DB2 Blog

When you try to run ./setup with Data Studio 1.2 you get an anoying error:

This launchpad is not intended to run on the current platform. Check the product documentation or contact your vendor for more information about supported platforms.

Information about your machine
Operating System (top.OS) = Linux
Operating System Type (top.OSTYPE) = unix
Processor Architecture (top.ARCHITECTURE) = unknown
Browser/version (top.BROWSER/top.BROWSERVERSION) = Firefox/1.9
Locale (top.LOCALE) = en
Launchpad compatibility version =

Compatibility checks defined for this launchpad
version = 1.2
top.OS = Windows.*|Linux
top.ARCHITECTURE = x86|AMD64
top.OSTYPE = windows|unix

To get around it simply go to the disk1/InstallerImage_linux directory and run ./install.

Comment (0)

Just started playing around with the next release of MySQL. Version 6.0 has reworked the falcon engine to look exactly what Oracle, DB2 have for a design. http://www.mysql.com/mysql60/.

Comment (0)

Why does the installer always seem to give me so many install problems?

Comment (0)

After a busy month of conferences, it's good to be home. It was fascinating to see Warsaw for IDUG Europe; it was my first trip there.

From my limited knowledge of history, Poland has the unfortunate placement of being on the way to other destinations. When Napoleon, and later Hitler, want to go to Russia with a few hundred thousand soldiers, Poland was on the way and was invaded each time. Chopin wrote many sad songs about what was happwning to his beloved country. Of course, the Russian came through again when they later attacked Hitler.

We took time off on the last day of the conference to visit Warsaw's old town and the Royal Palace. We were told that it wasn't the original palace; the original palace was completely destroyed by the Nazis, and then the rubble was mined for other construction. There were few buidlings left standing in Warsaw.

It took Polish volunteers ten years to reconstruct the palace. My hat is off to them. The palace is as close to perfect as it can be, and it is lovingly maintained. I spent a few minutes watching an artisan repair a small section of gold leaf. It is painstaking work.

My second trip was  back to Mandalay Bay in Las Vegas for IOD and the Gold Consultant briefing. I felt in somewhat better shape for the 5+ miles of walking required.

If you are ever looking for a quiet spot on the Vegas strip, I highly recommend a small pond in the middle of the Wynn Hotel. The bar serves a nice riesling and you can pretty much forget the bustle around you. It's a short 1 1/4 hour walk from Mandalay Bay.

Home time is limited by IDUG regional events. I'm now off to San Ramon CA and the following week is Harrisburg PA and Kansas City KS. 

Comment (0)

Everyone who uses DB2 is used the db2sampl command. It provides a basic relational database for people to play around with and verify that DB2 is working. On Infosphere editions of DB2 there is also a DWESAMP database which ships with an example warehouse database.

Most people don't know about the dwesamp database as there is no command in your path such as db2sampl. It is extremly easy to setup the DWESAMP database just go to:C:Program FilesIBMdwesamplesdata

or

/opt/ibm/dwe/samples/data

and run setupolapandmining.bat or setupolapandmining.sh and you have the DWESAMP database

 

Comment (0)

Through the years, I've been fortunate to work on a number of successful projects.

Success can be measured in a number of ways. It may include technical elegance, on-time delivery, user satisfaction, functional correctness, and good performance. While all of these qualities may be needed in successful IT projects, there is a bigger element that overlies everything else.

Looking back, every successful project had a sponsor or leader with vision. The leader must also be able to communicate and lead the project by sharing this vision with the project members. The entire vision does not have to be shared with the team; but certainly enough to ensure that the goal of the project is achieved.

If there is not a clear vision known by the sponsor, or there is a problem communicating enough of it to others, it is likely that the goal will never be reached. That's the catch, you have to know where you want to go before you set out.

The leader can be consultive, to learn more as the project starts, but the vision must be there, and while the vision may change over time, it should remain strong.

If it is necessary to do a survey or hire consultants to determine what to do, in a macro sense, chances are you're doomed before you start. You may end up with "something", but chances are it won't be unique, it will cost more than you expected, and you won't be happy. Without a clear vision, you might not even be able to identify why it didn't work out. You may even rationalize the outcome to call it a success, but hopefully, if you understand where I'm coming from, you'll know the difference.

The vision does not have to be unique or revolutionary. As I understand it, Jergens had the first hand cream before the very similar Vaseline Intensive Care came to the market. I would suggest that somebody in the Vaseline brand had a better marketing vision. The execution of this plan I'm sure also required vision, of the kind that would get the product to market.

In my opinion, the great companies and organizations of the world were all formed by people with a vision and a passion that alloweed them to become great. Hopefully, when it is time for each of us to lead, we all have the vision needed and the passion to succeed.

Comment (0)

When using SQL/PL you need to be careful about implicit truncation when using scalar function calls. DB2 developers write stored procedures to handle logic that is accessible to all applications. Often to protect against an SQL injection attack, as we discussed in previous blog entries, developers will use functions such as REPLACE(var, ‘''', ‘''''') to secure their SQL. This looks annoying, but all this call does is to replace a single quote with a two quotes. One of the problems can occur though, is an overflow to the assigned variable, for which db2 will implicitly truncate the string. Consider the following call:

CALL CREATE_USER("' WHERE 1=1 ","a ‘")

 

CREATE TABLE USER(username varchar(255), password varchar(255))@
 
CREATE PROCEDURE UPDATE_PASSWORD(IN username CHAR (25), IN password CHAR(25)) 
BEGIN 
DECLARE ESCAPED_USERNAME CHAR(25); 
DECLARE ESCAPED_PASSWORD CHAR(25); 
DECLARE STATEMENT CHAR(250);
SET ESCAPED_USERNAME = REPLACE(username, '''',''''''); 
--ESCAPED_USERNAME = "'' OR 1=1    "
SET ESCAPED_PASSWORD = REPLACE(password, '''','''''');
--ESCAPED_PASSWORD = "a                       ‘"
SET STATEMENT = 'UPDATE user SET password=''' || ESCAPED_PASSWORD || ‘''
WHERE username = ‘'' || ESCAPED_USERNAME || ‘''' ; 
--STATEMENT = UPDATE USER SET 
--PASSWORD = ‘a               
--        ‘' WHERE                    --USERNAME = ‘'' WHERE 1=1    ‘
EXECUTE IMMEDIATE STATEMENT;
END@
 

In this example, REPLACE automatically casts from a 26 CHAR string after the replace to a 25 character string. Other DBMSs issue a warning, but DB2 is silent in this situation. This means that the double quote REPLACE call to prevent the injection fails to guard against the injection.

Other variants of attacks include padding extra space to the end of parameters in hopes of bypassing checking and creating a duplicate entry. For example:

 --------------------------------------------------

--INPUT
--username = ‘root      x'
--password = ‘'newpw'
 
--TABLE USER
USERNAME       PASSWORD
---------------------------------------------------
Root		Some_Very_Secure_Password
User1		password
User2		123456
-- In the application look to see if the user exists
SELECT * FROM USER WHERE username = ‘root      x'
-- 0 Rows returned. It's ok to create the user!
CALL CREATE_USER (‘root      x','newpw');
CREATE PROCEDURE CREATE_USER (IN username CHAR (25), IN password CHAR(25)) 
BEGIN
DECLARE STATEMENT CHAR(250); 
DECLARE ESCAPED_USERNAME CHAR(10) = REPLACE(username, '''','''''');
-- Silent truncation happens here as ESCAPED_USERNAME is too small
-- ESCAPED_USERNAME = ‘root      ‘
DECLARE ESCAPED_PASSWORD CHAR(25) = REPLACE(password, '''','''''');
SET STATEMENT = 'INSERT INTO user (password,username)
 VALUES(''' || ESCAPED_PASSWORD || ‘'',‘'' || ESCAPED_USERNAME || ‘'')' ; 
EXECUTE IMMEDIATE STATEMENT;
END@
 

In this case we were able to create two users with the same username root. This potentially creates a security hole in the application if administrator authority is based off the username.

 

How to protect against truncation injections?

1)Ensure that your variables are always sized to the maximum output of the scalar function even if the string is larger than the table's column. DB2 LUW will generate an error if you try to insert or update a column with a value that is larger than the column definition.

2)Make use of static SQL as much as possible as it prevents this type of attack and other types of injections

3)Consider putting checks in your code to check the length of a variable against the length of the corresponding column.

4)In cases where select statements are making use of a variable that could be larger than the column, add checks to log column overflows as someone could be snooping around your network.

Comment (0)

I received an email last night from someone who was trying to performance tune a Linux DB2 installation. He was concerned about receiving a large variance in his results, even though he was stopping and starting DB2 between runs.

I suspect the largest contribution to this variance is the result of file system caching (9.1 default for tablespaces), inode caching, and dentries caching. This is enabled in Linux by default. When benchmarking DB2 with cold bufferpools, make sure you clear the operating system cache between runs. To do this, execute the following command as root:

sync;echo 3 > /proc/sys/vm/drop_caches

This clears all the caches that Linux keeps in memory and makes results more uniform and less susceptible to skews.

Comment (0)

If you have known me for a while, you will know that I am a huge hardware buff. While this blog is supposed to be about DB2, I figured I would post some interesting hardware stuff about Intel's new Nehalem core, as it directly affects XML processing and string operations. Intel's latest 45nm Nehalem core implements SSE 4 but adds 7 new extensions over its previous implementations, which Intel dubs SSE 4.2. The new extensions are Application-Targeted Accelerators (ATAs) that focuses on string operations.

It's a break from general CPU architecture as these instructions are quite general but they allow for up to 256 byte comparisons in a single instruction! Now, you're probably thinking, so what it's just more microcode. WRONG! This is an actual separate piece of silicone. This will give you dramatically faster strlen, strcmp, memcmp, etc. Which means that parsing of XML files, which is string comparison intensive will run more quickly. Unfortunately, you can't take advantage of the instructions below unless you recompile your application with an up-to-date compiler. Perhaps future editions of DB2 and pureXML will take advantage of these instructions.

The new instructions are listed below (Thanks Wikipedia -www.wikipedia.org/wiki/SSE4)

CRC32 -Accumulate CRC32C value using the polynomial 0x11EDC6F41 (or, without the high order bit, 0x1EDC6F41).

PCMPESTRI - Packed Compare Explicit Length Strings, Return Index

PCMPESTRM -Packed Compare Explicit Length Strings, Return Mask

PCMPISTRI -Packed Compare Implicit Length Strings, Return Index

PCMPISTRM -Packed Compare Implicit Length String, Return Mask

PCMPGTQ - Compare Packed Data For Greater Than

POPCNT -Population count (count number of bits set to 1) - bit manipulation; shares the same opcode for JMPE, the instruction used in Itanium CPUs to escape from IA-32 mode. POPCNT instruction may also be implemented in some processors that do not support the other SSE4 instructions and a separate bit can be tested to confirm POPCNT presence.

Comment (0)

OK, so I have been "blog tagged" by Phil Nelson, who is an extremely talented DBA and programmer. The rules state that I now must post 5 things you don't know about me. So here it goes...

1.In my teenage years I used to run the largest Blizzard game hacking website on the net. If you ever typed "Diablo II hacks" into Google you were surfing my site. When I was working on the site I learned C++ development/hacking and Web Development. It was common to have 1000 concurrent users just on the message boards alone. MySQL was locking up big time and I asked Martin Hubel for help. This is how I got started on DB2.

2.My first job was in grade 2 as a file sysop manager of a local BBS. My pay was free unlimited BBS access!!!

3.In the 1x series of PHPBB an internet friend and I developed a fork of PHPBB called PHPBB Mod on source forge. It was reasonably successful and it even powered the forum of my favorite Chinese martial artist Jet Li.

4.When the Warcraft III beta leaked, I developed a server selector and modification tool to make Warcraft III work with a new project bnetd that was reverse engineering battlenet. The server selector had over 120k downloads by the time Warcraft III was released.

Interestingly, bnetd was one of the first cases of the DMCA act taking out an internet service. It ended up in court for a number of years. All I can say is I was glad I was Canadian and didn't get pulled into that whole mess.

5.I have a level 70 Horde Warrior, CrimsonBane, in World Of Warcraft that I rarely play

Comment (0)