Idea for “pure” mysqlnd interface

When I first heard about the mysqlnd project at the MySQL Camp in 2006, somehow I thought it was going to be 100% PHP code. I can’t remember now if I was making an incorrect assumption or if they planned to write it in PHP but changed their mind.

What we have today is a DLL that is a drop-in replacement for libmysql. This has a few nice advantages. It means the replacement library will be API-compatible with all three PHP extensions for MySQL, (mysql, mysqli, and pdo_mysql) so it requires no one to change their PHP application code. The libmysqlnd is licensed under the PHP license, so it can be distributed with PHP core without any license conflict. All in all a good solution that will help both PHP and MySQL.

But what about my (mistaken) impression of a MySQL client written in PHP, instead of implemented as a DLL? Essentially this would implement in PHP code the MySQL client/server protocol.

It’s certainly possible that implementing this protocol in a language like PHP would be hopelessly inefficient and not suitable for any real world development. But it would have a few nice advantages:

  • Providing a platform-independent MySQL client.
  • Deploying easily in hosting environments with no access to configure php.ini.
  • Allowing PHP debugging tools to inspect at the protocol level.
  • Serving as a model for similar drivers for Perl, Ruby, Python, etc.
  • Licensing with the same license as the respective language, e.g. PHP License, Artistic License, or GPL.

Writing a driver in the host language has precedent. A JDBC type 4 driver is supposed to implement the vendor’s client/server protocol in 100% Java code, so as to appear to the RDBMS server as indistinguishable from the vendor’s own client library.

So for now, this is just an idle idea. Please don’t anyone ask me where to download this imaginary software, it doesn’t exist as far as I know!

In Support of the Relational Model

Every few years, a wave of people claim that the relational model falls short of modeling data structures of modern applications. This includes some really smart people recently such as:

Jim Starkey
Brian Aker
MIT researchers

This trend of criticizing the relational model started almost immediately after E. F. Codd published his seminal paper, “A Relational Model of Data for Large Shared Data Banks” in 1970.

Some data modeling tasks are just complex by nature, and it is necessarily a difficult, time-consuming analysis to figure out how to structure the storage for a given application in a manner that is both logically complete and also efficient.

The complexity does not originate from the technology; the complexity originates from nontrivial real-world scenarios, which are full of complexity, inconsistency, and special-case exceptions. It isn’t that the database modeling technology is insufficient, it’s that the job is genuinely hard.

This is an example of what I call a Waterbed Problem. When you’re lying on a waterbed, and you push down with your hand to make part of the bed lower, the water inside is displaced and rises in some other area. Even if you get a lot of friends to help you with the waterbed (okay this is starting to get racy but don’t worry), the water is still mostly non-compressible, so naturally no matter how hard you push, you only displace the water, you can’t make it shrink.

The waterbed analogy applies when we try to simplify a computer organization problem. We “push down” on the complexity of the task by inventing new methods for describing the problem. Sometimes this leads to nifty things like domain-specific languages. But generally there is a trade-off. We make one part of the problem easier to solve, at the cost of making another part of the problem less flexible, or harder to solve. The analogy is that the complexity rises in some other area, in response to our attempt to push the complexity down in the area we’re working on currently.

We might even create a simple solution for the problem at hand, but the new solution is simply unable to address some related problems. This might be analogous to a leak in the waterbed, but probably I’ve exhausted this analogy by now.

Flexibility of the data modeling solution is not the only criterion. It must also support rigidity where needed. If you can’t define the structure of your data model enough to disallow invalid data, then you’re asking for trouble. If the data management is just a pool of data elements and relationships, and any enforcement of structure is dependent on application logic, then your data integrity is at risk of bugs in that application, or susceptible to invalid changes made via a different client application.

I believe the relational model strikes a good balance between flexibility and rigidity, and that’s why it has been a good choice for general-purpose data modeling for so long. Other techniques have advantages in certain areas, but they always have a balance of disadvantages in other areas.

There is no magic bullet that can make the data modeling process easier. Not object databases, not hierarchical databases, not semantic databases, not network databases. Different data modeling paradigms can describe the data relationships differently, but they can’t make the problem simpler.

To respond to the smart folks who say that the relational model is inadequate, I concede that the relational model is the worst form of DBMS except for all those other forms that have been tried from time to time (with apologies to Winston Churchill).

Proposals for MySQL Conference

I submitted proposals for the MySQL Conference & Expo.

SQL AntiPatterns II

I thought it would be a no-brainer to do a sequel of my 2007 talk, “SQL AntiPatterns”. That talk was very well attended, thanks to Jay Pipes’ endorsement in his guide to the conference. It’s not hard to come up with all-new content for a sequel!

Topics in this presentation:
* Corrupt your data by storing images in files instead of BLOB fields.
* Kill your query performance using the HAVING clause.
* Use the FLOAT datatype and lose money.
* Add an “id” column to every table — whether it needs one or not.
* Prepare queries using parameters for identifiers and keywords.

Designing Models and Such: using MySQL in MVC Applications

I just recently finished working for Zend Technologies, spending a year developing the database access components for the Zend Framework.

A database like MySQL is an integral part of virtually every web application. This talk describes practical ways to leverage MySQL in your project, to meet goals of development productivity, application performance, and security.

Model-View-Controller (MVC) is a popular architecture pattern for web applications, but it may be novel to PHP developers. Designing Models in an MVC application is the subject of many questions, so this talk will focus on these issues.

Examples use the Zend Framework web application library for PHP 5.

* Designing database-backed Model classes for MVC applications
* Caching data and metadata appropriately
* Storing authentication credentials in a database
* Configuration management and testing issues
* Logging application events to a database

The audience for this talk is assumed to know object-oriented programming concepts in PHP 5.

SHA2() patch for MySQL 5.0

I’ve created a patch for MySQL 5.0.33 to provide a function SHA2().
Download it here:

It really just calls out to the OpenSSL library for the digest functions. So you have to build MySQL from source with OpenSSL support enabled.

You can use the function in SQL syntax like:

SELECT SHA2(‘message’, 256);

The second argument is 224, 256, 384, or 512, depending on what digest algorithm you want to use. If you pass 0 as the second argument, it uses SHA-256.

This is my first code contribution to MySQL. I’d be grateful if someone wants to review it and let me know if it needs any changes.

UPDATE 2/5/2007: I re-packaged the patch, excluding more of the MySQL generated files. Thanks to Stewart Smith @ MySQL for the suggestion.

UPDATE 12/3/2010: MySQL 5.5.8 has been released for General Availability, including my SHA2() patch. Happy day!

Change == Opportunity

Bob Field posted his reactions to the recent MySQL announcement to offer two versions of the MySQL Server product: Enterprise Server and Community Server.

I feel somewhat similarly; the change has the potential to give greater value to both the corporate customers of MySQL and their community users. It will be interesting to see how this develops as we go forward.

By making less frequent releases of MySQL, the company could put more work into quality control, and this could enable them to provide an overall better product. Not that they aren’t quite healthy and competitive in that area, but QC that can always be improved.

This would be good of course for MySQL’s Enterprise customers, because the product will become an even better technology for stable, secure, performant data management.

But it could also benefit the open source community. The improvements that go into MySQL Enterprise will still be available for download in source form. Anyone can build the MySQL server to get these improvements at any time. Well, almost anyone. 🙂 It’s not that easy to build the sources. But recent documentation (tutorial 1, tutorial 2, tutorial 3) and tools have made it a lot easier to build MySQL from source.

I don’t mind the reduction in frequency of prebuilt binaries. The number of people who eagerly upgrade to the latest binaries is a tiny percentage of the most dedicated power users, based on the types of questions I see online. Most people upgrade once every two or three years. The few who stay current can check out the code and build it, so they’ll be even more current than they have been in the past. There is a school of thought that power users of open-source software should be building from source anyway.

I usually recommend to newbies to use XAMPP or a similar prebuilt software stack. It will be interesting to see if XAMPP adopts MySQL ES or CS.

How the division of the code develops over time is largely in the hands of community developers. One area that could benefit form contributions is the MySQL build tools.

MySQL Server also needs support for popular IDE tools like Visual Studio and Eclipse. Also the Build Farm Initiative has started to address continuous integration systems. These are areas where the community can help greatly.

But it’s also in the hands of MySQL AB, because they still control both the ES and CS code trees. There needs to be a more reliable process for community contributions to be integrated into the official code.

Catch-22 of the Active Database

People frequently ask if they can do fancy things in triggers, such as writing to the filesystem, sending an email, or notifying other applications of data changes.

I always recommend against doing things like this. Calling an external processes from a trigger or UDF is very difficult to get right, and it is very easy to cause serious problems with your application.

Say for instance that you want to send an email from within a trigger, to notify someone of a data change.

An operation that spawned the trigger may be rolled back, or it may fail for another reason (violated a constraint, etc.). But the call out to the external process occurs anyway. So the email is sent, but then the database change turns out not to be committed. Thus someone has been notified of a change that effectively hasn’t happened.

Even if the operation is successful, it may not be committed immediately. But triggers fire at the time of the operation, not the time of the commit. So the email could be received and the recipient goes to look for the new data. They might not find it, because it’s still pending a commit.

It’s better to perform notifications to external processes in your application code. After you have confirmed that the database change happened successfully, and the transaction was committed, you can notify other external applications directly.

This doesn’t quite work for secondary operations, though. For instance, your app does an UPDATE, and the update trigger does another SQL operation, like INSERT. That INSERT operation is the one about which you want to notify some person or application. How can the application know that the INSERT was successful? How can your app know the values that were inserted, so that it can include those in the notification?

Another similar example is if your app does an operation which affects other data via a foreign key declared with cascading referential integrity rules. For instance, your app does a DELETE, and a dependent table which refers to that table cascades the delete. The deletes on the dependent table are the changes about which you want to notify some person or application. How does the calling application know which tables were affected by cascading operations?

I don’t have answers to these latter problems yet. But in most cases, your application does know the tables and rows on which it operates. In those cases, the application should generate notification events or perform other actions outside the database.

Working on SHA-2

Several months ago, it became clear that one could crack a SHA-1 message digest. It was still a nontrivial problem, but it could be done thousands of times faster than brute-force guessing. So SHA-1 has become undesirable as a secure message digest, and U.S. federal software security standards now call for software to use SHA-256 (one of the group of algorithms which comprise SHA-2).

MySQL currently has a builtin function to produce message digests with the SHA-1 algorithm, but not with SHA-2. There’s a bug #13174 logged at the MySQL site, but they seem like they’re deprioritizing it.

So I thought it would be nice to contribute some code to MySQL. I’ve been using it for about six years, and helping answer questions on newsgroups and forums, and I’ve also logged a few decent bugs. But I’ve never contributed code. How hard could it be? I’m no expert on implementing cryptography code, so I don’t want to write the code and get it wrong.

Fortunately MySQL uses OpenSSL, which qualifies on NIST’s list of Validated FIPS 140-1 and 140-2 Cryptographic Modules. MySQL already relies on the OpenSSL library for the DES encryption and decryption algorithms.

I’ve made good progress. I checked out the sources with BitKeeper, and built the MySQL 5.0 and 5.1 sources. I kept an unmodified copy of the tree so I could create diffs after I added my code. I followed the documentation on adding native functions to MySQL. I could have implemented it as a UDF, but I thought the proper fix for the lack of functionality would be a built-in function.

I now have it working. One can apply a patch to the MySQL sources, and build the tree. If you configured MySQL with “–with-openssl“, then the SHA-2 function calls into the OpenSSL library to get the SHA-224, SHA-256, SHA-384, and SHA-512 message digest algorithms. Here’s an example demonstrating the usage:

SELECT SHA2(‘plaintext string’, 256);

The first argument is a string expression. The second argument is one of 224, 256, 384, or 512, according to the bit length of the desired message digest. Other values cause the function to return an error.

I ran tests using sample test vectors available from NIST. This is of course not a certification, but I can at least perform unpublishable validation. The test vectors include sample strings, and the expected hash values for SHA-1 through SHA-512. I wrote some shell scripts to help run through the tests, submitting the strings to SQL statements using “mysql -e“, and comparing the result to the test vector data, and also running the same data through standard command-line utilities like “sha256sum” as a double-check. Everything passes except the simplest case: a short, 8-bit value “00”. I suspect I just have the length of the input set wrong.

The next step is to figure out how to convert these tests to integrate with MySQL’s own test framework.