Академический Документы
Профессиональный Документы
Культура Документы
Case Study
Database Principles
Overview
The Snooty Cat Festival Company organises many festivals around the UK. As of 2017 they
have been in business for seven years and have built a large client base in this time. They
organise many types of festivals, which may be music festivals, folk festivals, steam engine
festivals, car festivals or food festivals to name but a few. They use their organisational skills
and contacts to address the needs of their clients.
There is a large Music Festival at Stonehenge next year (Summer 2018) which they have
won the bid to organise and manage.
The site and site arrangements including camping, fencing and security
Provide the stage, lights, sound equipment for the bands
Site amenities such as toilets and showers
The bands that will play at the festival
On site vendors providing food, drinks, trinkets, camping equipment, wellies, t-shirts,
souvenirs etc. etc.
Marketing the event, both traditionally and through social media
Ticket sales.
Many of the functions are outsourced to other companies such as security firms, fencing
contractors, vendors and agents of the bands that are playing. However it is the Snooty Cat
Company that have to ensure that all these people have been contacted, dates are agreed,
arrangements are made and requirements are clear.
The clients pay Snooty Cat to organise the festival and this payment has to cover all the
costs incurred in setting up the event. It is the client who gets the money from the ticket
sales, not Snooty Cat – they just facilitate the sales. The only other money Snooty Cat
makes is from charging the vendors (food and supplies) a site pitch at the festival.
Previously, events have been managed using Excel Spreadsheets, letters, emails, diaries,
post it notes and a very large Gantt chart on the office wall. As they are growing they are
starting to find that they are managing multiple festivals at the same time. The main
spreadsheet is now 10,000 rows and has started to get very slow and it is becoming difficult
to find information easily. They now would like one integrated information system to help
them manage their work and provide instant information available to everyone in the
company. They have had problems in the past when a member of staff has gone off sick and
nobody else knows where the information is or how much of the job is still left to do.
The main driver for Snooty Cat Festivals is to have is an information system in place to
manage the Stonehenge event in 2018.
The Staff
There are two directors of the company. They are the guys who make contacts with
potential clients, bands and land owners. Their main role is overall management of
the company and bringing in new business.
There are ten other staff who work in the office and are responsible for the day to day
organisation of the business and the events
There are two Finance Managers who are responsible for all the accounts, takings,
expenditure and paying the staff.
Local Authorities
Content of the advertising
Actual payment info (e.g. the database should not store credit card numbers)
Anything that would be better handled by other systems, e.g. by telephone, email or
by using a calendar or a website. It is your responsibility to scope this project and
decide what should and should not be included in the database system. This will form
part of the assumptions that you make and needs to be clearly stated.
There is not enough information here to get your requirements absolutely clear and
as you cannot ask the client you are going to have to make some assumptions about
how the system should do things and what should or should not be included. You
must document these as everyone will think different things and what I am looking for
is that your design follows your logic as stated in your assumptions.
Analysing The Snooty Cat Festival Company, I have identified the following entities.(see Figure 1).
First Aid – I am assuming that the arrangements for first aid will be done over the phone/email and the Snooty Cat Company just
need to record if that arrangement was made or not and the details of the arrangement are kept in a signed contract form.
Therefore, I decided to not include a First Aid entity but the arrangement to be recorded under FESTIVAL as an attribute as First
Aid Available (boolean) with the values of YES/NO. However, if more details are required to be recorded for arrangements I may
want to clarify with Snooty Cat Company.
Tickets Sale – Because the CLIENT gets the money from the tickets sales and Snooty Cat Company just facilitate the sales and
assuming that the tickets will have a series number to identify each particular ticket, I will assign a table for tickets where the sold
tickets will be recorded along with their sale price (e.g. Festival-1 were sold 320 tickets at £25 each; Festival-2 were sold 100
tickets at £18 each etc.). The payment method of tickets I am assuming will be done through a specialised website such as PayPal
or handled by a payment processing company (e.g. Sage) and Snooty Cat Company will record only the number of tickets sold per
festival In the database.
Contractors / Vendors / Suppliers / Land Owners – Over time the Snooty Cat Company may have other different types of
participants (e.g. Animators, Entertainers) not mentioned in this case study. Therefore, instead of sticking with these entities I
have decided to use one entity as Partner and one as Partner Groups, where partner_group_ID is a foreign key in Partners entity
and the company would have the flexibility to add more types of partners without need to redesign the database.
Band Payments – I am assuming that an Agent may have several bands under his/her management and they have their own
arrangements/contracts. The payment for band/s would go to the Agent rather than each band and the Agent may use their own
payment system based on what agreement they have. I would contact Snooty Cat Company to clarify who receives the payment.
Site Pitch – I am assuming that Snooty Cat Company would have digital/hard copies of the land layout and they would allocate a
predefined space (e.g. Stand A1, A2, B1, B2 etc.) at the festival for each vendor. I decided to not use Site Pitch as an entity. The
vendor location would be recorded as an attribute in a new entity Festival Details where vendors would be recorded with what
services they offer, location at the festival along with arriving and departure date/time.
Staff – I am assuming that the staff payment will be handled by the company payroll system therefore I will not include any staff
payment records.
- I am assuming that the directors will make contact with potential clients, agents and/or land owners through phone/email and
they will have their own contact details. Once an agreement of participation is made between Snooty Cat Company and client,
agent or land owner the directors will record the details in database.
Festival Advertising – They are not enough information regarding the festival advertising. I am assuming that the Marketing
Department, have own tracking methods, unless the Snooty Cat Company specifies otherwise and I would clarify with them to
include Advertising to the database.
Other – The local authority’s approval, special permits or any other contracts requirements are not specified in the case study and
they are not part of the database system.
AGENT
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_agent PK TINYINT UNSIGNED auto increment Agent ID, Auto generated
ID_partner SMALLINT UNSIGNED NOT NULL partner.ID_partner
covering_area VARCHAR(50) Area covered by the agent (e.g. International, South London etc.)
AMENITY
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_amenity PK SMALLINT UNSIGNED unsigned; auto increment; Amenity ID, Auto generated
amnity_name VARCHAR(100) NOT NULL Name of the facility available at festival
amnity _note TINYTEXT Descriptive note if is required
BAND
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_band PK SMALLINT UNSIGNED auto_increment; Band ID, Auto generated
ID_agent TINYINT UNSIGNED agent.ID_agent
b_name VARCHAR(50) NOT NULL Name of the band
b_genre VARCHAR(30) Music genre played by the band
b_members_no TINYINT(2) Number of members in the band
CLIENT
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_client PK TINYINT UNSIGNED auto_increment; Client ID, Auto generated
c_company AK VARCHAR(100) Client company name
c_name VARCHAR(20) NOT NULL First name of person of contact or individual client
c_surname VARCHAR(20) Last name of person of contact or individual client
c_address1 VARCHAR(50) NOT NULL Client address field 1
c_address2 VARCHAR(50) Client address field 2
c_postcode CHAR(8) NOT NULL Client address postcode
FESTIVAL
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_festival PK SMALLINT UNSIGNED auto_increment; Festival ID, Auto generated
ID_client TINYINT UNSIGNED NOT NULL client.ID_client
ID_festival_type TINYINT UNSIGNED festival_type.ID_festival_type
ID_amenity SMALLINT UNSIGNED amenity.ID_amenity
f_name AK VARCHAR(100) NOT NULL Name of the festival
f_date DATE NOT NULL Date of the festival
NOT NULL DEFAULT
f_first_aid ENUM('YES','NO') Arrangements for First Aid service
'NO'
f_budget DECIMAL(6,2) NOT NULL The money paid by the client per festival
FESTIVAL_TYPE
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_festival_type PK TINYINT UNSIGNED auto_increment; Festival Type ID, Auto generated
ft_name VARCHAR(100) NOT NULL Festival type name (e.g. music festival, folk festival etc.)
ft_notes TINYTEXT Descriptive note if is required
FESTIVAL_DETAILS
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_festival PK SMALLINT UNSIGNED NOT NULL festival.ID_festival
ID_venue PK TINYINT UNSIGNED NOT NULL venue.ID_venue
ID_service MEDIUMINT UNSIGNED NOT NULL service.ID_service
contract_date DATE NOT NULL Agreement date
pitch_location VARCHAR(20) Location at the event
arriving_time DATE/TIME NOT NULL Arriving date and time of service
departing_time DATE/TIME NOT NULL Departing date and time of service
fd_note TINYTEXT Descriptive note if is required
FESTIVAL_PERFORMERS
LANDOWNER
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_landowner PK SMALLINT UNSIGNED auto_increment; Landowner ID, Auto generated
ID_partner SMALLINT UNSIGNED NOT NULL partner.ID_partner
PARTNER
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_partner PK SMALLINT UNSIGNED auto_increment; Client ID, Auto generated
ID_partner_group TINYINT UNSIGNED NOT NULL partner_group.ID_partner_group
p_company VARCHAR(100) Client company name
p_name VARCHAR(20) NOT NULL First name of person of contact or individual client
p_surname VARCHAR(20) Last name of person of contact or individual client
p_address1 VARCHAR(50) NOT NULL Client address field 1
p_address2 VARCHAR(50) Client address field 2
p_postcode CHAR(8) NOT NULL Client address postcode
p_city VARCHAR(30) Client address city
p_email AK VARCHAR(60) NOT NULL Client contact email address
p_phone AK VARCHAR(15) NOT NULL Client contact phone number
PARTNER_GROUP
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_partner_group PK TINYINT UNSIGNED auto_increment; Partner Group ID, Auto generated
p_group_name VARCHAR(50) NOT NULL Name of the group (e.g. Vendor, Contractor, Supplier)
PAYMENT
SERVICE
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_service PK MEDIUMINT UNSIGNED auto_increment; Service ID, Auto generated
ID_partner SMALLINT UNSIGNED NOT NULL partner.ID_partner
service_name VARCHAR(50) NOT NULL Name of the service (e.g. Lights, Musical Instruments etc)
service_price DECIMAL(6,2) NOT NULL Price of the service
service_description TEXT Description of the service
STAFF
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_staff PK TINYINT UNSIGNED auto_increment; Staff ID, Auto generated
ID_staff_role TINYINT UNSIGNED NOT NULL staff_role.ID_staff_role
s_name VARCHAR(20) NOT NULL Staff personel first name
s_surname VARCHAR(20) NOT NULL Staff personel last name
s_address1 VARCHAR(50) NOT NULL Staff personel address field 1
s_address2 VARCHAR(50) NOT NULL Staff personel address field 2
s_postcode CHAR(8) NOT NULL Staff personel address postcode
s_city VARCHAR(30) NOT NULL Staff personel address city
s_email VARCHAR(60) NOT NULL Staff personel contact email address
s_phone VARCHAR(15) NOT NULL Staff personel contact phone number
STAFF_ROLE
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_staff_role PK TINYINT UNSIGNED auto_increment; Staff role ID, Auto generated
TICKET_SALE
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_sale PK MEDIUMINT UNSIGNED auto_increment; Sale of tickets ID, Auto generated
ID_festival SMALLINT UNSIGNED NOT NULL festival.ID_festival
ticket_start_series VARCHAR(20) NOT NULL Starting series number of tickets (e.g. F123456)
ticket_end_series VARCHAR(20) NOT NULL Ending series number of tickets (e.g. F654321)
ticket_sold SMALLINT UNSIGNED NOT NULL Number of tickets sold
ticket_price DECIMAL (4,2) NOT NULL Price of the tickets
VENUE
PK
Attribute Name Data Type & Size Domains and constraints FK Reference Description
AK?
ID_venue PK MEDIUMINT UNSIGNED auto_increment; Venue ID, Auto generated
ID_landowner SMALLINT UNSIGNED NOT NULL landowner.ID_landowner
venue_name VARCHAR(50) NOT NULL Name of the venue
venue_address1 VARCHAR(50) NOT NULL Venue location field 1
venue_address2 VARCHAR(50) Venue location field 2
venue_postcode CHAR(8) NOT NULL Venue location postcode
venue_city VARCHAR(30) Venue location city
venue_capacity SMALLINT UNSIGNED NOT NULL Total of people capacity of venue
venue_rent_price DECIMAL(5,2) NOT NULL The price of renting the venue
In our digital era probably the security term, is one of the most used terms. Security can vary from a country
security to a device security or personal security and under the broad term of security databases are included as well.
The most used term is hacking but it is only one of the many security
risks that a database is exposed along with physical damage, data corruption,
natural disasters, hardware failure, 3rd party integrated software, users (regular
users and administrators) or even design flaws. Some of the results of the security
breaches of a database would be: loss of privacy, integrity, availability,
confidentiality or theft and fraud (Connolly & Begg, 2015).
As any other database system, Snooty Cat Festival Company (I will refer
from now on as SCFC) database is vulnerable to many security issues, and as any Figure 1 - General type of users
other organisation these potential threats must be taken into account.
Unauthorised Access
Probably unauthorised access to a database is the starting point of any security issue. The access to the SCFC
database needs to be limited and only the person with the right authorisation needs to be able to input/edit or delete
data. We must not confuse the authentication with authorization. Authentication will allow the user to login to the
system where authorization will constrain what to access into the system (privileges). Privileges are issued via the
GRANT command and are taken away via the REVOKE command where DENY will forbidden access to a certain
privilege and the group privileges are controlled through ROLES (reduce security maintenance by not having to grant
explicit privileges directly to a user but to a group). As an example related to the SCFC database would be the staff
users (STAFF table). A staff with the accountant role (defined by STAFF_ROLE table), it should not have access to
input data to the festivals (FESTIVAL table) but will have access to generate invoices (PAYMENT table). SCFC
database users’ needs to be given specific roles and privileges necessary to accomplish their job but they should not
have access that extends beyond the scope of his or her job duties also known as “principle of least privilege”. I must
mention a common “mistake” done by the DBAs is the fact that, when a user no longer requires access to the database,
the account remain active longer than necessary. Therefore, the user account should be deleted/disabled immediately.
For SCFC database only the DBA should have direct access to the database root and run queries. The database
root access must be protected with a password where all other users should access the database inputs/outputs through
forms and reports.
As an extra measure of control and prevention, for the database a database connection session should be
recorded (creating a new table with a user session) and “DBA can use database roles and resource limits to minimize
the impact of rogue users in the system” (Coronel & Morris, 2017).
Note: For a full understanding of user roles in the company and what they need to access and what not, I need to
clarify with Snooty Cat Company.
As any other digital system databases are vulnerable to data corruption or data loss (due to various reasons
such as hardware failure, user mishandling or natural disasters). Therefore, a Backup & Recovery policy must be in
place. This policy must be enforced by SCFC if the database is located on their facility (or if they are responsible for
database deployment/maintenance) otherwise the company, handling the database service; (please see a draft of a
proposed policy as Appendix B). As a DBA I must consider all the time that the data loss may be total, therefore all
data must be recovered in full at any time. This will include regular backups policies and off-site storage location. In
my opinion, for the SCFC database a daily backup will probably be enough, but with databases running millions of
queries per second (e.g. Amazon DB) a real-time backup is required. The backup procedure can include a full backup
(a complete copy of entire database, ensuring a full recovery of all data after a database integrity failure or physical
disaster), an incremental backup (backup only of data changed from last complete or incremental backup) and a
concurrent backup (similar with real time backup, where the backup is take place when one or more users are
working on the database) (Coronel & Morris, 2017). The backups must be performed at regular intervals and as a note
it worth to be mentioned that the backed-up data must be regularly checked for data corruption and if they can be used
at any time.
Any data in a database should be secured using a combination of public, private, and symmetric keys to
encrypt and decrypt data and the encryption can be implemented at different levels (tables, columns, rows and cells)
(Hwang & Yang, 1997). However, we must note that it may be a degradation in performance because of the time
taken to decode it, but for database backup I would recommend a full encryption. One of the sensitive information in
SCFC database are the financial information therefore, the
[FESTIVAL<budget>]; [PAYMENT<pmt_ammount>] must be
encrypted at and only the users with appropriate authorisation will be
able to see that particular information (e.g. staff from finance dept.). A
new USER table will contain the user’s login credentials along with
their passwords (a password attribute) and this field needs to be stored
Figure 2 - MariaDB password Encryption Example
as one-way hashing algorithm (e.g. for MariaDB would be
PASSWORD() function) (MariaDB, n.d.).
A more complex way of encryption would be a full level database encryption supported by many vendors but
like I previous said this will have a big impact over performance. Each vendor has own syntaxes for encryption and a
good understanding of the those is a must.
SQL Injections
An SQL injection usually is performed through a web application with a connection to the database, by
inputting the malicious code into user input field and executed in the database. The first step to tackle an sql injection
threat is to ensure that the application validates data before submitting to the database. In order to increase security
against sql injections, for SCFC database two techniques must be combined: validation (to check if the input meets
criteria) and sanitization (modify the input to ensure that is valid). Oracle states that an effective defence against sql
injections is a must “to avoid SQL injection, all inputs that are to be concatenated in dynamic SQL must be correctly
filtered and sanitized” (Oracle Corporation, n.d). For SCFC database as an example would be to validate that the
postcodes with the specific UK postcodes format. Other examples are to convert the single string (') to double quotes
(") before inserting any information to database, in FESTIVAL table as f_date, no backdate of current date can be
inserted, or the f_budget attribute will validate positive integer inputs where any string input consists only of the digits
0 through 9.
In order to reduce the risk of SQL injections as much as possible a thigh collaboration between the DBA,
application developer and network administrator is a must, for a bespoke configuration, form validations, input masks
and system compatibility.
Note: For a summary of the general security vulnerabilities and the typical countermeasure please see Appendix A.
Web Database
Figure 5 - Add a new festival form mock-up Figure 5 - Financial report with profit/loss calculation
Connolly, T., & Begg, C. (2015). Database Systems: A Practical Approach to Design, Implementation and Management. Essex:
Pearson Education Limited.
Coronel, C., & Morris, S. (2017). Database Systems: Design, Implementation and Management (12th Edition). Boston: Cengage.
EUGDPR. (n.d.). The EU General Data Protection Regulation . Retrieved from eugdpr.org:
https://www.eugdpr.org/eugdpr.org.html
Foster, E. C., & Godbole, S. (2016). Database Systems: A Pragmatic Aproach (Second Edition). New York: Apress.
Hwang, M.-S., & Yang, W.-P. (1997). Multilevel secure database encryption with subkeys. Data&Knowledge Engineering, 117-
131. Retrieved from http://isrc.asia.edu.tw/www/myjournal/P007.pdf
Netsparker. (n.d). What is the SQL Injection Vulnerability & How to Prevent it? Retrieved from Netsparker:
https://www.netsparker.com/blog/web-security/sql-injection-vulnerability/#PreventingSQL
Oracle Corporation. (n.d). What Is Input Validation and Sanitization? Retrieved from Oracle.com:
http://download.oracle.com/oll/tutorials/SQLInjection/html/lesson1/les01_tm_ovw3.htm