How to detect SQL type to avoid SQL injection

Hi,
I work in a gsm company and we develop a program to make trend analysis. Users of this program know how to write SQL statements. I want them to write specific sql statements as input statement of my program (SELECT ... from ...). Mostly SELECT statements. I have PL/SQL blocks and dynamic SQL's in my program. I get user defined SQL statements and execute them as Dynamic Sql's.
Here is the problem: I need to understant what type of SQL they give as input parameter of my program to avoid wrong operations (DELETE, TRUNCATE, DROP...)
First i thought about the REGEXP to understant if its a SELECT SQL or DELETE SQL..
Is there any recommend about this problem? Does Oracle have any procedure to detect it?
Thanks

acadet wrote:
BluShadow wrote:
a_yavuz wrote:
I work in a gsm company and we develop a program to make trend analysis. Users of this program know how to write SQL statements. I want them to write specific sql statements as input statement of my program (SELECT ... from ...). What is the specification behind these "specific sql statements"?
This should allow you to define a lexicon of permitted terms within the language and, if it's not too complex, you could then write a lexicon/language parser to validate each of the statements submitted, thus ensuring they cannot permit anything that is not expected. It may not be a simple tasks, depending on how complex your sub-language of SQL is, but if you are wanting to truly allow users to use SQL rather than some user interface that restricts input and prevents injection, then it's one of the safer ways of doing it.Hi,
This is exactly what the database does through the technique of grants. Why reinvent the wheel.
AndreAssuming you're only talking about access to database objects etc. and that the database user shouldn't be able to perform those tasks through a controlled interface. What if they should be able to e.g. delete records, but only through a controlled screen, whereas the selection of data is to be flexible and permit SQL.
The original question sounds more like he wants to permit a certain subset of the SQL language as he says he wants them to write "specific sql statements". If there is a definition of what form those statements should take then a restricted lexicon parser could be written to cater for those.

Similar Messages

How to detect connection type (modem or LAN) in javascript or JS?

Hi,
I need to find out what type of connection (PPP or DSL or cable), user is using to browse the internet. Is there any way in javascript/jsp??
Pleas let me know.
Thanks,
Kinjal

I need to find out what type of connection (PPP or DSL
or cable), user is using to browse the internet. Is
there any way in javascript/jsp??
Pleas let me know.
Using java it would require using JNI and/or Runtime.exec().
And in all likelyhood it would require a variety of different code to detect different types.

SQL injection recon detection

Why are there no vendor provided signatures that detect SQL injection reconnaissance? I recently did an internal pen test and it reminded me again of this deficiency. I've been meaning to write my own for the longest time, but frankly...why should I need to? It is simply amazing to me that I can throw standard SQL injection tests at a web app and our network IDS is "blind" to them.
http://ha.ckers.org/sqlinjection/

I agree in the sense that the SQL Signature set of ASA IPS is a bit poor. If it can help someone, I've wrote my oun signature in order to catch an attacker. It's working fine, and I think that is easy to modify.
signatures 60000 0
alert-severity medium
sig-fidelity-rating 75
sig-description
sig-name CHZ SQL Injection
sig-string-info CHZ SQL Injection
sig-comment SQL Injection written by CHZ
exit
engine string-tcp
event-action produce-alert|deny-packet-inline|reset-tcp-connection
regex-string ([Dd][Ee][Cc][Ll][Aa][Rr][Ee])\%20\@.\%20([Vv][Aa][Rr][Cc][Hh][Aa][Rr])(.*);([Ss][Ee][Tt])\%20\@.=([Cc][Aa][Ss][Tt])
service-ports #WEBPORTS
exit
alert-frequency
summary-mode summarize
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category DoS/WebServer
exit
exit
Best Regards
Chz

How to get storage type of XMLType through OCI

How can you get the storage type of an XMLType through OCI? An XMLType column can be created as BINARY, CLOB, or OBJECT RELATIONAL type, is there any way to get this information through OCI? SQLPlus seems to know how to detect these types with the DESCRIBE command, is it possible to get this information programmatically?
SQL> describe T_SRC_XML_COL_CLOB_UTF8;
Name Null? Type
COL1 NOT NULL NUMBER(8)
COL2 SYS.XMLTYPE
SQL> describe T_SRC_XML_COL_BINARY;
Name Null? Type
COL1 NOT NULL NUMBER(8)
COL2 SYS.XMLTYPE STORAGE BINARY
SQL> describe T_SRC_XML_COL_OBJECT;
Name Null? Type
COL1 NOT NULL NUMBER(8)
COL2 SYS.XMLTYPE(XMLSchema "http:
//www.oracle.co
m" Element "Parent") STORAGE
Object-relational TYPE "Par
ent808_T"

Hi,
Here's one possible (simplified) way to determine this (assumes all handles allocated, etc):
- get a describe handle for table via OCIDescribeAny
- get parameter handle via OCIAttrGet on the describe handle
- get number of columns in table via OCIAttrGet on the parameter handle
- get column list handle via OCIAttrGet on the parameter handle
- loop for the number of columns
- use OCIAttrGet to get the column data type
- use OCIAttrGet to get if the column is a specific storage type
Here's what the part to determine if the columns is a specific storage type would look like:
** determine if storage type is binary for this xmltype column
rc = OCIAttrGet((void *) p_col,
                OCI_DTYPE_PARAM,
                (void *) &colstorage,
                (ub4 *) 0,
                (ub4) OCI_ATTR_XMLTYPE_BINARY_XML,
                p_err);If the column is declared to have binary xml storage then colstorage will be set to 1 after the call, 0 if not.
OCI_ATTR_XMLTYPE_BINARY_XML is from oci.h (as well as OCI_ATTR_XMLTYPE_STORED_OBJ)
Perhaps that will be enough to get you what you need.
Regards,
Mark

SQL Injection -- DBA role..

Hi all,
I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
As a DBA How to check whether database got effected
Please help me by providing hints and tips to analysis SQL injection.
Thanks in advance

There is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation).
As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
select
epa.value as [DB ID],
db_name(convert(int,epa.value)) as [DB Name],
count(*) as [Single Use Plans]
from
sys.dm_exec_cached_plans p
cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
where
p.usecounts = 1 and
p.objtype in ('Adhoc','Prepared') and
epa.attribute = 'dbid'
group by
epa.value
option (recompile)
Thank you!
Dmitri V. Korotkevitch (MVP, MCM, MCPD)
My blog: http://aboutsqlserver.com

Sql injection

What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and API’s
* Reports, discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
how oracle prevent sql injections?

mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??Yes. Install Oracle.

Web and Database Security - SQL Inject info

Web and Database Security - SQL Injection.
Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
http://www.issadvisor.com/viewtopic.php?t=125
SQL Injection. 3 parts. The first part discusses the basics of how to test
web applications for SQL injection vulnerabilities. The second part goes into
the specifics of how to manually identify and test for SQL injection
vulnerabilities. And the third part describes how to exploit SQL injection to
retrieve data from the database.
http://www.issadvisor.com/viewtopic.php?t=123
Understanding this critical security issue, helps web developers that leverage
database must design and make their applications more secure.
Hopefully these two links are informative and useful. Please pass them on.

An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
Justin

How to migrate sql server image type to oracle BLOB

In SQL Server table I have Image data type field. How to migrate image type field to oracle BOLB type field. I am using SQL server DTS to transfer the data.
If we map, will it care ?
Thanks,
Venkataraman L

Hi you might want to post your question in General Forum.
General Database Discussions
There's very few users visit this forum.

How to install SQL SERVER 2008 r2 in window 7 home premimum 64bit

how to install SQL SERVER 2008 r2 in home premimum 64bit os. can any say that weather it will support or not in window 7 home premimum os.
my server log file:
Final result: SQL Server installation failed.
To continue, investigate the reason for the failure, correct the problem, uninstall SQL Server, and then rerun SQL Server Setup.
Exit code (Decimal): -2068052700
Exit facility code: 1212
Exit error code: 1316
Exit message: SQL Server installation
failed. To continue, investigate the reason for the failure, correct the problem, uninstall SQL Server, and then rerun SQL Server Setup.
Start time: 2014-03-27 00:52:25
End time: 2014-03-27
00:56:09
Requested action: Install
Log with failure: C:\Program Files\Microsoft SQL
Server\100\Setup Bootstrap\Log\20140327_005035\SSCRuntime_Cpu32_1.log
Exception help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=10.50.1600.1
Machine Properties:
Machine name: SEVALAL-PC
Machine processor count: 4
OS version: Windows 7
OS service pack: Service Pack 1
OS region: United States
OS language: English (United States)
OS architecture: x64
Process architecture: 64 Bit
OS clustered: No
Product features discovered:
Product Instance
Instance ID Feature Language
Edition Version Clustered
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER
Database Engine Services 1033 Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER
SQL Server Replication 1033 Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER
Full-Text Search 1033 Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSAS10_50.MSSQLSERVER
Analysis Services 1033 Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSRS10_50.MSSQLSERVER
Reporting Services 1033 Standard Edition 10.50.1600.1 No
Sql Server 2008 SEVALAL MSSQL10.SEVALAL
Database Engine Services 1033 Express Edition 10.3.5500.0
No
Sql Server 2008 SEVALAL MSSQL10.SEVALAL
SQL Server Replication 1033 Express Edition 10.3.5500.0
No
Sql Server 2008 R2
Client Tools Connectivity 1033
10.50.1600.1 No
Sql Server 2008 R2
Client Tools Backwards Compatibility 1033
10.50.1600.1 No
Sql Server 2008 R2
Client Tools SDK 1033
10.50.1600.1 No
Package properties:
Description: SQL Server Database Services
2008 R2
ProductName: SQL Server 2008 R2
Type: RTM
Version: 10
SPLevel: 0
Installation location: G:\01.SQL Server 2008 R2 FullVersion\x64\setup\
Installation edition: STANDARD
User Input Settings:
ACTION: Install
ADDCURRENTUSERASSQLADMIN: False
AGTSVCACCOUNT: <empty>
AGTSVCPASSWORD: *****
AGTSVCSTARTUPTYPE: Manual
ASBACKUPDIR: Backup
ASCOLLATION: Latin1_General_CI_AS
ASCONFIGDIR: Config
ASDATADIR: Data
ASDOMAINGROUP: <empty>
ASLOGDIR: Log
ASPROVIDERMSOLAP: 1
ASSVCACCOUNT: <empty>
ASSVCPASSWORD: *****
ASSVCSTARTUPTYPE: Automatic
ASSYSADMINACCOUNTS: <empty>
ASTEMPDIR: Temp
BROWSERSVCSTARTUPTYPE: Disabled
CONFIGURATIONFILE: C:\Program Files\Microsoft SQL Server\100\Setup
Bootstrap\Log\20140327_005035\ConfigurationFile.ini
CUSOURCE:
ENABLERANU: False
ENU: True
ERRORREPORTING: True
FARMACCOUNT: <empty>
FARMADMINPORT: 0
FARMPASSWORD: *****
FEATURES: IS,SSMS,ADV_SSMS,OCS
FILESTREAMLEVEL: 0
FILESTREAMSHARENAME: <empty>
FTSVCACCOUNT: <empty>
FTSVCPASSWORD: *****
HELP: False
IACCEPTSQLSERVERLICENSETERMS: False
INDICATEPROGRESS: False
INSTALLSHAREDDIR: C:\Program Files\Microsoft SQL
Server\
INSTALLSHAREDWOWDIR: C:\Program Files (x86)\Microsoft SQL Server\
INSTALLSQLDATADIR: <empty>
INSTANCEDIR: C:\Program Files\Microsoft
SQL Server
INSTANCEID: MSSQLSERVER
INSTANCENAME: MSSQLSERVER
ISSVCACCOUNT: NT AUTHORITY\SYSTEM
ISSVCPASSWORD: *****
ISSVCSTARTUPTYPE: Automatic
NPENABLED: 0
PASSPHRASE: *****
PCUSOURCE:
PID: *****
QUIET: False
QUIETSIMPLE: False
ROLE: <empty>
RSINSTALLMODE: FilesOnlyMode
RSSVCACCOUNT: <empty>
RSSVCPASSWORD: *****
RSSVCSTARTUPTYPE: Automatic
SAPWD: *****
SECURITYMODE: <empty>
SQLBACKUPDIR: <empty>
SQLCOLLATION: SQL_Latin1_General_CP1_CI_AS
SQLSVCACCOUNT: <empty>
SQLSVCPASSWORD: *****
SQLSVCSTARTUPTYPE: Automatic
SQLSYSADMINACCOUNTS: <empty>
SQLTEMPDBDIR: <empty>
SQLTEMPDBLOGDIR: <empty>
SQLUSERDBDIR: <empty>
SQLUSERDBLOGDIR: <empty>
SQMREPORTING: True
TCPENABLED: 0
UIMODE: Normal
X86: False
Configuration file: C:\Program Files\Microsoft SQL Server\100\Setup
Bootstrap\Log\20140327_005035\ConfigurationFile.ini
Detailed results:
Feature: Integration
Services
Status: Failed:
see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Management
Tools - Complete
Status: Failed:
see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Management
Tools - Basic
Status: Failed:
see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Microsoft Sync
Framework
Status: Failed:
see logs for details
MSI status: Passed
Configuration status: Passed

my summary log file information:
Overall summary:
Final result: SQL Server installation failed. To continue, investigate the reason for the failure, correct the problem, uninstall SQL Server, and then rerun SQL Server Setup.
Exit code (Decimal): -2068052700
Exit facility code: 1212
Exit error code: 1316
Exit message: SQL Server installation failed. To continue, investigate the reason for the failure, correct the problem, uninstall SQL Server, and then rerun SQL Server Setup.
Start time: 2014-03-27 00:52:25
End time: 2014-03-27 00:56:09
Requested action: Install
Log with failure: C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140327_005035\SSCRuntime_Cpu32_1.log
Exception help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=10.50.1600.1
Machine Properties:
Machine name: SEVALAL-PC
Machine processor count: 4
OS version: Windows 7
OS service pack: Service Pack 1
OS region: United States
OS language: English (United States)
OS architecture: x64
Process architecture: 64 Bit
OS clustered: No
Product features discovered:
Product Instance Instance ID Feature
Language Edition Version Clustered
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER Database Engine Services 1033
Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER SQL Server Replication 1033
Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSSQL10_50.MSSQLSERVER Full-Text Search 1033
Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSAS10_50.MSSQLSERVER Analysis Services 1033
Standard Edition 10.50.1600.1 No
Sql Server 2008 R2 MSSQLSERVER MSRS10_50.MSSQLSERVER Reporting Services 1033
Standard Edition 10.50.1600.1 No
Sql Server 2008 SEVALAL MSSQL10.SEVALAL Database Engine Services 1033
Express Edition 10.3.5500.0 No
Sql Server 2008 SEVALAL MSSQL10.SEVALAL SQL Server Replication 1033
Express Edition 10.3.5500.0 No
Sql Server 2008 R2 Client Tools Connectivity
1033 10.50.1600.1 No
Sql Server 2008 R2 Client Tools Backwards Compatibility
1033 10.50.1600.1 No
Sql Server 2008 R2 Client Tools SDK
1033 10.50.1600.1 No
Package properties:
Description: SQL Server Database Services 2008 R2
ProductName: SQL Server 2008 R2
Type: RTM
Version: 10
SPLevel: 0
Installation location: G:\01.SQL Server 2008 R2 FullVersion\x64\setup\
Installation edition: STANDARD
User Input Settings:
ACTION: Install
ADDCURRENTUSERASSQLADMIN: False
AGTSVCACCOUNT: <empty>
AGTSVCPASSWORD: *****
AGTSVCSTARTUPTYPE: Manual
ASBACKUPDIR: Backup
ASCOLLATION: Latin1_General_CI_AS
ASCONFIGDIR: Config
ASDATADIR: Data
ASDOMAINGROUP: <empty>
ASLOGDIR: Log
ASPROVIDERMSOLAP: 1
ASSVCACCOUNT: <empty>
ASSVCPASSWORD: *****
ASSVCSTARTUPTYPE: Automatic
ASSYSADMINACCOUNTS: <empty>
ASTEMPDIR: Temp
BROWSERSVCSTARTUPTYPE: Disabled
CONFIGURATIONFILE: C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140327_005035\ConfigurationFile.ini
CUSOURCE:
ENABLERANU: False
ENU: True
ERRORREPORTING: True
FARMACCOUNT: <empty>
FARMADMINPORT: 0
FARMPASSWORD: *****
FEATURES: IS,SSMS,ADV_SSMS,OCS
FILESTREAMLEVEL: 0
FILESTREAMSHARENAME: <empty>
FTSVCACCOUNT: <empty>
FTSVCPASSWORD: *****
HELP: False
IACCEPTSQLSERVERLICENSETERMS: False
INDICATEPROGRESS: False
INSTALLSHAREDDIR: C:\Program Files\Microsoft SQL Server\
INSTALLSHAREDWOWDIR: C:\Program Files (x86)\Microsoft SQL Server\
INSTALLSQLDATADIR: <empty>
INSTANCEDIR: C:\Program Files\Microsoft SQL Server
INSTANCEID: MSSQLSERVER
INSTANCENAME: MSSQLSERVER
ISSVCACCOUNT: NT AUTHORITY\SYSTEM
ISSVCPASSWORD: *****
ISSVCSTARTUPTYPE: Automatic
NPENABLED: 0
PASSPHRASE: *****
PCUSOURCE:
PID: *****
QUIET: False
QUIETSIMPLE: False
ROLE: <empty>
RSINSTALLMODE: FilesOnlyMode
RSSVCACCOUNT: <empty>
RSSVCPASSWORD: *****
RSSVCSTARTUPTYPE: Automatic
SAPWD: *****
SECURITYMODE: <empty>
SQLBACKUPDIR: <empty>
SQLCOLLATION: SQL_Latin1_General_CP1_CI_AS
SQLSVCACCOUNT: <empty>
SQLSVCPASSWORD: *****
SQLSVCSTARTUPTYPE: Automatic
SQLSYSADMINACCOUNTS: <empty>
SQLTEMPDBDIR: <empty>
SQLTEMPDBLOGDIR: <empty>
SQLUSERDBDIR: <empty>
SQLUSERDBLOGDIR: <empty>
SQMREPORTING: True
TCPENABLED: 0
UIMODE: Normal
X86: False
Configuration file: C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140327_005035\ConfigurationFile.ini
Detailed results:
Feature: Integration Services
Status: Failed: see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Management Tools - Complete
Status: Failed: see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Management Tools - Basic
Status: Failed: see logs for details
MSI status: Passed
Configuration status: Passed
Feature: Microsoft Sync Framework
Status: Failed: see logs for details
MSI status: Passed
Configuration status: Passed
Rules with failures:
Global rules:
Scenario specific rules:
Rules report file: C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20140327_005035\SystemConfigurationCheck_Report.htm

How to Install SQL Enterprise Manager ?

The standard installation file which sap gives sql4sap.vbs doesnt install the Enterprise manager.
How to install SQL Enterprise Manager (ECC6+Win2003).
regards,
dev

Hi,
Server type is normally "Database Engine". You can use the Dev. Studio to connect to various other types (e.g. Reporting Services, Analysis Service etc.)
The Servername is the instance name you want to connect to. For a default instance it is your machinename, for a named instance it is Machinename\Instancename.
Authentication can be Windows Authentication if you are logged on as a local Admin. For an ABAP System only Windows Authentication is possible, for a JAVA System the SQL authentication is necessary, so that you can logon as 'sa' with the password you provided in the setup.
Regards
Clas

SQL Injection detection with IDS/IPS on cisco ASA?

Hi
Is it possible to detect or prevent SQL injection attacks using Cisco IDS/ IPS on ASA or with regular expressions?
Is there any signature available in IDS/IPS for this? And how effective it is in terms of generating correct alarms?
Thanks in advance

Deepak,
We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.

How to let sql server 2008 know the table created at front end in c#

How to let sql server 2008 know the table created at front end in c#

The best solution is to create table type and pass the DataTable as table-valued parameter. I have an article on my web site about this:
http://www.sommarskog.se/arrays-in-sql-2008.html
The full article is a bit of overkill for what you are doing right now, but just the few first pages should get you going.
Erland Sommarskog, SQL Server MVP, [email protected]

How to use Sql Tracer

Hi ,
How to use SQL Tracer..(ST05).
Thanks,
Subbu

Hi,
ST05: SQL trace
1.create a small ABAP/4 program that contains only the select statement. Before proceeding, test it to ensure that it works.
2.Open that program in the editor so that it is ready and waiting to execute.
3.Open a new session using the menu path System->Create session.
4.Run transaction ST05 (enter /nst05-zero-five, not oh-five-in the Command field, or choose the menu path System->Utilities->SQL Trace). The Trace SQL Database Requests screen is displayed.
5.If the Trace SQL Status Information box reads Trace SQL is switched off, go to step 7.
6.At this point, the Trace SQL Status Information box contains Trace SQL switched on by, followed by the user id who turned on the trace and the date and time it was started. You must switch it off before you can proceed. If the trace was started within the past hour, it is possible that it is still being used. Contact the indicated user or try again later. If the trace was started hours or days ago, the user probably left it on by mistake and it can be safely turned off. To turn off the trace, press the Trace Off pushbutton. The message in the Trace SQL Status Information box should now read Trace SQL is switched off.
7.Press the Trace On pushbutton. The Trace SQL Database Requests dialog box is displayed. The DB-Trace for User field should contain your user ID. If your user ID is not in this field, enter it now.
8.Press the OK button. You are returned to the Trace SQL Database Requests screen and the status information reads Trace SQL switched on by, indicating that you turned on the trace.
9.Switch back to the window containing your editor session (the one with your program waiting to execute).
10.Press F8 to run your program. (Only press F8, do not do anything else, do not even press the Back button.)
11.When your program has run and the hourglass is no longer displayed, switch back to the trace window.
12.Press the Trace Off pushbutton. The status information reads Trace SQL is switched off.
13.Press the List Trace pushbutton. The Trace SQL Database Requests dialog box is displayed. The fields on this screen will already contain values.
14.Press the OK button. You might need to wait a little while, at most a couple of minutes. The Trace SQL: List Database Requests screen is displayed.
15.Type %sc in the Command field and press the Enter key. The Find dialog box is displayed.
16.Type the name of the table you are tracing in the Search For field. (This is the table named in the select statement in your ABAP/4 program.)
17.Press the Find button. A search results list should be displayed with your table name highlighted.
18.Click on the first highlighted table name. You are returned to the Trace SQL: List Database Requests screen. Your cursor is positioned on the first line containing your table name. To the right of it, in the Operation column, should be the word PREPARE, OPEN, or REOPEN.
19.Press the Explain SQL button on the Application toolbar. The Show Execution Plan for SQL Statement screen is displayed.
20.Scroll down to the execution plan. The index used will be displayed in blue.
Jogdand M B

How to execute sql qurery in st05

how to execute sql qurery in st05
thanks in advanced.

Hi,
do this....
1.create a small ABAP/4 program that contains only the select statement. Before proceeding, test it to ensure that it works.
2.Open that program in the editor so that it is ready and waiting to execute.
3.Open a new session using the menu path System->Create session.
4.Run transaction ST05 (enter /nst05-zero-five, not oh-five-in the Command field, or choose the menu path System->Utilities->SQL Trace). The Trace SQL Database Requests screen is displayed.
5.If the Trace SQL Status Information box reads Trace SQL is switched off, go to step 7.
6.At this point, the Trace SQL Status Information box contains Trace SQL switched on by, followed by the user id who turned on the trace and the date and time it was started. You must switch it off before you can proceed. If the trace was started within the past hour, it is possible that it is still being used. Contact the indicated user or try again later. If the trace was started hours or days ago, the user probably left it on by mistake and it can be safely turned off. To turn off the trace, press the Trace Off pushbutton. The message in the Trace SQL Status Information box should now read Trace SQL is switched off.
7.Press the Trace On pushbutton. The Trace SQL Database Requests dialog box is displayed. The DB-Trace for User field should contain your user ID. If your user ID is not in this field, enter it now.
8.Press the OK button. You are returned to the Trace SQL Database Requests screen and the status information reads Trace SQL switched on by, indicating that you turned on the trace.
9.Switch back to the window containing your editor session (the one with your program waiting to execute).
10.Press F8 to run your program. (Only press F8, do not do anything else, do not even press the Back button.)
11.When your program has run and the hourglass is no longer displayed, switch back to the trace window.
12.Press the Trace Off pushbutton. The status information reads Trace SQL is switched off.
13.Press the List Trace pushbutton. The Trace SQL Database Requests dialog box is displayed. The fields on this screen will already contain values.
14.Press the OK button. You might need to wait a little while, at most a couple of minutes. The Trace SQL: List Database Requests screen is displayed.
15.Type %sc in the Command field and press the Enter key. The Find dialog box is displayed.
16.Type the name of the table you are tracing in the Search For field. (This is the table named in the select statement in your ABAP/4 program.)
17.Press the Find button. A search results list should be displayed with your table name highlighted.
18.Click on the first highlighted table name. You are returned to the Trace SQL: List Database Requests screen. Your cursor is positioned on the first line containing your table name. To the right of it, in the Operation column, should be the word PREPARE, OPEN, or REOPEN.
19.Press the Explain SQL button on the Application toolbar. The Show Execution Plan for SQL Statement screen is displayed.
20.Scroll down to the execution plan. The index used will be displayed in blue.

How to run .sql file in tsql or powershell

Hi All,
HOw to run .sql file inside the TSQL or powershell using with IF else condition. This below query works fine but when i executing through the SQL Agent it's geeting an error.Please could help how to run through the SQL agent already using execution type
in agent as 'Operating system(CmdExec)'
Declare @computerName varchar(100), @InstanceName varchar(50)
SET @ComputerName = REPLACE(CAST(SERVERPROPERTY('ComputerNamePhysicalNetBIOS') AS varchar),'\','$')
SET @InstanceName = REPLACE(CAST(SERVERPROPERTY('instancename') AS varchar),'\','$')
IF (@InstanceName = 'SQL2008R2')
Begin
:r C:\BackupFolder\Test1.sql
:r C:\BackupFolder\Test2.sql
End
IF (@InstanceName = 'SQLINS2')
BEGIN
:r C:\BackupFolder\Test3.sql
END
IF (@InstanceName = 'SQL2012')
BEGIN
:r C:\BackupFolder\Test4.sql
END
Thansk in Advance
A-ZSQL

In T-SQL, you can try using sqlcmd to invoke sql file
if @@SERVERNAME='abcd'
begin
Master..xp_cmdshell 'sqlcmd -S <ServerName> -i BackupDetails.sql -E'
end
OR
PowerShell
Load the snapins
Add-PSSnapin SqlServerCmdletSnapin100
Add-PSSnapin SqlServerProviderSnapin100
Function Get-SqlInstances {
Param($ServerName = '.')
$localInstances = @()
[array]$captions = gwmi win32_service -computerName $ServerName | ?{$_.Name -match "mssql*" -and $_.PathName -match "sqlservr.exe"} | %{$_.Caption}
foreach ($caption in $captions) {
if ($caption -like "MSSQLSERVER") {
$localInstances += $ServerName
} else {
$temp = $caption | %{$_.split(" ")[-1]} | %{$_.trimStart("(")} | %{$_.trimEnd(")")}
$localInstances += "$ServerName\$temp"
$localInstances
$instance=Get-SqlInstances -ServerName HQDBSP17
foreach($i in $instance)
if($i -like 'CRM2011')
write-host 'CRM Database'
invoke-sqlcmd -inputfile 'F:\PowerSQL\test.sql' -ServerInstance 'abcd'
if( $i -like 'SQL2012')
write-host 'SQL 2012 instance'
invoke-sqlcmd -inputfile 'F:\PowerSQL\test.sql' -ServerInstance 'abcd'
--Prashanth

How to detect SQL type to avoid SQL injection

Similar Messages

Maybe you are looking for