Security Expert Dan Kaminsky Seeks Source Code Input

“This is a little rough, but I want to get the code out there.”

That's how security expert Dan Kaminsky starts out his Install.txt file that accompanies his brand-new security tool, Interpolique, released in a hurry on Monday to fight recent SQL injection attacks such as those that compromised the Web sites of The Wall Street Journal and others.

Interpolique, available for download for examination by experts, was described Monday by DarkReading.com as “a tool for application developers that helps prevent pervasive string injection-type attacks, such as SQL injection and cross-site scripting (XSS).”

DarkReading said the tool is designed to relieve developers from much of the burden of providing security measures in their code. Kaminsky told the site: “Security development tends not to care how inconvenient it is for developers. [This is] about meeting developers halfway."
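To make concrete what "string injection" means here, the following is an added example; it is not code from Interpolique, from Kaminsky or from Recursion Ventures, and it does not reproduce Interpolique's own approach. It uses Python's built-in sqlite3 and html modules instead of the MySQL UDF the install file refers to, and the users table, its rows and the attacker inputs are all constructed for the demo. It shows the same bug class on the SQL side and on the HTML side, each beside the conventional fix (bound parameters, output escaping).

```python
"""Added example, not Interpolique's code: the string-injection bug class the
tool targets, shown with Python's stdlib sqlite3 and html modules so it runs
offline. Table, rows and attacker inputs below are constructed for this demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """The bug: the untrusted value is spliced into the SQL text, so SQL
    metacharacters in it change the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text,
    so it can only ever be compared against the column."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Same bug class on the HTML side: untrusted text becomes markup."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Escape at the point of interpolation so the data stays data."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs.
SQL_ATTACK = "x' OR '1'='1"
XSS_ATTACK = "<script>alert(1)</script>"

if __name__ == "__main__":
    con = make_db()
    print(find_user_vulnerable(con, "alice"))       # one row, as intended
    print(find_user_vulnerable(con, SQL_ATTACK))    # every row: injected tautology
    print(find_user_safe(con, SQL_ATTACK))          # []: no user literally named that
    print(greeting_vulnerable(XSS_ATTACK))          # script tag reaches the browser
    print(greeting_safe(XSS_ATTACK))                # &lt;script&gt;... rendered as text
```

The point of the pairing is that the safe versions never change the grammar of the SQL or the HTML: the untrusted string is handed to the database as a parameter, or escaped into the HTML text grammar, rather than pasted into the source text where quotes and angle brackets have structural meaning.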

But don't try using it just yet -- DarkReading reported the tool was released for experts to investigate and provide feedback, not for operational use. Kaminsky is expected to share the feedback at next month's BlackHat USA security conference in Las Vegas.

And you'd better know what you're doing if you want to fool around with Interpolique, produced by the Kaminsky-headed Recursion Ventures. The skimpy install file, which comes with a bunch of C, SQL, PHP and JavaScript files, includes directions like:

Compile the MySQL Base64 UDF with:

gcc -Wall -I/usr/include/mysql -shared lib_mysqludf_str.c -olib_mysqludf_str.so

But if you are an expert, feel free to join the fight and help. Kaminsky himself issued the invitation in the Install file: “Let's figure out what's up,” he said.

If you check out the code, let us know what you think. Comment here or send me an e-mail.

Posted by David Ramel on 06/17/2010 at 11:42 AM | 1 comment


Microsoft Shows Off BI "Engine Of The Devil"

Microsoft hinted at some amazing new capabilities coming to its BI products in yesterday’s Business Intelligence Conference keynote, including an "engine of the devil" that allows instant analysis of more than 2 billion rows of data.

Microsoft BI engineer Amir Netz joined senior exec Ted Kummert to demo new technology the company is working on to go beyond current capabilities of its recently released PowerPivot "BI for the masses" application. I previously wrote about a demo I attended that showed how easily PowerPivot could handle 44 million rows of data.

Netz had upped the ante Monday at Microsoft’s TechEd conference in New Orleans with a 100-million-row example. Yesterday, using a server with more memory than the desktops used before, he seamlessly tackled the 2-billion-row demo with the same storage technology used in PowerPivot. "You know, we talked about wicked fast yesterday," he said. "This is beyond wicked fast; this is the engine of the devil, right?"

The crowd loved it, but Kummert wasn’t so sure about the characterization. Microsoft senior leadership probably isn’t too keen on branding its products with references to Satan. "You said that, I didn’t," Kummert said, before joking about Netz’s upcoming performance review.

Netz said the company had received great feedback on PowerPivot, but some BI pros wanted more capabilities and functionality. His demo connected the PowerPivot technology that can be used in Excel to SQL Server Analysis Services for some incredible performance metrics.

He explained the demo: "We have 10 widgets on the screen, six slicers and four charts. And each one of those sends two queries to the data source in order to render itself. So we have about 20 queries being sent. Every one of those queries is a full table-scan of the 2 billion rows. So all together whenever I click, we are scanning 40 billion rows, and it takes about two and a half seconds to do that. So if you just do the math in your head, we are seeing here a scan rate of a trillion rows per minute. That's kind of what we're talking about."

Then he jokingly countered Kummert by saying "Performance review!"

Netz also showed some striking PowerPivot data visualization capabilities that reportedly will be available within the next 30 days.

In another tidbit, Kummert said the company was working on bringing the full capabilities of SQL Server to SQL Azure, its cloud-based "set of relational features oriented toward application development scenarios." That mismatch of features has been a point of contention in the SQL Server community.

"We're hard at work on that now," Kummert said. "I'm not announcing the specific release timeframe for that, but this is something you're going to hear from us shortly in the future."

Check out the video of the keynote and weigh in with your thoughts in the comment section below or send me an e-mail.

Posted by David Ramel on 06/09/2010 at 3:31 PM | 1 comment


Getting Your Tech Questions Answered

While perusing my daily Google Alerts I found this heading:

"Do newer versions of SQL Server support read consistency equivalent to Oracle?"

I was surprised to see this question was asked--and answered quite ably--in LinkedIn.com Answers. I don't use LinkedIn as much as I should (not enough hours in the day), so I was unaware of this service. Of course, there are many like it (including Yahoo! and "expert" services, where answers cost you money), but I was struck by the quality of the answers on LinkedIn.

A database expert named Victor (DBA and developer) provided the "best" answer to that question: "Yes." But the original poster had included a second part to his question:

"I have no experience with SQL Server and have only read in various forums that 'writers block readers and readers block writers.' Is that true? Or is it true just for older versions and not 2008?"

To this, Victor supplied a detailed, well-written explanation full of links for further information. I'm pretty sure you couldn't find a better answer on those pay-as-you-go "expert" services. LinkedIn also provided four or five other answers, some from DBAs, providing information and links to follow for further details (and of course, the mandatory MySQL shill).

I decided to try out LinkedIn Answers and asked a question to get info for an article I'm researching (topic categories, such as "software development," help target your query). I almost immediately got some great stuff.

So I'm sold. I know there are myriad support sites, forums, groups and such all over the Web, but if you haven't tried it, you should think about LinkedIn Answers the next time you need a tech question answered. I don't know where these guys find the time, but there are plenty of experts out there willing to help you out.

What's your experience with LinkedIn Answers? What other sources do you use to get answers to your dev questions? We'd love to share. Comment here or send me an e-mail.

Posted by David Ramel on 06/02/2010 at 12:45 PM | 0 comments


Here Comes The No-NoSQL Movement

There's a new kid on the block: VoltDB, a "next-generation" DBMS released yesterday that's the brainchild of database pioneer and brilliant iconoclast Mike Stonebraker.

Or maybe it should be characterized as a new sheriff in town, because this newcomer to the database market has some serious backing, stemming from a joint project by MIT, Brown University, Yale University and HP Labs.

VoltDB is an open-source, in-memory OLTP database system designed to handle serious transaction numbers in gaming, SaaS, financial, online and other high-performance systems.

And guess what? While VoltDB breaks with traditional disk-bound relational DBMS designs, it is also spurning the NoSQL movement. It even accommodates SQL. Parent company VoltDB LLC said that "unlike NoSQL key-value stores, VoltDB can be accessed using SQL and ensures transactional data integrity (ACID)."

The company's news release quoted gaming company CEO Henning Diedrich as saying "VoltDB is faster than MySQL with Memcached, and always returns valid data. It's more useful than key-value stores and even allows for cleaner SQL schemas than MySQL or Oracle."

It further stated "VoltDB has also been benchmarked against a NoSQL key-value store, and VoltDB executed a variety of key-value store workloads with equal or better performance."

In case there's any doubt about the intent of those potshots, The Register's VoltDB article is titled "Database daddy goes non-relational on NoSQL fanbois."

Ouch.

I can't wait to see how the "fanbois" react to this.

Take a look at this supposed game-changer and get back to me with your opinion. Is it revolutionary? Is it a flash-in-the-pan? Who's it going to hurt the most? Comment here or send me an e-mail.

Posted by David Ramel on 05/26/2010 at 4:13 PM | 1 comment


New Help For SQL Server Setup

A reader has prompted Microsoft to launch a vast new resource for easing the SQL Server set-up process.

Okay, just maybe it's a coincidence. Anyway, reader Brian M.'s complaint about the difficulties of installing SQL Server seems to have hit the nail on the head. Last week he commented on my post concerning a "SQL Meme" circulating the 'Net, gathering gripes about SQL Server.

Brian's contribution started out with this: "Obviously an installer written by a bunch of CompSci PhD's. Ridiculous."

Just as obvious: Ballmer & Co. hang on every word printed here (Hi Steve--call me!).

Yesterday, just six days later, Microsoft announced "The SQL Server Setup Portal," described as "a one-stop-shop for everything you need to know about planning and setting up SQL Server." They may as well have put "Hey, Brian..." in the portal title.

Buck Woody, a Microsoft database specialist, admitted in his Carpe Datum blog announcing the portal that the set-up process can be difficult. Pointing out the myriad hardware/software driver combinations supported by Microsoft, he said, "Making all of that work together is a small miracle, so things are bound to arise that you need to deal with."

You don't need to tell Brian M. He said he's been trying for a week to set up R2, with at least a dozen attempts, with no success. He even hinted at shooting himself in the foot, while waiting for the "R2 Pre-install Cleanup/Fixit Package."

Well Brian, hold your fire. Here's help: "whitepapers, videos, and multiple places to search on everything from topic names to error codes."

And no thanks needed; that's what we're here for. Just please let us know how it turns out.

What SQL Server installation nightmares have you encountered? Does the new portal help? Comment here or send me an e-mail.

Posted by David Ramel on 05/18/2010 at 2:50 PM | 2 comments


So, What Do You Hate About SQL Server?

Paul S. Randal stirred up the SQL Server community this week with a blog post titled "What 5 things should SQL Server get rid of?"

He tagged five friends and started a chain reaction--or SQL Meme--of bellicose bombast across the blogosphere.

Randal's No. 1 complaint? "Auto-shrink." The CEO of SQLskills.com said, "I tried to have it removed during SQL 2005 and SQL 2008 development, but to no avail. It needed to stay for backwards compatibility."

While he makes good arguments for his choices, others seem somewhat surprising. For example, Adam Haines wants to delete PRINT and SELECT * from SQL Server.

Some are pretty broad in their scope, such as Aaron Bertrand's desire to drop "syntax inconsistencies" and "the current setup program."

Some nuance the nitty-gritty. Denis Gobo volunteered "Unique constraints with one NULL value" and "Restrictions on Indexed Views" while providing explanations, screenshots and recommended substitutions.

Some targeted specific tools. Jamie Thomson, the SSIS Junkie, tackled SQL Server Integration Services. His suggestions included the Web Service and ActiveX Script tasks. Todd McDermid followed this foray into SSIS with the "Properties Window" and "Data Profiling Task."

Brent Ozar has some rambling, inchoate ("Any feature described using the phrase ‘down payment' ") gripes about SQL Server Management Studio, including database diagrams and "Every SSMS UI designer."

Of course, readers were all over the subject, contributing their own colorful comments. One said the Web Service Task "should die. Horribly. Painfully."

By the time this is posted, I'm sure there will be dozens more. So let's board the bandwagon. Let it all out. Give Redmond an earful. (After all, so many people on TV say Windows 7 was their idea; why can't you claim that the next SQL Server edition was yours?)

Weigh in here or drop me an e-mail (just don't start any memes about bloggers who should be banished from the Web!).

Posted by David Ramel on 05/12/2010 at 2:58 PM | 4 comments


Rapid SQL Tool Catches Up With Windows 7

Way back in November, Rapid SQL XE, Embarcadero's integrated development environment for SQL coders, now includes support for Windows 7, the company announced recently.

Microsoft developers will also be glad to hear that the new IDE has enhanced object management capabilities for SQL Server, along with Oracle and DB2.

Also, it "includes support for all database platforms with a single product, interface and license," the company news release states. (Really, all database platforms? That’s a pretty strong statement. OK, the PR people just got carried away there -- other company sources indicate it works with the "major" databases: DB2, Firebird, InterBase, SQL Server, MySQL, Oracle and Sybase.)

Other enhancements include Unicode support, SQL syntax alerts, new object filtering capabilities and more. The tool, which costs $1,495, is available for a 14-day trial.

Posted by David Ramel on 05/07/2010 at 11:35 AM | 0 comments


Microsoft Nods To PHP Community (Yet Again) With SQL Server Driver

Microsoft continued to cater to the PHP community last week, announcing a Community Technology Preview of SQL Server Driver for PHP 2.0.

For the first time, PHP developers can use PHP Data Objects (PDO) with the SQL Server driver.

"For PHP developers, this will reduce the complexity of targeting multiple databases and will make it easier to take advantage of SQL Server features (like business intelligence & reporting) as well as SQL Azure features (like exposing OData feeds)," said Microsoft's Ashay Chaudhary, program manager for the driver project.

The move was especially welcomed by developers working with Drupal, the popular open-source content management system that's written in PHP and powers Web sites around the world, including whitehouse.gov.

"This driver allows you to install and run Drupal 7 using an SQL Server database, and it makes it possible to deploy Drupal on a full Microsoft stack (Windows Server, IIS, and SQL Server)," said a spokesman for Commerce Guys, an e-commerce company that works extensively with Drupal and worked on the driver project with Microsoft. In conjunction with Microsoft's announcement, the company presented a beta version of Drupal 7 running on SQL Server at the DrupalCon conference in San Francisco.

Chaudhary said the driver's support for PDO was developed as "a direct result of the feedback we received from the PHP community." Much of that feedback came in a survey Microsoft conducted last October. The new driver is the latest in a series of moves Microsoft has made to accommodate that PHP community.

The strategy seems to be working. "This is a great achievement, PDO support was much requested for the longest time by many in the PHP community, particularly Drupal folks," said one comment on the blog post that announced the new driver.

Another said, "WISP (Windows, IIS, SQL Server, and PHP) application development has been an interest of mine lately, and this definitely looks promising."

The driver CTP is available for download, with the final version expected later this year.

Posted by David Ramel on 04/28/2010 at 3:25 PM | 0 comments


Is Oracle's MySQL Move Really A Threat To Microsoft?

A lot of people believe that Oracle last week left no doubt that it will wield MySQL as a potent weapon to fight Microsoft for database market share. The company announced several new MySQL products at a conference in California and reaffirmed its commitment to the open-source software it acquired from Sun Microsystems earlier this year.

As reported by Reuters, "In a bid to woo customers from rival Microsoft Corp, Oracle Corp will boost investment in the widely used MySQL open-source database."

A ZDNet blogger said Oracle MySQL head honcho Edward Screven noted that "more customers deploy MySQL on Windows than on any other platform. That certainly gives Microsoft SQL Server a run for its money."

InformationWeek believes that Screven was "trying to lay apprehensions to rest" on the part of MySQL backers when he said: "We will make MySQL better. We plan to continue this level of investment. A lot of people questioned what motivation Oracle had in acquiring MySQL (as part of Sun Microsystems)."

In the ongoing database wars among the top vendors, this might give pause to database programmers who are choosing which technology to focus on, with Microsoft's SQL Server already being in second place behind Oracle's flagship product.

Or will it? Others aren't so sure.

Ken Hess wrote on DaniWeb.com that: "In essence, Oracle will continue on the same path with the commercial and community versions of MySQL just as MySQL AB and Sun did."

Or not!

He followed that up with:

"Uh huh. And I have some lovely beach front property in Arizona that I'd love to sell you. It isn't that I don't believe that Oracle will continue to support the MySQL Community version, it's that I don't think they'll continue to support it at the same level as they do the commercial version. The Oracle database doesn't need community support so why should MySQL?"

Expert analyst Laura DiDio, principal at ITIC, was even more skeptical when she told this site:

"Clearly the open-source community at large and the open-source developer community were hoping for specific reassurances from Oracle that it would continue to support, refresh and develop MySQL. Additionally, developers were also keen for Oracle to offer specific details regarding which MySQL features and functions, if any, will require a commercial license. The latter point is crucial for any organization building an in-house custom application or any third-party ISV developer contemplating whether to build a MySQL application or an application for Microsoft's SQL Server.

"Oracle did state it would continue to develop and promote MySQL to compete against rival Microsoft SQL Server, but many corporate developers, enterprises and industry watchers remain unconvinced and will take a wait and see approach before committing to put their development monies and R&D efforts behind MySQL. Oracle's announcement was long on promises and short on specifics on the all important open-source code vs. commercial licensing aspects of MySQL. Oracle still has a long way to go to quell developers' well-founded fears."

So, as with a lot of open-source issues, this one has polarized much of the IT community.

What do you think? Was it a stiff tilt at Microsoft or just a lot of smoke and mirrors? Weigh in here or send me an e-mail.

Posted by David Ramel on 04/19/2010 at 3:18 PM | 1 comment


New Training Kit For SQL Server 2008 R2

The buzz today is all about Visual Studio 2010 finally being released, of course, but you data hounds may be more interested in next month's launch of SQL Server 2008 R2.

Some of the more interesting features of R2 are the emphasis on "self-service BI" that comes through the new PowerPivot plug-ins for Excel and SharePoint and new Datacenter and Parallel Data Warehouse editions.

Speaking of the former: some users of the CTP version of PowerPivot for Excel were victims of a kind of April Fools' joke that I found out about when I was tinkering with PowerPivot and a new data visualization tool last week. PowerPivot wouldn't work for me. I discovered that a bug in the November CTP made the add-in expire on April 1. That made a lot of people quite irate. "You are really killing me here," said one. "This expiration is a complete disaster that really pulled the rug out from under us," said another.

Comments like that make me wonder about the wisdom of using prerelease software for real-world business apps in which you are heavily invested and on which you depend.

I got around the bug by following one user's advice and setting my PC's system clock back—and it worked! (Which reminds me, I have to set that back to normal….) I used that trick long ago in my youth when I was trying to, uh, borrow certain software packages for testing and evaluation purposes only, but somewhere along the line developers got wise to it and it no longer worked.

Anyway, if you really want to sink your teeth into R2, another Microsoft announcement today may just be your ticket: The SQL Server 2008 R2 Update for Developers Training Kit - April 2010 Update was released, according to an 11:16 a.m. blog post by Roger Doherty.

The training kit was first released in February. The April update features a bunch of new presentations, demos, hands-on labs and videos focused on Reporting Services. Last month's update tackled StreamInsight, which is described as "Complex Event Processing technology to help businesses derive better insights by correlating event streams from multiple sources with near-zero latency."

So get all trained-up on the new version and stay tuned for more details to be released during the PASS European Conference 2010 next week in Germany. Should be interesting.

What streaming insights do you have? What about tricks to let you use games and apps for evaluation purposes only? How has prerelease software victimized your business in the past? Comment here or send me an e-mail.

Posted by David Ramel on 04/12/2010 at 3:10 PM | 0 comments


New Data Visualization Tool Costs Nothing, Does A Lot

Continuing my exploration of new ways of using data from the cloud, I have found a nifty tool chock full of features that you wouldn't expect for its price: free!

It's called Tableau Public by its maker, Tableau Software.

It's called a step toward "the holy grail of data" by Microsoft's MSDN blog on Dallas, which is the new cloud data repository.

I previously wrote about how Microsoft's new PowerPivot tool for Excel lets you download huge amounts of data and present it in tables and charts. Tableau Public goes even further. Its data visualization options are incredibly extensive, letting you build all kinds of flashy interactive presentations.

Following the 1-2-3 steps of Open, Create and Share, you can even put these interactive visualizations into your blog or other Web page. It opens up countless story-telling scenarios for bloggers, journalists, researchers and students, examples of which are on Tableau's How It Works page. The site's Gallery page shows that Tableau is being used by companies such as The Wall Street Journal and CBS Sports.

In less than 10 minutes, I downloaded a free Dallas data feed--InfoUSA New, Out-Of-Business and Historical Businesses--and set up the following visualization of failed businesses near my home in Massachusetts. Even with such a simple data set, it's easy to see that businesses near the city of Brockton are struggling more than those in other areas, which jibes with local knowledge. Tableau Public also lets you overlay various demographics. I chose population growth, which shows failed businesses tend to occur in areas with lower population growth, which is logical.

It took another couple of easy steps to generate the HTML to let me host the project right here.

This is an extremely bare-bones example, but you get the idea. Note the interactive options at the bottom (not all applicable to this example) that let viewers manipulate and even download the data.

Give it a try and let us know what you think. And please point out any interesting examples of data visualization that you've come across. Comment here or send me an e-mail.

Posted by David Ramel on 04/07/2010 at 10:44 AM | 1 comment


.NET Data Access In Web Apps 101

Ever wonder what all these new-fangled data-based technologies coming from Microsoft can do for you? Who can keep track of everything? There's ADO.NET, LINQ to SQL, ASP.NET MVC, Entity Framework and OData, to name a few. Not to mention the code names and name changes: Oslo is now SQL Server Modeling; Gemini is now PowerPivot; ADO.NET Data Services is now WCF Data Services; and of course, my personal favorite, ADO Data Services v1.5 is now Data Services Update for .NET Framework 3.5 SP1. The list goes on.

Well, for you Web devs, I found a great primer from last week's MIX10 conference in Las Vegas. It was in a session called Accessing Data in a Microsoft .NET-Connected Web Application.

A great service from Microsoft was putting the MIX10 sessions on video for those of us who couldn't go to Vegas because of outstanding warrants, etc. (JK; never been there).

Shyam Pather provides an excellent, step-by-step, hands-on demo starting out with the most basic .NET data access and ending with the new darling debutante, OData.

He writes some simple code, then looks at the patterns used in the code and shows you how to simplify/improve things by using new, "fancier" approaches and patterns.

For example, he starts with an empty ASP.NET MVC project in Visual Studio 2010 and quickly shows "the simplest way we can get data access going" with a connection string, select command, data reader and a little HTML.

After he does "the MVC dance" over this inline code, he points out the advantages of using model, view and controller to separate the data from the presentation from the mediator between the two. Any one can be changed without affecting the others.

He goes on to tackle a basic feature of the ADO.NET Entity Framework (ExecuteStoreQuery) that gets you into simple EF stuff by retrieving strongly typed objects out of your queries without having to deal with ORM or other modeling.

It proceeds in complexity from there. One of the better parts of the video shows how a model can reduce a complicated SQL query with an inner join, left outer join, filter, etc., to some simpler code that even I can understand (the best part is actually a joke commemorating St. Patty's Day: "An Irishman walks into a bar..."). At the same time, he shows how much easier it is to deal with the results of the query and bounce from one slice to another.

That, my friends, is what these new-fangled data-based technologies from Microsoft can do for you.

It can be intimidating to tackle new technologies and abandon the tried-and-true tools you've used for years. But when you do, the rewards can be great. Check out the video. (That's the only way you'll see the punchline of the Irish joke.)

Have you tried some of this new data stuff? Has it helped? Tell me your story. Comment here or send me an e-mail.

Posted by David Ramel on 03/25/2010 at 1:46 PM | 0 comments