18/09/2019
Slower and less secure in 20 minutes
Connor McDonald
Database Advocate
Copyright © 2019 Oracle and/or its affiliates.
Stuff
youtube bit.ly/youtube-connor
blog bit.ly/blog-connor
twitter bit.ly/twitter-connor
400+ posts mainly on database & development
250 technical videos, new uploads every week
rants and raves on tech and the world :-)
etc...
facebook bit.ly/facebook-connor
linkedin bit.ly/linkedin-connor
instagram bit.ly/instagram-connor
slideshare bit.ly/slideshare-connor
the secret to achieving true crappiness
It all comes down to...
too much work or ...
... not being able to do work
how to ensure excessive work when processing SQL
terminology
cursors

declare
  cursor C(p number) is
    select * from DEPT
    where DEPTNO = p;
begin
  for rec in C loop
    …
  end loop;
end;

select *
from EMPLOYEE
where EMPNO > 1234;

delete from MY_TABLE;

drop table MY_TABLE;

begin
  MY_PROCEDURE(1,2,3);
end;
3 phases
open     gimme some memory
process  do some stuff using that memory, maybe access other memory
close    here's your memory back
memory access = controlled access
a quick primer on (database) memory
metaphor
limited resource
lots of people want it
concurrent access causes problems
it's a complex system
same with memory
SGA
protected by ...
1) get latch
2) access memory
3) release latch
latch contention
someone must wait ...
active wait
spinning
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
can I have the latch ?
latch contention....
hurts CPU...
hurts concurrency
YOU GET NOTHING DONE
"Errrr.... weren't we talking SQL?"
to run a SQL statement
Syntax
Validity
Optimization
Rowsourcing
Execution
(Fetch)

SQL> select *
  2  frmo emp;
frmo emp
*
ERROR at line 2:
ORA-00923: FROM keyword not found where expected

SQL> select empnoo
  2  from emp;
select empnoo
*
ERROR at line 1:
ORA-00904: invalid column name
PLAN
-------------------------------------
SELECT STATEMENT
  TABLE ACCESS BY INDEX ROWID EMP
    INDEX RANGE SCAN EMP_PK
lots of preliminaries
parsing
lots of memory access
lots of latching !
impossible to avoid ?
two mechanisms
1) library cache
previously executed statements
parse statement
select * from emp where empno = 123
syntactically, semantically OK
already in library cache ?
reuse optimizer info
reuse row source info
2) binding
select surname, firstname from emp where empno = 123
select * from dept where dname = 'SALES'
probability of reuse low ?
many queries are “nearly the same”
select surname, firstname from emp where empno = 123
select surname, firstname from emp where empno = 456
binding
select surname, firstname from emp where empno = ?
parse this...
now run it with ? = 123
now run it with ? = 456
demo
ParseDemo
ParseDemoBind
"performance still looks ok"
let's make it real
ParseDemo2 nn
ParseDemo2Bind nn
much more serious
building SQL by concatenation
you'll get hacked
select ename
from emp
where empno = 6543

select ename
from emp
where empno = 6543
and 1=0
union all
select table_name
from all_tables
where table_name like '%SECURITY%'

select ename
from emp
where empno = 6543
and 1=0
union all
select username
from app_security
where ...
#1 hacking app .... Google
it takes 5 minutes to hack you
for slow and insecure applications...
no binding, no SQL reuse
for fast, secure SQL ...
... hence fast, secure applications
... always bind user input
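The two points made above, binding for statement reuse (the "2) binding" slides) and binding as the defence against SQL built by concatenation, as one added example that is not part of the talk or its ParseDemo/ParseDemoBind programs. It uses Python's sqlite3 module standing in for an Oracle connection and a small LibraryCache class standing in for the shared pool; the schema, sample rows, hash placeholder and function names are constructed for the demo.

```python
import sqlite3

# Constructed in-memory schema standing in for the EMP and APP_SECURITY tables
# named on the slides (added example; not the talk's ParseDemo/ParseDemoBind code).
SCHEMA = """
create table emp (empno integer primary key, ename text, surname text);
create table app_security (username text, password_hash text);
insert into emp values (6543, 'SMITH', 'Smith'), (7839, 'KING', 'King');
insert into app_security values ('admin', 'hash-placeholder');
"""


def connect():
    """Open a fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class LibraryCache:
    """Toy stand-in for the shared pool: a SQL text never seen before costs a
    hard parse, a text seen before is a soft parse (cache hit, info reused)."""

    def __init__(self):
        self.hard_parses = 0
        self.soft_parses = 0
        self.texts = set()

    def parse(self, sql):
        if sql in self.texts:
            self.soft_parses += 1
        else:
            self.texts.add(sql)
            self.hard_parses += 1


def ename_concat(conn, cache, empno):
    """Vulnerable form from the slides: the value is glued into the SQL text,
    so every distinct input is a distinct statement, and any input is SQL."""
    sql = "select ename from emp where empno = " + str(empno)
    cache.parse(sql)
    return [row[0] for row in conn.execute(sql)]


def ename_bound(conn, cache, empno):
    """Hardened form: one SQL text with a placeholder; the value travels
    separately as a bind variable and can never change the statement."""
    sql = "select ename from emp where empno = ?"
    cache.parse(sql)
    return [row[0] for row in conn.execute(sql, (empno,))]


def run_demo():
    """Run both forms over ordinary inputs, then over the slides' hostile input."""
    conn = connect()
    ordinary = ["6543", "7839"] + [str(n) for n in range(100, 120)]  # 22 values
    # The "and 1=0 union all" input shown on the slides, aimed at app_security.
    hostile = "6543 and 1=0 union all select username from app_security"
    concat_cache, bound_cache = LibraryCache(), LibraryCache()
    for value in ordinary:
        ename_concat(conn, concat_cache, value)
        ename_bound(conn, bound_cache, value)
    concat_hostile = ename_concat(conn, concat_cache, hostile)  # leaks 'admin'
    bound_hostile = ename_bound(conn, bound_cache, hostile)     # matches nothing
    return {
        "concat_hard_parses": concat_cache.hard_parses,  # 23: one per distinct text
        "bound_hard_parses": bound_cache.hard_parses,    # 1: same text every time
        "concat_hostile": concat_hostile,
        "bound_hostile": bound_hostile,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated form hard-parses 23 distinct statements and hands the attacker's text to the parser as SQL; the bound form parses one statement, soft-parses the other 22 calls, and treats the hostile string as a value to compare against empno (SQLite matches no row; Oracle would raise an invalid-number error), so the union never exists.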
if time permits...
sqlfree
The Best Oracle Database Feature Ever Invented [THT4798]
Wednesday, September 18, 10:15 AM - 10:35 AM, The Exchange - Theater 3
Flashback - Not Just for DBAs
Wednesday, September 18, 04:00 PM - 04:45 PM, Moscone South - Room 306
PL/SQL: Still the Best Data Access Language
Thursday, September 19, 12:15 PM - 01:00 PM, Moscone South - Room 155A
Have a great OpenWorld!
youtube tinyurl.com/connortube
blog connor-mcdonald.com
twitter @connor_mc_d
OOW19 - Slower and less secure applications