Sprocs Vs Sql Queries.

Apr 29, 2007

I have a question. How do I protect my website from SQL injection?
Right now most of my queries are in the form of:

Public Sub updateCredits(ByVal deduct As Int16, ByVal userid As Guid)
    Dim cmd As New SqlCommand
    Dim con As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer2").ConnectionString)

    cmd.Connection = con

    ' Fixed statement text; the caller-supplied values travel as typed parameters
    cmd.CommandType = Data.CommandType.Text
    cmd.CommandText = "Update [userprofile] SET credits = credits - @c WHERE userID= @id"
    cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = userid
    cmd.Parameters.Add("@c", SqlDbType.Int).Value = deduct

    Using con
        con.Open()
        cmd.ExecuteNonQuery()
        con.Close()
    End Using

    cmd.Dispose()
End Sub
 
Is that a safe way to do it, using parameters and stuff? Or should I completely switch over to stored procedures, as I hear they are safer?
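As an added illustration (not part of the original post), the same update written three ways in T-SQL: the post's parameterized statement moved into a stored procedure, a stored procedure that gives the protection away by concatenating its input into dynamic SQL, and the sp_executesql form that keeps dynamic SQL parameterized. The table and column names follow the post; the procedure names are made up.

```sql
-- 1. Static SQL inside a procedure. @id and @c are never part of the statement
--    text, so this is exactly as safe as the parameterized SqlCommand in the post.
CREATE PROCEDURE dbo.UpdateCredits_Static
    @id uniqueidentifier,
    @c  int
AS
BEGIN
    SET NOCOUNT ON
    UPDATE [userprofile] SET credits = credits - @c WHERE userID = @id
END
GO

-- 2. A stored procedure is not safe merely because it is a stored procedure.
--    This one accepts the id as text and splices it into the statement, so a
--    single quote inside @idText changes the statement itself.
CREATE PROCEDURE dbo.UpdateCredits_Unsafe
    @idText nvarchar(100),
    @c      int
AS
BEGIN
    DECLARE @sql nvarchar(4000)
    SET @sql = N'UPDATE [userprofile] SET credits = credits - '
             + CAST(@c AS nvarchar(20))
             + N' WHERE userID = ''' + @idText + N''''
    EXEC (@sql)   -- injectable: input and code share one string
END
GO

-- 3. When dynamic SQL is genuinely needed, keep the values as parameters:
--    sp_executesql takes the statement, a parameter declaration and the values
--    separately, so the text stays constant and the plan can be reused.
CREATE PROCEDURE dbo.UpdateCredits_Dynamic
    @id uniqueidentifier,
    @c  int
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @sql nvarchar(4000)
    SET @sql = N'UPDATE [userprofile] SET credits = credits - @c WHERE userID = @id'
    EXEC sp_executesql @sql,
                       N'@id uniqueidentifier, @c int',
                       @id = @id, @c = @c
END
GO
```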




Advantages Of Using CLR Sprocs Over T-SQL Sprocs?

Apr 23, 2006

I am wondering what the advantages of using CLR sprocs over T-SQL sprocs are, and what not.

Looking for such comparisons and articles on websites resulted in only "how to create CLR sprocs", but none of them were talking about what they are used for and in what situations.

I would really appreciate it if you guys can post comments, links and external articles.

Thank you in advance.


About Those Sp_ Sprocs

Mar 6, 2007

I find that replication put many sprocs with an sp_ prefix in our database. Do you think that should be changed? I have been told not to use sp_. See http://www.sqlmag.com/Article/ArticleID/23011/sql_server_23011.html.


Sprocs- What Actually Got Executed?

Sep 21, 2005

I know you can use SQL Profiler to see what SQL code actually executed when you run a sproc, but is there any way to get this information in ASP.NET? After executing a sproc, I'd like to send the SQL code that was sent to my Audit class. Is there any way to retrieve this in ASP.NET itself? Cheers!


Variables In Sprocs

Sep 27, 2001

While trying to assign a table name to a variable and then later use the variable in a select statement (i.e. select sys_id from @table_name), it fails and says incorrect syntax.

How can I use a variable for a table name to later use within the sproc?


Exec And Sprocs

Nov 7, 2000

Is it possible to have a sproc with an input parm of a column name and have this column name be inserted into an exec statement that runs and provides the output as an OUTPUT parm instead of a result set?

I can get the sproc to take the column name as a parm and run the exec, but cannot figure out how to assign the "dynamic sql" output to an OUTPUT variable instead of returning the result set.
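An added example (not from this post or the "Variables In Sprocs" post above, both of which it addresses): a table or column name cannot be a T-SQL variable, so it has to go into dynamic SQL; the safe way is to check the name against the catalog first, bracket it with QUOTENAME, and let sp_executesql hand the result back through an OUTPUT parameter instead of a result set. The procedure name and parameter names are made up; the caller assumes the tp_cod table and amount column mentioned elsewhere on this page.

```sql
CREATE PROCEDURE dbo.GetColumnMax
    @tableName  sysname,
    @columnName sysname,
    @result     sql_variant OUTPUT
AS
BEGIN
    SET NOCOUNT ON

    -- 1. Accept only names that exist in the catalog. Anything else is rejected
    --    before it gets anywhere near a statement.
    IF NOT EXISTS (
        SELECT 1
        FROM INFORMATION_SCHEMA.COLUMNS
        WHERE TABLE_SCHEMA = 'dbo'
          AND TABLE_NAME   = @tableName
          AND COLUMN_NAME  = @columnName
    )
    BEGIN
        RAISERROR('Unknown table or column.', 16, 1)
        RETURN 1
    END

    -- 2. Identifiers cannot be bound as parameters, so they are spliced in, but
    --    QUOTENAME brackets them and doubles any ] inside, so whatever the name
    --    contains it is parsed as exactly one identifier.
    DECLARE @sql nvarchar(4000)
    SET @sql = N'SELECT @out = MAX(' + QUOTENAME(@columnName)
             + N') FROM dbo.' + QUOTENAME(@tableName)

    -- 3. The value comes back through an OUTPUT parameter of sp_executesql,
    --    so the caller receives a scalar rather than a result set.
    EXEC sp_executesql @sql, N'@out sql_variant OUTPUT', @out = @result OUTPUT
    RETURN 0
END
GO

-- Caller (constructed usage):
DECLARE @v sql_variant
EXEC dbo.GetColumnMax 'tp_cod', 'amount', @v OUTPUT
SELECT @v AS max_amount
```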


SQL Server Views Vs Sprocs

Aug 30, 2006

I know that SQL Server caches stored procedures in memory, where it keeps the compiled execution plan. How does it work with views? Does SQL Server store/cache the views? Just wondering. Thanks


Generated Sprocs Of VS2005

Oct 24, 2006

Can someone explain the generated sprocs of VS2005 if one column can be nullable:

DependentOfSeqID = @Original_DependentOfSeqID OR ((@IsNull_DependentOfSeqID = 1) AND (DependentOfSeqID IS NULL))

In VS2003 the generated sprocs would be:

DependentOfSeqID = @Original_DependentOfSeqID OR ((@Original_DependentOfSeqID IS NULL) AND (DependentOfSeqID IS NULL))

Which is the best?


UNION 2 Sprocs From Within A Sproc

Aug 21, 2004

Hello,

I have 3 stored procedures.

A, B, C

Sproc B has an input variable of int.

In sproc A, I want to execute B, then C, and UNION them together.

Can someone possibly help me out with the syntax?

Thanks a lot.


Search For A Phrase In Sprocs

Jul 10, 2007

Due to a business rule change, I had to take what was 1 column in a table and split it off into a new table. Now I need to find every time that column is used in a SPROC and change those sprocs. Is there a way to sift through the sprocs to search for a "phrase" (the column name) -- other than reading through every one manually?

Thanks
Mark


Cyclomatic Complexity For Sprocs

May 8, 2015

There's a concept named cyclomatic complexity in software development which measures the complexity of code by its number of decision points. This would be measured by the number of if statements, nested if statements, etc. in a method.

Do SQL queries have any type of equivalent? For example, number of joins, number of conditions, etc., factored into a complexity metric which indicates how complex, risky or error-prone a sproc might be based on certain factors?


Alternative To EM For Writing Sprocs?

Oct 11, 2005

I've been using EM for writing stored procedures. I am ready to upgrade to something that works like an IDE. What do you use?


How Can I Search All My Sprocs To See If Any Use A Function?

May 6, 2008

Anyone have the code that would allow me to see if any of my sprocs contain references to a function? I imagine it would be something like select name from sysobjects where charindex(whatevertextis, 'ufnName') > 0

Thanks


Rollback When Debugging T-sql Sprocs In VS2005

Apr 27, 2007

Hi,

Is it possible to rollback changes made to the DB when debugging a t-sql sproc in VS2005? i.e. step through the sproc, then hit rollback and be able to step through it again in the same state

Thanks, moff.


Copying Sprocs, DTS To Multiple DBs And Servers

May 3, 2007

We have a growing number of servers and databases on each server that all share the same (sub)set of sprocs and UDFs. DTS packages, which we use for data import, frequently need to be copied between the servers. What is the best way to maintain this? Ideally, I would like to be able to click a button and have a script creating or altering one or more sprocs automatically run against all DBs on all servers. Likewise, I'd like to be able to copy DTS packages to all servers.

We use SS2000 SP4 and plan to migrate to SS2005. We also use ASP.net 2.0 and VS 2005 SP1.


Script To Grant Execute For Sprocs

Aug 7, 2007

Hello.

I'm using what looks to be a popular script to grant execute privileges to stored procedures, and it works great as long as the user account that you want to grant to is not a domain account.
For example, I need to grant execute to myDomaindbUsers, but get a syntax error when the script tries to execute this statement:


SET @SQL = 'GRANT EXECUTE ON [' + @Owner

+ '].[' + @StoredProcedure

+ '] TO myDomaindbUsers'


Incorrect syntax near ''.




The script works fine if a non-concatenated user account is given.
We use Active Directory to manage our access, thus the domaingroup.
Has anyone found a way around this?
Thanks in advance.

Tess


Here's the entire script for anyone who's interested:




USE whateverDatabase
GO

DECLARE @SQL nvarchar(4000),
        @Owner sysname,
        @StoredProcedure sysname,
        @RETURN int

-- Cursor of all the stored procedures in the current database
DECLARE cursStoredProcedures CURSOR FAST_FORWARD
FOR
    SELECT USER_NAME(uid) Owner, [name] StoredProcedure
    FROM sysobjects
    WHERE xtype = 'P'
      AND OBJECTPROPERTY(OBJECT_ID(QUOTENAME(USER_NAME(uid)) + '.' + QUOTENAME(name)), 'IsMSShipped') = 0
      AND name LIKE 'p%'

OPEN cursStoredProcedures

-- "Prime the pump" and get the first row
FETCH NEXT FROM cursStoredProcedures
INTO @Owner, @StoredProcedure

-- Set the return code to 0
SET @RETURN = 0

-- Encapsulate the permissions assignment within a transaction
BEGIN TRAN

-- Cycle through the rows of the cursor
-- And grant permissions
WHILE ((@@FETCH_STATUS = 0) AND (@RETURN = 0))
BEGIN
    -- Create the SQL Statement. Since we're giving
    -- access to all stored procedures, we have to
    -- use a two-part naming convention to get the owner.
    SET @SQL = 'GRANT EXECUTE ON [' + @Owner
        + '].[' + @StoredProcedure
        + '] TO myDomaindbUsers'

    -- Execute the SQL statement
    EXEC @RETURN = sp_executesql @SQL

    -- Get the next row
    FETCH NEXT FROM cursStoredProcedures
    INTO @Owner, @StoredProcedure
END

-- Clean-up after the cursor
CLOSE cursStoredProcedures
DEALLOCATE cursStoredProcedures

-- Check to see if the WHILE loop exited with an error.
IF (@RETURN = 0)
BEGIN
    -- Exited fine, commit the permissions
    COMMIT TRAN
END
ELSE
BEGIN
    -- Exited with an error, rollback any changes
    ROLLBACK TRAN

    -- Report the error
    SET @SQL = 'Error granting permission to ['
        + @Owner + '].[' + @StoredProcedure + ']'
    RAISERROR(@SQL, 16, 1)
END
GO
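An added rewrite of the grant loop (not the poster's script): the owner, procedure and grantee names all pass through QUOTENAME, so a principal containing a backslash, a space or a bracket is read as one identifier instead of breaking the statement, and the grantee is held in a variable rather than typed into the string. The grantee value below is a constructed placeholder; the database name and the p% naming filter follow the original script.

```sql
USE whateverDatabase
GO

DECLARE @SQL nvarchar(4000),
        @Owner sysname,
        @StoredProcedure sysname,
        @Grantee sysname,
        @RETURN int

-- Placeholder principal (constructed). A domain group written as DOMAIN\Group
-- goes here unchanged; QUOTENAME adds the brackets the plain string was missing.
SET @Grantee = N'SomeDomain\SomeGroup'
SET @RETURN = 0

-- LOCAL so the cursor cannot outlive this batch if it aborts part-way
DECLARE cursStoredProcedures CURSOR LOCAL FAST_FORWARD FOR
    SELECT USER_NAME(uid), [name]
    FROM sysobjects
    WHERE xtype = 'P'
      AND OBJECTPROPERTY(id, 'IsMSShipped') = 0
      AND name LIKE 'p%'

OPEN cursStoredProcedures
FETCH NEXT FROM cursStoredProcedures INTO @Owner, @StoredProcedure

BEGIN TRAN
WHILE (@@FETCH_STATUS = 0 AND @RETURN = 0)
BEGIN
    -- Every identifier is bracket-quoted; QUOTENAME doubles any ] inside a name,
    -- so no owner, procedure or grantee name can alter the statement's shape.
    SET @SQL = N'GRANT EXECUTE ON ' + QUOTENAME(@Owner) + N'.' + QUOTENAME(@StoredProcedure)
             + N' TO ' + QUOTENAME(@Grantee)
    EXEC @RETURN = sp_executesql @SQL
    FETCH NEXT FROM cursStoredProcedures INTO @Owner, @StoredProcedure
END
CLOSE cursStoredProcedures
DEALLOCATE cursStoredProcedures

IF (@RETURN = 0)
    COMMIT TRAN
ELSE
BEGIN
    ROLLBACK TRAN
    SET @SQL = N'Error granting permission to ' + QUOTENAME(@Owner) + N'.' + QUOTENAME(@StoredProcedure)
    RAISERROR(@SQL, 16, 1)
END
GO
```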


Very Basic Questions About Tsql Sprocs

Apr 2, 2008



Hi,

I'm really confused. I want to get a row id on a SQL 2000 table, so I have created a sproc and its syntax is OK.
How can I check it in SQL Query Analyzer? This is SQL Server 2000.
Also, how can I use that in a select statement?

thanks..

Here is my select statement, which I have to use the sproc inside:
select custid,ordernum,sku,amount,
dbo.get_rownums (custid,ordernum,sku ) ???
from tp_cod cod

Here is my sproc:
CREATE PROCEDURE [dbo].[get_rownums]
    @custid   varchar(10),
    @ordernum varchar(5),
    @sku      varchar(10),
    @i        int OUTPUT
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @SkuID varchar(10), @found bit
    SET @i = 0
    SET @found = 0
    -- LOCAL so the cursor is released when the procedure exits
    DECLARE got_sku CURSOR LOCAL FOR
        SELECT sku FROM tp_cod WHERE custid = @custid AND ordernum = @ordernum
    OPEN got_sku
    FETCH NEXT FROM got_sku INTO @SkuID
    WHILE @@FETCH_STATUS = 0
    BEGIN
        SET @i = @i + 1
        IF @SkuID = @sku
        BEGIN
            SET @found = 1
            BREAK   -- leave the loop instead of returning, so the cursor is closed below
        END
        FETCH NEXT FROM got_sku INTO @SkuID
    END
    CLOSE got_sku
    DEALLOCATE got_sku
    IF @found = 1 RETURN @i
END
GO


Best Way To Execute Heavy Sprocs Wihtout Slowdown

Aug 27, 2007

Hi,

Just a general question here. I'm designing a web application that might have 50 million to 100 million rows plus. Basically it's a simple logging table, each row probably only 24 bytes wide; however, I can see it taking quite a while to execute.

The query is basically a group by, showing the amount of "hits" per day.

Are there any special types of strategies I should implement? Or is a properly designed structure with indexes likely sufficient (on the right hardware, of course)?

Thanks for any advice!,
Mike


Issues With 1.1 Framework Calling SQL 2005 CLR Sprocs?

Oct 5, 2006

Are there any issues calling SQL 2005 CLR-based stored procedures and functions from a web application which uses the .NET 1.1 framework?

I assume not, but would like advice from those who've been there...

Thanks,

Marie


Config Files For .Net Code In Managed Sprocs

Oct 3, 2006

I have been attempting to create a managed stored procedure which calls a web service using WSE 3.0 for security.

It appears that the WSE-generated config file (or possibly the app.config file) is not accessible to the .Net code.

Is there a method for using config files with CLR managed sprocs?


Thanks,
Max


How To Script Muplitple SPROCS/VIEWS At One Time

Mar 30, 2006

In Enterprise Manager one can select several SPROCS/VIEWS using the CONTROL key and then right-click to script out those objects. Alternatively, pressing CONTROL-C copies, to the clipboard, the T-SQL to create the selected objects.

SQL Management Studio seems to only allow you to script one object at a time.

Is there a way in SQL Management Studio to select multiple objects and generate create or modify scripts?


T-SQL (SS2K8) :: Find And Replace Text For All Sprocs On A Server

Apr 24, 2014

There are plenty of scripts to do this on a per-DB level, but are there any that will allow me to generate a script for all DBs at once? Mine are split across dozens, and it would be much easier to do a loop (using MS_ForeachDB?).


Transact SQL :: Referencing UDFs And Sprocs In Linked Server

Oct 7, 2015

We have migrated a database (myDb2014) to a SQL Server 2014 instance. We have another on a 2008R2 instance (myDb2008). Both on the same server.

I have setup a linked server to the 2014 instance from the 2008R2 one.

I have a number of sprocs on myDb2008 that call TVFs and sprocs on myDb2014. This worked fine when they were both on the same instance.

Now however, I have an issue where I would have to update all the references in each calling query.

I looked into creating Synonyms but this only works for Tables/Views.

Is there a workaround to querying myDb2014 TVFs/sprocs without having to update each calling query in myDb2008?


How Do I Grab A Simple List Of SQL Server Views, Tables Or Sprocs?

Jul 20, 2005

I need just the names of tables, views and sprocs within a SQL Server database. What's the easiest way to do this?


Parameterized Queries Running Slower Than Non-parameterized Queries

Jul 20, 2005

Hello

When I use a PreparedStatement (in JDBC) with the following query:

SELECT store_groups_id
FROM store_groups
WHERE store_groups_id IS NOT NULL
AND type = ?
ORDER BY group_name

It takes a significantly longer time to run (the time it takes for executeQuery() to return) than if I use

SELECT store_groups_id
FROM store_groups
WHERE store_groups_id IS NOT NULL
AND type = 'M'
ORDER BY group_name

After tracing the problem down, it appears that this is not precisely a Java issue, but rather has to do with the underlying cost of running parameterized queries. When I open up MS Enterprise Manager and type the same query in, it also takes far longer for the parameterized query to run when I use the version of the query with bind (?) parameters.

This only happens when the table in question is large; I am seeing this behaviour for a table with > 1,000,000 records. It doesn't make sense to me why a parameterized query would run SLOWER than a completely ad-hoc query when it is supposed to be more efficient.

Furthermore, if one were to say that the reason for this behaviour is that the query is first getting compiled and then the parameters are getting sent over, thus resulting in a longer perceived execution time, I would respond that if this were the case then A) it shouldn't be any different if it were run against a large or small table, B) this performance hit should only be experienced the first time that the query is run, C) the performance hit should only be 2x the time the non-parameterized query takes to run; the difference in response time is more like 4-10 times the time it takes for the non-parameterized version to run!!!

Is this a SQL Server specific problem or something that would pertain to other databases as well? Is there something about the correct use of bind parameters that I overall don't understand? If I can provide some hints in Java then this would be great. Otherwise, do I need to turn on/off certain settings on the database itself?

If nothing else works, I will have to either find or write a wrapper around the Statement object that acts like a prepared statement but in reality sends regular Statement objects to the JDBC driver. I would then put some intelligence in the database layer for deciding whether to use this special -hack- object or a regular prepared statement depending on the expected overhead. (Obviously this logic would only be written in one place.. etc.. IoC..) HOWEVER, I would desperately want to avoid doing this.

Please help :)


How To Run Queries???

Aug 9, 2006

Hi,
I am using Visual Web Developer 2005 Express Edition and am finding it hard to get my query to run. I am making my own login page, as I have a few more things to ask the user before they get logged in, so I am not using the login control.
I want to write my own query without the help of the SqlDataSource control, from the start, something like
sqldatasource con=new sqldatasource;
con.connection String=""
Then what all things will come........ ???
And please give me some pointers to some articles which help one to do the requested.

Regards,


Is It Possible To Put Several Queries Into One Sp

Dec 7, 2007

I have an update query which either inserts a row or increases the quantity, depending on whether the row exists or not. It works, better than my explanation probably.

After that query could be a good time to count the total of all calculated sub sums. Something like this:

previous query
END
go
SELECT SUM(SubTotal)
FROM dbo.t_Shoppings

I have tried this in the tool which has a long name (Microsoft SQL Server Management Studio Express), but I think my way didn't work. Is this possible, or do I have to make and call another stored procedure? I can send my sp if someone wants.


2 Queries Together

Dec 18, 2007

How can I execute, for example, 2 queries together in a single stored procedure:

Select top 20 * from Product where Active=1
select Count( *) from product

If I execute such a one, how can I get the 2 results in VB/C#?


Queries Or SP

Jun 18, 2004

Hi, which is better: to use a query from the code, or to use a stored procedure and call the SP from the code?


Sql Queries

Oct 21, 2004

Hi All,

Not sure if I've got the correct place for this question. But I'm trying to create an SQL query to list the latest 10 items in a database. So far I haven't had any luck finding this.

All I have is a normal query (below). Can anyone help me please?

SELECT * FROM pages WHERE show = 'yes' ORDER BY id Desc;

Regards,

Rich


Please Help In Queries

Jan 23, 2006

Hi,

I have 5 tables in a SQL database, named Book, Category, Subject, UserDownload, User.

In Book table: BookID, BookTitle, CategoryID
In Category table: CategoryID, CategoryName
In Subject table: SubjectID, SubjectName, CategoryID
In UserDownload table: UserID, BookID
In User table: UserID, UserName

I used Book to store information about books. Those books have many categories. In those categories, there are also some subjects. When a user downloads a book, I update the UserDownload table.

The result I want to get is the Top Ten Download Subjects. How can I get it? Please help me.


Queries

Jul 16, 2002

Could anyone help me? I need all the commands like select, from etc. Basically I need to learn writing queries etc. Please


Queries In SQL

Aug 3, 2000

I just upsized my Access2K db to SQL. I am using Front Page 2000 for my website. When I had the database as Access, I was able to use one of my Access queries as my record source for my data base. I was able to choose between my queries AND my tables as the source for my records. Now that I've upsized, I am no longer given that choice. My only choices are the tables. Unfortunately, my database is designed to pull records from a query, not just a table. So my question is, in FP2000, how do I use a QUERY from my newly upsized SQL db as my record source?

Thank you all very much in advance.








Copyrights 2005-15 www.BigResource.com, All rights reserved