Application Security Testing: An Integral Part of DevOps
By Ziran Sun
Back in the days of classic ASP, if you were building a database-driven web site, your choice was either to invest a lot of money to get a copy of Microsoft SQL Server (or some other enterprise-ready database) or invest a lot of time finding a way to deal with the performance and scalability limitations of Microsoft Access. Luckily these days there's another viable alternative: MySQL.
What is MySQL?
MySQL is an open source database server. While many organizations may choose to purchase a commercial version of the product, the GNU General Public License (commonly known as the "GPL") ensures that the source code will remain available and therefore the software can be used free of charge by those willing to forgo official support and support it themselves.
For more information, see the MySQL website.
Step 1 - Download and Installation
As with most any software, the first step to getting up and running with MySQL is to obtain and install the product. You can download the setup file from http://dev.mysql.com/downloads/index.html. As of this writing the current version is MySQL 4.1 so that's the version I'll be using for the rest of this article. Unless you have a reason to do otherwise, I'd recommend just downloading the pre-compiled binaries for your current platform. In this case I'll be installing on a Windows XP machine so I downloaded the normal Windows version which includes the installer. The download is just under 35 MB so it shouldn't take too long to get via any reasonable internet connection.
The installation is straightforward and caused no problems for the very modest laptop I installed it on. Just so you have an idea of what to expect, I'm including screen captures of several steps of the setup process.
As you can see in the screen capture above, at the end of the setup process the installer asks if you'd like to configure the MySQL Server. If you choose to do so, it will launch the MySQL Server Instance Configuration Wizard which brings us to the next step in the process.
Step 2 - Configuration
The MySQL Server Instance Configuration Wizard makes configuring your server really simple. Configuration is straightforward and I just used the default setting for most everything.
If you're installing on a dedicated database server or a shared server you should obviously select the appropriate choice. Since I'm installing on my laptop, I simply left the server type as "Developer Machine". This setting won't offer the same performance, but it also won't use as many system resources.
I made sure to enable TCP/IP networking in order to allow the web server to connect to the database when we get to building a web page to query the database. If you'll be running the database and web servers on the same physical computer then you can disable this option to prevent access to the database via the network.
Step 3 - MySQL Administrator
While it's certainly not required, I highly recommend you download and install the MySQL Administrator. It's a great little application that provides a GUI to help you manage your new database server. While you can get up and running using only the command line, for users who are used to using Windows applications and wince at the thought of editing configuration files by hand or using a command prompt it's almost a necessity. For the rest of this article, I'll assume you've installed MySQL Administrator and I'll be using it for illustration.
Step 4 - Creating a Database
In order to create our database, we first need to connect to the server. Run MySQL Administrator and log in to your server using the password you set during installation.
You'll then want to select the "Catalogs" item at the bottom left of the MySQL Administrator window. This should bring up a list of the current databases on the server (There should be two of them: "mysql" and "test"). If you right-click in the small window where they are listed you should get the option to "Create New Schema".
You'll then be prompted to enter a name for the new database. I'll be using "mydatabase" as the example for the remainder of this article.
Once created, your new database will appear in the Schemata list along with the other databases on the server. Selecting it from this list will bring up its details in the right hand pane.
There's not much to see because the database is still empty... so let's put something in it.
Step 5 - Creating a Table
To create a table simply click on the "Create Table" button. This brings up the following dialog box:
As you can see, I've named the table "mytable" and added 4 fields to it: an auto-incrementing primary key id field, an integer field, a text field, and a date/time field.
When you're done making changes, you simply click the "Apply Changes" button. A window that looks something like the one below will pop up showing you the SQL that will be executed and asking you to confirm that you want to save changes to the table design.
At this point, we've got a database named "mydatabase" that contains a table named "mytable". Now all we need is to add some rows of data to the table.
Step 6 - Adding Data
In the real world, data in your table would probably come in via your application. To get some sample data into our table, I'm simply going to insert a few lines by hand. To do this I'll use the MySQL Command Line Client. If you're still in the MySQL Administrator you can access the command line from the "Tools" menu (Tools -> MySQL Command Line Client); otherwise you can run it from the MySQL group on the Start Menu.
The first command in the screen above tells the server which database I want to be working in. The second and third commands simply insert some dummy data and are the same except for the differences in the data being inserted.
Now we've got two sample rows of data in our table. At this point our database server is up and running with a database, a table and even some data.
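The database, table and sample rows from Steps 4 to 6, written as SQL that can be typed into the MySQL Command Line Client. This is an added example, not the statements shown in the original screen captures; the column names (`int_field`, `text_field`, `date_field`), their types and the inserted values are assumptions.

```sql
-- Step 4: create the database (MySQL Administrator calls this "Create New Schema").
CREATE DATABASE mydatabase;

-- Tell the server which database the following statements apply to.
USE mydatabase;

-- Step 5: a table with the four fields described in the article.
-- Column names and types are assumed for illustration.
CREATE TABLE mytable (
    id         INT UNSIGNED NOT NULL AUTO_INCREMENT,  -- auto-incrementing primary key
    int_field  INT,                                   -- integer field
    text_field VARCHAR(255),                          -- text field
    date_field DATETIME,                              -- date/time field
    PRIMARY KEY (id)
);

-- Step 6: two sample rows (constructed values). The id column is omitted
-- so that AUTO_INCREMENT assigns 1 and 2.
INSERT INTO mytable (int_field, text_field, date_field)
VALUES (1, 'First sample row', '2005-01-15 10:30:00');

INSERT INTO mytable (int_field, text_field, date_field)
VALUES (2, 'Second sample row', '2005-01-16 14:45:00');

-- Confirm that both rows were stored.
SELECT id, int_field, text_field, date_field FROM mytable;
```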
This article illustrated how to do the following:
- Download and install the MySQL Database Server.
- Configure the server.
- Install MySQL Administrator to make managing the database easier.
- Create a new database named "mydatabase".
- Create a new table named "mytable" in that database.
- Add a couple rows of sample data to that table.
Next time we'll look at adding users to the database server, the different options available for connecting to your new database from .NET, and how to build a basic ASP.NET page that performs queries against the database.