I'm wondering if it's possible to store a result-set of a select query into a mysql variable, while using a stored procedure?
Example of a select query:
SELECT * FROM registrations WHERE user_id = <input_stored_proc>
I have multiple select queries that I'd like to run in that stored procedure and would like to store each result-set into a different variable.
What I'd like to do is, call that stored procedure from any application and be able to do something like this: (all SELECT queries require the user_id input)
CALL <stored_proc_name>(<user_id>)
And then use the variables, so I can e.g. loop through the rows of any executed select query.
Thanks.
Related
I'm working through an SQL injection tutorial. I don't understand one aspect of an SQL statement which is used determine where the different columns in the table will be displayed on the web page and then used to execute statements. A previous SQL injection statement has been used to determine the number of columns in the table, which is 6. The SQL statement is
SELECT * FROM TableName Where id=12 union all select 1,2,3,4,5,6
I've researched the SELECT and UNION ALL statements and haven't been able to work out what is actually going on. My thinking is that the numbers in the 2nd select statement respresent the column numbers.
The second statement used to get the values from the table is:
SELECT * FROM TableName Where id=12 union all select 1,2,3,4,user(),6
What does the select 1,2,3,4,5,6 and select 1,2,3,4, user(),6 component of the SQL injection query actually do?
They are not column numbers but values. Assuming you can somehow inject the statement you now need something to do with it. The first example counts the columns. theUNION will fail when there are not enough columns. By adding more columns to the UNION eventually the statement will execute. Now you know how many columns there are.
The second one is injecting the user into the return result set. Assuming the result set gets displayed on the screen for some reason, you now have a user name (or service account name) with which to execute more statements on your database, escalate privileges or make service calls.
It's doing something like that. Without knowing more it's hard to know what exactly.
I have one table that has userID, department, er. I've created one simple query to gather all this information.
SELECT table.userID, table.department, table.er FROM table;
Now, I want to group all er's that belong to the same department and perform this calculation
select sum(table.er)/3 as department_er from table group by table.department;
Then add this result as a new column in my first query. To do this I've created a UDF that looks like this
BEGIN
DECLARE department_er FLOAT;
set department_er = (select sum(er) from table where table.department = dpt);
RETURN department_er;
END
Then I used that UDF in this query
SELECT table.userID, table.department, (select dptER(table.department)/3) as department_er FROM table
I've indexed my tables and more complex queries were dropped from 4+ minutes to less than 1 second. This seems to be pretty simple but is going on 10 minutes to run. Is there a better way to do this or a way to optimize my UDF?
Forgive my n00b-ness :)
Try a query without a dependent aggregated subquery in SELECT clause:
select table.userID,
table.department as dpt,
x.department_er
from table
join (
select department,
(sum(table.er)/3) As department_er
from table
group by department
) x
ON x.department = table.department
This UDF function cannot be optimized. Maybe it seems to work in simple queries, but generally it can hurt your database performance.
Imagine that we have a query like this one:
SELECT ....., UDF( some parameters )
FROM table
....
MySql must call this funcion for each record that is retrieved from the table in this query
If the table contains 1000 records - the function is fired 1000 times.
And the query within the function is also fired 1000 times.
If 10.000 records - then the function is called 10.000 times.
Even if you optimize this function in such a way, that the UDF will be 2 times faster, the above query will still fire the function 1000 times.
If 500 users have the same department - it still is called 500 times for each user and calculates the same value for each of them. 499 redundant calls, because only 1 call is required to calculate this value.
The only way to optimize such queries is to take the "inner" query out of the UDF function and combine it with the main query using joins etc.
How can I call a MySQL procedure in where clause?
In the example demo is a table name get_name() is a function and 1 is a parameter (id) .
select * from demo where name = (select name from call get_name(1))
You should use a function instead of a procedure. A procedure returns a (one or multiple) result sets (tables), whereas a function returns a single value.
You should think twice before using functions in where-clause, if they contain select clauses from the database, as it may lead into situation where the query optimizer unable to optimize the query path resulting serialized queries and poor performance. If the data amount is small or you are ok with the possible performance hit, this would work.
I am using stored procedure. I am passing some input parameter to stored procedure like p_type. Based on this condition i need to get either 1 column or 3 column as output
like
select
a_orderid AS OrderId,
t_logisticpartner.a_name AS Logistics,
t_shipment.a_shipmentid AS ShipmentId
from order some join comitions;
If p_type is 1 then i need all 3 columns or else just orderid column. I need to have aliases also.
Two MySQL solutions:
Write big switch with all possible SELECT queries using CASE or IF statements.
Construct result SELECT statement, and then execute it using MySQL prepared statements.
I'm trying to build a query with a variable limit. As far as I know I cannot do something like select * from table limit my_variable;, but I've read on the internet about a workaround:
SET SQL_SELECT_LIMIT = variable;
I have to write this syntax before the query I want to apply the LIMIT in. This works fine if I write a SELECT query after that code line, but it does not work if I write the following code instead:
INSERT INTO table
SELECT * FROM table1;
It will insert every record of the table1 in table2, instead of inserting the quantity of records specified in the first code line I wrote in this post.
How can I accomplish this?
Using prepared statements to dynamically compose SQL queries.