) ensure data integrity, keeping everything connected and consistent.

3. Attendance Tracking
The system effectively tracks student attendance at events, making it easier to monitor participation.

4. Use of Triggers
Triggers help prevent unauthorised changes to attendance statuses after a certain time, enforcing business rules right at the database level.

5. Flexible Attendance Status
The system can record various attendance states (Present, Late, Absent), offering more detailed insights.

Cons:

1. Inconsistent Data Types for Foreign Keys
Using VARCHAR for foreign keys can lead to inconsistencies. It's better to match these with the primary key types in the referenced tables.

2. Missing Relationships
The "House" table doesn't have a direct connection to the "Student" table, complicating queries for students by house.

3. AttendanceID Management
The "AttendanceID" is an INT without an auto-increment feature, which could lead to conflicts or complexity in managing records.

4. Limited Validation
While there's some validation for "AttendanceStatus", there are no checks for valid "HouseID" or "Grade" entries.

5. Excessive String Length for IDs
Using VARCHAR(255) for IDs (like "TeacherID" and "StudentID") may be overkill; shorter lengths could work just as well and enhance performance.

Improvements

1. Revise Foreign Key Data Types
Update the foreign key data types in the "Event" and "Attendance" tables to match their corresponding primary keys (e.g., VARCHAR(255)).

2. Establish Relationships with House
Modify the Student table to include a foreign key reference to the "House" table:
Sql:
ALTER TABLE Student
ADD CONSTRAINT fk_House
FOREIGN KEY (HouseID) REFERENCES House(HouseID);
-- SQLite's ALTER TABLE cannot add constraints; there the FOREIGN KEY is declared in CREATE TABLE, as in the revised schema below.

3. Implement Auto-Increment for AttendanceID
Change "AttendanceID" to an auto-incrementing integer to simplify management:
Sql:
AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT, -- SQLite requires INTEGER (not INT) for AUTOINCREMENT

4. Add Additional Constraints
Introduce checks for valid "HouseID" and consider validating "Grade" values to ensure they're within acceptable ranges (e.g., grades 9 to 12).

5. Optimise Data Types
Review the VARCHAR lengths for IDs and other strings, reducing them to optimise storage and improve performance.

6. Enhance Attendance Status
Consider adding more attendance statuses (like Excused) for better tracking flexibility.

7. Documentation and Comments
Include comments in the SQL code to clarify the purpose of each table and relationship, aiding future developers and database administrators in understanding the design choices.

Revised Database Schema

Sql:
-- SQLite dialect: the trigger below relies on SQLite's datetime('now') and RAISE().
CREATE TABLE Teacher (
    TeacherID VARCHAR(50) PRIMARY KEY,
    TeacherName VARCHAR(255),
    Department VARCHAR(255)
);

-- House is created before Student so that Student's foreign key has an existing target.
CREATE TABLE House (
    HouseID VARCHAR(2) PRIMARY KEY,
    HouseName VARCHAR(255)
);

CREATE TABLE Student (
    StudentID VARCHAR(50) PRIMARY KEY,
    StudentName VARCHAR(255),
    Grade VARCHAR(2) CHECK (Grade IN ('9', '10', '11', '12')), -- Validating grades
    Class VARCHAR(255),
    HouseID VARCHAR(2),
    FOREIGN KEY (HouseID) REFERENCES House(HouseID) -- Adding relationship to House
);

CREATE TABLE Event (
    EventID VARCHAR(50) PRIMARY KEY,
    EventName VARCHAR(255),
    EventDate DATE,
    EventLocation VARCHAR(255),
    FixedTimestamp TIMESTAMP, -- after this time attendance may no longer be changed
    TeacherID VARCHAR(50),
    FOREIGN KEY (TeacherID) REFERENCES Teacher(TeacherID)
);

CREATE TABLE Attendance (
    AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT, -- INTEGER (not INT) is required for AUTOINCREMENT in SQLite
    EventID VARCHAR(50),
    StudentID VARCHAR(50),
    AttendanceStatus VARCHAR(50) CHECK (AttendanceStatus IN ('Present', 'Late', 'Absent', 'Excused')), -- Added Excused status
    FOREIGN KEY (EventID) REFERENCES Event(EventID),
    FOREIGN KEY (StudentID) REFERENCES Student(StudentID)
);

-- SQLite triggers have no IF ... THEN; the condition is expressed as a WHEN clause.
CREATE TRIGGER PreventStatusChange
BEFORE UPDATE OF AttendanceStatus ON Attendance
FOR EACH ROW
WHEN NEW.AttendanceStatus = 'Present' AND EXISTS (
    SELECT 1 FROM Event
    WHERE Event.EventID = NEW.EventID AND Event.FixedTimestamp < datetime('now')
)
BEGIN
    SELECT RAISE(ABORT, 'Cannot change attendance status from Absent to Present after the fixed timestamp.');
END;
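To show the PreventStatusChange rule actually firing, the following added Python example (not the SBA's own code) loads a reduced Event/Attendance schema with the trigger in SQLite syntax, records one Absent student for an event and tries to mark them Present once with the event's FixedTimestamp in the past and once in the future. The SQLite dialect and the sample rows are assumptions; the other tables are left out.

```python
import sqlite3

# Event and Attendance plus the PreventStatusChange trigger in SQLite syntax (added example;
# the page's other tables and columns are omitted because the trigger does not touch them).
SCHEMA = """
CREATE TABLE Event (EventID VARCHAR(50) PRIMARY KEY, EventName VARCHAR(255), FixedTimestamp TIMESTAMP);
CREATE TABLE Attendance (
    AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT,
    EventID VARCHAR(50) REFERENCES Event(EventID),
    StudentID VARCHAR(50),
    AttendanceStatus VARCHAR(50) CHECK (AttendanceStatus IN ('Present', 'Late', 'Absent', 'Excused'))
);
CREATE TRIGGER PreventStatusChange
BEFORE UPDATE OF AttendanceStatus ON Attendance
FOR EACH ROW
WHEN NEW.AttendanceStatus = 'Present' AND EXISTS (
    SELECT 1 FROM Event WHERE Event.EventID = NEW.EventID AND Event.FixedTimestamp < datetime('now')
)
BEGIN
    SELECT RAISE(ABORT, 'Cannot change attendance status from Absent to Present after the fixed timestamp.');
END;
"""

def try_mark_present(fixed_timestamp):
    """Insert one Absent record for an event with the given FixedTimestamp (constructed data),
    attempt to set it to Present, and return (status after the attempt, whether the trigger aborted)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Event VALUES ('E001', 'Sports Day', ?)", (fixed_timestamp,))
    conn.execute("INSERT INTO Attendance (EventID, StudentID, AttendanceStatus) "
                 "VALUES ('E001', 'S001', 'Absent')")
    try:
        conn.execute("UPDATE Attendance SET AttendanceStatus = 'Present' "
                     "WHERE EventID = 'E001' AND StudentID = 'S001'")
        aborted = False
    except sqlite3.IntegrityError:  # RAISE(ABORT, ...) surfaces as IntegrityError in Python's sqlite3
        aborted = True
    status = conn.execute("SELECT AttendanceStatus FROM Attendance WHERE StudentID = 'S001'").fetchone()[0]
    return status, aborted
```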

Key changes made:

1. Data Type Adjustments
Shortened VARCHAR lengths for IDs (e.g. VARCHAR(50) for IDs) to improve performance.

2. Establishing Relationships
Added a foreign key constraint in the "Student" table to link to the "House" table.

3. Auto-Increment on AttendanceID
Changed "AttendanceID" to "INTEGER PRIMARY KEY AUTOINCREMENT" for easier management.

4. Grade Validation
Added a check constraint in the "Student" table to ensure valid grades (9 to 12).

5. Additional Attendance Status
Included an "Excused" status in the "AttendanceStatus" check constraint to give more flexibility.

6
Database Security

To limit access rights to specific data in the database and so increase its security, views can be used to expose only the information each job function needs while keeping sensitive data hidden. In addition to the revised database above, the views below are created for the corresponding roles.

View for Teachers
Allows teachers to access only their own events and attendance records without seeing sensitive student information.

Sql:
CREATE VIEW TeacherEvents AS
SELECT E.EventID, E.EventName, E.EventDate, E.EventLocation, A.StudentID, A.AttendanceStatus
FROM Event E JOIN Attendance A ON E.EventID = A.EventID
WHERE E.TeacherID = CURRENT_USER;

View for Students
Allows students to see their own attendance records while not being able to access other students' information.

Sql:
CREATE VIEW StudentAttendance AS
SELECT A.EventID, E.EventName, E.EventDate, A.AttendanceStatus
FROM Attendance A JOIN Event E ON A.EventID = E.EventID
WHERE A.StudentID = CURRENT_USER; -- Assuming CURRENT_USER returns the StudentID of the logged-in student

View for Admins
Provides admins with access to all data in order to manage the system effectively.

Sql:
CREATE VIEW AdminFullAccess AS
SELECT T.TeacherName, S.StudentName, S.Grade, S.Class, H.HouseName, E.EventName, E.EventDate, A.AttendanceStatus
FROM Attendance A JOIN Event E ON A.EventID = E.EventID
JOIN Student S ON A.StudentID = S.StudentID
JOIN Teacher T ON E.TeacherID = T.TeacherID
JOIN House H ON S.HouseID = H.HouseID;

View for House Leaders
This view allows house leaders to see attendance data for students in their house only.

Sql:
CREATE VIEW HouseLeaderAttendance AS
SELECT S.StudentName, E.EventName, A.AttendanceStatus
FROM Attendance A JOIN Event E ON A.EventID = E.EventID
JOIN Student S ON A.StudentID = S.StudentID
WHERE S.HouseID = CURRENT_USER;

To ensure the permissions are granted to the respective roles:

Sql:
GRANT SELECT ON TeacherEvents TO TeacherRole;
GRANT SELECT ON StudentAttendance TO StudentRole;
GRANT SELECT ON AdminFullAccess TO AdminRole;
GRANT SELECT ON HouseLeaderAttendance TO HouseLeaderRole;

Use of CURRENT_USER
The use of "CURRENT_USER" assumes that the application has a mechanism to set the current user context.

Privacy Issues in the Database

Sensitive Student Information
- The database contains personal information such as student names, grades, and attendance records. Unauthorized access could lead to privacy violations.

Insecure Data Transmission
- If data is transmitted over unsecured channels, it can be intercepted and accessed by malicious actors.

Data Validation and Verification

1. Input Validation (source: ICT book)
Type Checks: Ensure that data entered matches the expected data type (e.g., integers for grades, strings for names).
Format Checks: Use regular expressions to validate formats (e.g., email addresses, phone numbers).
Range Checks: Validate that numerical values fall within acceptable ranges (e.g., grades should be between 9 and 12).

SQL for enforcing range checks:

ALTER TABLE Student
ADD CONSTRAINT chk_Grade CHECK (Grade IN ('9', '10', '11', '12'));
-- SQLite's ALTER TABLE cannot add constraints; there the CHECK stays in CREATE TABLE Student, as in the revised schema above.

2. Access Control and Authorisation
Implement role-based access control to restrict access, and regularly review and update access permissions to ensure only authorized personnel can access sensitive information.

3. Secure Data Transmission
Use encryption protocols such as SSL (HTTPS) for data in transit to protect sensitive information from interception.

4. Awareness
Raise awareness about phishing attacks and other threats.

5. Verify User Input
Use CAPTCHA to prevent automated submissions.

6. Data Integrity Checks
Run integrity checks regularly on the database to ensure that data has not been corrupted or tampered with.

Needs and Procedures for Denormalisation

The following denormalisation approach can benefit a read-heavy application by improving performance and simplifying data access. However, it comes at a cost in data integrity and maintenance complexity.

1. Combine Attendance with Student Information

Sql:
CREATE TABLE DenormalizedAttendance (
AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT, -- INTEGER is required for AUTOINCREMENT in SQLite
EventID VARCHAR(50),
StudentID VARCHAR(50),
StudentName VARCHAR(255),
Grade VARCHAR(2),
HouseName VARCHAR(255),
AttendanceStatus VARCHAR(50),
EventName VARCHAR(255),
EventDate DATE
);

2. Add Teacher Information in Events

Sql:
CREATE TABLE DenormalizedEvent (
EventID VARCHAR(50) PRIMARY KEY,
EventName VARCHAR(255),
EventDate DATE,
EventLocation VARCHAR(255),
FixedTimestamp TIMESTAMP,
TeacherID VARCHAR(50),
TeacherName VARCHAR(255),
Department VARCHAR(255)
);

Pros of Denormalisation:

1. Improved Read Performance
Denormalisation can lead to faster query performance since fewer joins are required to retrieve related data.

2. Simplified Queries
Queries are simpler and easier to write and understand, as related data is stored together.

3. Increase in Application Performance
Data that is frequently retrieved can be accessed more quickly, improving the user experience.

Cons of Denormalisation:

1. Data Redundancy and Integrity
Denormalisation leads to data redundancy, which increases storage size and the risk of data inconsistencies.

2. Increased Write Complexity
Insertions, updates, and deletions are more complex, as multiple records may need to be updated to maintain consistency of the data.
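The two cons above can be made concrete. This added Python example (not the SBA's own code) keeps a normalised Student table beside a cut-down copy of DenormalizedAttendance, renames a student in Student and checks whether the copies drift; a second run installs a sync trigger, one way of paying the extra write cost so the copies stay consistent. The SQLite dialect, the trigger name and the sample rows are assumptions.

```python
import sqlite3

# Normalised Student table next to the page's DenormalizedAttendance (SQLite dialect assumed,
# columns reduced to those the example needs, rows constructed for illustration).
SCHEMA = """
CREATE TABLE Student (StudentID VARCHAR(50) PRIMARY KEY, StudentName VARCHAR(255), Grade VARCHAR(2));
CREATE TABLE DenormalizedAttendance (
    AttendanceID INTEGER PRIMARY KEY AUTOINCREMENT,
    EventID VARCHAR(50), StudentID VARCHAR(50),
    StudentName VARCHAR(255), Grade VARCHAR(2), AttendanceStatus VARCHAR(50)
);
"""
# Hypothetical sync trigger: every change to a student is pushed into all redundant copies.
SYNC_TRIGGER = """
CREATE TRIGGER SyncStudentCopy AFTER UPDATE OF StudentName, Grade ON Student
FOR EACH ROW
BEGIN
    UPDATE DenormalizedAttendance SET StudentName = NEW.StudentName, Grade = NEW.Grade
    WHERE StudentID = NEW.StudentID;
END;
"""

def rename_student(with_sync_trigger):
    """Record two attendances for S001, rename S001 in Student, and return the distinct names now
    stored for S001 across both tables: one name means consistent, two means the copies drifted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + (SYNC_TRIGGER if with_sync_trigger else ""))
    conn.execute("INSERT INTO Student VALUES ('S001', 'Ann Lee', '10')")
    conn.executemany("INSERT INTO DenormalizedAttendance (EventID, StudentID, StudentName, Grade, "
                     "AttendanceStatus) VALUES (?, 'S001', 'Ann Lee', '10', 'Present')",
                     [("E001",), ("E002",)])
    conn.execute("UPDATE Student SET StudentName = 'Ann Lee-Wong' WHERE StudentID = 'S001'")
    names = {r[0] for r in conn.execute("SELECT StudentName FROM Student WHERE StudentID = 'S001'")}
    names |= {r[0] for r in conn.execute(
        "SELECT StudentName FROM DenormalizedAttendance WHERE StudentID = 'S001'")}
    return sorted(names)
```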
