SQL 2012 :: Implement Validation To XML Data To Prevent Injection
Jul 31, 2015In my database some of the store procedures getting the data from xml nodes.so I need to implement the validation to xml data for prevent sql injection.
View 0 Replies
ADVERTISEMENT
SQL Injection - How To Prevent It?
Jan 21, 2007I am building my first ASP.Net app from scratch and while working on the DAL I came across the problem of SQL Injection. I searched on the web and read different articles but I am still unsure about the answer. My question is should I add
db.AddInParameter(dbCommand, "AvatarImageID", DbType.Int32, avatarImageID);
Add in Parameters to my C# code to avoid SQL Injection. What is the best practice. I am unclear if the stored procedure already helps me avoid SQl Injection or if I need the add in parameters in the C# methods to make it work. I need some help. Thanks, Newbie
My C# update method in the DAL (still working on the code)
private static bool Update(AvatarImageInfo avatarImage)
{
//Invoke a SQL command and return true if the update was successful.
db.ExecuteNonQuery("syl_AvatarImageUpdate",
avatarImage.AvatarImageID,
avatarImage.DateAdded,
avatarImage.ImageName,
avatarImage.ImagePath,
avatarImage.IsApproved);
return true;
}
I am using stored procedures to access the data in the database.
My update stored proc
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[syl_AvatarImageUpdate]
@AvatarImageID int,
@DateAdded datetime,
@ImageName nvarchar(64),
@ImagePath nvarchar(64),
@IsApproved bit
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
BEGIN TRY
UPDATE [syl_AvatarImages]
SET
[DateAdded] = @DateAdded,
[ImageName] = @ImageName,
[ImagePath] = @ImagePath,
[IsApproved] = @IsApproved
WHERE [AvatarImageID] = @AvatarImageID
RETURN
END TRY
BEGIN CATCH
--Execute LogError SP
EXECUTE [dbo].[syl_LogError];
--Being in a Catch Block indicates failure.
--Force RETURN to -1 for consistency (other return values are generated, such as -6).
RETURN -1
END CATCH
END
What Are Sql Injection Attacks And How To Prevent?
Jan 24, 2004this is a question I put in the sql community in microsoft, but havent be answered in full
------------
I am using dynamic sql to do a query with differents 'order' sentences and/or 'where' sentences depending on a variable I pass to the sp
ex:
create proc ex
@orden varchar(100)
@criterio varchar(100)
as
declare consulta varchar(4000)
set consulta=N'select pais from paises where '+@criterio' order by '+@orden
------------
I'd like to know it it uses 2 sp in the cache, as I read, the main sp and the query inside the variable of the dynamic sql. if so, as I imagine, then I suppose I have to do the main sp without any 'if' sentence to be the same sp, and so taking it from the cache and not recompile the sp
now, I have various 'if' sentences in the main sp (the caller of the dynamic sql) but I plan to remove them and do the 'if' by program -it is in asp.net-, so I suppose it is better because in this way the main sp is took from the cache, supposing this uses the cache different that the dynamic sql in the variable
what do u think? does the dynamic sql use 2 caches? if so, u think it is better to try to do the main sp same in all uses (no 'if' statements)?
-----
They told me this coding is not good (dynamic sql) because it can give control to the user?
I ask, how does it give control to use? what ar sql injection attack and how to prevent them?
I use dynamis sql because I have 150 queries to do, and thought dynamic sql is good
is it true that dynamic sql have to be recompiled in each execution? I suppose so only if the sql variable is different, right?
can u help me?
How To Prevent SQL Injection Attacks
Apr 8, 2004Hi,
On my site I have a simple textbox which is a keyword search, people type a keyword and then that looks in 3 colums of an SQL database and returns any matches
The code is basic i.e. SELECT * FROM Table WHERE Column1 LIKE %searcg%
There is no validation of what goes into the text box and I am worried about SQL injection, what can I do to minimize the risk
I have just tried the site and put in two single quotes as the search term, this crashed the script so I know I am vunerable.
Can anyone help, perhaps point me in the direction of furthur resources on the subject?
Thanks
Ben
How To Prevent SQl Injection When Using XSD Dataset And Store Procedure
May 20, 2008Hi All, I am new at this. I found using xsd with store procedure come really handy. However, I am afraid of SQl Injections. How can I tighten up my database's security??Thanks allKen
View 10 Replies View RelatedIntegration Services :: How To Implement Data Driven Query Task In SSIS 2012
Jun 15, 2015I have a requirement of migrating DTS package which is done in Sql Server 2000 to SSIS 2012.
I started with one package having data driven query task and done with source for which i chose OLE DB Source and given the required select query in ssis 2012
I'm stuck now and i'm unable to choose the relevant tools in ssis 2012 for binding, transformation,queries and lookup tabs used in dts 2000 for this DDQT.
SQL 2012 :: Data Validation Options After Data Migration From Sybase
Jun 24, 2014I am currently in the process of migrating data from Sybase to Sql server and would like to know how to test the data migrated.
As of now, we took one table data from both source and destination and compared it in Excel to check if the data migrated looks good (note, we used SSIS to migrate data). However, I would like to check if there are any other best & easy ways to apprach data validation post migration.
SQL Server 2012 :: How To Implement Nested Tables
Dec 15, 2014I need to perform some operations that seem to require multiple nested tables.
Is the following code the way I should be attempting this or is there a better way?
Here is the sample code:
SELECT tt.tdl_ID, tt.tx_ID, adj.Prof_Chgs, rc.Rvu_Comp
FROM Table1 as tt
LEFT JOIN (
SELECT tt1.Tdl_Id,
CASE
WHEN tt1.tdl_ID = '1000'
[code]....
SQL Server 2012 :: Need To Implement Incremental Load In Database
Dec 22, 2013We need to implement incremental load in database. A sample scenario is, there is a view (INCOMEVW) which is build on top of a query like
CREATE VIEW INCOMEVW
AS
SELECT CLIENTID,COUNTRYNAME,SUM(OUTPUT.INCOME) AS INCOME
(SELECT EOCLIENT_ID AS CLIENTID,EOCOUNTRYNAME AS COUNTRYNAME,EOINCOME AS INCOME FROM EOCLIENT C INNER JOIN EOCOUNTRY CT ON
C.COUNTRYCODE=CT.COUNTRYCODE
[code]...
This is a sample view. As of now there is a full load happening from the source(select * from INCOMEVW) and loads to target table tbl_Income.We need to pick only the delta and load to the target table using a staging. The challenge is,
1) If we get the delta(Insert,update or deleted rows in the source tables EOCLIENT,EOCOUNTRY,ENCLIENT,ENCOUNTRY, how to load the incremental to
single target table tbl_Income.
2) How to do the Sum operation with group by in incremental load?
3) We are planning to have a daily incremental load and thinking to create the same table structure as source with Date and Flag column to identify
the date and whether that source row is an Insert or Update or Delete with the flag. But not sure how to frame something like this view and load to single target with Sum operations.
SQL 2012 :: How To Prevent Database Access
Aug 13, 2014Are there ways in SQL server to deny connecting to a instance? Basically i am looking for a way where data is accessed only through application , even the DBA's shouldn't have access to the data though they are sysadmins? Someone told me this is possible in SQL 2014? This is only for individual access, i know i can put some encryption in app layer.
View 9 Replies View RelatedHow To Implement Alter Database Implement Restrictions On SQL2K ?
Dec 28, 2007Hi Guyz
it is taken from SQL2K5 SP2 readme.txt. Anyone have idea what to do to implement this ?
Our sp2 is failing. we suspect the above problem and researching it.we are running on default instance of SQL2K5 on win2003 ent sp2
"When you apply SP2, Setup upgrades system databases. If you have implemented restrictions on the ALTER DATABASE syntax, this upgrade may fail. Restrictions to ALTER DATABASE may include the following:
Explicitly denying the ALTER DATABASE statement.
A data definition language (DDL) trigger on ALTER DATABASE that rolls back the transaction containing the ALTER DATABASE statement.
If you have restrictions on ALTER DATABASE, and Setup fails to upgrade system databases to SP2, you must disable these restrictions and then re-run Setup."
thanks in advance.
SQL 2012 :: Way To Prevent A User From Using SERVERPROPERTY Function?
Jun 2, 2015I manage a hosted environment - several actually. Meaning my company is the host. We provide some of our customers with a dedicated instance of SQL Server that they can use in read-only mode. Unfortunately, I have some very inquisitive customers who probably should be hosting their own SQL. They like to poke into the inner workings of our environment in ways that make me uncomfortable. What I originally found was that they were reading our server registry. I've disabled that. The next thing that bothers me is the amount of information available to them through SERVERPROPERTY. They don't need to know things like physical node of a cluster their instance is on, or the last time we updated SQL, or our licensing choices.
Is there any way to prevent a user from using the SERVERPROPERTY function? I've done a lot of digging and can't seem to find a way to do it.
SQL Server 2012 :: Trigger To Prevent Logon To A Database
Mar 19, 2014OK, I know about this: [URL] ....
But the script has "ALL SERVER".
What I want is a trigger that is specific to my DB called "JunkStuff". I only want to block a servername from connect to my super dooper DB "JunkStuff".
SQL 2012 :: Command To Uninstall Node With Skip Validation?
Jun 25, 2015what is the command to uninstall sql node with skip validation in sql 2012 ?
View 1 Replies View RelatedSQL 2012 :: AlwaysOn Avail Group - Prevent Login Direct To Server Instance Only Through Listener?
Sep 30, 2015Is it possible to ONLY allow a login to the availability group listener, but block logins to server instance/nodes?
So: MySQLServerA and MySQLServerB are in an avail group "MyAvailGroup".
I want users to login to MyAvailGroup's listener, but I do NOT want them to login to the actual hosts/nodes directly.
Is that possible?
SQL 2012 :: No Disks Were Found On Which To Perform Cluster Validation Tests
Sep 9, 2014I am getting following errors in my Cluster Validation report when trying to create a Windows Cluster.
I have 2 nodes DB01 and DB02 . Each has 1 public ip, 1 private ip (for heartbeat), 2 private ips for SAN1 and SAN2. The private ip's to SAN are directly connected via Network Adaptor in DB01 and DB02.
Validate Microsoft MPIO-based disks
Description: Validate that disks that use Microsoft Multipath I/O (MPIO) have been configured correctly.
Start: 9/9/2014 1:57:52 PM.
No disks were found on which to perform cluster validation tests.
Stop: 9/9/2014 1:57:53 PM.
[Code] ...
Archive Data Instead Of Deleting It To Prevent 4GB Data Limit
Mar 14, 2008We are running SQL Server 2005 express on Windows 2003. The database server gets significant amounts of data.
Because of the 4GB data limit we have a daily cron task which goes through and deletes data older then 90 days.
We would like a way to archive this data instead of deleting it. Is there any way to take data and compress it and store it in a different way, so that if needed, customers can query directly out from the compressed data? Cleary querying from compressed would be slower but that is ok.
Any other solutions that would allow us to archive data instead of deleting it? Thanks.
How Can I Prevent That All Data Can Be Seen With Notepad?
Jan 10, 2007Hello,
is there a way to say to SQL Server to make the data not readable?
Regards
Markus
Prevent Data Being Inserted Twice
Nov 14, 2006I have a table with 3 columns: ID, Status, DateTime.
I created a stored procedure to insert a staus value for each ID. This will run every hour. The DateTime stores the time, date when the Status was inserted.
If the procedure was to be run a second time in hour window I do not want any Status to be inserted.
Note: that I cannot rely on the procedure being run at exactly the right time - if it was scheduled to run on the hour (i.e at 1:00, 2:00, 3 :00 etc) but didn't run until 1:20 it sould still be able to run at 2:00.
Does anyone know if there is anyway I can gaurd against this?
Data Access :: Validation For Length Of The Character Data Types
Jun 10, 2015I Have a table with #Sample like below
=================================
#Sample
id int,
SSN varchar(20),
State varchar(2)
Sample Data:
ID SSN STATE
1 999-000-000 AB
2 979-000-000 BC
3 995-000-000 CD
=================================
We used filter logic based on the SSN & State.
We are passing these values through variables like
Declare @State varchar(2)
Declare @SSN varchar(20)
While run time these values are lets suppose @SSN = '999-000-000' & @State='ABC'
Now the Result is displayed with the state data Like 'AB' only.
Output: 1 999-000-000 AB
instead it should give system generated error.
Here I have 2 Questions:
1. Why it is taking 1st 2 Charecters?
2. Why it does not have any system generated for length?
I can do validation with Length function for these 2 variables however if have 100 variables then it should not feasible case. So, what is the reason behind?
How To Split The Data Into Training And Validation Sets When Doing Data Mining?
Jun 15, 2007Could I ask how to spit the data into training and validation sets when doing data mining?
Thanks
How Do You Implement Change Data Capture In SSIS Or SQL Server 2005?
Dec 3, 2007
Hi All,
I am now working on the design phase of my project, we are looking to implement Change Data Capture (CDC) but i need some help if you guys has implemented before using the SSIS 2005 componets. I am trying to use the Following:
Source---------Derived Column---------Lookup---------------Conditional Split (to split New records and Updated Records)-----------Destination. Respectively.
Lets make it clear, my source holds (Old records and newly added or Updated records), the Derived Column is to Derive new columns called Insert_Date and Update_Date. The Lookup i am Using is to look the Fact_Table(the Old Records) as Reference, and then based on this lookup i will split the records on timely based using the Conditional Split. My question is
1. Am i using the right components?
2. what consideration should i have to see to make it true (some Logics on the conditional split)?
3. Any script which helps in this strategy?
4. If you have a better idea please try to help me, i need you help badly.
Thank you,
SamiDC
How Can I Prevent From Inserting Duplicate Data?
Dec 31, 2006
I have a table storing only 2 FKs, let's say PID, MID
Is there any way that I can check distinct data before row is added to this table?
For example, current data is
PID MID------------100 2001100 2005101 3002102 1009102 7523102 2449
If my query is about to insert PID 100, MID 2001, since it's existing data, i don't want to add it. Can I use trigger to solve this issue?
Thanks.
How To Prevent DBA From Getting Confidential Data Stored In SQL Server?
Jun 11, 2006Suppose I have a database storing some confidential information, such
as legal information, medical or financial records, etc., and a
Web site with a membership system so that only authorized users can
view the information.
I understand I can encrypt the information, and the user's passwords,
so that if the database is compromised it still shouldn't be possible
for an outsider to view the confidential information.
However, what about people who have legitimate access to the database,
such as the DBA, Web developer, etc., but who should not be able to
view the confidential information? For example, even though the
user's password was encrypted, what would stop the DBA from replacing
the user's password with his own (encrypted) password, then logging in
and viewing the user's info, then copying back the original encrypted
password? Or, adding a new user for himself with whatever
permissions he chooses?
How To Prevent Memory Overflow If There Will Be Too Much Data In Those Tables
Apr 20, 20151. How to estimate how many free RAM I need. If I plan to create five 2 Gb memory optimized tables...10 Gb RAM for data and how many additional memory?
2. How to prevent memory overflow if there will be too much data in those tables? I dont want that my server down entirely
Prevent Other Users From Changing Data Of A Table
Sep 20, 2006hi..
How do i prevent other users from changing the data of my tables? Means one can change data using only my login rest others cannot even DBA or also from server administrator
Does Db_denydatawriter Prevent Procs From Updating Data?
Oct 18, 2007
If a user is a member of a role which would allow him to execute a proc which updates a table, and he is then granted db_denydatawriter , can he still update the table through the proc? SS2000 SP4.
Thanks,
michael
Since posting this I tested the scenario and YES! The user was still able to execute an update proc even though the user excuting the proc was granted db_denydatawriter.
Stored Procs: How To Prevent Return Of Uneccesary Data?
Oct 4, 2006Hi, I have a stored procedure that looks like this:...WHILE @@FETCH_STATUS = 0BEGINDECLARE @MyCount int ; EXEC spLoanQuestionnaireCriteria @AuditSelectedLoanID, @Criteria, @MyCount OUTPUTEND ...SELECT * FROM #Categories... Executing this stored procedure will return me 1 table for each time the EXEC statement is called that only has on column (MyCount)I really don't need this data to be returned, it is only used for some internal calculations in the stored procedureThe stored procedure should only return the results from SELECT * FROM #Categories in 1 table.Is there a Keyword I can use to exclude the EXEC results being returned to the dataset? Thanks in advance,Andre
View 2 Replies View RelatedIntegration Services :: UPDATE Data Overwritten - How To Prevent
Nov 16, 2015I'm trying to find a way to maintain the data that was UPDATEd in a table from being overwritten.
I used UPDATE in a table to include missing data. However, since I do not have access to the original table from where the data is derived, when I run my query, it knocks out the data in my table that was updated, because it is linked to the orginal table that has the blank fields. A few users do not have an employee email, and this has to be updated with a personal email account for now.
My update works fine, but is there a way I can use the statement in my query so that it updates each time it is run to maintain the user email address? This will solve the problem of not having to change the original table that I do not have access to.
if exists (select * test..dbo.Employee)
truncate TABLE
test.. dbo.Employee
insert into test.. dbo.Employee (EmployeeNumber
, EmplUsername
[Code] ....
Data Validation
Sep 22, 2007Hi guys I am fairly new to t-sql. I am sure there are SPs or scripts that I can use to create a procedure that will do the data validation in the staging table...
Client send us data and often some of the records have bad values... what i have to create is a process that will check for those values and update a flag in the staging table for each column if the data is not valid....
Please help me out if you have something that can be used for this.
Thanks a lot help in advance.
Data Validation
Jun 13, 2006Being relatively new to SSIS, I'm looking for advice, or a best practice, regarding data validation before extracting the data for a transformation.
One of my project's require that certain data be validated in staging tables before it is loaded. The validations include checking for null values, verifying that a field is populated with apropriate values etc... The entire batch of data (good records and bad records) may be rejected depending on the validations.
I have a couple of different thoughts on how this could be handled...
Run a series of validation queries on the data before executing an SSIS package
Run some kind of validation transformation (does one exist or should I write a custom transformation?)
Place contraints on the target tables so that bad records error out on the load
Something else... I could be missing the completely obvious
#3 doesn't seem to viable as the entire load may be rejected if some of the data is bad...
Any thoughts?
How Do I Prevent An Insert Into Statement To Increase Tempdb Data Files So Much
May 6, 2008I'm running this procedure which insert into table_name(id, name.....) select id, name.... from table_name. For some reason the tempdb data file grow up to 200GB. The tempdb is set to expand unrestricted by 10%. How can I prevent that from hapening? Thanks.
View 5 Replies View RelatedData Values Validation
Nov 28, 2007Hello all...I am trying to validate that the new work date that is being imported from the text file does not exist in the table. So in other words I do not want duplicate data. This is what I haveSqlDataReader dr = new SqlDataReader(); SqlParameter sp = new SqlParameter("@WorkDate", Data.SqlDbType.datetime, 8, Data.ParameterDirection.Input); if (dr.HasRows) sp = "@WorkDate"; else *How does that look? Am I in the ball part…
View 5 Replies View Related