Chap 3.

PL/SQL Security

3. PL/SQL SECURITY
1.

What are the different types of transactions in Oracle?

1. An Oracle table can be manipulated through SQL or PL/SQL statements.
2. An Oracle transaction can be made up of a single SQL sentence or several SQL sentences.
3. This gives rise to Single Query Transactions (SQT) and Multiple Query Transactions
(MQT).
4. Both these transactions access Oracle tables. Since Oracle works on a multi-user platform,
it is likely that many users will access the data either for viewing or for manipulating it (by
using UPDATE, DELETE, INSERT commands) from the same table at the same time.
Thus, the Oracle table is a global resource i.e., it is shared by many users.

2.

What is concurrency control and how is it implemented?

1. An Oracle table can be manipulated through SQL or PL/SQL statements.
2. These transactions can be Single Query Transactions (SQT) or Multiple Query
Transactions (MQT). These transactions access Oracle tables.
3. Since Oracle works on a multi-user platform, it is likely that many users will access the
data either for viewing or for manipulating it (by using UPDATE, DELETE, INSERT
commands) from the same table at the same time. Thus, the Oracle table is a global
resource i.e., it is shared by many users.
4. Therefore it is essential that data integrity is maintained and Oracle should permit
simultaneous access to the tables without causing damage to the data.
5. The technique employed by Oracle to protect table data when several people are accessing
it is called Concurrency Control. This technique is implemented through a method called
locking.
6. A lock is a variable associated with a data item that describes the status of the item with
respect to the various operations that can be performed on it. Generally, there is one lock
for each data item in a database.

What are locks? Explain Oracles default locking strategy (Implicit locking).
1. Oracle is a multi-user system and several users may access a table at the same time for
either viewing it or for manipulating it through INSERT, UPDATE and DELETE
commands.
2. In order to maintain the integrity of the database, Oracle uses a technique of concurrency
control through the mechanism of locking.
3. Thus, locks are mechanisms to ensure data integrity while allowing maximum concurrent
access to data.
4. This locking mechanism is fully automatic and does not require user intervention.
5. The Oracle engine automatically locks table data while executing SQL statements. This
type of locking is called Implicit locking.
Implicit Locking:
Implicit Locking is Oracles default locking strategy. Oracle has to decide on two issues:
1. Types of locks to be applied,
2. Level of lock to be applied.
Types of Locks:
The type of lock to be placed on a resource depends on the operation being performed on that
resource. The two types of operations on tables are:

mukeshtekwani@hotmail.com

Prof. Mukesh N. Tekwani

Chap 3. PL/SQL Security

Read Operations (SELECT statement)

Write Operations (INSERT, UPDATE, DELETE statements)
Read operations do not change the underlying table and hence simultaneous read operations
can be performed on a table without causing any damage to the table data. Oracle engine
places a Shared lock on a table when its data is being viewed.
Write operations cause a change in table data due to the INSERT, UPDATE and DELETE
commands. Hence, simultaneous write operations can adversely affect the table integrity.
Simultaneous write operations will cause loss of data consistency in the table. Therefore,
Oracle places an Exclusive lock on a table or parts of a table when data is being written in a
table.
The rules for locking are as follows:
Data that is being changed cannot be read (write and read cannot be performed
concurrently)
Writers wait for other writers if they attempt to update the same rows at the same time.
Types of Locks supported by Oracle are:
Shared Locks:
This lock is placed on a resource whenever a read operation is being performed.
Multiple shared locks can be placed simultaneously on a resource.
Exclusive Locks:
This lock is placed on a resource whenever a write operation
(INSERT/UPDATE/DELETE) is being performed.
Only one exclusive lock can be placed on a resource at a time. The first user who acquires
an exclusive lock will continue to be the sole owner of the resource and no other user can
acquire an exclusive lock on that resource.
Levels of Locks:
A table can be decomposed into rows and a row can be decomposed into fields. So we can
design a locking system which can lock the individual fields of a record. Thus, more than one
user can work on a single record in a table i.e., each user can be working on a different field
of the same record, at the same time. However, Oracle does not provide a field level lock.
The three levels of locking provided by Oracle are:
Row level
Page level
Table level
The level of locking to be used is decided by the Oracle engine; this depends on the presence
or absence of the WHERE condition in the SQL statement. The rules are as follows:
If the WHERE clause evaluates to only a single row in the table, a row level lock is used.
If the WHERE clause evaluates to a set of data, a page level lock is used.
If there is no WHERE clause (i.e., the entire table is being accessed by the query), a table
level lock is used.

Prof. Mukesh N Tekwani

mukeshtekwani@hotmail.com

Chap 3. PL/SQL Security

What is Exclusive locking? What is the need for exclusive locking? What are the various
techniques for exclusive locking?
Exclusive Locks:
This lock is placed on a resource whenever a write operation
(INSERT/UPDATE/DELETE) is being performed.
Only one exclusive lock can be placed on a resource at a time. The first user who acquires
an exclusive lock will continue to be the sole owner of the resource and no other user can
acquire an exclusive lock on that resource.
Need for exclusive locking:
Although the Oracle engine has a default locking strategy, explicit locking is often needed.
The following example explains the need for explicit locking:
Consider two client computers (Client A and Client B) are entering sales orders. Each time a
sales order is prepared, the QOH of the product must be updated in the PRODUCTS_MSTR
table. If client A fires an UPDATE command on a record of the PRODUCTS_MSTR table,
then Oracle will implicitly lock the record so that no further data manipulation can be done by
any other user till the lock is released. The lock will be released only when Client A fires a
COMMIT or a ROLLBACK command.
In the mean time, if Client B tries to view the same record, the Oracle engine will display the
old data for the record as the transaction for that record has not been completed by Client A.
Thus, Client B is viewing wrong information.
In such a situation, Client A must explicitly lock the record so that no other user can access the
record even for viewing purposes till client A completes his transaction.
Such a lock that is applied by the user on a row, page or the entire table is called an explicit
lock. Explicit locking is user-defined strategy and it always overrides Oracles default locking
strategy.
Tables and rows can be explicitly locked by using either the SELECTFOR UPDATE
statement or the LOCK TABLE statement.
The SELECTFOR UPDATE statement:
This statement is used for acquiring exclusive row-level locks. This statement informs the
Oracle engine that data currently being used needs to be updated. It is followed by UPDATE
statements with a WHERE clause.
Example 1:
Two clients A and B are recording the transactions performed in a bank for a particular
account number simultaneously.
Client A fires the statement:
Client A> SELECT * FROM ACCT_MSTR WHERE ACCT_NO = SB7 FOR UPDATE;
When the above SELECT statement is fired, Oracles engine locks the record SB7. This lock
will be released only when Client A issues the COMMIT or ROLLBACK command.
Now Client B fires a SELECT statement which points to record SB7 which has already been
locked by Client A.
Client B> SELECT * FROM ACCT_MSTR WHERE ACCT_NO = SB7 FOR UPDATE;

mukeshtekwani@hotmail.com

Prof. Mukesh N. Tekwani

Chap 3. PL/SQL Security

The Oracle engine ensures that Client Bs SQL statement waits for lock to be released on
ACCT_MSTR by a COMMIT or ROLLBACK statement. In order to avoid unnecessary
waiting time, a NOWAIT option can be used to inform Oracle engine to terminate the SQL
command if the record has already been locked. In this case Oracle engine generates a
message for Client B stating that the resource is busy. So in order not to wait for an uncertain
period, Client B can issue the following query:
Client B> SELECT * FROM ACCT_MSTR WHERE ACCT_NO = SB7 FOR UPDATE
NOWAIT;
The SELCT FOR UPDATE clause cannot be used with the following:
DISTINCT and GROUP BY clauses.
SET OPERATORS and GROUP functions.
Using the LOCK TABLE statement:
Oracles default locking strategy can be overridden by creating a lock in a specific mode. This
is done with the LOCK TABLE clause:
LOCK TABLE <tablename> [,<tablename>]
In {ROW SHARE | ROW EXCLUSIVE | SHARE UPDATE | SHARE | SHARE ROW
EXCLUSIVE | EXCLUSIVE }
[NOWAIT ]
In this syntax:
<tablename> indicates the names of the tables / views to be locked.
IN decides what other locks on the same resource can exist simultaneously. E.g., if there is
an exclusive lock on the table, no other user can update rows on the table. It can have the
following values:
o EXCLUSIVE Query is allowed on the locked resource but other activities are not
permitted
o SHARE Queries are allowed on the table but does not allow updates on the table
o ROW EXCLUSIVE this lock is acquired when using the commands UPDATE,
INSERT, or DELETE.
o SHARE EXCLUSIVE they are used to look at the whole table, to carry out
selective updates, and to allow other users to look at rows in the table but not lock
the table or update the rows.
NOWAIT Indicates that the Oracle engine should immediately return to the user with a
message, if the resources are busy. If this clause is omitted the Oracle engine will wait till
the resources available.
RELEASING LOCKS:
Locks are released under the following circumstances:
The transaction is completed successfully using the COMMIT verb.
A ROLLBACK is performed.
A ROLLBACK to a savepoint will release locks after the specific savepoint. But row-level
locks are not released by rolling back to a savepoint.
5

What are the important properties of a transaction that a DBMS must ensure?
There are four important properties of transactions that a DBMS must ensure to
maintain data in the face of concurrent access and system failures:

Prof. Mukesh N Tekwani

mukeshtekwani@hotmail.com

Chap 3. PL/SQL Security

1. Users should be able to regard the execution of each transaction as atomic: either all
actions are carried out or none are. Users should not have to worry about the effect of
incomplete transactions (say, when a system crash occurs).
2. Each transaction, run by itself with no concurrent execution of other transactions, must
preserve the consistency of the database. This property is called consistency, and the
DBMS assumes that it holds for each transaction. Ensuring this property of a transaction is
the responsibility of the user.
3. Users should be able to understand a transaction without considering the effect of other
concurrently executing transactions, even if the DBMS interleaves the actions of several
transactions for performance reasons. This property is sometimes referred to as isolation:
Transactions are isolated, or protected, from the effects of concurrently scheduling other
transactions.
4. Once the DBMS informs the user that a transaction has been successfully completed, its
effects should persist even if the system crashes before all its changes are reflected on disk.
This property is called durability.
The acronym ACID is sometimes used to refer to the four properties of transactions that we
have presented here: atomicity, consistency, isolation and durability.
6

Write a simple program to increase the salary of employees whose salaries are less than
the average salary by 10 percent. The program re-computes and prints out the average
salary if it exceeds 50000 after the above update.
DECLARE
avg_salary NUMBER;
BEGIN
SELECT avg(salary) INTO avg_salary FROM employee;
UPDATE employee SET salary = salary*1.1
WHERE salary < avg_salary;
SELECT avg(salary) INTO avg_salary FROM employee;
IF avg_salary > 50000 THEN
dbms_output.put_line (Average Salary is | | avg_salary);
END IF;
END;
/

Display the employee number for those employees whose salary is greater than their
supervisors salary.
DECLARE
emp_salary NUMBER;
emp_super_salary NUMBER;
emp_ssn CHAR (9);
emp_superssn CHAR (9);
CURSOR salary_cursor IS SELECT ssn, salary, superssn FROM employee;
BEGIN
OPEN salary_cursor;
LOOP
FETCH salary_cursor INTO emp_ssn, emp_salary, emp_superssn;

mukeshtekwani@hotmail.com

Prof. Mukesh N. Tekwani

Chap 3. PL/SQL Security

EXIT WHEN salary_cursor%NOTFOUND;

IF emp_superssn is NOT NULL THEN
SELECT salary INTO emp_super_salary FROM employee
WHERE ssn = emp_superssn;
IF emp_salary > emp_super_salary THEN
dbms_output.put_line(emp_ssn);
END IF;
END IF;
END LOOP;
IF salary_cursor%ISOPEN THEN CLOSE salary_cursor;
IF salary_cursor%ISOPEN THEN CLOSE salary_cursor;
END;
/

Write a program segment that gets a list of all the employees, increments each
employees salary by 10 percent, and displays the old and the new salary.
DECLARE
v_fname employee.fname%TYPE;
v_minit employee.minit%TYPE;
v_lname employee.lname%TYPE;
v_address employee.address%TYPE;
v_salary employee.salary%TYPE;
CURSOR EMP IS SELECT ssn, fname, minit, lname, salary FROM employee;
BEGIN
OPEN EMP;
LOOP
FETCH EMP INTO v_ssn, v_fname, v_minit, v_lname, v_salary;
EXIT WHEN EMP%NOTFOUND;
dbms_output.putline(SSN: | | v_ssn | | Old salary : | | v_salary);
UPDATE employee SET salary = salary*1.1
WHERE ssn = v_ssn;
COMMIT;
dbms_output.putline(SSN: | | v_ssn | | New salary : | | v_salary*1.1);
END LOOP;
CLOSE EMP;
END;
/

Prof. Mukesh N Tekwani

mukeshtekwani@hotmail.com