7 Using the Database To Do Too Much
For many years Sun's tagline was "the network is the computer." Looking at some of the latest database products, you can't help but wonder whether the vendors think that "the database is the computer." Well, it's not, and it should not be used as such. The database is not an operating system. It is not a Web server. It is not an application server. It is not a Web services provider. It is a database, and managing data is hard enough.

In this chapter you'll see many of the advanced features that databases offer today: features that let you call functions deployed on the operating system through the database, call stored procedures through a Web interface, and more. These features will become increasingly mainstream, even though from a security perspective they introduce additional problems and complexity. The goal of this chapter is to make you aware of the risks, to convince you to stay away from some of the more dangerous features, and to give you enough information so that, if you decide to enable them anyway, you pay closer attention to their security aspects.
7.1 Don't use external procedures
All databases have a query language and a procedural language (well, almost all of them: MySQL before version 5 actually doesn't have the latter). Each of the procedural languages of the main database servers is highly functional and robust. In addition, all of the databases ship with a large set of built-in procedures that you can use when writing programs. However, the database vendors often go an extra step and provide mechanisms for invoking functions that reside outside the database runtime, such as native code in a shared library or a program on the host. Such code runs outside the database's own privilege model, typically with the operating-system privileges of the database server process rather than the database privileges of the user who called it, and this is the root of the elevated-privilege problems you'll see in the next few sections.
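As a concrete illustration of the kind of mechanism the section warns about, the following checks inventory the external functions (UDFs loaded from shared libraries) registered in a MySQL 5.x server, list the accounts that could register more, and remove one that is not needed. This is an added example, not code from the book; it assumes the mysql.func and mysql.user system tables of MySQL 5.x, and my_external_fn is a hypothetical function name standing in for whatever the inventory turns up.

```sql
-- Inventory of external (UDF) functions loaded into a MySQL 5.x server.
-- Each row is a function resolved from a shared library (dl column) on the
-- server host, i.e. native code executing inside the database process
-- with the database server's operating-system privileges.
SELECT name, ret, dl, type
FROM mysql.func;

-- Accounts that could register new UDFs: registering one requires INSERT
-- on the mysql.func table (the global Insert_priv covers it; a table-level
-- grant on mysql.func would too), and the FILE privilege is what lets an
-- account write a library onto the server's filesystem in the first place.
SELECT user, host, Insert_priv, File_priv
FROM mysql.user
WHERE Insert_priv = 'Y' OR File_priv = 'Y';

-- Remove an external function that the application does not need.
-- 'my_external_fn' is a hypothetical name for this example.
DROP FUNCTION IF EXISTS my_external_fn;
```

Run the two SELECTs as part of a periodic configuration review: an unexpected row in mysql.func, or a non-administrative account with File_priv = 'Y', is exactly the elevated-privilege exposure this section is about.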