Valuable SQL Skills

Uploaded by dontric360

10 most valuable SQL skills to have


1. Security. This should always come first. Understand SQL injection
and parameterized queries.
• SQL injection (SQLi) is a web security vulnerability that allows an attacker to
interfere with the queries that an application makes to its database, typically by
supplying input that the application concatenates into the query text, where the
database then parses it as SQL.
• Parameterized queries are SQL statements that contain placeholders whose values
are supplied separately at runtime, so the database never parses those values as
SQL. For example:
SELECT Order_Number, Customer_Number, SalesPerson_ID, Order_Date
FROM "Order" WHERE SalesPerson_ID = ? AND Order_Date > ?
This query has two parameters represented by the "?" parameter markers (Order is a
reserved word in SQL, so the table name is quoted). The parameter values are bound
at runtime through the driver: in ODBC this was SQLSetParameter in ODBC 1.0, since
replaced by SQLBindParameter, and other drivers expose the same idea by accepting
the values alongside the fixed query text.

2. Restoring a database. Making a backup is obviously the necessary
step, but it is far more important to know how to restore; a backup
that has never been restored is worth nothing. Test restores regularly,
on a separate server, and verify the restored data against what the
live database held.
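As an added example (not from the original slides), the drill below backs up a SQLite database with Python's standard library, verifies the backup, destroys the live data and restores it, then proves the restored contents match what the database held before. The orders table, its rows and the file names are constructed for the demonstration; the approach (back up, verify, restore, compare) carries over to any DBMS.

```python
# Added example, not part of the original slides: a backup-and-restore drill for a SQLite
# database using Python's standard library. The table, rows and file names are constructed
# for the demonstration; the point is that a backup is only proven when a restore from it
# has been checked against what the live database held before the "accident".
import hashlib
import os
import sqlite3
import tempfile

SCHEMA = "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL)"
SAMPLE_ROWS = [(10308, 2, 120.5), (10309, 37, 80.0), (10310, 77, 210.25)]  # constructed data


def create_live_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def orders_fingerprint(conn):
    """SHA-256 over every row in a fixed order: equal fingerprints mean identical contents."""
    h = hashlib.sha256()
    for row in conn.execute("SELECT * FROM orders ORDER BY order_id"):
        h.update(repr(row).encode())
    return h.hexdigest()


def take_backup(live_conn, backup_path):
    """Online, transactionally consistent copy via SQLite's backup API (not a raw file copy)."""
    dst = sqlite3.connect(backup_path)
    live_conn.backup(dst)
    dst.close()


def verify_backup(backup_path, expected_fingerprint):
    """A backup you have not checked is a hope, not a backup."""
    conn = sqlite3.connect(backup_path)
    try:
        integrity_ok = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        return integrity_ok and orders_fingerprint(conn) == expected_fingerprint
    finally:
        conn.close()


def restore_from_backup(backup_path, live_path):
    """Copy the backup over the live database file and return a fresh connection to it."""
    src = sqlite3.connect(backup_path)
    dst = sqlite3.connect(live_path)
    src.backup(dst)
    src.close()
    return dst


def backup_restore_drill():
    """Run the whole drill and report what happened at each step."""
    workdir = tempfile.mkdtemp()
    live_path = os.path.join(workdir, "live.db")
    backup_path = os.path.join(workdir, "live.bak")

    live = create_live_db(live_path)
    before = orders_fingerprint(live)
    take_backup(live, backup_path)
    backup_ok = verify_backup(backup_path, before)

    # Simulate the accident the backup exists for: a DELETE without a WHERE clause.
    live.execute("DELETE FROM orders")
    live.commit()
    rows_after_accident = live.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    live.close()

    restored = restore_from_backup(backup_path, live_path)
    restore_ok = orders_fingerprint(restored) == before
    restored.close()
    return {"backup_ok": backup_ok, "rows_after_accident": rows_after_accident, "restore_ok": restore_ok}


if __name__ == "__main__":
    print(backup_restore_drill())
```

The fingerprint comparison is the part most teams skip: a restore that completes without errors but yields stale or partial data is still a failed restore.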
3. Query load monitoring. Identify which queries account for the
greatest share of your database load. Tools such as Applications
Manager's database query monitor let you keep an eye on the critical
SQL queries that affect the availability and performance of your
business application.
4. Query optimization. Once you find the bad queries, improve them by:
• Creating indexes
• Rewriting query logic
• Partitioning
• Denormalization
• Using caches in your application
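As an added example (not from the original slides), the script below shows the first item of that list in action on SQLite: it runs the parameterized query from skill 1 against a constructed orders table, reads the EXPLAIN QUERY PLAN output before and after creating a covering index, and confirms the index changed the plan without changing the rows returned. The table, its 5,000 synthetic rows and the index name are assumptions made for the demonstration.

```python
# Added example, not from the original slides: measuring the effect of an index with
# EXPLAIN QUERY PLAN on SQLite. The orders table and its 5,000 synthetic rows are
# constructed here; the query is the parameterized one from skill 1 above.
import sqlite3

QUERY = "SELECT order_id FROM orders WHERE salesperson_id = ? AND order_date > ?"
PARAMS = (7, "2024-01-15")


def build_orders(n_rows=5000):
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, salesperson_id INTEGER, order_date TEXT)"
    )
    # 50 salespeople and 28 distinct dates: a realistic low-cardinality filter column.
    conn.executemany(
        "INSERT INTO orders (salesperson_id, order_date) VALUES (?, ?)",
        ((i % 50, f"2024-01-{(i % 28) + 1:02d}") for i in range(n_rows)),
    )
    conn.commit()
    return conn


def query_plan(conn):
    """Return the 'detail' column of EXPLAIN QUERY PLAN for QUERY (one string per plan step)."""
    return [row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + QUERY, PARAMS)]


def uses_index(conn, index_name):
    return any(index_name in step for step in query_plan(conn))


def add_covering_index(conn):
    # Column order matters: the equality column first, the range column second.
    conn.execute("CREATE INDEX idx_orders_sp_date ON orders (salesperson_id, order_date)")
    conn.commit()


def compare_plans():
    conn = build_orders()
    rows_before = conn.execute(QUERY, PARAMS).fetchall()
    plan_before = query_plan(conn)
    add_covering_index(conn)
    rows_after = conn.execute(QUERY, PARAMS).fetchall()
    plan_after = query_plan(conn)
    return {
        "plan_before": plan_before,   # a full table scan
        "plan_after": plan_after,     # a search using idx_orders_sp_date
        "same_rows": sorted(rows_before) == sorted(rows_after),
        "rows": len(rows_after),
    }


if __name__ == "__main__":
    result = compare_plans()
    print("before:", result["plan_before"])
    print("after: ", result["plan_after"])
```

Reading the plan rather than timing a single run is deliberate: timings on a warm cache are noisy, while "SCAN" turning into "SEARCH ... USING INDEX" is a stable signal that the optimizer is doing less work.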
5. DBMS tuning. Most databases have many options to tune resource
use, for example allocating as much RAM as possible to caching data
and indexes (while leaving enough for the operating system and any
other processes on the host).
6. Capacity planning.
• Know the limits of your server platform.
• How many queries per second can it execute?
• How much I/O do those queries demand of your disk array?
• How much space do you have for data, indexes, and logs?
• Is your resource usage increasing? How long will it be before you
run out of capacity?
7. SQL data types. Understand the characteristics of the different
SQL data types as they pertain to logic, performance, and storage.
8. Transactions. A transaction is a series of database operations,
carried out by a single user or application program, that reads or
changes the contents of the database and is applied as a unit: either
all of its operations take effect or none of them do.
• Understand the importance of transactions in a database and how to
optimize their performance.
9. Set-based data operations. Many developers think
of a database as a collection of individual rows, and fail
to use powerful features of SQL to update sets of data
in one query. Developers who use object-relational
mapping (ORM) tools are especially guilty of this.
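As an added example (not from the original slides) covering skills 8 and 9 together, the code below runs against a constructed accounts table in SQLite. The transfer function shows a transaction doing its job: when the debit would violate a CHECK constraint, the whole transfer is rolled back rather than leaving money created or destroyed. The two interest functions show the row-by-row pattern that ORM-style code tends to produce next to the single set-based UPDATE that replaces it. The table, balances and constraint are assumptions for the demonstration.

```python
# Added example, not from the original slides, covering skills 8 and 9: an atomic transfer
# that is rolled back when a CHECK constraint fires, and a row-by-row update next to the
# single set-based statement that replaces it. The accounts table and balances are constructed.
import sqlite3


def make_accounts():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 50), (3, 0)])
    conn.commit()
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst. Both updates commit together or neither does."""
    try:
        with conn:  # BEGIN ... COMMIT on success, ROLLBACK if the block raises
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        return True
    except sqlite3.IntegrityError:
        # The CHECK (balance >= 0) fired on the debit: any partial work was rolled back.
        return False


def apply_interest_row_by_row(conn, pct):
    """The anti-pattern from skill 9: fetch every row, then issue one UPDATE per row."""
    for acct_id, bal in conn.execute("SELECT id, balance FROM accounts").fetchall():
        conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (bal + bal * pct // 100, acct_id))
    conn.commit()


def apply_interest_set_based(conn, pct):
    """Same result in one statement: the database does the loop, inside a single transaction."""
    conn.execute("UPDATE accounts SET balance = balance + balance * ? / 100", (pct,))
    conn.commit()


if __name__ == "__main__":
    conn = make_accounts()
    print(transfer(conn, 1, 2, 30), balances(conn))   # True {1: 70, 2: 80, 3: 0}
    print(transfer(conn, 3, 1, 10), balances(conn))   # False {1: 70, 2: 80, 3: 0}
```

The row-by-row version also has a correctness problem the set-based one does not: between the SELECT and each UPDATE another session can change a balance, and the stale value read earlier silently overwrites it.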
10. High availability. What happens when your database server shuts
down or needs to be upgraded? Does your application handle this
gracefully?
• Can you queue data changes temporarily until the database is back
online?
• Do you have a spare database instance for failover?
SQL (Structured Query Language)
• SQL stands for Structured Query Language, a computer language for
storing, manipulating and retrieving data held in a relational
database (RDB). SQL was developed in the 1970s by IBM computer
scientists and became a standard of the American National Standards
Institute (ANSI) in 1986 and of the International Organization for
Standardization (ISO) in 1987.
• SQL is the standard language for communicating with relational
database management systems. All RDBMSs, such as MySQL, MS Access,
Oracle, Sybase, Informix, PostgreSQL and SQL Server, use SQL as their
standard database language.
• Why SQL? Because it offers the following advantages:
• It allows users to access data in relational database management
systems.
• It allows users to describe the data.
• It allows users to define the data in a database and manipulate it.
• It can be embedded within other languages using SQL modules and
libraries.
• It can create views, stored procedures and functions in a database.
• It allows users to set permissions on tables, procedures and views.
How SQL Works?
• When you execute an SQL command against any RDBMS, the system
determines the best way to carry out your request and the SQL engine
works out how to perform the task.
The various components included in this process are:
• Query Dispatcher
• Optimization Engines
• Classic Query Engine
• SQL Query Engine, etc.
• Following is a simple diagram showing the SQL architecture
[diagram not reproduced on this page].
SQL Basic Commands
The standard SQL commands to interact with relational databases are
CREATE, SELECT, INSERT, UPDATE, DELETE and DROP. These commands can be
classified into the following groups based on their nature:
• DDL - Data Definition Language

S.N.  Command  Description
1     CREATE   Creates a new database, table, view of a table, or other object in the database.
2     ALTER    Modifies an existing database object, such as a table.
3     DROP     Deletes an entire database, table, view of a table or other object in the database.
DML - Data Manipulation Language

S.N.  Command  Description
1     SELECT   Retrieves certain records from one or more tables.
2     INSERT   Creates a record.
3     UPDATE   Modifies records.
4     DELETE   Deletes records.
DCL - Data Control Language

S.N.  Command  Description
1     GRANT    Gives a privilege to a user.
2     REVOKE   Takes back privileges granted to a user.
GRANT AND REVOKE
Grant Privileges on Table
• You can grant users various privileges on tables. These
permissions can be any combination of SELECT, INSERT, UPDATE, DELETE,
REFERENCES, ALTER, or ALL.
Syntax

GRANT privileges ON object TO user;


Privileges
The privileges to assign. It can be any of the following values:

Privilege    Description
SELECT       Ability to perform SELECT statements on the table.
INSERT       Ability to perform INSERT statements on the table.
UPDATE       Ability to perform UPDATE statements on the table.
DELETE       Ability to perform DELETE statements on the table.
REFERENCES   Ability to create a constraint that refers to the table.
ALTER        Ability to perform ALTER TABLE statements to change the table definition.
ALL          In SQL Server, ALL does not grant all permissions for the table. Rather, it
             grants the ANSI-92 permissions, which are SELECT, INSERT, UPDATE, DELETE, and
             REFERENCES. Other systems define ALL differently (in MySQL it grants every
             privilege available at that level except GRANT OPTION), so check your DBMS
             before using it, and prefer listing exactly the privileges an account needs.
Object
• The database object that you are granting permissions for. In
the case of granting privileges on a table, this would be the
table name.
User
• The name of the user that will be granted these privileges.
Example
• If you wanted to grant SELECT, INSERT, UPDATE, and DELETE
privileges on a table called restaurant to a user named Michael, the
SQL GRANT statement is:
GRANT SELECT, INSERT, UPDATE, DELETE ON restaurant TO Michael;
• You can also use the ALL keyword to indicate that you wish to grant
the ANSI-92 permissions (i.e. SELECT, INSERT, UPDATE, DELETE, and
REFERENCES) to a user named aliyu.
Example:
GRANT ALL ON restaurant TO aliyu;
Revoke Privileges on Table
• Once you have granted privileges, you may revoke some or all of
these privileges.
• You can revoke any combination of SELECT, INSERT, UPDATE, DELETE,
REFERENCES, ALTER, or ALL.
Syntax
• The syntax for revoking privileges on a table in SQL Server is:
REVOKE privileges ON object FROM user;
Privileges
The privileges to revoke can be any of the following values:

Privilege    Description
SELECT       Ability to perform SELECT statements on the table.
INSERT       Ability to perform INSERT statements on the table.
UPDATE       Ability to perform UPDATE statements on the table.
DELETE       Ability to perform DELETE statements on the table.
REFERENCES   Ability to create a constraint that refers to the table.
ALTER        Ability to perform ALTER TABLE statements to change the table definition.
ALL          In SQL Server, ALL does not revoke all permissions for the table. Rather, it
             revokes the ANSI-92 permissions, which are SELECT, INSERT, UPDATE, DELETE,
             and REFERENCES.
Object
• The name of the database object that you are revoking privileges for.
User
• The name of the user that holds these privileges.

Examples
• If you wanted to revoke DELETE privileges on a table called
employee from a user named anderson, the REVOKE statement is:
REVOKE DELETE ON employee FROM anderson;
• If you wanted to revoke all ANSI-92 permissions (i.e. SELECT, INSERT,
UPDATE, DELETE, and REFERENCES) on that table from the user named
anderson, you could use the ALL keyword as follows:
REVOKE ALL ON employee FROM anderson;
• If you had granted SELECT privileges on the restaurant table to a
user named customers and you wanted to revoke them, the SQL REVOKE
statement is (the object follows ON and the user follows FROM, mirroring
GRANT):
REVOKE SELECT ON restaurant FROM customers;


MySQL Joining Tables
• A JOIN clause is used to combine rows from two or more tables,
based on a related column between them.
• Supported Types of Joins in MySQL
• INNER JOIN: Returns records that have matching values in both tables
• LEFT JOIN: Returns all records from the left table, and the matched records from the right table
• RIGHT JOIN: Returns all records from the right table, and the matched records from the left table
• CROSS JOIN: Returns every combination of a row from the first table with a row from the second (the Cartesian product); there is no matching condition
MySQL INNER JOIN Keyword
• The INNER JOIN keyword selects records that have matching values in
both tables.
Order Table

OrderID  CustomerID  EmployeeID  OrderDate   ShipperID
10308    2           7           1996-09-18  3
10309    37          3           1996-09-19  1
10310    77          8           1996-09-20  2

Customer Table

CustomerID  CustomerName                        ContactName     Address                        City         PostalCode  Country
1           Alfreds Futterkiste                 Maria Anders    Obere Str. 57                  Berlin       12209       Germany
2           Ana Trujillo Emparedados y helados  Ana Trujillo    Avda. de la Constitución 2222  México D.F.  05021       Mexico
3           Antonio Moreno Taquería             Antonio Moreno  Mataderos 2312                 México D.F.  05023       Mexico
The following SQL statement selects all orders with customer
information:

SELECT Orders.OrderID, Customers.CustomerName
FROM Orders
INNER JOIN Customers ON Orders.CustomerID = Customers.CustomerID;

Result (taken from a larger sample database than the three-row tables
above; against those three rows only order 10308 would be returned,
because CustomerIDs 37 and 77 have no matching customer and an inner
join drops unmatched rows):

OrderID  CustomerName
10248    Wilman Kala
10249    Tradição Hipermercados
10250    Hanari Carnes
10251    Victuailles en stock
10252    Suprêmes délices
10253    Hanari Carnes
10254    Chop-suey Chinese
10255    Richter Supermarkt
10256    Wellington Importadora
10257    HILARIÓN-Abastos
LEFT JOIN Keyword
The LEFT JOIN keyword returns all records from the left table
(table1), and the matching records (if any) from the right table
(table2); where there is no match, the columns from the right table
are NULL.
Customer Table

CustomerID  CustomerName                        ContactName     Address                        City         PostalCode  Country
1           Alfreds Futterkiste                 Maria Anders    Obere Str. 57                  Berlin       12209       Germany
2           Ana Trujillo Emparedados y helados  Ana Trujillo    Avda. de la Constitución 2222  México D.F.  05021       Mexico
3           Antonio Moreno Taquería             Antonio Moreno  Mataderos 2312                 México D.F.  05023       Mexico

Order Table

OrderID  CustomerID  EmployeeID  OrderDate   ShipperID
10308    2           7           1996-09-18  3
10309    37          3           1996-09-19  1
10310    77          8           1996-09-20  2

The following SQL statement will select all customers, and any orders
they might have:

Example
SELECT Customers.CustomerName, Orders.OrderID
FROM Customers
LEFT JOIN Orders ON Customers.CustomerID = Orders.CustomerID
ORDER BY Customers.CustomerName;
Result (not reproduced on this page). Against the sample tables above,
every customer appears once: Ana Trujillo Emparedados y helados is
paired with order 10308, and the other two customers get NULL for
OrderID.
RIGHT JOIN Keyword
• The RIGHT JOIN keyword returns all records from the right table
(table2), and the matching records (if any) from the left table
(table1); where there is no match, the columns from the left table are
NULL.
Order Table

OrderID  CustomerID  EmployeeID  OrderDate   ShipperID
10308    2           7           1996-09-18  3
10309    37          3           1996-09-19  1
10310    77          8           1996-09-20  2

Employee Table

EmployeeID  LastName   FirstName  BirthDate   Photo
1           Davolio    Nancy      12/8/1968   EmpID1.pic
2           Fuller     Andrew     2/19/1952   EmpID2.pic
3           Leverling  Janet      8/30/1963   EmpID3.pic

• The following SQL statement will return all employees, and any
orders they might have placed:

SELECT Orders.OrderID, Employees.LastName, Employees.FirstName
FROM Orders
RIGHT JOIN Employees ON Orders.EmployeeID = Employees.EmployeeID
ORDER BY Orders.OrderID;
Result (not reproduced on this page). Against the sample tables above,
all three employees appear: Leverling is paired with order 10309, and
Davolio and Fuller get NULL for OrderID, while orders 10308 and 10310
(EmployeeIDs 7 and 8) are dropped because no such employee exists.
CROSS JOIN Keyword
• The CROSS JOIN keyword returns every combination of a row from
table1 with a row from table2 (the Cartesian product).
"Customers" table:

CustomerID  CustomerName                        ContactName     Address                        City         PostalCode  Country
1           Alfreds Futterkiste                 Maria Anders    Obere Str. 57                  Berlin       12209       Germany
2           Ana Trujillo Emparedados y helados  Ana Trujillo    Avda. de la Constitución 2222  México D.F.  05021       Mexico
3           Antonio Moreno Taquería             Antonio Moreno  Mataderos 2312                 México D.F.  05023       Mexico

Order table:

OrderID  CustomerID  EmployeeID  OrderDate   ShipperID
10308    2           7           1996-09-18  3
10309    37          3           1996-09-19  1
10310    77          8           1996-09-20  2

• SELECT Customers.CustomerName, Orders.OrderID
FROM Customers
CROSS JOIN Orders;
RESULT (not reproduced on this page): 3 customers x 3 orders = 9 rows.
• Note: CROSS JOIN has no join condition, so it does not look for
matches at all. Every row in "Customers" is paired with every row in
"Orders", including rows on either side that have no counterpart in
the other table. The result size is the product of the two row
counts, which grows very quickly on real tables.

• If you add a WHERE clause (when table1 and table2 have a
relationship), the CROSS JOIN produces the same result as the INNER
JOIN clause:
Example
SELECT Customers.CustomerName, Orders.OrderID
FROM Customers
CROSS JOIN Orders
WHERE Customers.CustomerID=Orders.CustomerID;

The result is the single row pairing Ana Trujillo Emparedados y
helados with order 10308, the same row the INNER JOIN returns for
these tables.
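As an added example (not from the original slides), the script below loads the three-row Customers, Orders and Employees tables shown in this section into an in-memory SQLite database and runs each join type, so the row counts and NULLs described above can be seen rather than inferred. RIGHT JOIN is written as a LEFT JOIN with the tables swapped, which every SQLite version accepts (native RIGHT JOIN arrived only in SQLite 3.39) and returns the same rows; the tables are reduced to the columns the queries use.

```python
# Added example, not from the original slides: the four join types run against the three-row
# Customers, Orders and Employees tables shown above, loaded into an in-memory SQLite database.
# RIGHT JOIN is expressed as LEFT JOIN with the tables swapped so that it runs on any SQLite.
import sqlite3

CUSTOMERS = [
    (1, "Alfreds Futterkiste"),
    (2, "Ana Trujillo Emparedados y helados"),
    (3, "Antonio Moreno Taquería"),
]
ORDERS = [
    (10308, 2, 7, "1996-09-18", 3),
    (10309, 37, 3, "1996-09-19", 1),
    (10310, 77, 8, "1996-09-20", 2),
]
EMPLOYEES = [(1, "Davolio", "Nancy"), (2, "Fuller", "Andrew"), (3, "Leverling", "Janet")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, CustomerName TEXT);
        CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, CustomerID INTEGER,
                             EmployeeID INTEGER, OrderDate TEXT, ShipperID INTEGER);
        CREATE TABLE Employees (EmployeeID INTEGER PRIMARY KEY, LastName TEXT, FirstName TEXT);
        """
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def inner_join(conn):
    # Only orders whose CustomerID exists in Customers: 37 and 77 drop out.
    return conn.execute(
        "SELECT Orders.OrderID, Customers.CustomerName FROM Orders "
        "INNER JOIN Customers ON Orders.CustomerID = Customers.CustomerID ORDER BY Orders.OrderID"
    ).fetchall()


def left_join(conn):
    # Every customer, with OrderID NULL where there is no order.
    return conn.execute(
        "SELECT Customers.CustomerName, Orders.OrderID FROM Customers "
        "LEFT JOIN Orders ON Customers.CustomerID = Orders.CustomerID ORDER BY Customers.CustomerName"
    ).fetchall()


def right_join(conn):
    # Orders RIGHT JOIN Employees is the same as Employees LEFT JOIN Orders: every employee kept.
    return conn.execute(
        "SELECT Orders.OrderID, Employees.LastName, Employees.FirstName FROM Employees "
        "LEFT JOIN Orders ON Orders.EmployeeID = Employees.EmployeeID "
        "ORDER BY Orders.OrderID, Employees.EmployeeID"
    ).fetchall()


def cross_join(conn, filtered=False):
    # Cartesian product: 3 customers x 3 orders = 9 rows; the WHERE turns it into the inner join.
    sql = "SELECT Customers.CustomerName, Orders.OrderID FROM Customers CROSS JOIN Orders"
    if filtered:
        sql += " WHERE Customers.CustomerID = Orders.CustomerID"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for name, fn in [("inner", inner_join), ("left", left_join), ("right", right_join)]:
        print(name, fn(db))
    print("cross", len(cross_join(db)), "rows; filtered:", cross_join(db, filtered=True))
```

The NULLs are where mistakes happen in practice: code that later filters a LEFT JOIN result with a condition on the right-hand table (for example, WHERE Orders.OrderDate > some date) silently turns it back into an inner join because NULL never satisfies the comparison.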
Database Security
• Database security includes a variety of measures
used to secure database management systems
from malicious cyber-attacks and illegitimate use.
• Database security programs are designed to
protect not only the data within the database, but
also the data management system itself, and every
application that accesses it, from misuse, damage,
and intrusion.
Database Security Threats
• Many software vulnerabilities, loopholes, misconfigurations or
careless practices can result in breaches.
• Below are examples of the best-known causes and types of database
security threats.
Insider Threats
An insider threat is a security risk from one of the following
three sources, each of which has privileged means of access to
the database:
• A malicious insider with ill intent (for example, industrial espionage)
• A negligent person within the organization who exposes the
database to attack through careless actions
• An outsider who obtains the database's credentials through
social engineering and uses them to gain access
An insider threat is one of the most common causes of database security breaches,
and it often occurs because too many employees have been granted privileged user
access.
Human Error
• Weak passwords, password sharing, and accidental erasure or
corruption of data are cited as the cause of nearly half of data
breaches.
Exploitation of Database Software Vulnerabilities
Attackers constantly look for vulnerabilities to target, and
database management software is a highly valuable target.
New vulnerabilities are discovered daily, and open source and
commercial database vendors issue security patches regularly.
However, if you do not apply these patches promptly, your database
remains exposed to attacks against flaws that are already public.
• Even if you apply patches on time, there is always the risk of zero-day attacks, in which
attackers exploit a vulnerability the database vendor has not yet discovered or patched.
SQL/NoSQL Injection Attacks
• A database-specific threat in which attacker-controlled strings
(SQL, or the query syntax of a NoSQL store) are inserted into the
queries an application sends to its database.
• Typically the strings arrive through web application forms or other
request parameters and are concatenated into the query text. Any
database system is vulnerable when an application builds queries this
way; regular vulnerability testing helps find such code, but the fix
is parameterized queries (see skill 1 above) and input validation,
not testing alone.
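As an added example (not from the original slides) serving both skill 1 above and this section, the code below builds the same query two ways against a constructed "Order" table in SQLite: once by string concatenation, the pattern an injection attack exploits, and once with the "?" parameter markers from skill 1, whose values are bound at runtime. The attack string is a classic tautology payload; the rows, the ATTACK_DATE value and the function names are assumptions for the demonstration.

```python
# Added example, not from the original slides, serving both skill 1 above and this section:
# the same query built by string concatenation (vulnerable) and with "?" parameter markers
# bound at runtime (safe), run against a constructed "Order" table in SQLite. ATTACK_DATE
# is a classic tautology payload; the rows are illustrative.
import sqlite3

COLUMNS = "Order_Number, Customer_Number, SalesPerson_ID, Order_Date"
ATTACK_DATE = "2000-01-01' OR '1'='1"  # typed into the "orders since" field of a web form


def make_db():
    conn = sqlite3.connect(":memory:")
    # "Order" is a reserved word, so the table name is quoted.
    conn.execute(f'CREATE TABLE "Order" ({COLUMNS})')
    conn.executemany(
        'INSERT INTO "Order" VALUES (?, ?, ?, ?)',
        [(1, 101, 7, "2024-03-01"), (2, 102, 7, "2024-03-20"), (3, 103, 9, "2024-03-25")],
    )
    conn.commit()
    return conn


def orders_vulnerable(conn, salesperson_id, since):
    """Vulnerable: user input becomes part of the SQL text and is parsed as SQL.
    Casting the integer field helps, but one unescaped string field is enough."""
    sql = (
        f'SELECT {COLUMNS} FROM "Order" '
        f"WHERE SalesPerson_ID = {int(salesperson_id)} AND Order_Date > '{since}'"
    )
    return conn.execute(sql).fetchall()


def orders_parameterized(conn, salesperson_id, since):
    """Safe: the SQL text is fixed; the driver sends the values separately, so they are
    compared as data and never interpreted as SQL (this is what the "?" markers are for)."""
    sql = f'SELECT {COLUMNS} FROM "Order" WHERE SalesPerson_ID = ? AND Order_Date > ?'
    return conn.execute(sql, (int(salesperson_id), since)).fetchall()


def demo():
    conn = make_db()
    return {
        "normal_vulnerable": orders_vulnerable(conn, 7, "2024-03-10"),
        "normal_parameterized": orders_parameterized(conn, 7, "2024-03-10"),
        # The payload rewrites the WHERE clause to
        #   SalesPerson_ID = 7 AND Order_Date > '2000-01-01' OR '1'='1'
        # and the OR branch matches every row, including another salesperson's orders.
        "attack_vulnerable": orders_vulnerable(conn, 7, ATTACK_DATE),
        # Same payload bound as a value: it is just an odd-looking date string.
        "attack_parameterized": orders_parameterized(conn, 7, ATTACK_DATE),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

Note that the parameterized version protects values only: table and column names, ORDER BY directions and similar structural parts of a statement cannot be bound, so if those must vary they have to be chosen from a fixed allow-list in the application, never taken from the request.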
Buffer Overflow Attacks
• A buffer overflow takes place when a process writes more data into a
fixed-length block of memory than it is sized to hold. The excess data
overwrites adjacent memory, and attackers craft it so that the
overwritten values (such as a return address or a function pointer)
hand control to code of their choosing, typically inside the database
server process itself.
Denial of Service (DoS/DDoS) Attacks
• In a DoS attack the attacker overwhelms the target, here the
database server, with a large volume of fake requests. The result is
that the server cannot serve genuine requests from real users, and
often crashes or becomes unstable. In a DDoS attack the requests come
from many sources at once, which makes them harder to filter.
Malware/spyware
• Malware is software written to take advantage of vulnerabilities
to cause harm to a database. Malware could arrive through any
endpoint device connected to the database’s network. Malware
protection is important on any endpoint, especially on database
servers, because of their high value and sensitivity.
An Evolving IT Environment
• The evolving IT environment is making databases more
susceptible to threats. Here are trends that can lead to new
types of attacks on databases:
• Growing data volumes—storage, data capture, and
processing is growing exponentially across almost all
organizations.
• Distributed infrastructure—network environments are
increasing in complexity, especially as businesses transfer
workloads to hybrid cloud or multi-cloud architectures,
making the deployment, management, and choice of
security solutions more difficult.
• Increasingly tight regulatory requirements: the worldwide
regulatory compliance landscape is growing in complexity, so
following all mandates is becoming more challenging.
• Cybersecurity skills shortage—there is a global
shortage of skilled cybersecurity professionals,
and organizations are finding it difficult to fill
security roles. This can make it more difficult to
defend critical infrastructure, including
databases.
How Can You Secure Your Database Server?
• A database server is a physical or virtual machine running the
database. Securing a database server, also known as "hardening", is a
process that includes physical security, network security, and secure
operating system configuration.
Ensure Physical Database Security
• Refrain from sharing a server between web applications and
database applications if your database contains sensitive data.
Although it can be cheaper and easier to host your site and database
together at a hosting provider, you are placing the security of your
data in someone else's hands, and a compromise of the web application
becomes a compromise of the host the database runs on.
• If you do rely on a web hosting service to manage your database,
make sure it is a company with a strong security track record.
Lock Down Accounts and
Privileges
• It is critical to ensure that every privileged account on a
database server is configured with a strong, unique
password. If accounts are not needed, they should be
deleted or locked.
• For the remaining accounts, access has to be limited to the
absolute minimum required. Each account should only have
access to the tables and operations (for example, SELECT or
INSERT) required by the user. Avoid creating user accounts
with access to every table in the database.
• Regularly Patch Database Servers
• Ensure that patches remain current. Effective database patch
management is a crucial security practice.
• Disable Public Network Access
• Organizations store their application data in databases, and in
most real-world scenarios the end user does not require direct access
to the database. You should therefore block all public network access
to database servers unless you are a hosting provider. Ideally, remote
administrators reach the database only through gateway servers (a VPN
or SSH tunnels), and the database listens only on internal interfaces.
• Encrypt All Files and Backups
• Irrespective of how solid your defenses are, there is always a
possibility that an attacker will get into your system, and there is
always the possibility that a malicious or careless insider will gain
access to a file they do not have permission to access. Encrypting
data files and backups at rest, with the keys kept separately from
the data, limits what a stolen file or backup tape reveals.
Database Security Best Practices
The following security measures are recommended:
• Strong passwords must be enforced
• Passwords must never be stored in plaintext or with reversible
encryption: store only salted hashes produced by a purpose-built
password hashing function (Argon2, bcrypt, scrypt or PBKDF2), so that
a stolen credential table cannot be reversed quickly
• Accounts must be locked following multiple failed login attempts
• Accounts must be regularly reviewed and deactivated if staff move
to different roles, leave the company, or no longer require the same
level of access
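As an added example (not from the original slides), the code below implements the password and lockout items of that list with Python's standard library: a per-user random salt, PBKDF2-HMAC-SHA256 with a deliberately high work factor, a constant-time comparison, equal CPU cost for unknown user names, and a lockout after MAX_FAILURES consecutive failures. The in-memory account store, the user names and the thresholds are assumptions; a real deployment would keep the same fields in a database table.

```python
# Added example, not from the original slides: salted password hashing with a deliberately slow
# KDF, constant-time comparison, and lockout after repeated failures, using only Python's
# standard library. The in-memory account store and the user names are constructed.
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000         # PBKDF2-HMAC-SHA256 work factor in the range OWASP recommends
MAX_FAILURES = 5             # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60
DUMMY_SALT = os.urandom(16)  # used so unknown user names cost the same time as real ones


def hash_password(password, salt=b""):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(store, username, password):
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def authenticate(store, username, password, now=None):
    """Return "ok", "locked" or "invalid" (the same word for a bad user and a bad password)."""
    now = time.time() if now is None else now
    rec = store.get(username)
    if rec is None:
        hash_password(password, DUMMY_SALT)  # burn the same CPU time: no user-enumeration oracle
        return "invalid"
    if now < rec["locked_until"]:
        return "locked"
    _, digest = hash_password(password, rec["salt"])
    if hmac.compare_digest(digest, rec["hash"]):  # constant-time, not ==
        rec["failures"] = 0
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failures"] = 0
    return "invalid"


if __name__ == "__main__":
    accounts = {}
    register(accounts, "aliyu", "correct horse battery staple")
    print(authenticate(accounts, "aliyu", "correct horse battery staple"))  # ok
```

Locking an account after failures protects it from guessing but also lets anyone who knows a user name lock that user out, so in practice the lockout is combined with per-source rate limiting and an alert rather than used alone.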
• Test Your Database Security
• Once you have put in place your database
security infrastructure, you must test it
against a real threat. Auditing or performing
penetration tests against your own database
will help you get into the mindset of a
cybercriminal and isolate any vulnerabilities
you may have overlooked.
• Use Web Application and Database Firewalls
• You should use a firewall to protect your database server from
network-level threats. The firewall should deny all traffic by default
and permit only the application and administration hosts that need to
reach the database port. It should also stop the database server from
starting outbound connections unless there is a specific reason for
them, which limits what an attacker can do from a compromised server.
• As well as safeguarding the database with a network firewall, you
should deploy a web application firewall (WAF). Attacks aimed at web
applications, including SQL injection, travel inside legitimate HTTP
requests and reach the database through the application itself, so a
network firewall cannot see them.
• Use Real-Time Database Monitoring
• Continually monitoring your database for breach attempts
improves your security posture and lets you react rapidly to
possible attacks.
• In particular, File Integrity Monitoring (FIM) can help you log
changes to the database server's files and alert you to potential
breaches. When FIM detects a change to important database files
(server binaries, configuration, data files), make sure security
teams are alerted and able to investigate and respond to the threat.
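As an added example (not from the original slides), the code below is a minimal file integrity monitor of the kind that sentence describes: it records a baseline of content hash, size and permission bits for a set of files, then reports any that changed or disappeared. The two watched files are constructed in a temporary directory to stand in for a database's configuration file and data file; the file names, contents and the check function are assumptions for the demonstration.

```python
# Added example, not from the original slides: a minimal file integrity monitor. It records a
# baseline (SHA-256, size, permission bits) for a set of files and later reports files that
# changed or disappeared. The two files it watches are constructed in a temporary directory
# to stand in for a database's config file and data file; in production the baseline would be
# stored off-host so an attacker on the server cannot rewrite it along with the files.
import hashlib
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Content hash plus size and mode; mtime is omitted because an attacker can reset it."""
    return {
        p: {"sha256": file_sha256(p), "size": os.path.getsize(p), "mode": os.stat(p).st_mode}
        for p in paths
    }


def check_integrity(baseline):
    """Return (path, reason) alerts; an empty list means nothing changed."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
            continue
        st = os.stat(path)
        if st.st_mode != expected["mode"]:
            alerts.append((path, "permissions changed"))
        if st.st_size != expected["size"] or file_sha256(path) != expected["sha256"]:
            alerts.append((path, "content changed"))
    return alerts


def fim_demo():
    """Baseline two constructed files, tamper with both, and return what the check reports."""
    workdir = tempfile.mkdtemp()
    cnf = os.path.join(workdir, "my.cnf")
    data = os.path.join(workdir, "users.db")
    with open(cnf, "w") as f:
        f.write("[mysqld]\nbind-address=127.0.0.1\nlocal-infile=0\n")
    with open(data, "wb") as f:
        f.write(b"SQLite format 3\x00" + b"\x00" * 64)  # constructed stand-in, not a real DB

    baseline = take_baseline([cnf, data])
    clean = check_integrity(baseline)

    os.remove(cnf)                  # configuration file removed
    with open(data, "ab") as f:
        f.write(b"\x01")            # data file altered
    tampered = check_integrity(baseline)
    return {
        "clean": clean,
        "after_tamper": [(os.path.basename(p), reason) for p, reason in tampered],
    }


if __name__ == "__main__":
    print(fim_demo())
```

Data files of a running database change constantly, so in practice FIM is pointed at the server binaries, configuration, startup scripts and credential files, while the data files are covered by the database's own audit log.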
