In SQL Server Database Project I have several views
CREATE VIEW [dbo].[vwDB1_Table1]
AS
SELECT
0 as Id,
0 as Col1,
0 as Col2
and in postdeployment i am modifying these views
ALTER VIEW [dbo].[vwDB1_Table1]
AS
SELECT Id, Col1, Col2 FROM DB1.dbo.Table1
GO
the reason I am doing this is because of visual studio IntelliSense and prevent build warnings (maybe it will not build at all)
but the problem is that sometimes (it is rather an exception) the views are not modified and application start throw errors.
therefore I would like to ask if there is possible to have some kind of tests (Unit, Integration) which will after deploy (or manually) check, if the SELECT is success (returns more then 1 row).
any idea ? I am totally unexperienced with testing.
Related
I'm running a very simple Qlik Sense script which connects to MySQL and returns a resultset. Everything runs OK until a bit datatype column is added. Then the Load Script just keeps on 'loading'. It will stay like that for hours on end. When I remove the BIT column from the column list in the SELECT statement, the script runs in a few seconds. Here is the script that works:
LIB CONNECT TO 'MySQL_.......';
First 5
LOAD col1,
col2,
col3;
[my_table]:
SELECT col1,
col2,
col3;
FROM `db_name`.`table_name`;
And, after adding the column of BIT data type, the script hangs:
LIB CONNECT TO 'MySQL_.......';
First 5
LOAD col1,
col2,
col3,
bitCol;
[my_table]:
SELECT col1,
col2,
col3,
bitCol;
FROM `db_name`.`table_name`;
Note: object names changed for privacy.
I looked up documentation on Qlik and it there is nothing specifically that says anything about BIT data type nuances. I'm baffled and any direction appreciated. Thanks!
For anyone that encounters this issue. The Qlik MySQL connector was causing the issue. I setup a system ODBC data source to the MySQL instance and used a Qlik ODBC connection instead and it worked right away.
I want to do a data transfer between two different databases in Delphi. I can not work with TBachmove because the columns that are going to be transferred are selected by the user.
I try to integrate this code but I did not know how to integer it with different databases.
INSERT INTO table_destination ( colonne1, colonne2, colonne3, ..., colonneN )
SELECT
colonne3,
colonne8,
NULL,
...,
colonne137,
...,
colonneN
FROM table_source;
I can not work with TBachmove because the columns that are going to be transferred are selected by the user.
Actually, even in D7, you should be able to do this quite easily as long as Blob columns are not involved. Steps:
Create an ODBC System DSN pointing to your MySQL destination database.
Create a Delphi project with a TTable, Table1, which opens your Paradox table, a TQuery, Query1, which uses the same BDE Alias as your Paradox Table1,
a TTable Table2 which uses the ODBC Alias from step 1, and a BatchMove component. Give Table2 a TableName which is what you want the MySQL table to be called.
Provide a gui method for the user to select which columns to copy.
When the user has selected the columns to copy, create a SQL statement to select those columns from your paradox table, load it into Query1 and call Open on it.
Set Query1 as the Source of BatchMove1, Table2 as the Destination and the BatchMove mode as batCopy.
Call BatchMove1.Execute.
That should do it.
My first attempt to test this, using the Biolife.Db table from the "FishFacts" demo failed because I got an exception complaining about an invalid blob size. My second attempt, using the Customer.Db table worked fine though.
As far as the blob-size problem is concerned, although it has been 15+year since I used the BDE, ISTR that there is a maximum blob-size configuration parameter that can be adjusted via the BDE Adminstrator and that there was a way to set it to "No maximum", possibly by setting it to -1.
Current versions of Delphi include the FireDAC data-access components, which include a "modern" BatchMove component which does not depend on the BDE, but I think FireDAC was only included with Delphi in XE8.
So a little background on our system to explain things.
Our databases are version (as probably most are). We have a table in the database called "DBVersion". However a few months ago we migrated over to liquibase. And now have a DATABASECHANGELOG table.
We, unfortunately, are a fairly unorganized company when it comes to our databases. So I am trying to write a view that will allow me to know what version our clients are on.
I honestly dont even know where to begin. But I figured I can write multiple CASE statements that will allow me to do this. I will be using the SP sp_msforeachdb to run the view.
SELECT
Case when id = '8.12' then '8.12'
End as Version
From DATABASECHANGELOG
Where id = '8.12'
I would like to do something like this:
CASE
WHEN (SELECT ID FROM DATABASECHANGELOG WHERE ID = '8.12' IF NULL CONTINUE)
WHEN (SELECT VERSION FROM DBVERSION, IF > 400 && < 425 THEN PRINT 'VERSION 8.7'
I know the above query isnt even in SQL, But It gives you an idea. Our versions with Liquibase are 8.10, 8.11, and 8.12 plus all future version. Everything below 8.10 is with the watson version which would be a simple number range.
Sorry if this is way too confusing.
Don't really understand your question.
The following SQL displays your application's database versions:
SELECT ID,FILENAME,TAG FROM DATABASECHANGELOG WHERE TAG IS NOT NULL
Each time you run the "tag" command it will insert a value into the tag column, so that a rollback operation knows how many changesets to undo.
I've got one easy question: say there is a site with a query like:
SELECT id, name, message FROM messages WHERE id = $_GET['q'].
Is there any way to get something updated/deleted in the database (MySQL)? Until now I've never seen an injection that was able to delete/update using a SELECT query, so, is it even possible?
Before directly answering the question, it's worth noting that even if all an attacker can do is read data that he shouldn't be able to, that's usually still really bad. Consider that by using JOINs and SELECTing from system tables (like mysql.innodb_table_stats), an attacker who starts with a SELECT injection and no other knowledge of your database can map your schema and then exfiltrate the entirety of the data that you have in MySQL. For the vast majority of databases and applications, that already represents a catastrophic security hole.
But to answer the question directly: there are a few ways that I know of by which injection into a MySQL SELECT can be used to modify data. Fortunately, they all require reasonably unusual circumstances to be possible. All example injections below are given relative to the example injectable query from the question:
SELECT id, name, message FROM messages WHERE id = $_GET['q']
1. "Stacked" or "batched" queries.
The classic injection technique of just putting an entire other statement after the one being injected into. As suggested in another answer here, you could set $_GET['q'] to 1; DELETE FROM users; -- so that the query forms two statements which get executed consecutively, the second of which deletes everything in the users table.
In mitigation
Most MySQL connectors - notably including PHP's (deprecated) mysql_* and (non-deprecated) mysqli_* functions - don't support stacked or batched queries at all, so this kind of attack just plain doesn't work. However, some do - notably including PHP's PDO connector (although the support can be disabled to increase security).
2. Exploiting user-defined functions
Functions can be called from a SELECT, and can alter data. If a data-altering function has been created in the database, you could make the SELECT call it, for instance by passing 0 OR SOME_FUNCTION_NAME() as the value of $_GET['q'].
In mitigation
Most databases don't contain any user-defined functions - let alone data-altering ones - and so offer no opportunity at all to perform this sort of exploit.
3. Writing to files
As described in Muhaimin Dzulfakar's (somewhat presumptuously named) paper Advanced MySQL Exploitation, you can use INTO OUTFILE or INTO DUMPFILE clauses on a MySQL select to dump the result into a file. Since, by using a UNION, any arbitrary result can be SELECTed, this allows writing new files with arbitrary content at any location that the user running mysqld can access. Conceivably this can be exploited not merely to modify data in the MySQL database, but to get shell access to the server on which it is running - for instance, by writing a PHP script to the webroot and then making a request to it, if the MySQL server is co-hosted with a PHP server.
In mitigation
Lots of factors reduce the practical exploitability of this otherwise impressive-sounding attack:
MySQL will never let you use INTO OUTFILE or INTO DUMPFILE to overwrite an existing file, nor write to a folder that doesn't exist. This prevents attacks like creating a .ssh folder with a private key in the mysql user's home directory and then SSHing in, or overwriting the mysqld binary itself with a malicious version and waiting for a server restart.
Any halfway decent installation package will set up a special user (typically named mysql) to run mysqld, and give that user only very limited permissions. As such, it shouldn't be able to write to most locations on the file system - and certainly shouldn't ordinarily be able to do things like write to a web application's webroot.
Modern installations of MySQL come with --secure-file-priv set by default, preventing MySQL from writing to anywhere other than a designated data import/export directory and thereby rendering this attack almost completely impotent... unless the owner of the server has deliberately disabled it. Fortunately, nobody would ever just completely disable a security feature like that since that would obviously be - oh wait never mind.
4. Calling the sys_exec() function from lib_mysqludf_sys to run arbitrary shell commands
There's a MySQL extension called lib_mysqludf_sys that - judging from its stars on GitHub and a quick Stack Overflow search - has at least a few hundred users. It adds a function called sys_exec that runs shell commands. As noted in #2, functions can be called from within a SELECT; the implications are hopefully obvious. To quote from the source, this function "can be a security hazard".
In mitigation
Most systems don't have this extension installed.
If you say you use mysql_query that doesn't support multiple queries, you cannot directly add DELETE/UPDATE/INSERT, but it's possible to modify data under some circumstances. For example, let's say you have the following function
DELIMITER //
CREATE DEFINER=`root`#`localhost` FUNCTION `testP`()
RETURNS int(11)
LANGUAGE SQL
NOT DETERMINISTIC
MODIFIES SQL DATA
SQL SECURITY DEFINER
COMMENT ''
BEGIN
DELETE FROM test2;
return 1;
END //
Now you can call this function in SELECT :
SELECT id, name, message FROM messages WHERE id = NULL OR testP()
(id = NULL - always NULL(FALSE), so testP() always gets executed.
It depends on the DBMS connector you are using. Most of the time your scenario should not be possible, but under certain circumstances it could work. For further details you should take a look at chapter 4 and 5 from the Blackhat-Paper Advanced MySQL Exploitation.
Yes it's possible.
$_GET['q'] would hold 1; DELETE FROM users; --
SELECT id, name, message FROM messages WHERE id = 1; DELETE FROM users; -- whatever here');
Given:
A table named Table1 that has the following columns:
ID
ColumnA
ColumnB
Typing Table1. in Microsoft SQL Server Management Studio provides me with a list of columns for that table.
Scenario:
I open up Table1 in the design view and add ColumnC to it. I save Table1 and refresh it to see the new column, Column3 show up in the Object Explorer.
Going back to the Query Window, I type Table1. but Column3 is not available to be selected. Typing it out gives me a syntax error but running a query with the column in it works as expected.
Is there a menu item somewhere that I need to click to get Intellisense to pick up the DDL changes I have made?
Edit -> Intellisense - Refresh Local Cache
That should do it.
Ctrl-Shift-R is the shortcut.
In addition to refreshing the cache you also need to do the following if you haven't already:
Go to Tools >> Options >> Text Editor >> Transact-SQL >> General >> IntelliSense
Check the box Auto List Members and also the box Parameter Information save and restart.
I also highly recommend the Redgate SQL Toolbox if you regularly use SQL Server. SQL Compare and SQL Data Compare and the SQL Prompt5 have saved me lots of time in development.
I have to restart management studio when this happens. Refreshing object explorer doesn't update the intellisense.