Anda di halaman 1dari 43

Introduction to SQL

Michael Adesoji Adegunwa, Oracle Certified DBA

At the end of the training, the participants should be able to Understand structured query language Understand database management system Understand oracle SQL Extract and analyze data with SQL Interrogate data using SQL Audit and query the database Use real online monitoring of database.

Introduction SQL The Query Language statements The Data Manipulation Language (DML) Statements. The Data Control Language (DCL) statements.

Introduction - SQL
What is SQL? SQL is a database special-purpose language used to: Retrieve data from a database e.g. Select statement. Manipulate data that is stored in a database e.g. Insert, update, delete statements. Define objects that will be stored in the database e.g. create table, create view statements. Control access to data in a database e.g. create user, grant <privileges> statements.

Introduction SQL contd

The Relational database. SQL is the standard language that is used to work with a relational database. Example of relational databases are Oracle, Microsoft SQL server and MS Access. A relational database is a database that has is data stored in tables (Relation). A table consist of rows and columns. A column represents attributes/properties of an entity. e.g. A customers table will have columns like customer id, customer name, phone, address e.t.c. Each column must have a data type to indicate the type of data it can take e.g. Number, text, varchar2 A row represents a particular entitys record for which data is stored. A relational database does not only contain tables, it contains other database objects like views, indexes and the data dictionary.


Attributes/Fields correspond to a column in a table. Tuples/Records correspond to a row in a table Primary key uniquely identifies each row in a table and assists with indexing of the table by the DBMS. Foreign key is an attribute or combination in one table whose value must match those of a primary key in another table other wise the value is null. It keeps link tables together. Schema A collection of database objects that belongs to a particular user.

Views- filters the data available in a table so that the user only sees what they need to see or what they are allowed to see. An index is a database structure designed to reduce the amount of time necessary to retrieve one or more rows from a table. Data Dictionary: Contains information about the entire database. Data type A type of allowed data. Every table column has an associated data type that restricts (or allows) specific data in that column

2. The Query Language statements (QL)

Query language statements are used to retrieve data from the database. The principal query language clause is the SELECT clause, which is used to retrieve the data. other QL clauses that can be used in conjunction with a SELECT clause are where, order by, having and group by clauses.

The SELECT statement

Its purpose is to retrieve information from one or more tables. The most basic SELECT syntax can be described as follows:
SELECT {* | [DISTINCT] column1,column2,.. | expression [alias], ...} FROM tablename; you use the * character to view all columns in tablename. Example 1: Select * from emp; Example 2: Select empID,ename,job From emp;

The SELECT statement contd

The WHERE clause
Within a SELECT statement, data is filtered by specifying a search condition in the WHERE clause. The WHERE clause is specified right after the table name (the FROM clause) as follows: Example:
Select empNo, ename, job from emp where ename = KING;

The SELECT statement contd

The ORDER BY clause
Within a SELECT statement, data is sorted by specifying a sort condition in the ORDER BY clause. The ORDER BY clause is specified right after the table name (the FROM clause) or after the where clause if it is used. The asc for ascending and the desc for descending can be used with the order by clause to specify the sort order of the returned result. Example 1:
Select empno, ename, job from emp order by ename asc;

Example 2:

Select empno, ename, job from emp where job = Auditor order by empno desc;

Using Aggregate functions

Aggregate Functions are Functions used in a Select statement that operate on a set of rows and return a single value for all the rows. Examples are:

AVG(Column_name) COUNT(*), COUNT(Column_name) MAX(Column_name)

Returns a column's average value Returns the number of rows in a table. Returns the number of rows in a column ignoring null values. Returns a column's highest value


Returns a column's lowest value

Returns the sum of a column's values

Using Aggregate functions contd

Examples: 1. SELECT AVG(prod_price) AS avg_price FROM Products; 2. SELECT COUNT(*),COUNT(sale_price) FROM cust_order; 3. SELECT SUM(sal) AS sal_total FROM emp;

Using the GROUP BY Clause

The GROUP BY clause, along with the aggregate functions, groups a result set into multiple groups, and then produces a single row of summary information for each group. For example, if you want to find the total number of orders for each customer, execute the following query:

SELECT cust_nbr, COUNT(order_nbr) FROM cust_order GROUP BY cust_nbr;

Using the HAVING Clause

The HAVING clause is closely associated with the GROUP BY clause. The HAVING clause is used to put a filter on the groups created by the GROUP BY clause. If a query has a HAVING clause along with a GROUP BY clause, the result set will include only the groups that satisfy the condition specified in the HAVING clause. Example: SELECT COMM, COUNT(COMM) FROM BONUS GROUP BY COMM HAVING COMM < 50000;

Using Joins
A join query extracts information from two or more tables or views. A join query differs from a regular query in at least the following two ways: The FROM clause of a join query refers to two or more tables or views. A condition is specified in the join query (known as join condition) that relates the rows of one table to the rows of another table. The following example illustrates a simple join query: SELECT EMPNO, JOB, DEPTNO FROM EMP DEPT

3. The Data Manipulation Language (DML) Statements.

DML commands are the SQL statements that can change the values in database tables, as opposed to merely reading them, as SELECT statements do. The common DML statements are the INSERT, UPDATE and DELETE statements.

The INSERT statement

An insert statement will insert one row into a database table. The basic INSERT syntax: INSERT INTO tablename [(column1 [, column2 ...])] VALUES (value1 [, value2 ... ]); Example: insert into emp (EMPNO, ENAME, JOB, MGR, HIREDATE, SAL, COMM, DEPTNO) values (7878, QUEEN, PRESIDENT, NULL, 15-AUG-2004,7500, NULL, 10);

You can also use this syntax Insert into DEPT values ( 59, NULL, JOS) Then a row will be inserted as you view with Select * from dept;

The UPDATE statement

An UPDATE statement will change one or more rows in a database table. The basic form of an UPDATE statement must specify which table to update, which to change, and, optionally, whether to change all the rows in the table or just a few. The syntax is as follows: UPDATE tablename SET column = value [ , column = value, ...] [WHERE condition]; Example: update EMP set ENAME = bola where ENAME = SCOTT;

The DELETE statement

The DELETE statement will remove rows from a database table. You can delete all rows or use a WHERE clause to specify rows, similar to the UPDATE statement. Heres the syntax: DELETE [FROM] tablename [WHERE condition]; The FROM keyword is optional. Example: DELETE FROM emp WHERE empNO = 7499;

4. The Data Control Language (DCL) statements.

DCL statements are used to create users, grant, alter or take away privileges to database objects or privileges to perform certain actions by the users. Some DCL statements are: Create user, grant <privileges> to, revoke <privileges> from, drop user.

A user can be created for a database with the following syntax: CREATE USER userid IDENTIFIED BY password; eg create user bayo identified by bayo; A users password can be altered for a database with the following syntax: ALTER USER userid IDENTIFIED BY NEW password; eg Alter user bayo identified by mark; A user can be dropped from a database with the following syntax: DROP USER userid cascade; The cascade keyword is used to ensure that all the objects already in the users schema are dropped as well. Without this only the user will be dropped.

Create, Alter and drop user statements

The right to perform a specific action in the database, granted by the DBA or other database users. Privileges are rights to execute specific SQL statements. The DBA grants privileges to user accounts to control what users can do in the database. Not all relational databases support the use of privileges e.g. MS Access. However Oracle supports two kinds of privileges : system privileges and object privileges.

Granting and Revoking Privileges

The GRANT command is used to assign system and object privileges to a user. The REVOKE command removes privileges from a user. Roles provide an easy way to group privileges together and assign them to one or more users in the database.

System Privileges (Oracle) They allow users to perform a specific action on one or more database objects or users in the database. There are more than 160 system privileges available in the Oracle 10g database. Typically, system privileges will fall into two general categories: DBA privileges and user privileges. There is no distinction at the database level between these two types of system privileges. In general, system privileges that can affect the database as a whole are considered to be DBA privileges while the ones that can affect only a users schema are user privileges. System privileges are granted with the GRANT command, which has the following syntax: GRANT create user, audit any to mami with admin option;

System Privileges

System Privileges contd

The following are typical Oracle DBA privileges:

System Privilege

Create a new database user


Remove a database user Create a new table in any schema Turn on or turn off database auditing

System Privileges contd

The following are typical Oracle user privileges:

System Privilege

Establish a connection to the database Create a table in the users schema Create a stored function or procedure


System Privileges contd

System privileges can be revoked using the SQL statement REVOKE. The syntax for revoking system privileges is:REVOKE {system_privilege|role} [, {system_privilege|role} ]... FROM {user|role|PUBLIC} [, {user|role|PUBLIC} ]... Eg revoke create session from temi;

Object Privileges
Object Privileges Privileges that allow users to manipulate the contents of database objects in other users schemas. Object privileges are granted on schema objects such as tables and stored procedures. They are granted to a username in a different schema. In other words, the owner of an object in a schema has all privileges on the object and can grant privileges on the object to another user.

Object Privileges contd

The following are typical Oracle object privileges:

Object Privilege

Read (query) access on a table Update (change) rows in a table or view Delete rows from a table or view Add rows to a table or view


Create an index on a table

Run (execute) a stored procedure or function

Object Privileges contd

Object privileges are granted with a GRANT statement similar to that for granting system privileges: GRANT obj_privilege [(column_list)] [, obj_privilege ...] ON schema.object TO user [, user, role, PUBLIC ...] [WITH GRANT OPTION]; eg Grant Select Update Delete on Schema To Mami with admin option; The column_list parameter is used if the object is a table and only certain columns of the table are made available for updating by other users. The WITH GRANT OPTION clause allows the grantee to pass the privilege on to yet another user.

Object Privileges contd

The REVOKE statement is used to revoke object privileges. The syntax for revoking object privileges is: REVOKE { object_privilege [, object_privilege ]... | ALL [PRIVILEGES] } ON [schema.] object FROM {user|role|PUBLIC} [, {user|role|PUBLIC} ]... Note that the syntax requires an ON keyword unlike the syntax for revoking system privileges.

Creating and Assigning Roles

A role is a named group of privileges. Using roles makes it easy for the DBA to grant groups of privileges to users. Granting a role takes a lot fewer steps than granting individual privileges. The privileges granted to the role can be a combination of system and object privileges. A user may be granted more than one role in addition to any system or object privileges granted directly. Roles are created with the CREATE ROLE statement. The basic syntax for CREATE ROLE is as follows: CREATE ROLE <rolename>; The role can then be granted to a user with the syntax: Grant <rolename> to user;

Obtaining Privileges Information

Information about privileges can be obtained from the following oracle data dictionary views:


lists system privileges granted to users and roles lists the privileges that are currently available to the user lists all grants on all objects in the database


describes all object column grants in the database.

Obtaining Privileges Information contd

To check the roles granted to the USER1 user, we can run the following query against the DBA_ROLE_PRIVS data dictionary view: select grantee, granted_role from dba_role_privs where grantee = USER1'; To find out which privileges are assigned to the role RESOURCE, We run another query against the ROLE_TAB_PRIVS data dictionary view: select role, owner, privilege from role_tab_privs where role=RESOURCE';

Preliminary Audit Steps

Gain an understanding of the Database environment. a) Obtain the following important information about the Database environment: Version and release of the Database software and related tools (Oracle Enterprise Manager, Oracle Advanced Security Option, etc.) that are implemented Version and release of the underlying operating system Total number of named users (for comparison with logical access security testing results) Number of database instances Applications and related versions accessing the database (e.g., ERP, web, custom) Utilities used to logon and manage the database

Preliminary Audit Steps

Details of the risk assessment approach taken in the organization to identify and prioritize risks Copies of the organizations key security policies and standards Organization charts identifying system owners and maintainers Outstanding audit findings, if any, from previous years b) Interview database administrators (DBA) to determine the following: The level of overall security awareness and knowledge of corporate policies and procedures The skillset of the DBAs and the training programs in place to keep their technical skills up-to-date Current processes and tools in place to maintain the security of the database

Security Monitoring
Processes are in place to regularly monitor security on the system.
Discuss with the DBAs their processes for monitoring key database functions and security-related events to determine if system activity is regularly monitored. Obtain from the DBAs any reports or queries that are used to monitor the system. Discuss with the DBAs the level of auditing that is performed on users actions. Review the setting for the AUDIT_TRAIL parameter in the init<SID>.ora file to determine if auditing is enabled. Review the retention policy on audit trails and logs. Discuss with the DBAs procedures for monitoring sensitive accounts and privileges. Review the output of the following query to determine if updates made by the DBAs account are monitored: SELECT * FROM SYS.DBA_STMT_AUDIT_OPTS;

Security Monitoring
Review the output of the following query to determine auditing in place for all system-level privileges: SELECT * FROM DBA_PRIV_AUDIT_OPTS; Review the output of the following query to determine if statement-level auditing is enabled: SELECT * FROM DBA_STMT_AUDIT_OPTS; Review the output of the following query to determine auditing in place for database objects: SELECT * FROM DBA_OBJ_AUDIT_OPTS; Discuss with the DBA where audit trails are stored and how that location is secured from tampering.

Security Monitoring
Discuss with the DBA the process for monitoring errors in the alert log and the process for monitoring the creation of trace files. Determine the procedures used for reviewing inactive profiles. Verify the process by reviewing the last login dates of a user list to determine if any accounts have been inactive for more than 60 days or the maximum required by corporate policy. Review the process for monitoring unexpected database start ups and shutdowns. Obtain a list of triggers in the database and discuss with the DBA how they are used to monitor the database.

Logical Security
Appropriate account and password controls in place
Discuss with the DBA procedures used to log onto the system. Ensure that DBA does not use the CONNECT INTERNAL option to connect to the database. Ensure that each DBA uses a unique account to log on and administer the database. Obtain a list of users by executing the following command: SELECT * FROM DBA_USERS; Obtain the settings for the default profile (obtain settings for customized profiles if they are used): SELECT * FROM DBA_PROFILES; Review the list of users to ensure that generic accounts are not used (e.g., test, guest or shared accounts).

Logical Security
Review the list to ensure that default accounts and passwords are not used. Verify this by attempting to log onto the database using the default accounts and passwords. Review the list of users to ensure that profiles are appropriately assigned to accounts. Discuss with the DBA the process for establishing an initial password. Ensure that generic or passwords that can be easily guessed are not used. Review the following profile settings to ensure that password controls and resource limits are in place:

Logical Security