The reason I have dynamic SQL in my stored procedure is because I need to pass in the database name on which to execute the stored procedure on. Due legacy db design the stored procedure talks to another as well as the database the stored procedure is on.
will sp_executesql protect me from SQL injection?
our owasp manager wants me to sanitise the parameters at the stored procedure level how the heck am I going to do that? I already use parametrised query to call the stored procedure from C#
Code:
SELECT
data.userid,
aspnet_users.username,
CASE
WHEN data.email LIKE '%#b.c' THEN ''
ELSE data.email
END AS email,
data.islockedout,
data.isapproved
FROM
dbo.aspnet_membership data
INNER JOIN
aspnetdb.dbo.aspnet_users ON aspnet_users.userid = data.userid
LEFT JOIN
martin.dbo.application_users ON application_users.username = aspnet_users.username COLLATE latin1_general_ci_as
LEFT JOIN
martin.dbo.life_company_users ON life_company_users.user_id = application_users.id
WHERE
((aspnet_users.username LIKE '%ss%' OR ISNULL(#username, '') = '')
AND (data.email LIKE '%ya.com%' OR ISNULL(#email, '') = '')
AND (#lifeCompany = life_company_users.life_company_id OR #lifeCompany = 0)
Related
Here's shortened script of my stored procedure:
DROP PROCEDURE IF EXISTS `GetVehicleDetails`;
DELIMITER //
CREATE PROCEDURE `GetVehicleDetails`(
IN `inRefNo` VARCHAR(30) COLLATE utf8mb4_general_ci,
IN `inSurveyType` VARCHAR(20) COLLATE utf8mb4_general_ci
)
BEGIN
DECLARE vehicleTypeID VARCHAR(2);
SET FOREIGN_KEY_CHECKS = OFF;
SELECT * FROM vehicle_details V
LEFT JOIN vehicle_types VT ON VT.TypeID = V.VehicleType
LEFT JOIN vehicle_makes VM ON VM.TypeID = V.VehicleType AND VM.MakeID = V.VehicleMake
LEFT JOIN vehicle_models VD
ON VD.TypeID = V.VehicleType AND VD.MakeID = V.VehicleMake AND VD.ModelID = V.VehicleModel
LEFT JOIN vehicle_variants VV
ON VV.TypeID = V.VehicleType
AND VV.MakeID = V.VehicleMake
AND VV.ModelID = V.VehicleModel
AND VV.VariantID = V.VehicleVariant
LEFT JOIN vehicle_body_types VB ON VB.BodyTypeID = V.TypeOfBody
LEFT JOIN vehicle_info_preinspection VP ON VP.RefNo = inRefNo
LEFT JOIN fuel_types F ON F.FuelTypeID = VP.Fuel
WHERE V.RefNo = inRefNo;
# Fetch Vehicle Type
SELECT VehicleType INTO vehicleTypeID FROM vehicle_details WHERE RefNo = inRefNo;
# Get details of body parts
IF vehicleTypeID = 1 THEN /* Personal Car */
SELECT * FROM body_parts_personal_car WHERE RefNo = inRefNo;
/*IF inSurveyType = 'preinspection' THEN
SELECT * FROM accessories_personal_car WHERE RefNo = inRefNo;
END IF;*/
ELSEIF vehicleTypeID = 4 THEN /* 2 Wheeler */
SELECT * FROM body_parts_2_wheeler WHERE RefNo = inRefNo;
ELSE
SELECT * FROM body_parts_commercial_vehicle WHERE RefNo = inRefNo;
END IF;
SET FOREIGN_KEY_CHECKS = ON;
END//
DELIMITER ;
Now, while executing the stored procedure with this statement:
CALL GetVehicleDetails('some ref no', 'interim-survey');
an error is being thrown:
Static analysis:
1 errors were found during analysis.
Missing expression. (near "ON" at position 25)
SQL query: Edit Edit
SET FOREIGN_KEY_CHECKS = ON;
MySQL said: Documentation
2014 - Commands out of sync; you can't run this command now
I have noticed that the stored procedure is throwing on second SELECT statement -
SELECT * FROM body_parts_personal_car WHERE RefNo = inRefNo;
in my case. Even if I write SELECT Now(); or SELECT vehicleTypeID; before it, the stored procedure throws the same error. If I comment this SELECT statement out, the stored procedure WORKS.
The same stored procedure works on localhost perfectly. I am using phpMyAdmin on remote server to maintain my database.
Any help please?
EDIT: I am receiving same problem in all stored procedures which have multiple SELECT statements to be returned back as ResultSet.
And, if I click Execute from the list of stored procedures in phpMyAdmin, the stored procedure executes. But if I invoke the stored procedure with CALL <proc_name()>;, the above error is displayed.
The "Commands out of sync" error usually indicates the client side error (results from the previous result set have not been processed and remain in the buffer).
If you are running the procedure from the phpMyAdmin, note that phpMyAdmin does not know to handle procedures returning multiple result sets. Try to run the command from MySQL command prompt and see if you get any errors.
The procedure itself looks ok, apart from unnecessary SET FOREIGN_KEY_CHECKS-commands (the procedure does not do any update/insert).
There problem was with one or more of tables involved in the procedure. Some queries and procedure calls inside a procedure were giving errors as "illegal mix of collations xxxxxxxx". I had to set COLLATIONS of all char/varchar/enum fields of tables and parameters of procedures giving errors to utf8mb4_general_ci.
I have two stored procs which i call from my laravel application.
My laravel application passes in a cID parameter which is then passed to the stored procedure as the "where clause". But it seems something is going astray and possibly my variables arent set up properly.
Also i know that laravel IS passing the correct cID to my stored proc because i enabled the logs for mysql to see if it was passing any params.
Also the stored procedure select statement runs fine as a query if i manually set the ClientID = '';
My stored proc sends ALL clients and cards to the view, totally ignoring the where clause.
Laravel code:
Route::get('/clients/{cID}', function ($cID) {
$details = DB::select('CALL sp_Details(' . DB::raw($cID) . ')');
$cards = DB::select('CALL sp_Cards(' . DB::raw($cID) . ')');
return view('client.show', compact('details','cards'));
});
Any my Stored Proc
CREATE DEFINER=`root`#`localhost` PROCEDURE `sp_Details`(IN cID int )
BEGIN
SET #ClientID = cID;
SELECT
ClientID,
Client_Name
FROM accounts
where #ClientID = cID;
END
Stored Proc #2
CREATE DEFINER=`root`#`localhost` PROCEDURE `sp_Cards`(cID int)
BEGIN
SET #ClientID = cID;
SELECT
ClientID,
Code
FROM cards
where cID = #ClientID;
END
You are using local variables like #ClientID and you are confusing it to column names, must change your code to avoid them and there is no necessary use the local variable:
CREATE PROCEDURE `sp_Details`(IN cID int )
BEGIN
SELECT
ClientID,
Client_Name
FROM accounts
where ClientID = cID;
END
The other proc:
CREATE PROCEDURE `sp_Cards`(cID int)
BEGIN
SELECT
ClientID,
Code
FROM cards
where ClientID = cID;
END
I'm converting all of my existing MSSQL databases and stored procedures am stuck on a new stored procedure where I need to update an existing record. The procedure gets called from a web form once a record has been inserted into the database and en email sent successfully (or at least passed off to the SMTP server)
I've had a working procedure in MSSQL for a long time but am trying to convert it to MySQL. I'm passing in 3 variables - a bit indicating the email got sent, a string indicating which SMTP server has been used to sent the email and a unique record id so I'll know what record to update. I'm also adding the date and time to another field to know when the procedure ran.
I've got the following but keep getting an error "#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 7 - yet I don't see anything off at line 7 - at least to my eye.
The code I'm trying to use is:
CREATE PROCEDURE `sp_Test`(
`emailSent_In` BIGINT UNSIGNED,
`emailTransport_In` VARCHAR(100),
`formSecret_In` VARCHAR(32)
)
BEGIN
SET #`query` := CONCAT('UPDATE ',`tbl_JustSayThanks`,'
SET `emailSent` = `emailSent_In`,
`emailTransport` = ',`emailTransport_In`,',
`emailSentDate` = NOW()
WHERE `formSecret` = ', `formSecret_In`, '');
PREPARE `stmt` FROM #`query`;
EXECUTE `stmt`;
#`query` := NULL;
DEALLOCATE PREPARE `stmt`;
END//
DELIMITER ;
Just FYI, I'm using the CONCAT based on a previous answer I received from wchiquito and will be passing in the table name eventually. But, I wanted to get it to work on a simplified level before going there.
The following is wrong:
SET #`query` := CONCAT('UPDATE ',`tbl_JustSayThanks`,'
because you seem to be concatenating your SQL text with the value of tbl_JustSayThanks, but I think you mean to use the identifier itself. This should therefore be:
SET #`query` := CONCAT('UPDATE `tbl_JustSayThanks`',
The following is wrong:
`emailTransport` = ',`emailTransport_In`,',
because the variable is a VARCHAR but you don't quote it as a string literal in your SQL statement. It's easy to get mixed up with the multiple levels of quoting. It should be:
`emailTransport` = ''', `emailTransport_In`, ''',
The following is wrong for the same reason:
WHERE `formSecret` = ', `formSecret_In`, '');
it should be:
WHERE `formSecret` = ''', `formSecret_In`, '''');
This still suffers from SQL injection problems, unless you can guarantee that the input parameters are safe (which is not a good assumption). If you need to concatenate values into your SQL expressions, you should use the QUOTE() function to do escaping:
SET #query = CONCAT('
UPDATE tbl_JustSayThanks
SET emailSent = ', QUOTE(emailSent_In), '
emailTransport = ', QUOTE(emailTransport_In), '
emailSentDate = NOW()
WHERE formSecret = ', QUOTE(formSecret_In));
More comments:
You don't need to delimit every identifier with back-ticks, only those that conflict with SQL reserved words, or contain whitespace or punctuation or international characters. None of your identifiers you show require delimiting.
When you use prepared statements, you should use query parameters with the ? placeholders, intead of concatenating variables into the SQL string. You don't quote parameter placeholders in your SQL query. That way you won't run into hard-to-debug syntax errors like the ones you found.
Here's an example showing the fixes:
CREATE PROCEDURE sp_Test(
emailSent_In BIGINT UNSIGNED,
emailTransport_In VARCHAR(100),
formSecret_In VARCHAR(32)
)
BEGIN
SET #query = '
UPDATE tbl_JustSayThanks
SET emailSent = ?,
emailTransport = ?,
emailSentDate = NOW()
WHERE formSecret = ?';
SET #es = emailSent_In;
SET #et = emailTransport_In;
SET #fs = formSecret_In;
PREPARE stmt FROM #query;
EXECUTE stmt USING #es, #et, #fs;
DEALLOCATE PREPARE stmt;
END//
DELIMITER ;
Final comment:
Your example query has no dynamic syntax elements, only dynamic values. So you don't need to use a prepared statement at all.
This is how I'd really write the procedure:
CREATE PROCEDURE sp_Test(
emailSent_In BIGINT UNSIGNED,
emailTransport_In VARCHAR(100),
formSecret_In VARCHAR(32)
)
BEGIN
UPDATE tbl_JustSayThanks
SET emailSent = emailSent_In,
emailTransport = emailTransport_In,
emailSentDate = NOW()
WHERE formSecret = formSecret_In;
END//
DELIMITER ;
You should also be aware that MySQL stored procedures are greatly inferior to Microsoft SQL Server. MySQL doesn't keep compiled stored procedures, it doesn't support packages, it doesn't have a debugger... I recommend you do not use MySQL stored procedures. Use application code instead.
I have been working on paramaterised stored procedure in SQL Server, but I get an error stating
Ambiguous column name 'musictypeID'
Code:
create procedure getmusicbytype
(#musictypeID int)
as
begin
select *
from musicc
inner join MusicType on musicc.musictypeID = MusicType.musictypeID
where musictypeID = #musictypeID
end
Both tables have musictypeID, so you need to specify one in the where clause.
Change where musictypeID = #musictypeID to where musicc.musictypeID = #musictypeID
I have a stored procedure in SQL server 2008. It takes an email as parameter and then looks up if the user linked to it has rights to access a mobile MVC 5 application. The stored procedure returns either a 1 or a 0. Here is the code for the stored procedure.
-- Add the parameters for the stored procedure here
#email varchar(128)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
DECLARE #Check int
SELECT
#Check = (
SELECT P.MobileRights
FROM eMK_Person as P
WHERE P.ID = (SELECT FK_Person FROM eMK_contact WHERE eMK_Contact.Information = #Email)
)
IF (#Check is null) RETURN 0
RETURN (#Check)
END
GO
In the standard mvc5 code of the account controller I added a simple check on this stored procedure, if the outcome is 0 it should just return the view. Here is a the code that I added to the Login task action result:
var test = db.SP_MB_MobileRights(model.Email);
if (db.SP_MB_MobileRights(model.Email) == 0)
{
return View(model);
}
I have two test accounts. One that has the rights and one that does not. If I execute the stored procedure in the management studio with a query it works like it should, returning 0 for one and 1 for the other.
But when I debug the code the test variable always gets filled with -1.
Here is the code that MVC made for me when I added the stored procedure to the model.
public virtual int SP_MB_MobileRights(string email)
{
var emailParameter = email != null ?
new ObjectParameter("email", email) :
new ObjectParameter("email", typeof(string));
return ((IObjectContextAdapter)this).ObjectContext.ExecuteFunction("SP_MB_MobileRights", emailParameter);
}
When I debug through it, I can clearly see that the emailParameter variable is filled with the email address:
If the procedure is meant to return a 1 or 0 try changing your procedure to:
AS
BEGIN
IF EXISTS (SELECT P.MobileRights FROM eMK_Person as P WHERE P.ID = (SELECT FK_Person FROM eMK_contact WHERE eMK_Contact.Information = #Email))
RETURN 1
ELSE
RETURN 0
END
You should also change your query to a JOIN rather then a sub query.
Something like:
SELECT P.MobileRights FROM eMK_Person as P
JOIN eMK_contact as C ON c.FK_Person = P.ID WHERE C.Information = #Email