
CHAPTER-5

Assignment-3

2Q. Explain the role of data dictionaries in the DBMS.


Ans. A data dictionary is a collection of metadata, that is, information about data. The
data dictionary is important because it provides details such as what is in the
database, who has access to it, and where the database is physically located. The
data dictionary is generally not accessed by database users; it is managed solely by
database administrators (DBAs). It is a tool that assists DBAs in
resolving all data disputes. There is no standard format for storing data in a data
dictionary; however, some characteristics are shared by all of them.
In general, the data dictionary comprises information about the following:
• The names of all database tables, as well as their schemas.
• Details about all of the tables in the database, including who owns them,
what security constraints they have, when they were created, and so on.
• Physical details regarding the tables, such as where and how they are stored.
• Constraints on tables include primary key properties, foreign key
information, and so on.
Types of Data Dictionary:
1. Integrated Data Dictionary.
2. Standalone Data Dictionary.
Integrated Data Dictionary:
A database management system (DBMS) contains an integrated data
dictionary.
For example, every relational database management system (RDBMS) has an
inherent data dictionary or system catalog, which is frequently consulted and
updated by the RDBMS itself. Aside from relational DBMSs, the majority of DBMSs,
especially older ones, do not feature an integral data dictionary. As a result, DBAs
may use stand-alone data dictionary systems as an alternative.
The data dictionary is further divided into two categories:
Active:
The DBMS automatically updates an active data dictionary whenever a database access
happens, keeping the access information up to date.
Stand-alone Data Dictionary:
Stand-alone data dictionary systems are more versatile than integrated data
dictionary systems in a DBMS, allowing the DBA to define and manage all of the
administration's data, regardless of whether it is computerized or not. A stand-alone
dictionary gives database designers and end users an improved capacity to communicate
with one another, regardless of the data dictionary's format.
The data dictionary is a tool designed to help DBAs communicate when
addressing data conflicts. The information in a data dictionary is not maintained
in any standard format either; still, some attributes are recognized by everyone.
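As an added illustration (not part of the assignment text), the following Python script reads SQLite's built-in catalog to show what an integrated, active data dictionary holds: table names and schemas, column constraints, and foreign keys. The `department` and `employee` schema is constructed for the example; `sqlite_master` and the `PRAGMA table_info` / `PRAGMA foreign_key_list` calls are real SQLite interfaces.

```python
import sqlite3

# Constructed sample schema (not from the assignment): two tables with a
# primary key, a foreign key and NOT NULL constraints, so the catalog has
# something to describe.
SAMPLE_SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)
);
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def list_tables(conn):
    """Names and CREATE statements of all user tables, read from the catalog.
    sqlite_master is SQLite's integrated data dictionary: the engine keeps it
    current itself whenever DDL runs, which makes it an active dictionary."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    return {name: sql for name, sql in rows}


def describe_table(conn, table):
    """Column-level metadata for one table: name, declared type, NOT NULL,
    and whether the column is part of the primary key. The table name comes
    from this script, never from user input, so it is safe to interpolate."""
    # PRAGMA table_info returns (cid, name, type, notnull, dflt_value, pk)
    cols = conn.execute(f"PRAGMA table_info({table})").fetchall()
    return [
        {"name": c[1], "type": c[2], "not_null": bool(c[3]), "pk": bool(c[5])}
        for c in cols
    ]


def foreign_keys(conn, table):
    """Foreign-key constraints recorded in the catalog for a table."""
    # PRAGMA foreign_key_list returns
    # (id, seq, table, from, to, on_update, on_delete, match)
    fks = conn.execute(f"PRAGMA foreign_key_list({table})").fetchall()
    return [{"from": fk[3], "to_table": fk[2], "to": fk[4]} for fk in fks]


def catalog_updates_itself(conn):
    """Demonstrate the 'active' property: right after DDL runs, the catalog
    already lists the new table without any extra registration step."""
    before = set(list_tables(conn))
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, msg TEXT)")
    after = set(list_tables(conn))
    return sorted(after - before)


if __name__ == "__main__":
    db = build_sample_db()
    for name, ddl in list_tables(db).items():
        print(name, "->", " ".join(ddl.split()))
    print(describe_table(db, "employee"))
    print(foreign_keys(db, "employee"))
    print(catalog_updates_itself(db))
```

The `audit_log` entry appears in the catalog without the script registering it anywhere; the engine maintains the dictionary itself. That is also its limit: unlike a stand-alone dictionary, it can only describe data held in this database.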
10Q. Define and explain the concept of the user interface. How does the user
interface connect to the DBMS?
Ans. A user interface (UI) is a link between human and computer interaction — it
is the area where a person interacts with a computer or machine to execute tasks. A
UI aims to allow a user to successfully control a computer or machine with which
they are engaging, as well as to receive feedback to indicate effective task
accomplishment. A successful user interface should be straightforward (it should
not require training to use), efficient (it should not cause extra or unnecessary
friction), and user-friendly (be enjoyable to use). A UI Designer will frequently
utilize visualization software to create a UI before it is coded. Every project we
work on involves UI Design, which is a significant part of what we do at Every
Interaction.
A database management system (DBMS) interface is a user interface that allows
you to enter queries into a database without having to use the query language itself.
There are different types of interfaces in a DBMS; they are:
1. Menu-based interface: These interfaces provide the user with a set of options
known as menus. Pull-down menus are a crucial approach.
2. Forms-based interface: Each user is presented with a form through this
interface. To input new data, the user can fill out all of the entries.
3. Graphical interface: It shows the user a schema in diagrammatic form. The
majority of graphical user interfaces (GUIs) make use of a pointing device,
such as a mouse.
4. Natural interface: These interfaces accept requests written in English or a
language other than English.
5. Input and Output interface: Bank tellers, for example, frequently conduct a
restricted set of tasks that must be repeated. A modest set of abbreviated
commands is given to reduce the number of keystrokes required for each
request.
6. Interface for the DBA: Most database systems have privileged commands that
can only be used by DBA staff.
5Q. Define the difference between the attribute and the field. How are they
used in the database management system?
Ans: Attributes are the properties that define an entity type.
Employee Detail (Entity):
First name
Last name
Department
Title

First name | Last name | Department | Title
-----------|-----------|------------|----------
John       | Heather   | Computer   | Manager
Henry      | Mark      | HR         | Recruiter

First name, Last name, Department & Title are called attributes of the Employee
entity.
Field: A field refers to a combination of one or more characters.
• It is also termed a column.
• It is the smallest unit of data accessed by the user.
• The name of each field is unique.

These attributes would become fields if linked to relations in the tables of a database
management system.
9Q. Define and Explain SQL. How does it differ from other programming
languages and what are the components?
Ans: SQL, in simple words, is defined as Structured Query Language: a
programming language that can be used to maintain an organization's information in
tables of rows & columns.
SQL concepts include SELECT, INSERT, UPDATE, DELETE, TRUNCATE,
JOINS, STORED PROCEDURES, MIN, MAX, COUNT & more.
Every company/organization needs to have its data aligned properly to view
its employee details. To do this, the company needs a database management system
& the usage of SQL queries.
Unlike other programming languages like Java, Python, C++, .Net & other
languages, SQL is a completely different kind of language. We can integrate SQL queries
into any of those programming environments as needed, demonstrating the SQL
language's versatility. In another language we declare data types with variable
names & make use of them in further development as per requirement.
For example:
int i = 100;
String s = "Java";
In a similar fashion to SQL language, we use data types to define the attribute of
any entity.
SQL queries mainly operate on/depend on rows & columns.
StudentInfo Entity:

Student_FirstName | Student_LastName | Student_Age
------------------|------------------|------------
Albert            | Nan              | 25

Student_FirstName is defined as varchar.
Student_LastName is defined as varchar.
Student_Age is defined as numeric.
SQL Components are:
1) Data Definition Language (DDL): Create, Drop, Alter & Truncate are
commands of DDL.
2) Data Manipulation Language (DML): Insert, Update & Delete are
commands of DML
3) Data Control Language (DCL): Grant & Revoke are commands of DCL.
4) Transaction Control Language (TCL): Commit & Rollback are commands of
TCL.
5) Data Query Language (DQL): Select is the command of DQL.
By using SQL queries, one can perform the following operations:
1) Insert new member details into a table of a database.
2) Update the record of an existing member.
3) Delete the record/set of records in the table.
4) Can get details of a member or documents associated with a member/set of
members by using Select statement.
5) Can join the two tables with a concept named Joins.
6) Grant & revoke permissions from the user.
7) Save all transactions to the database.
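To make the component languages concrete, here is an added Python example (not from the assignment) that exercises DDL, DML, DQL and TCL against an in-memory SQLite database using the StudentInfo entity from the answer. The table and column names are my assumptions; SQLite has no GRANT/REVOKE, so DCL is the one component not shown. Every statement that takes user-supplied values binds them as `?` parameters, so the values are handled as data rather than as part of the SQL text.

```python
import sqlite3


def open_db():
    """In-memory SQLite database. isolation_level=None disables implicit
    transactions, so the BEGIN/COMMIT/ROLLBACK below are explicit (TCL)."""
    return sqlite3.connect(":memory:", isolation_level=None)


def setup_schema(conn):
    """DDL: DROP for a clean start, then CREATE (names are constructed)."""
    conn.execute("DROP TABLE IF EXISTS student_info")
    conn.execute(
        "CREATE TABLE student_info ("
        " student_id INTEGER PRIMARY KEY,"
        " first_name TEXT NOT NULL,"
        " last_name  TEXT NOT NULL,"
        " age        INTEGER NOT NULL CHECK (age > 0))"
    )


def add_student(conn, first, last, age):
    """DML INSERT. Values are bound as parameters, so a name such as
    "O'Neil" is stored as data and is never parsed as SQL."""
    cur = conn.execute(
        "INSERT INTO student_info (first_name, last_name, age) VALUES (?, ?, ?)",
        (first, last, age),
    )
    return cur.lastrowid


def set_age(conn, student_id, age):
    """DML UPDATE; returns the number of rows changed."""
    return conn.execute(
        "UPDATE student_info SET age = ? WHERE student_id = ?", (age, student_id)
    ).rowcount


def remove_student(conn, student_id):
    """DML DELETE; returns the number of rows removed."""
    return conn.execute(
        "DELETE FROM student_info WHERE student_id = ?", (student_id,)
    ).rowcount


def find_by_last_name(conn, last):
    """DQL SELECT, again parameterized."""
    return conn.execute(
        "SELECT first_name, last_name, age FROM student_info "
        "WHERE last_name = ? ORDER BY first_name",
        (last,),
    ).fetchall()


def count_students(conn):
    return conn.execute("SELECT COUNT(*) FROM student_info").fetchone()[0]


def bulk_enroll(conn, rows):
    """TCL: all rows go in one transaction. If any row violates the CHECK
    constraint, ROLLBACK undoes the whole batch, so the table is never left
    half-updated. Returns True after COMMIT, False after ROLLBACK."""
    conn.execute("BEGIN")
    try:
        for first, last, age in rows:
            add_student(conn, first, last, age)
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    db = open_db()
    setup_schema(db)
    sid = add_student(db, "Albert", "Nan", 25)
    print(find_by_last_name(db, "Nan"))
    print(set_age(db, sid, 26), find_by_last_name(db, "Nan"))
    # Constructed batch with one invalid age: the whole batch is rolled back.
    print(bulk_enroll(db, [("Ada", "Lee", 22), ("Bob", "Ray", -1)]))
    print(count_students(db))
    print(remove_student(db, sid), count_students(db))
```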

4Q. Define the difference between database and database management
systems.
Ans: Database: It is a collection of data (it can be Excel sheet data, paper-based data,
or data in electronic format).
Database Management System: a platform or software which helps in
organizing/controlling/editing the data stored in a database. It also implements the
schema concept of data storage/manipulation.
A DBMS makes sure of the completeness of data transactions & implements the ACID
properties, which are Atomicity, Consistency, Isolation, and Durability.
The following points summarize the difference between the Database & DBMS:
The data in a database could be modified in small portions, whereas a DBMS
supports data modification in huge portions & multiple people can change data at
the same time.
In terms of access, the DBMS evolved to provide access to a large number of people,
with multiple users able to access it at the same time.
If the database is created in an Excel sheet & connected to SQL, then the
information retrieved would be slow. From the DBMS view, as data is stored in the
computer system, the results of a search query come back very fast.
The database maintained could be an Excel sheet/paper-based; DBMS records
are maintained only on computers.

Chapter- 6
4Q. Why is it Important to Monitor and Control System Output?
Ans: Consider a system that accepts user input via a web interface, performs
business logic with data in a back-end database, and then displays the output to the
user via the web interface.
• Security:
A user may inadvertently or intentionally enter an input that escapes
validation or was not tested for, triggering business rule logic such as "SELECT
* FROM TABLE CUSTOMER." This is not a semantic error, and SQL will
proceed as expected, passing the whole data set of the customer table (id,
password, credit card number, and so on) to the application programming
interface. If no checks are performed on the created output, the APIs will simply
send the data to the front-end web interface, and the hacker will have access
to a gold mine. As a result, any output must be monitored and regulated.
• Preventing data scrape bots and denial-of-service attacks:
Bots automate input and process output quickly, and when done
correctly, can either completely replicate all of the data in your database or
knock your server down with too many resource requests bombarded too
quickly. To preserve resources and private data, checks and restrictions can be
put in place to only send "X" amount of data to a specific IP address in 24
hours.
• Formatting:
It would be helpful to monitor the formatting and display the result data in a clean
format before dumping it on the end user.
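The following Python example is added here to show the output-side checks the answer calls for; it is not code from the assignment. The customer rows, column names, client addresses and the quota of five rows per address per 24 hours are all constructed for the example. Rows pass through a column allow-list before they can leave the API, the columns that a faulty query would have leaked are reported for monitoring, and each client address is limited to a fixed number of rows per 24-hour window.

```python
from datetime import datetime, timedelta

# Constructed rows such as a back-end query might return for the CUSTOMER
# table. The column names are assumptions, not from the assignment.
SAMPLE_ROWS = [
    {"id": 1, "name": "Ann", "email": "ann@example.com",
     "password": "s3cret", "credit_card": "4111111111111111"},
    {"id": 2, "name": "Ben", "email": "ben@example.com",
     "password": "hunter2", "credit_card": "5500000000000004"},
]

# Output contract: only these columns may ever leave the API, whatever the
# query behind them selected. Anything else is dropped before serialization.
ALLOWED_COLUMNS = frozenset({"id", "name", "email"})

# Per-client quota (constructed): at most this many rows per address per window.
ROW_QUOTA = 5
QUOTA_WINDOW = timedelta(hours=24)


def filter_columns(rows, allowed=ALLOWED_COLUMNS):
    """Drop every column not on the allow-list. This is the output-side check
    the answer describes: even if a faulty query returned the whole table,
    passwords and card numbers never reach the front end."""
    return [{k: v for k, v in row.items() if k in allowed} for row in rows]


def leaked_columns(rows, allowed=ALLOWED_COLUMNS):
    """Monitoring: report which non-allowed columns a result set tried to
    emit, so the event can be logged and the query behind it fixed."""
    found = set()
    for row in rows:
        found.update(k for k in row if k not in allowed)
    return sorted(found)


class OutputGate:
    """Controls how many rows each client address may receive in a window."""

    def __init__(self, quota=ROW_QUOTA, window=QUOTA_WINDOW):
        self.quota = quota
        self.window = window
        self._sent = {}  # client -> list of (timestamp, row_count)

    def _used(self, client, now):
        """Rows already sent to this client inside the current window."""
        cutoff = now - self.window
        recent = [(t, n) for t, n in self._sent.get(client, []) if t > cutoff]
        self._sent[client] = recent
        return sum(n for _, n in recent)

    def release(self, client, rows, now=None):
        """Return the rows the client may receive right now, after column
        filtering and quota enforcement. Rows beyond the quota are withheld,
        which blunts a bot paging through the whole table."""
        now = now or datetime.now()
        safe = filter_columns(rows)
        remaining = max(0, self.quota - self._used(client, now))
        granted = safe[:remaining]
        if granted:
            self._sent.setdefault(client, []).append((now, len(granted)))
        return granted


if __name__ == "__main__":
    gate = OutputGate()
    print("would have leaked:", leaked_columns(SAMPLE_ROWS))
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    print(gate.release("203.0.113.7", SAMPLE_ROWS, now=t0))
    print(gate.release("203.0.113.7", SAMPLE_ROWS * 3, now=t0))  # quota reached
    print(gate.release("203.0.113.7", SAMPLE_ROWS, now=t0 + timedelta(hours=25)))
```

The allow-list is deliberately a list of what may leave rather than a list of what to strip: a new sensitive column added to the table later is blocked by default instead of leaking until someone remembers to add it to a deny-list.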
9Q. What are the benefits and limitations of using data canaries to prevent
buffer or stack overflow?
Ans: The term "data canary" comes from the canaries used in coal mines. If the air
was potentially poisonous to the miners, contained hazardous substances, or held
inadequate oxygen, the canary would perish first. By observing the canary, the miners
were able to flee before succumbing. In a computing
environment, the data canary value will "die" before the program overruns.
Observing whether the canary is still alive indicates whether the system has
been compromised. There are three types of canaries in use: terminator, random,
and random XOR. StackGuard currently supports all three, while ProPolice
supports terminator and random canaries.
Stack buffer overflow problems arise when an application writes more records to a
stack buffer than is allocated for that buffer. By verifying the canary value, the
execution of the affected program can be terminated, preventing it from
misbehaving or from allowing an attacker to take control of it.
• A/B testing: We can do A/B testing with the canary. In other words, we present
two alternatives to users and see which one receives the best response.
• Capacity testing: Testing the capacity of a big production environment is impossible.
Capacity tests are built into canary deployments. Any performance issues in our
system will become apparent as we gradually migrate users to the canary. We
receive vital feedback from real users.
• No cold starts: New systems may take some time to boot up. Canary deployments
gradually gain momentum to avoid cold-start sluggishness.
• Easy rollback: If something goes wrong, we can easily revert to the previous
version.
Using automated protection at the language level is the most reliable technique to
avoid or prevent buffer overruns. Another solution is run-time bounds-checking,
which eliminates buffer overruns by automatically checking that data supplied to a
buffer is within permitted boundaries.
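To show how the canary check and run-time bounds checking described above actually detect an overrun, the following Python model is added here; it is not from the assignment and is not StackGuard or ProPolice code. It lays out a fixed-size buffer, a canary word and a stand-in for the saved return address as adjacent bytes, builds the three canary types named in the answer, and contrasts an unchecked copy with a bounds-checked one. The buffer size, canary size, placeholder return address and sample inputs are assumptions made for the model.

```python
import os

# Constructed model of a stack frame: a fixed-size local buffer, then the
# canary word, then a stand-in for the saved return address, all adjacent.
# Real canaries live on the CPU stack; this model reproduces only the check,
# not the machine layout. Sizes are assumptions for the model.
BUF_SIZE = 16
CANARY_SIZE = 4


def canary_secret(kind):
    """The three canary types named in the answer."""
    if kind == "terminator":
        # Holds the bytes string-copy routines stop at (NUL, CR, LF), so a
        # string-based overrun cannot reproduce the word intact.
        return b"\x00\x0d\x0a\xff"
    if kind in ("random", "random_xor"):
        # Unpredictable per process, so it cannot be known in advance.
        return os.urandom(CANARY_SIZE)
    raise ValueError(f"unknown canary kind: {kind}")


class Frame:
    def __init__(self, kind):
        self.kind = kind
        self.secret = canary_secret(kind)
        self.buf = bytearray(BUF_SIZE)
        # Constructed placeholder for the saved return address.
        self.saved = bytearray(b"\x10\x20\x30\x40")
        self.canary = bytearray(self._expected())

    def _expected(self):
        """What the canary word must equal for the frame to count as intact.
        Random XOR mixes the secret with the saved word, so changing either
        one breaks the check."""
        if self.kind == "random_xor":
            return bytes(a ^ b for a, b in zip(self.secret, self.saved))
        return self.secret

    def unchecked_copy(self, data):
        """Models a copy with no length check (the bug): bytes past the
        buffer spill over the canary and then over the saved word."""
        mem = self.buf + self.canary + self.saved  # contiguous, as in C
        mem[: len(data)] = data
        n = BUF_SIZE
        self.buf[:] = mem[:n]
        self.canary[:] = mem[n : n + CANARY_SIZE]
        self.saved[:] = mem[n + CANARY_SIZE : n + 2 * CANARY_SIZE]

    def checked_copy(self, data):
        """Run-time bounds checking, the other defence the answer names:
        refuse the write instead of letting it overrun."""
        if len(data) > BUF_SIZE:
            raise ValueError("write exceeds buffer size")
        self.buf[: len(data)] = data

    def canary_intact(self):
        """The check a protected function performs before returning."""
        return bytes(self.canary) == self._expected()


def run(kind, payload, checked):
    """Return (copy_accepted, canary_intact) for one simulated call."""
    frame = Frame(kind)
    copy = frame.checked_copy if checked else frame.unchecked_copy
    try:
        copy(payload)
    except ValueError:
        return False, frame.canary_intact()
    return True, frame.canary_intact()


if __name__ == "__main__":
    ok = b"hello"
    too_long = b"A" * (BUF_SIZE + 6)  # constructed oversized input
    for kind in ("terminator", "random", "random_xor"):
        print(kind, run(kind, ok, checked=False), run(kind, too_long, checked=False))
    print("bounds-checked:", run("random", too_long, checked=True))
```

The two defences fail differently: the canary lets the bad write happen and catches it afterwards (the copy is accepted but the canary is dead), while bounds checking rejects the write up front and the canary never changes. The canary also only covers overruns that pass through it; a write that lands beyond the saved word, or an over-read, is not detected by this check.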
7Q. Summarize the security issues involved in code deployment for
interpreted languages. What steps should be taken to protect the raw code?
Ans: Securing the web application is a tough & most important task for a company.

A few interpreted languages are JavaScript & Perl; security issues arise during
code deployment because there are no compile errors to catch problems. In other object-oriented & traditional
languages the compiler plays a vital role as a detector of vulnerable code, so it can catch
errors and vulnerabilities. Interpreted languages create mismatch errors in code
deployment that might give attackers a chance. These are scripting-based
languages that could be a security concern.
Interpreted languages run slower and bring more vulnerability to attack. Another
reason for security issues involved in code deployment for interpreted languages is
buffer overflow (guarding against which helps in reducing the number of vulnerabilities). The White
Hat issue & Red Hat issues occur in the code deployment view due to the usage of
JavaScript.

The way to secure the raw code is to make use of available tools. Code scanning
tools (e.g. SonarQube) help programmers detect the vulnerabilities that arise
from unfamiliar & easy-to-miss slips in language code. Another way is to keep the code
snippets/packages updated to help secure the application. Make sure the code review is
done by a superior.

10Q. What are the considerations of security you should include in planning
which programming language to use in software development?
Ans: The security concerns of a firm include the confidentiality and integrity of its
information.

Security should be taken into account from the beginning of development, and this
includes the selection of appropriate tools, database design, security protocols, and
network protocols. If required, provide security training & tasks to emphasize the
importance of security to a given application.

• The code has to be reviewed by the Lead/Manager before the code is pushed to
the repository.
• Developed code needs to be scanned by client-approved/allowed tools in the
company.
• Code must be examined by the deployment team to avoid vulnerabilities &
security breaches.
• If the language code is mixed with a database connection string, then make sure the
database queries are syntactically well-formed.
• The repository code must be encrypted with a set of layers & ensure two-
level accessibility.
• Code standards & conventions are important to ensure security from the start of
development. Practice using the inbuilt security features in frameworks &
tools by default. This helps programmers address known classes of
issues, rather than individual bugs.
• Make sure the frameworks/libraries/components are loosely coupled so that
they can be effectively upgraded if required.
• Data binding prevents data from being interpreted as control logic by
binding it to specific data types.

1Q. Explain buffer overflow in your own words. List and briefly explain
three strategies to defend against this in your programming.
Ans: Buffers are memory storage regions that hold data temporarily while it is
transferred from one location to another. A buffer overflow (or buffer overrun)
occurs when the volume of data exceeds the memory buffer's storage capacity.
As a result, the software attempting to write data to the buffer overwrites the
memory addresses next to it. Buffer overflows can occur in any type of
software. They are typically caused by malformed inputs or a failure to allocate
enough buffer space. If the transaction overwrites executable code, the program
may behave erratically, producing inaccurate results, memory access issues, or
crashing.
Furthermore, newer operating systems have runtime protection. Three common
safeguards are:
Address space layout randomization (ASLR): moves the address-space
locations of data regions at random. Buffer overflow attacks often require knowledge of the
location of executable code, which is made nearly impossible by randomizing
address spaces.
Data execution prevention (DEP): marks specific sections of memory as executable
or non-executable, preventing an attack from running code in a non-executable
zone.
Structured exception handler overwrite protection (SEHOP): aids in the
prevention of malicious code from attacking Structured Exception Handling
(SEH), a built-in method for controlling hardware and software exceptions. An
SEH overwrite is accomplished at the functional level by employing a stack-
based buffer overflow to overwrite an exception registration record kept on a
thread's stack.
