CSE 412 Database Management

Lecture 11
SQL
Jia Zou
Arizona State University

1
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
2
INSERT
• Insert one row
• INSERT INTO Member VALUES (789, 'dps’);
• User 789 joins Dead Putting Society
• Insert the result of a query
• INSERT INTO Member
(SELECT uid, 'dps’
FROM User
WHERE uid NOT IN
(SELECT uid FROM Member WHERE gid = 'dps'));
• Everybody joins Dead Putting Society!

3
Update
• Example: User 142 changes name to “Barney”
• UPDATE User
SET name = 'Barney’
WHERE uid = 142;
• Example: We are all popular!
• UPDATE User
SET pop = (SELECT AVG(pop) FROM User);
• But won’t update of every row causes average pop to change?
ØSubquery is always computed over the old table

4
Delete
• Delete everything from a table
• DELETE FROM Member;
• Delete according to a WHERE condition
Example: User 789 leaves Dead Putting Society •
• DELETE FROM Member
WHERE uid = 789 AND gid = 'dps’;
• Example: Users under age 18 must be removed from United Nuclear
Workers
• DELETE FROM Member
WHERE uid IN
(SELECT uid FROM User WHERE age < 18)
AND gid = 'nuk';

5
Example

6
Import from csv file or text file

Much faster
than
executing a
large batch of
insertion
statements.
7
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
8
Views
• A view is like a “virtual” table
• Defined by a query, which describes how to compute the view contents on
the fly
• DBMS stores the view definition query instead of view contents
• Can be used in queries just like a regular table

9
Creating and dropping views
• Example: members of Jessica’s Circle
• CREATE VIEW JessicaCircle AS
SELECT * FROM User
WHERE uid IN (SELECT uid FROM Member
WHERE gid = 'jes’);
• Tables used in defining a view are called “base tables”
• User and Member above
• To drop a view
• DROP VIEW JessicaCircle;

10
Using views in queries
• Example: find the average popularity of members in Jessica’s Circle
• SELECT AVG(pop)
FROM JessicaCircle;
• To process the query, replace the reference to the view by its definition
• SELECT AVG(pop)
FROM (SELECT * FROM User
WHERE uid IN
(SELECT uid FROM Member WHERE gid = 'jes’))
AS JessicaCircle;
11
Why using views
• To hide data from users
• To hide complexity from users
• Logical data independence
• If applications deal with views, we can change the underlying schema without
affecting applications
• Recall physical data independence: change the physical organization of data
without affecting applications
• To provide a uniform interface for different implementations or
sources
ØReal database applications use tons of views
12
Modifying views
• Does it even make sense, since views are virtual?
• It does make sense if we want users to really see views as tables
• Goal: modify the base tables such that the modification would appear
to have been accomplished on the view

13
A simple case
• CREATE VIEW UserPop AS
SELECT uid, pop FROM User;

DELETE FROM UserPop WHERE uid = 123;

translates to:

DELETE FROM User WHERE uid = 123;

14
An impossible case
• CREATE VIEW PopularUser AS
SELECT uid, pop FROM User
WHERE pop >= 0.8;

INSERT INTO PopularUser

VALUES(987, 0.3);
• No matter what we do on User, the inserted row will not be in
PopularUser

15
A case with too many possibilities
• CREATE VIEW AveragePop(pop) AS
SELECT AVG(pop) FROM User;
• Note that you can rename columns in view definition

UPDATE AveragePop SET pop = 0.5;

• Set everybody’s pop to 0.5?
• Adjust everybody’s pop by the same amount?
• Just lower Jessica’s pop?

16
SQL92 updateable views
• More or less just single-table selection queries
• No join
• No aggregation
• No subqueries
• Arguably somewhat restrictive
• Still might get it wrong in some cases
• See the slide titled “An impossible case”
• Adding WITH CHECK OPTION to the end of the view definition will make
DBMS reject such modifications

17
Example

18
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Indexes

19
Indexes
• An index is an auxiliary persistent data structure
• Search tree (e.g., B+-tree), lookup table (e.g., hash table), etc.
Ø More on indexes later in this course!
• An index on R.A can speed up accesses of the form
• R.A = value
• R.A > value (sometimes; depending on the index type)
• An index on (R.A1, …, R.An) can speed up
• R.A1 = value1∧ … ∧ R.An = valuen
• (R.A1 , …, R.An) > (value1, …, valuen)(again depends)
Ø Ordering of index columns is important—is an index on (R.A, R.B)
equivalent to one on (R.B, R.A)?
Ø How about an index on R.A plus another on R.B?

20
Examples of using indexes
• SELECT * FROM User WHERE name = 'Bart’;
• Without an index on User.name: must scan the entire table if we store User as a flat
file of unordered rows
• With index: go “directly” to rows with name='Bart’
• SELECT * FROM User, Member
WHERE User.uid = Member.uid
AND Member.gid = 'jes’;
• With an index on Member.gid or (gid, uid): find relevant Member rows directly
• With an index on User.uid: for each relevant Member row, directly look up User rows
with matching uid
• Without it: for each Member row, scan the entire User table for matching uid
• Sorting could help

21
Creating and dropping indexes in SQL
CREATE [UNIQUE] INDEX indexname ON
tablename (columnname1,…,columnnamen);
• With UNIQUE, the DBMS will also enforce that
(columnname1,…,columnnamen) is a key of tablename
DROP INDEX indexname;

• Typically, the DBMS will automatically create indexes for PRIMARY KEY
and UNIQUE constraint declarations

22
Example
• Without Indexing on l_quantity

23
Example
• Creating Index

24
Example
• With Indexing on l_quantity

25
Choosing indexes to create
• More indexes = better performance?
• Indexes take space
• Indexes need to be maintained when data is updated
• Indexes have one more level of indirection
ØOptimal index selection depends on both query and update workload
and the size of tables
• Automatic index selection is now featured in some commercial DBMS

26
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Indexes
• Transaction
• Discretionary Access Control

27
Transaction
• To guarantee the atomicity of multiple modification queries

BEGIN;
UPDATE accounts SET balance = balance - 100.00 WHERE
name = 'Alice’;
UPDATE accounts SET balance = balance + 100.00
WHERE name = 'Wally’;
COMMIT;

28
Example

29
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Transaction
• Discretionary Access Control

30
GRANT Command
• GRANT privileges ON object TO users [WITH GRANT OPTION]
• The following privileges can be specified:
• SELECT: Can read all columns (including those added later via ALTER TABLE command).
• INSERT(col-name): Can insert tuples with non-null or non-default values in this column.
• INSERT means same right with respect to all columns.
• Update (col-name): similar to INSERT
• DELETE: Can delete tuples.
• REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.
• Object can be a table or a view
• User can be a user or a role of user
• If a user has a privilege with the GRANT OPTION, can pass privilege on to other
users (with or without passing on the GRANT OPTION).
• Only owner can execute CREATE, ALTER, and DROP.
Revoke Command
• Revoke privileges ON object FROM users [CASCADE]
• When a privilege is revoked from X with CASCADE is specified, , it is
also revoked from all users who got it solely from X.
Example

33
Examples: GRANT and REVOKE of Privileges
• GRANT INSERT, SELECT ON Sailors TO Horatio
• Horatio can query Sailors or insert tuples into it.
• GRANT DELETE ON Sailors TO Yuppy WITH GRANT OPTION
• Yuppy can delete tuples, and also authorize others to do so.
• GRANT UPDATE (rating) ON Sailors TO Dustin
• Dustin can update (only) the rating field of Sailors tuples.
• GRANT SELECT ON ActiveSailors TO Guppy, Yuppy
• This does NOT allow the ‘uppies to query Sailors directly!
• REVOKE SELECT ON Sailors FROM Yuppy CASCADE;
• This will revoke the authorization for querying Sailors from Yuppy and all users who
got this privilege solely from Yuppy
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Discretionary Access Control
• Programming Interfaces

35
Working with SQL through an API
• E.g.: Python psycopg2, JDBC, ODBC (C/C++/VB)
• All based on the SQL/CLI (Call-Level Interface) standard
• The application program sends SQL commands to the DBMS at
runtime
• Responses/results are converted to objects in the application
program

36
Working with SQL through an API
https://pypi.org/project/psycopg2/

• E.g.: Python psycopg2, JDBC, ODBC (C/C++/VB)

• All based on the SQL/CLI (Call-Level Interface) standard
• The application program sends SQL commands to the DBMS at
runtime
• Responses/results are converted to objects in the application
program

37
Example API: Python psycopg2

38
More psycopg2 examples

39
Prepared statements: motivation

• Every time we send an SQL string to the DBMS, it must perform parsing,
semantic analysis, optimization, compilation, and finally execution
• A typical application issues many queries with a small number of patterns
(with different parameter values)
• Can we reduce this overhead?

40
Prepared statements: example

• The DBMS performs parsing, semantic analysis, optimization, and compilation

only once, when it “prepares” the statement
• At execution time, the DBMS only needs to check parameter types and validate
the compiled plan
• Most other API’s have better support for prepared statements than psycopg2
• E.g., they would provide a cur.prepare() method 41
Agenda
• Data Definition Language
• Data Manipulation Language
• Basic Queries (SELECT-FROM-WHERE)
• ORDER BY
• Set Operations
• Null Values
• Aggregation
• Nested Queries
• Data Modification Languages
• Views
• Integrity Constraints
• Indexes
• Discretionary Access Control
• Programming Interfaces
• SQL injection

42
“Exploits of a mom”

• The school probably had something like:

cur.execute("SELECT * FROM Students " + \ "WHERE (name = '" + name +
"')")
where name is a string input by user
• Called an SQL injection attack
43
SQL comments
• https://www.postgresql.org/docs/current/sql-syntax-
lexical.html#SQL-SYNTAX-COMMENTS

44
SQL Injection

45
 Guarding against SQL injection
• Escape certain characters in a user input string, to ensure that it
remains a single string
• E.g., ', which would terminate a string in SQL, must be replaced by '' (two
single quotes in a row) within the input string
• Luckily, most APIs provide ways to “sanitize” input automatically (if
you use them properly)
• E.g., pass parameter values in psycopg2 through %s’s

afe fe
s Sa
Un = 'SELECT * FROM
sql_query sql_query = 'SELECT * FROM %s'
{}'.format(user_input) cur.execute(sql_query) cur.execute(sql_query,
(user_input,))
46