Microsoft Word - COMP440_Proj_Spring2022- Phase 1.docx
For all parts of this project, your system must be application or web-based. Some simple GUI interfaces are required for each functionality. All functionality must be performed via the interface of your system; direct SQL statement execution via any tools (MySQL workbench) is not allowed.

Using Java/C#/PHP/Python and SQL, implement the following functionality:
1. (5 pts) Create a database schema and implement a user registration and login interface so that only a registered user can log in to the system. The schema of the user table should be: user(username, password, firstName, lastName, email)
username is the primary key, and email should be unique. You have to prevent SQL injection attacks. There is an attached PDF file about SQL injection attacks.
2. (5 pts) Sign up a new user with information such as: username, password, password confirmation, first name, last name, email. A duplicate username or email should be detected and cause the signup to fail. Mismatched passwords should be detected as well.

3. (10 pts) Implement a button called “Initialize Database.” When a user clicks it, all necessary tables will be created (or recreated) automatically. You should use the username “comp440” and possibly password “pass1234”.
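As an added illustration of steps 1 and 2 (this is not part of the assignment handout), the following sqlite3 sketch creates the user table with the required key and uniqueness constraints, performs the signup checks, and logs a user in by binding the username as a query parameter rather than pasting it into the SQL. The in-memory database and the choice to keep a salted PBKDF2 hash in the password column instead of the clear-text password are assumptions made here.

```python
import hashlib
import hmac
import os
import sqlite3

# Schema from the assignment: user(username, password, firstName, lastName, email),
# username as primary key and email unique. Storing a salted PBKDF2 hash in the
# password column (instead of the clear-text password) is an assumption added here.
SCHEMA = """CREATE TABLE IF NOT EXISTS user (
    username TEXT PRIMARY KEY, password TEXT NOT NULL,
    firstName TEXT NOT NULL, lastName TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE)"""


def init_db():
    """'Initialize Database' button: (re)create the tables in a fresh in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("DROP TABLE IF EXISTS user;" + SCHEMA)
    return conn


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def register(conn, username, password, confirm, first, last, email):
    """Signup with the checks the assignment asks for; returns a status string."""
    if password != confirm:
        return "password mismatch"
    # Every lookup binds the form text as a parameter, so a quote or keyword typed
    # into the form reaches the engine as data, never as part of the statement.
    if conn.execute("SELECT 1 FROM user WHERE username = ?", (username,)).fetchone():
        return "duplicate username"
    if conn.execute("SELECT 1 FROM user WHERE email = ?", (email,)).fetchone():
        return "duplicate email"
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?, ?)",
                 (username, hash_password(password), first, last, email))
    return "ok"


def login(conn, username, password):
    """Fetch the stored hash by bound username, then compare in constant time."""
    row = conn.execute("SELECT password FROM user WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt = bytes.fromhex(row[0].split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), row[0])
```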

Hint:
1) For step 2, you can use the attached university.sql for now. Later you will replace this .sql script file with the SQL file of your project database. Open the university.sql file in any text editor and change the database name in line 20. Make sure the database name is the same as the database of step 1 (user registration and login).
2) In this project you are allowed to find and reuse code; however, make sure to cite the original source.

Submit your work in the two steps below:
1. The source code package. All files (source code, class files, bat, and txt) should be contained in a war or zip file called comp440_xx_part1.zip, where xx is your team name.
2. Create slides for your presentation. Use a recorder (https://www.apowersoft.com/free-online-screenrecorder) and send me your video. I only need you to record your screen and your voice for the project demo, not your face. If you are not comfortable recording your voice, please create slides for the project demo with speaker notes so that I can do the presentation myself.

CS327E: Elements of Databases
Cybersecurity and SQL Injection
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin
Last updated: October 31, 2016 at 12:21
CS327E SQL Injection Slideset: 1 SQL Injection
What I’d Like to Discuss
Why cyber security is important
Why cyber security is hard
SQL Injection

From the Headlines
Silent War, Vanity Fair, July 2013
On the hidden battlefields of history’s first known cyber-war, the casualties are piling up. In the U.S., many banks have been hit, and the telecommunications industry seriously damaged, likely in retaliation for several major attacks on Iran.
Washington and Tehran are ramping up their cyber-arsenals, built on a black-market digital arms bazaar, enmeshing such high-tech giants as Microsoft, Google, and Apple.

From the Headlines
U.S. Not Ready for Cyberwar Hostile Attackers Could Launch, The Daily Beast, 2/21/13
Leon Panetta says future attacks could plunge the U.S. into chaos. We’re not prepared. If the nightmare scenario becomes suddenly real ... If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ...
If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber-Pearl Harbor.”

The U.S. at Risk?
Experts believe that the U.S. is perhaps particularly vulnerable to cyberattack compared to many other countries. Why?
The U.S. is highly dependent on technology.
Sophisticated attack tools are easy to come by.
A lot of critical information is available on-line.
Critical infrastructure may be accessible remotely.
Other nations exercise more control over information and resources.

How Bad Is It?
Cyberwarfare greater threat to US than terrorism, say security experts, Al Jazeera America, 1/7/14
Cyberwarfare is the greatest threat facing the United States — outstripping even terrorism — according to defense, military, and national security leaders in a Defense News poll.
45 percent of the 352 industry leaders polled said cyberwarfare is the gravest danger to the U.S., underlining the government’s shift in priority—and resources—toward the burgeoning digital arena of warfare.

Is Cyber Security Particularly Hard?
Why would cybersecurity be any harder than other technological problems?
Partial answer: Most technological problems are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen. To ensure that, you have to know what all the bad things are!

Cyber Defense is Asymmetric
In cybersecurity, you have to defeat an actively malicious adversary. The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!

Cyber Security is Tough
Perfect security is unachievable in any useful system. We trade off security with other important goals: functionality, usability, efficiency, time-to-market, and simplicity.

Is It Getting Better?
“The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris (mid 1980’s), former chief scientist of the National Computer Security Center
“Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang (2009), former director of research at NSA

Some Sobering Facts
There is no completely reliable way to tell whether a given piece of software contains malicious functionality.
Once PCs are infected they tend to stay infected. The median length of infection is 300 days.
“The number of detected information security incidents has risen 66% year over year since 2009. In the 2014 survey, the total number of security incidents detected by respondents grew to 42.8 million around the world, up 48% from 2013—an average of 117,339 per day.” (CGMA Magazine, 10/8/2014)

The Cost of Data Breaches
The Privacy Rights Clearinghouse’s Chronology of Data Breaches (January, 2012) estimates that more than half a billion sensitive records have been breached since 2005. This is actually a very “conservative estimate.”
The Ponemon Institute estimates that the approximate current cost per record compromised is around $318.
“A billion here, a billion there, and pretty soon you’re talking real money” (attributed to Sen. Everett Dirksen)

How Bad Could it Be?
Some security experts warn that a successful widespread attack on U.S. computing infrastructure could largely shut down the U.S. economy for up to 6 months.
It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD—the equivalent of 50 major hurricanes hitting U.S. soil at once. (Source: US Cyber Consequences Unit)

Cyberattacks: An Existential Threat?
Cyberattacks an ’Existential Threat’ to U.S., FBI Says, Computerworld, 3/24/10
A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.”
According to Steven Chabinsky, deputy assistant director of the FBI’s cyber division: “The cyber threat can be an existential threat—meaning it can challenge our country’s very existence, or significantly alter our nation’s potential.”

Structure of an SQL Injection

What is SQL Injection?
An SQL injection is a vulnerability that results when you give an attacker the ability to influence the SQL queries that you pass to the database.
They’ve been around a long time. In 1998, Rain Forest Puppy wrote an article for Phrack titled “NT Web Technology Vulnerabilities” that first highlighted SQL injection attacks.

Web Application Structure
Most Web applications are interactive, accepting input from the user. Many are also database driven, meaning that they query a database in response to user input.
Web applications often have three tiers:
1. presentation tier: interface (e.g. web browser) accepting user inputs;
2. middle (logic) tier: services user requests by presenting queries to the database;
3. data tier: database processing queries from the logic tier.

Accepting User Input
Many web applications accept user input from online forms, search boxes, etc. The user is free to type in any ASCII text. The application interprets that text to generate an appropriate response.

Simple SQLi Example
Scenario 1: an online retailer provides an option to search for products of interest, including those less than a given price.
E.g. to view all products of cost less than $100, the user inputs:
Products: all
Cost below: 100
In response, the interface produces the URL:
http://www.dupe.com/products.php?val=100

Simple SQLi Example
In response to this http request
http://www.dupe.com/products.php?val=100
the middle layer code (products.php) generates a query to the data layer:
SELECT *
FROM Products
WHERE Price < '100'
ORDER BY ProductDescription;

Simple SQLi Example (Continued)
But suppose the attacker types:
Products: all
Cost below: 100' OR '1'='1
The system generates the following http request:
http://www
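The products.php lookup from the slides, rendered as an added Python/sqlite3 example (this is not code from the slideset): the first function builds the statement by concatenation exactly as the slides describe, so the "100' OR '1'='1" input turns the WHERE clause into a tautology and every row comes back; the second validates the parameter as a price and binds it, so the same input is rejected before any query runs. The sample catalogue and the in-memory database are constructed for the example.

```python
import math
import sqlite3

# Constructed sample catalogue standing in for the retailer's Products table.
SAMPLE_PRODUCTS = [("desk lamp", 35.0), ("office chair", 250.0),
                   ("monitor", 180.0), ("mouse", 20.0)]


def make_db():
    """Build the in-memory Products table used by both search functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductDescription TEXT, Price REAL)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, val):
    """products.php as the slides describe it: the request parameter is pasted into
    the statement text, so quotes inside `val` rewrite the WHERE clause itself."""
    sql = ("SELECT * FROM Products WHERE Price < '" + val + "' "
           "ORDER BY ProductDescription;")
    return conn.execute(sql).fetchall()


def search_safe(conn, val):
    """Hardened lookup (added here): check that the parameter really is a price,
    then bind it, so the engine only ever sees a number to compare against."""
    try:
        price = float(val)
    except ValueError:
        raise ValueError("Cost below must be a number, got %r" % val) from None
    if not math.isfinite(price) or price < 0:
        raise ValueError("Cost below must be a non-negative amount")
    sql = "SELECT * FROM Products WHERE Price < ? ORDER BY ProductDescription;"
    return conn.execute(sql, (price,)).fetchall()
```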