CSE 190: Internet E-Commerce
Sample Final Exam Questions

SQL, DB Design

1. Given these tables, write an appropriate SQL query:

   real_estate_agent (id, name, region)
   sales (id, agent_id, property_id, price, date)
   property (id, address)

   1. Show who sold what property during the last month.

      select a.name, p.address
      from real_estate_agent a, sales s, property p
      where s.agent_id = a.id
        and s.property_id = p.id
        and s.date >= '02/01/2002'

   2. Show total sales by region after '01/01/2002'.

      select a.region, sum(s.price)
      from real_estate_agent a, sales s
      where s.agent_id = a.id
        and s.date > '01/01/2002'
      group by a.region

SQL, DB Design

2. Put the following table design in 3-NF.

   Workflow_event (document_name, source_name, source_email, destination_name, destination_email, date)

   'Source' and 'destination' are the people, with names and email addresses. Document_name is a name identifying a document being passed between people, usually unchanged through a multi-step transaction.

   workflow_events(document_id, source_id, dest_id, date)
   documents(document_id, document_name)
   people(source_id, source_name, source_email)

DB Coding

3. Write ADO code to query the preceding design for all of today's work flow events.

   See lecture notes.

4. Write JSP code to query the preceding design for all of today's work flow events.

   See lecture notes.

Operations

5. What is the purpose of robots.txt?

   Exclude automated programs from accessing certain pages or sections of your web site. This is done for efficiency (pages may be soon obsolete), security (pages may have sensitive content), and operational reasons (access may be being abused by the robot). Of course, automated programs might ignore the file, as this cannot be automatically enforced.

6. What is the purpose of a data center?

   Provide facilities to host the servers of a web site. The data center may be owned by the firm or be a third party to whom data center services are outsourced.
   Generally, data centers provide security, power, bandwidth, and monitoring services.

Security

7. Sketch how to write a buffer overflow attack on the following code:

   char body[ BUFSIZ ];
   int bodyByteCount = parseHeader( header );
   int rc = recv( sock, body, bodyByteCount );

   The receiving end writes code similar to this:

   for( 1..n ) {            // n is much greater than BUFSIZ
       send( sock, 0x90 );  // send NOP code character, which depends on the platform
   }
   char hostileCode[] = "\xEB......./bin/sh\"......";
   /* hostileCode = byte codes for this code:
        execve( "/bin/sh", args );
        return;
   */
   send( sock, hostileCode );

Security

8. Explain the difference between the entropy of a session key and its length. How do you exploit a session key with low entropy?

   The entropy of a session key is the negative log of the inverse of the probability of predicting the session key. The length of the session key is the count of bits representing the key. The length is always greater than the entropy. A good session key has a high entropy, and is compact if the session key length is close to the entropy.

   If the session key has a low entropy, then regardless of the length of the session key, it is vulnerable to the following attack: generate random session keys using some predictive model. Test the generated key; if it works, as expected with a low entropy, then you now have a valid session. Repeat until you have a valid session. This is why generating a random session key from a user's password gains no security advantage over storing a one-way hash of the password; the entropy of the key is the same as the entropy of the password, which is low.

Performance

9. Why might you use client IP affinity instead of no affinity for load balancing? What is the trade-off?

   If you have resources which are cached at the server (e.g. an SSL session) which are expensive to re-establish at a fresh server, you may use client IP affinity to ensure that requests from the same client are repeatedly satisfied by the same server during this session. The trade-off is that the load may be unevenly distributed. This organization is still robust to failure, though.

10. What is the difference between network and application load balancing?

   Application load balancing chooses the least loaded server to handle the newest incoming request. Network load balancing treats all servers as equal, regardless of their load, and assigns requests in a round-robin or random manner. In other words, application load balancing uses some knowledge about the application's run-time behavior, while network load balancers limit their knowledge to the network layer.

XML, XSL

11. How is XML different from HTML?

   Both are an application of SGML. However, XML is similar to SGML because it allows the document author to invent their own tags. Both XML and HTML may be validated against their DTD (document type definition).

12. What's the result of applying this stylesheet to this XML document?
   See lecture example.

   XML:

   <?xml version="1.0" encoding="ISO-8859-1" ?>
   <!-- Edited with XML Spy v4.2 -->
   <CATALOG>
     <CD>
       <TITLE>Empire Burlesque</TITLE>
       <ARTIST>Bob Dylan</ARTIST>
       <COUNTRY>USA</COUNTRY>
       <COMPANY>Columbia</COMPANY>
       <PRICE>10.90</PRICE>
       <YEAR>1985</YEAR>
     </CD>
     <CD>
       <TITLE>Hide your heart</TITLE>
       <ARTIST>Bonnie Tyler</ARTIST>
       <COUNTRY>UK</COUNTRY>
       <COMPANY>CBS Records</COMPANY>
       <PRICE>9.90</PRICE>
       <YEAR>1988</YEAR>
     </CD>
   </CATALOG>

   XSL:

   <?xml version="1.0" encoding="ISO-8859-1" ?>
   <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
     <xsl:template match="/">
       <html>
         <body>
           <table border="1">
             <tr>
               <th>Title</th>
               <th>Artist</th>
             </tr>
             <xsl:for-each select="catalog/cd">
               <tr>
                 <td><xsl:value-of select="title" /></td>
                 <td><xsl:value-of select="artist" /></td>
               </tr>
             </xsl:for-each>
           </table>
         </body>
       </html>
     </xsl:template>
   </xsl:stylesheet>

SOAP

13. Show the function call that corresponds to this SOAP request, in any programming language.

   <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Body>
       <m:GetBookPrice xmlns:m="http://www.amzn.org/books">
         <m:BookName>Fast Food Nation</m:BookName>
       </m:GetBookPrice>
     </soap:Body>
   </soap:Envelope>

   In Java:

   float GetBookPrice( String BookName );

WML

14. What is WML for? What criticism could you offer for representing web content this way?

   WML = Web Markup Language. Used to communicate online content to mobile devices (wireless) through the WAP protocol. It was designed to be a simpler, more constrained subset of HTML, with more limited display capabilities.

   Arguably WML should not exist, and wireless devices should read HTML and render it using their more limited display capabilities, as was originally intended by HTML's authors. WML asks content authors to effectively create a second web, parallel to the HTML web, which is possibly an expensive proposition.
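Worked example for questions 1 through 4, added here and not part of the exam key: the two real-estate queries and the 3NF workflow design run against an in-memory SQLite database. The 3NF column names (person_id, name, email) are my own rather than the key's source_id naming, every row is constructed for the example, and dates are stored as ISO text (YYYY-MM-DD) so that string comparison orders them correctly. The "today's work flow events" query that questions 3 and 4 ask for is written with a bound parameter instead of splicing the date into the SQL text.

```python
"""Questions 1-4 worked in SQLite: real-estate queries plus the 3NF workflow
schema. Rows, names and dates are constructed for this example."""
import sqlite3
from datetime import date

REAL_ESTATE_DDL = """
CREATE TABLE real_estate_agent (id INTEGER PRIMARY KEY, name TEXT NOT NULL, region TEXT NOT NULL);
CREATE TABLE property (id INTEGER PRIMARY KEY, address TEXT NOT NULL);
CREATE TABLE sales (
    id          INTEGER PRIMARY KEY,
    agent_id    INTEGER NOT NULL REFERENCES real_estate_agent(id),
    property_id INTEGER NOT NULL REFERENCES property(id),
    price       REAL    NOT NULL,
    date        TEXT    NOT NULL);
"""

# Question 2 in 3NF: each person and each document is stored once; the event
# row carries only foreign keys plus the one attribute that belongs to the event.
WORKFLOW_DDL = """
CREATE TABLE people    (person_id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE);
CREATE TABLE documents (document_id INTEGER PRIMARY KEY, document_name TEXT NOT NULL UNIQUE);
CREATE TABLE workflow_events (
    event_id    INTEGER PRIMARY KEY,
    document_id INTEGER NOT NULL REFERENCES documents(document_id),
    source_id   INTEGER NOT NULL REFERENCES people(person_id),
    dest_id     INTEGER NOT NULL REFERENCES people(person_id),
    date        TEXT    NOT NULL);
"""

def build_db(today):
    """Create both schemas and load constructed rows; `today` is an ISO date string."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(REAL_ESTATE_DDL + WORKFLOW_DDL)
    con.executemany("INSERT INTO real_estate_agent VALUES (?,?,?)",
                    [(1, "Ana", "north"), (2, "Bo", "south"), (3, "Cy", "north")])
    con.executemany("INSERT INTO property VALUES (?,?)",
                    [(10, "1 Main St"), (11, "2 Oak Ave"), (12, "3 Pine Rd"), (13, "4 Elm Ct")])
    con.executemany("INSERT INTO sales VALUES (?,?,?,?,?)",
                    [(100, 1, 10, 200000.0, "2001-12-15"),   # before both cutoffs
                     (101, 2, 11, 150000.0, "2002-01-20"),
                     (102, 1, 12, 300000.0, "2002-02-05"),
                     (103, 3, 13, 100000.0, "2002-02-10")])
    con.executemany("INSERT INTO people VALUES (?,?,?)",
                    [(1, "Dee", "dee@example.com"), (2, "Eli", "eli@example.com")])
    con.executemany("INSERT INTO documents VALUES (?,?)", [(1, "Q3 budget"), (2, "NDA draft")])
    con.executemany("INSERT INTO workflow_events VALUES (?,?,?,?,?)",
                    [(1, 1, 1, 2, today), (2, 2, 2, 1, "2002-01-01"), (3, 1, 2, 1, today)])
    return con

def sales_since(con, cutoff):
    """Question 1.1: who sold what on or after `cutoff` (the key hard-codes the month start)."""
    return con.execute("""
        SELECT a.name, p.address
        FROM real_estate_agent a
        JOIN sales s    ON s.agent_id = a.id
        JOIN property p ON s.property_id = p.id
        WHERE s.date >= ?
        ORDER BY s.date""", (cutoff,)).fetchall()

def sales_by_region_after(con, cutoff):
    """Question 1.2: total sales per region strictly after `cutoff`."""
    return con.execute("""
        SELECT a.region, SUM(s.price)
        FROM real_estate_agent a JOIN sales s ON s.agent_id = a.id
        WHERE s.date > ?
        GROUP BY a.region ORDER BY a.region""", (cutoff,)).fetchall()

def todays_workflow_events(con, today):
    """Questions 3/4: today's events, joined back to names and addresses so the
    3NF rows read like the original Workflow_event table. The date is a bound
    parameter, never concatenated into the statement."""
    return con.execute("""
        SELECT d.document_name, src.name, src.email, dst.name, dst.email, e.date
        FROM workflow_events e
        JOIN documents d ON d.document_id = e.document_id
        JOIN people src  ON src.person_id = e.source_id
        JOIN people dst  ON dst.person_id = e.dest_id
        WHERE e.date = ?
        ORDER BY e.event_id""", (today,)).fetchall()

if __name__ == "__main__":
    today = date.today().isoformat()
    con = build_db(today)
    print(sales_since(con, "2002-02-01"))
    print(sales_by_region_after(con, "2002-01-01"))
    print(todays_workflow_events(con, today))
```

The explicit JOIN ... ON form is equivalent to the key's comma-join with conditions in WHERE; it just keeps join conditions apart from filters. Because people appears twice in the workflow query (once as source, once as destination), it needs two aliases, which is the usual cost of normalising a table that held the same entity type in two column groups.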
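Added example for question 8, not from the exam key: the difference between a key's length and its entropy, made concrete. Entropy is computed as H = -sum(p log2 p) over the distribution the key generator actually draws from; for n equally likely keys that is log2(n). Entropy can never exceed the length and equals it only when every bit is drawn uniformly at random, which is the case for an OS CSPRNG token but not for a key derived by hashing a password: SHA-256 gives a 256-bit key, yet if the password comes from about a million candidates the key carries about 20 bits, and the "repeat until you have a valid session" search the key describes costs on the order of 2^H trials, not 2^length. The skewed distribution is a constructed model of password popularity, not real data.

```python
"""Question 8: entropy versus length of a session key. Constructed
distributions; SHA-256 and 16-byte token sizes are the real ones."""
import hashlib
import math
import secrets

def shannon_entropy_bits(probabilities):
    """H = -sum(p * log2 p) over the distribution the key generator draws from."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)

def uniform_entropy_bits(n_equally_likely):
    """Special case: n equally likely keys carry exactly log2(n) bits."""
    return math.log2(n_equally_likely)

def derive_session_key(password, hash_name="sha256"):
    """The construction question 8 warns about: key = H(password)."""
    return hashlib.new(hash_name, password.encode()).digest()

def random_key_profile(n_bytes=16):
    """A key from the OS CSPRNG: every bit is uniform, so entropy == length."""
    key = secrets.token_bytes(n_bytes)
    bits = len(key) * 8
    return {"length_bits": bits, "entropy_bits": float(bits), "compactness": 1.0}

def password_derived_profile(n_candidates, hash_name="sha256"):
    """A key hashed from a password chosen uniformly among n_candidates: the
    digest is long, but hashing adds no unpredictability, so the entropy (and
    the guessing effort) is only log2(n_candidates)."""
    length_bits = hashlib.new(hash_name).digest_size * 8
    entropy = uniform_entropy_bits(n_candidates)
    return {"length_bits": length_bits, "entropy_bits": entropy,
            "compactness": entropy / length_bits}

def skewed_distribution(n, head=10, head_mass=0.5):
    """Constructed model of password choice: `head` popular passwords share
    `head_mass` of the probability, the other n-head passwords share the rest.
    Real password data is far more skewed than this."""
    return [head_mass / head] * head + [(1 - head_mass) / (n - head)] * (n - head)

def effort_ratio(profile):
    """How many times cheaper guessing the key is than its length suggests: 2**(L-H)."""
    return 2 ** (profile["length_bits"] - profile["entropy_bits"])

if __name__ == "__main__":
    print("random 128-bit key:", random_key_profile())
    p = password_derived_profile(2 ** 20)
    print("SHA-256 of a 1-in-2^20 password:", p, "effort ratio 2^%d" % math.log2(effort_ratio(p)))
    print("same pool, skewed choice:", shannon_entropy_bits(skewed_distribution(2 ** 20)))
```

The compactness figure is the key's own criterion ("compact if the session key length is close to the entropy"): 1.0 for the CSPRNG token, under 0.08 for the password-derived key.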
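Added example for questions 9 and 10, not from the exam key: the three dispatch policies the answers describe, run over one constructed request stream. Round-robin stands for network-layer balancing (servers treated as equal), a hash of the client IP gives IP affinity, and a least-loaded choice stands for application-layer balancing that knows each request's cost. Two metrics make the trade-off visible: the load spread between the busiest and idlest server, and how often a client lands on a different server than last time (each such move means re-establishing whatever was cached there, such as an SSL session). The server names, IPs and per-request costs are all constructed.

```python
"""Questions 9 and 10: round-robin, client-IP affinity and least-loaded
dispatch compared on a constructed request stream."""
import hashlib
import itertools

SERVERS = ("s1", "s2", "s3")

# Constructed stream: one chatty client (cost 5 per request) interleaved with
# six one-off clients (cost 1 each), as (ip, cost) pairs.
HEAVY = "10.0.0.1"
REQUESTS = []
for i in range(6):
    REQUESTS.append((HEAVY, 5))
    REQUESTS.append((f"10.0.0.{i + 2}", 1))

def round_robin(requests, servers=SERVERS):
    """Network-layer balancing: servers treated as equal, assigned in rotation."""
    rotation = itertools.cycle(servers)
    return [(ip, cost, next(rotation)) for ip, cost in requests]

def ip_affinity(requests, servers=SERVERS):
    """Hash the client IP so the same client always reaches the same server."""
    def pick(ip):
        digest = hashlib.sha256(ip.encode()).digest()
        return servers[int.from_bytes(digest[:4], "big") % len(servers)]
    return [(ip, cost, pick(ip)) for ip, cost in requests]

def least_loaded(requests, servers=SERVERS):
    """Application-layer balancing: send each request to the server with the
    least accumulated work (ties broken by name so the result is deterministic)."""
    load = dict.fromkeys(servers, 0)
    out = []
    for ip, cost in requests:
        target = min(servers, key=lambda s: (load[s], s))
        load[target] += cost
        out.append((ip, cost, target))
    return out

def load_per_server(assignment, servers=SERVERS):
    load = dict.fromkeys(servers, 0)
    for _ip, cost, server in assignment:
        load[server] += cost
    return load

def imbalance(assignment):
    """Spread between the busiest and the idlest server."""
    load = load_per_server(assignment)
    return max(load.values()) - min(load.values())

def affinity_misses(assignment):
    """Requests served by a different server than the client's previous one,
    i.e. how often a per-server cache (an SSL session, say) must be rebuilt."""
    last, misses = {}, 0
    for ip, _cost, server in assignment:
        if ip in last and last[ip] != server:
            misses += 1
        last[ip] = server
    return misses

if __name__ == "__main__":
    for name, policy in (("round-robin", round_robin), ("ip-affinity", ip_affinity),
                         ("least-loaded", least_loaded)):
        a = policy(REQUESTS)
        print(f"{name:12s} load={load_per_server(a)} imbalance={imbalance(a)} "
              f"misses={affinity_misses(a)}")
```

With affinity the chatty client's 30 units of work all land on one server while the others see at most 6, so the imbalance is at least 24 but no client ever moves; least-loaded keeps the servers within 2 units of each other but moves the chatty client on every request. Affinity also still survives a server failure, as the key notes, provided the hash is recomputed over the remaining servers.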
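Added example for questions 11 and 12, not from the exam key and not a real XSLT processor: it uses Python's ElementTree to evaluate the same select paths the stylesheet uses (for-each over catalog/cd, value-of title and artist) against the catalog document above, and renders the table the template would build. The point it demonstrates is one consequence of XML being an SGML application with author-defined tags: element names, and therefore XPath steps, are case-sensitive, whereas an HTML browser tolerates any case. The stylesheet as written selects catalog/cd while the document's elements are CATALOG and CD, so the for-each matches nothing; the same template with matching case yields two rows. The synthetic #document wrapper is my own device to stand in for the document node that match="/" selects.

```python
"""Questions 11-12: emulate the stylesheet's for-each / value-of selections
with ElementTree to show XML's case-sensitive element names."""
import xml.etree.ElementTree as ET
from html import escape

# The catalog document from question 12 (ASCII, so the ISO-8859-1 declaration is honoured).
CATALOG_XML = """\
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Edited with XML Spy v4.2 -->
<CATALOG>
  <CD>
    <TITLE>Empire Burlesque</TITLE>
    <ARTIST>Bob Dylan</ARTIST>
    <COUNTRY>USA</COUNTRY>
    <COMPANY>Columbia</COMPANY>
    <PRICE>10.90</PRICE>
    <YEAR>1985</YEAR>
  </CD>
  <CD>
    <TITLE>Hide your heart</TITLE>
    <ARTIST>Bonnie Tyler</ARTIST>
    <COUNTRY>UK</COUNTRY>
    <COMPANY>CBS Records</COMPANY>
    <PRICE>9.90</PRICE>
    <YEAR>1988</YEAR>
  </CD>
</CATALOG>
"""

def document_node(xml_text):
    """Wrap the root element in a synthetic document node so a relative path such
    as 'catalog/cd' is evaluated from the document, as it is inside match="/"."""
    doc = ET.Element("#document")
    doc.append(ET.fromstring(xml_text.encode("iso-8859-1")))
    return doc

def render_table(xml_text, row_path, cell_paths):
    """Mimic the template: a header row, then one <tr> per node matched by
    row_path with a <td> per value-of; a missing node yields an empty string,
    which is also what xsl:value-of produces for an empty node-set."""
    doc = document_node(xml_text)
    rows = []
    for item in doc.findall(row_path):
        cells = []
        for path in cell_paths:
            node = item.find(path)
            cells.append(escape(node.text or "") if node is not None else "")
        rows.append(cells)
    html = ['<table border="1">', "<tr><th>Title</th><th>Artist</th></tr>"]
    for cells in rows:
        html.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    html.append("</table>")
    return rows, "\n".join(html)

def rows_as_in_exam_stylesheet():
    """The select paths exactly as written in the exam's XSL (lower case)."""
    return render_table(CATALOG_XML, "catalog/cd", ["title", "artist"])[0]

def rows_with_matching_case():
    """The same template with paths matching the document's upper-case names."""
    return render_table(CATALOG_XML, "CATALOG/CD", ["TITLE", "ARTIST"])[0]

if __name__ == "__main__":
    print("as written:", rows_as_in_exam_stylesheet())
    print("matching case:", rows_with_matching_case())
    print(render_table(CATALOG_XML, "CATALOG/CD", ["TITLE", "ARTIST"])[1])
```

Cell text is HTML-escaped on output; xsl:value-of escapes special characters too, and it is the detail that keeps a title containing "<" from becoming markup in the rendered page.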
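Added example for question 13, not from the exam key: a small server-side dispatcher that turns the SOAP request into the call float GetBookPrice(String BookName). The envelope is the one from the question, with the SOAP 1.1 envelope namespace and the m: declaration placed where well-formed XML requires them; the price table, the function name in snake_case and the fault wrapper are constructed. The dispatcher only invokes operations listed in an allow-list and checks both the envelope and operation namespaces before calling anything, which is the check a SOAP endpoint should do before trusting the element name in the Body.

```python
"""Question 13: map a SOAP request to a function call, with namespace and
parameter checks. Envelope from the exam; prices and handler are constructed."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
BOOKS_NS = "http://www.amzn.org/books"                   # the m: namespace in the request

SOAP_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <m:GetBookPrice xmlns:m="{BOOKS_NS}">
      <m:BookName>Fast Food Nation</m:BookName>
    </m:GetBookPrice>
  </soap:Body>
</soap:Envelope>"""

PRICES = {"Fast Food Nation": 13.95}   # constructed catalogue

def get_book_price(book_name):
    """float GetBookPrice(String BookName); KeyError for an unknown title."""
    return PRICES[book_name]

# Allow-list: operation name -> (handler, ordered parameter names). Nothing else is callable.
OPERATIONS = {"GetBookPrice": (get_book_price, ["BookName"])}

def parse_call(xml_text):
    """Return (operation, {param: value}) from the Body, verifying both namespaces."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation element")
    op = body[0]
    ns, _, name = op.tag.rpartition("}")        # "{uri}local" -> ("{uri", "}", "local")
    if ns != "{" + BOOKS_NS:
        raise ValueError("operation is not in the books namespace")
    params = {}
    for child in op:
        cns, _, cname = child.tag.rpartition("}")
        if cns != "{" + BOOKS_NS:
            raise ValueError(f"parameter {cname} is not in the books namespace")
        params[cname] = (child.text or "").strip()
    return name, params

def dispatch(xml_text):
    """Parse, look the operation up in the allow-list, check its parameters, call it."""
    name, params = parse_call(xml_text)
    if name not in OPERATIONS:
        raise ValueError(f"unknown operation {name}")
    func, expected = OPERATIONS[name]
    if sorted(params) != sorted(expected):
        raise ValueError(f"{name} expects parameters {expected}, got {sorted(params)}")
    return func(*[params[p] for p in expected])

def handle(xml_text):
    """Return ('ok', value) or ('fault', message) instead of raising, the way an
    endpoint would turn an error into a SOAP Fault rather than a stack trace."""
    try:
        return "ok", dispatch(xml_text)
    except (ET.ParseError, ValueError, KeyError) as exc:
        return "fault", f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    print(parse_call(SOAP_REQUEST))
    print(handle(SOAP_REQUEST))
    print(handle(SOAP_REQUEST.replace("GetBookPrice", "DeleteBook")))
```

Mapping the Body's element name straight onto a method by reflection is the shortcut this avoids: the allow-list decides what is callable, and the parameter check refuses both missing and extra arguments.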