I am a complete beginner in terms of SSIS packages.
I really want to execute a stored procedure that takes in parameters with different values at each iteration of the foreach loops. So I'm wondering if anyone can give me an example (VERY VERY VERY basic example) on how I can use variables as values inside an Execute SQL Task like this:
UPDATE tbName SET c1 = Var1, C2 = Var2 etc...
OR
#bDate = VarDate1
#eDate = VarDate2
where Var2, VarDate1, VarDate2 are variables in BIDS
First you need to create the stored procedure on the SQL Server end. This is done with a statement like this. After this has been ran a new stored procedure object called "yourProcedure" will exist in the database.
CREATE PROCEDURE yourProcedure
#pKeyVar int, /* declare variables to be passed here */
#pFirstVar varchar(40),
#pSecondVar int,
#pThirdVar decimal(18,2)
AS
BEGIN
Update yourTable Set /* place what will be done here */
Col1 = #pFirstVar,
Col2 = #pSecondVar,
Col3 = #pThirdVar
WHERE KeyColumn = #pKeyVar
END
GO
Once the stored procedure has been created you can call it like this:
exec dbo.yourProcedure 12345, 'string value', 2, 2.05
There are a couple ways to call it from SSIS, but the most common is the Execute SQL Task. You can map the parameters that will be passed to the variables that hold the content and put the task inside your looping logic.
Here is a decent walkthrough of the Execute SQL Task.
Pay close attention to the section on mapping parameters to variables etc. The version of SSIS is 2005 but the concepts are all the same.
Update after comment.
In order to loop through a recordset and obtain values to pass back to the proc you can follow the information as provided in this article.
Related
hi friends i googled for this and find different methods use by others to prevent sql injection. i wrote in below stored procedure before finalising to follow specific method i want suggestion from you guys. which method should i follow.
below is the example of my stored procedure, in which i wrote different methods
CREATE DEFINER=`root`#`localhost` PROCEDURE `spTestSQLInjection`(pSelfId VARCHAR(100),bIntSelfId BIGINT(20))
BEGIN
SET #sSelfId = pSelfId;
-- Method:1
-- below code is for injection
SET #selectQuery = CONCAT('select * from userProfile where userId = ',#sSelfId);
PREPARE stmt FROM #selectQuery;
EXECUTE stmt ;
DEALLOCATE PREPARE stmt;
-- Method:2
-- injection doesent affect below code
select * from userProfile where userId = #sSelfId;
-- Method:3
select * from userProfile where userId = bIntSelfId;
-- Method:4
SET #sSelectQuery=
'select * from userProfile where userId = ? ';
PREPARE stmtQuery FROM #sSelectQuery;
EXECUTE stmtQuery USING #sSelfId;
DEALLOCATE PREPARE stmtQuery;
END
executed below stored procedure in workbench :
1)call spTestSQLInjection('231', 231);
result : when i pass proper data then result set gives single user data for all then 4 method.
2)call spTestSQLInjection('231 OR 1=1', 231);
result : when i pass '231 OR 1=1' data then result set gives all user data for method 1 and single record for method,2,3,4.
so concluded that method1 is prone to sql injection so not to follow this method, as its dynamic query
& its advisable not to write dynamic query in stored procedure.
method2, method3 worked & gave single user record, which means this query are not prone to sql injection.
method4 is adviced by most of the developer to follow this to prevent sql injection in stored procedure. but my
live project contains 20 to 30 queries(insert/update/delete) inside a stored procedure, so writing prepared statement
for all is time consuming.
so guide me to follow which method, method2, method3, or method4
Thanking you in advance, any help will be appreciated.
Methods 2, 3, and 4 are safe from SQL injection, but method 3 is the simplest solution.
CREATE DEFINER=`root`#`localhost` PROCEDURE `spTestSQLInjection`(pSelfId VARCHAR(100), bIntSelfId BIGINT(20))
BEGIN
-- Method:3
select * from userProfile where userId = bIntSelfId;
END
There's no need to create a user-defined variable, because the procedure parameter bIntSelfId is already a variable.
There's no need to use a parameter or a prepared statement in this case, because the variable is treated only as a scalar value. It doesn't need to modify any SQL syntax, nor is it used as an identifier, so it can simply be used in the query as shown above.
This assumes your table does not have its own column with the same name of bIntSelfId. If it did, the use of that identifier would be ambiguous. It's recommended to name your parameters distinctly from any of the columns of tables you will query using that variable. Using a user-defined variable or a query parameter would also avoid the ambiguity.
I have a very basic test stored procedure, shown below. This proc is reading data in a different database, in a different server. To do this I am using a linked server. From what I have read, I need to change the FROM clause to this:
[linked server name].[database name].[schema name].[table name]
However, I would like to pass in the linked server name and database name as parameters and use them in my FROM clause. I am not concerned with injection attacks, etc. I will be passing this in from a config file.
create PROC [dbo].[SelectTEST]
#GU UNIQUEIDENTIFIER,
#LINKED_SERVER_NAME nvarchar(max),
#DATABASE_NAME nvarchar(max)
AS
SET NOCOUNT ON
SET XACT_ABORT ON
BEGIN TRAN
SELECT [GU]
FROM '[' + #LINKED_SERVER_NAME +'].['+ #DATABASE_NAME + '].[Test Table] '
WHERE ([GU] = #GU OR #GU IS NULL)
COMMIT
This is a big mess of syntax errors. Is it possible to pass in these parameters and use in my stored procedure? I would have to make this change to a bunch of different procs, so sorta trying to find the a succinct solution...
I am trying to use a Foreach Loop Container in SSIS to loop through a small set of rows and set the column 'id' to a variable.
I have the following variables:
#startNumber = 5
#maxNumber = 10
Here's how my loop would look in traditional syntax:
for (int i = #startNumber; i > #maxNumber ; i++)
This is the TSQL code I want to run to update my rows:
UPDATE myTable SET id = i
Would I use a Foreach ADO Enumeration?
What would be my source variable?
How would I apply the logic above?
Would I include an Execute TSQL Statment for my update?
Any help is greatly appreciated.
I created a simple control flow to show you what I think you're after
I start with an Execute SQL Task to generate a basic table. You would probably have logic here instead to determine the starting number and/or the terminal value
if not exists
(
SELECT * FROM sys.tables AS T WHERE T.name = 'FLC'
)
BEGIN
CREATE TABLE dbo.FLC
(
currentID int
);
END
3 variables, scoped to package level
I configure the For Loop (not the foreach as your question has tagged) much as one would a classic for loop. Here I'm assigning a value to my SSIS Variable #currentNumber
Within my Execute SQL Task (inside the for loop) I am using #currentNumber as a parameter to my task.
INSERT INTO
dbo.FLC
(
currentID
)
-- OLE DB & ODBC connections use ? for ordinal parameter
-- ADO.NET uses named parameters like #foo
SELECT ? AS currentID;
Can i do something like below, let me know
IF #parameter=1 BEGIN ...query... END IF #parameter=2
Need the correct syntax if it is possible.
It's OLE DB connection.
Not a Stored Proc. just a sql query
DECLARE #param AS INT = ?;
IF #param = 1
BEGIN
SELECT 1 AS Y;
END
ELSE IF #param = 2
BEGIN
SELECT 2 AS Y;
END
There are two question marks in your query and probably you were passing only one variable. I have seen code where developers pass the same value twice (or multiple) times. This is inefficient. A better way is to receive the passed parameters in SSIS variables. Advantages:
1. You need to pass one value only once.
2. More importantly, if you change the order in which the passed parameters are used in the sql, you do not need to change their order on the user-interface of Execute SQL Task Editor//Parameters. This is what Andy Leonard has suggested later in his response.
You can. Assuming you are referring to an Execute SQL Task, the parameters in an Execute SQL Task using an OLE DB connection utilize question marks (?) as parameter placeholders. You map the placeholders to SSIS variables on the Parameter Mapping page of the Execute SQL Task. In the SQLStatement property you would enter:
If (?=1)
begin
... {some T-SQL here} ...
end
If (?=2)
begin
... {some T-SQL here} ...
end
That's one way to accomplish what I think you are asking.
Another way is to create an Execute SQL Task to read the value of #parameter from the database into an SSIS variable. Then you can build two Execute SQL Tasks - one with each option for T-SQL as the SQLStatement property - and use expressions on precedent constraints to determine which Execute SQL Task to execute.
Hope this helps,
:{>
You cannot use Execute SQL Task to run Transact-SQL statements.
For setting conditional SQL Statement based on what you are trying to achieve.
In Execute SQL Task editor
In general tab, leave the SQLStatement blank.
In parameter mapping tab, add parameter and map User::Parameter variable to Parameter Name 0.
In Expression tab, set the SQLStatementSource to
(DT_NUMERIC, 18, 0) #[User::Parameter]==1 ? ...query 1... : ...query 2...
[SQL Server 2008 Std]
I have a stored procedure that is used to insert new data into a table, which works as expected. However I now need to call this stored procedure multiple times using the results of a query as the parameters.
e.g.
select
name, age, foo, bar
from
sometable
where
wobble = 'true'
exec insertProc name age foo bar
I know I can use a cursor to acheive this, but I keep reading that "cursors are bad"...but I don't know any other way to do this?
One solution is to use cursor. Other is to prepare your result set into temp table before calling the procedure and then supply it to the procedure ( you have to alter the procedure by adding table-value param as input param). Some info in msdn.