MySQL SQL commands can contain user variables that start with '#'.
The MySQL ADO.NET connector also uses '#' for command parameters.
Is there a way to escape the '#' character so I can use a user-variable in an SQL statement sent to MySQL via ADO.NET?
I'm trying to do something like this:
UPDATE company
SET next_job_id = #jobid:=next_job_id+1
WHERE company_id = #companyid;
SELECT #jobid;
Where #jobid is a MySQL user variable and #companyid is a parameter.
It's a connection string option - "Allow User Variables=true"
When set to true, parameters are prefixed with '?'.
Update: I've written up more on this, including how to get this to work with ADO.NET and Subsonic. See Here.
Related
I am using classic ASP and MySQL (using PHP wouldn't change the point of the question).
I need to set a variable over my homepage:
SET block_encryption_mode = 'aes-256-cbc'
I can not set it as global variable as other users are using the server and may use the default block_encryption_mode.
I know I can use the statement using ASP/PHP on the beginning of each webpage, but that seems like using too much resources; every user will execute the SET statement on every page...
Is there a way to SET variable or execute some other SQL statement at the beggining on each session, like an onstart event like ASP has, maybe? Or how could I achieve my goal without executing the query for each user on every page I have?
You can use the init_connect variable.
A string to be executed by the server for each client that connects. The string consists of one or more SQL statements, separated by semicolon characters.
You can also distinguish the users with code like this:
IF (CURRENT_USER() = 'special_crypto_dude#localhost') THEN
SET SESSION block_encryption_mode = 'aes-256-cbc';
END IF;
It is safe to call SET on every page as it executes in orders of microseconds. There is literally no overhead calling SET on already open connection.
Unless you can apply this setting globally, I would not bother. Just set the block_encryption_mode (together with collation and timezone) directly after acquiring the database connection handle.
I'm trying to map a parameter and variables to a SQL statement within a SQL Task
I'm connecting to an oracle DB - the connection is working fine.
My SQL Statement is:
insert into ? values(?,?)
I map package parameter: Param1 to (parametername) 0 in the mapping screen
variable1 to (parametername) 1 in the mapping screen and variable2 to (parametername) 3
Both the parameter and variables are datatype VARCHAR, and values are:
p1 = 'TEST_TABLE
v1 = 'TEST'
v2 = 'TEST'
However, I get an error "parameters no mapped correctly"
If I enter a sql statement like: insert into TEST_TABLE values('TEST','TEST') the record is inserted into the oracle database successfully.
Any ideas?
None of the connection managers available to the Execute SQL Task support parameterizing the table name, which is what you're trying to do with the first "parameter" in your query insert into ? values(?,?) (For further details, see "Using Parameter Names and Markers" in the MSDN article Parameters and Return Codes in the Execute SQL Task.)
The generally acceptend solution is to build the insert string on the fly and execute it. Here's an example: Using Tablename as variable in ssis
I have to connect to many Foxpro databases that have a connection string like:
Data Source=\\All Users\\DB0009\db1.dbc;User ID=xxx;Password=yyy;Provider=VFPOLEDB.1;Persist Security Info=True;
where the folder DB0009 can be any integer from 0000 to 0100 and the db1.dbc can be either db1.dbc or db2.dbc for each folder.
For each connection string, I need to build a simple SQL statement that is identical for every database except for a hardcoded year. So the sql is: select *, '2012' from table
I'd like to be able to store both the connection string AND the year for each connection string in a sql table that can be looked up at run time.
I am using SSIS 2008. I'm guessing based on what i've seen that i can use the foreach loop with the enumerator set as the ADO Enumerator (though i wouldn't mind confirmation there), but how can i pull the year off of that same table and put it into the sql query i have inside a data flow task?
Thanks for any help!
Kary
You could do the following steps:
Create the foreach loop to get the connection string and year values into variables.
create a connection manager and, using an expression, set the connection string property to your connection string variable.
Create another variable with an expression that creates your SQL command with the year variable (dynamic SQL command string).
use the execute SQL task to execute this within your foreach.
Here's a link to a blog on mapping the parameter inside the Execute SQL Task that should be helpful. http://www.rafael-salas.com/2007/11/ssis-mapping-parameter-inside-of.html
Does anyone know what something like OR 1# means in the context of mysql injection?
It is MySQL's version of the line comment delimiter. In standard SQL, the line comment delimiter is --.
-- This is a standard SQL comment.
# This is a MySQL comment.
So in the context of SQL injection, if the attacker knows you're using MySQL he may use it to abruptly terminate the malicious SQL statement, causing MySQL to ignore whatever is behind the # and execute only the stuff that comes before it. This is only effective against single-line SQL statements, however. Here's an example:
Input:
Username: fake' OR 1#
Password: pass
Resultant SQL:
SELECT * FROM users WHERE username = 'fake' OR 1#' AND password = 'pass'
Which is executed as this, which returns every row:
SELECT * FROM users WHERE username = 'fake' OR 1
This is the start of a comment. It means that anything after that will be skipped by the parser.
I want to drop a lot of SPs from my SQL Server database. However, I want to write "Delete all procedures except those which contain a certain string in their name".
How can I do this? I am using SQL Server 2008 R2.
Thank
What about:
SELECT 'DROP PROCEDURE ' + name
FROM sysobjects WHERE xtype = 'U' AND
name LIKE 'usp_%' -- Here you'll define your criteria
After running this, you just need to execute this command output.