I know what I'm looking for is probably a security hole, but since I managed to do it in Oracle and SQL Server, I'll give it a shot:
I'm looking for a way to execute a shell command from a SQL script on MySQL. It is possible to create and use a new stored procedure if necessary.
Notice: I'm not looking for the SYSTEM command which the mysql command line tool offers. Instead I'm looking for something like this:
BEGIN IF
COND1...
EXEC_OS cmd1; ELSE
EXEC_OS cmd2; END;
where EXEC_OS is the method to invocate my code.
This isn't so much an answer to the question as it is justification for this sort of functionality - hence negating those who would say "you should do something else" or "why would you want to".
I have a database which I am trying to keep strict rules on - I don't want orphans anywhere. Referential integrity checks help me with this on the table level, but I have to keep some of the data as files within the filesystem (this is a result from a direct order from my boss to not store any binary data in the database itself).
The obvious solution here is to have a trigger which fires on deletion of a record, which then automatically deletes the associated external file.
Now, I do realise that UDF's may provide a solution, but that seems like a lot of C/C++ work to simply delete a file. Surely the database permissions themselves would provide at least some security from would-be assailants.
Now, I do realise that I could write a shell script or some such which could delete the table record and then go and delete the related file, but again, that's outside the domain of the database itself. As an old instructor once told me "the rules of the business should be reflected in the rules of the database". As one can clearly see, I cannot enforce this using MySQL.
You might want to consider writing your scripts in a more featureful scripting language, like Perl, Python, PHP, or Ruby. All of these languages have libraries to run SQL queries.
There is no built-in method in the stored procedure language for running shell commands. This is considered a bad idea, not only because it's a security hole, but because any effects of shell commands do not obey transaction isolation or rollback, as do the effects of any SQL operations you do in the stored procedure:
START TRANSACTION;
CALL MyProcedure();
ROLLBACK;
If MyProcedure did anything like create or edit a file, or send an email, etc., those operations would not roll back.
I would recommend doing your SQL work in the stored procedure, and do other work in the application that calls the stored procedure.
see do_system() in http://www.databasesecurity.com/mysql/HackproofingMySQL.pdf
According to this post at the forums.mysql.com, the solution is to use the MySQL_Proxy.
Related
I want to create an insert trigger on MySQL which will automatically insert the record into an Oracle database. I would like to know if there are people that have experience to share on this topic.
Cheers
Invoke a script as is done in this example that calls the Oracle code.
Note: you lose support for transactions (there will be no built-in rollback for the Oracle database) when you perform this type of cascading, and you also will take a likely very large performance hit in doing so. The script could turn around and simply call Java code or some other executable that invokes your some generic code to insert into Oracle, or it could be a raw query that gets passed arguments from the script.
This is almost certainly a bad idea because of the odd side-effect behavior, but it's one that can be implemented. I think that you would be much better off having the code to do this against two different DataSources (in Java/.NET speak) rather than have a hidden script in a MySQL trigger that screams unmaintainable, as well as hidden failure for future developers.
I am looking for a tool or a library for Rails to validate/parse queries that could be SQL and/or DDL. Currently, I did not find anything that I could use quickly and easily.
I found Parslet that I can use to define my own SQL/DDL language to validate SQL/DDL statements.
The goal to reach is to have a tool that we can use to validate the SQL/DDL syntax before any run on the database. For example, DDL queries are not transactional with MySQL and therefore, if one statement fails at the middle of a bigger script, we need to restore the database or run the script from the failure point (that is not really userfriendly). If we can, at least, validate the syntax, we will improve our daily work by removing a lot of "stupid" errors.
This post lists a few Ruby SQL parsers you might be interested in taking a look at. This one in particular has a Treetop grammar file you could probably use as a base for your own validations.
I have created a folder that has four scripts namely ScriptA.Sql, ScriptB.Sql, ScriptC.Sql.
The fourth one I want to create MasterScript.Sql that runs all the other scripts in a transaction. How do I accomplish this.
Any ideas and suggestions are appreciated!
I think the best approach is to make in a language other than SQL, such as PowerShell or C# or Python, which interacts well with both files and SQL Server.
However, if you really want to do it as a T-SQL script you can use xp_cmdshell and Osql to call the scripts. Of course, this presumes that xp_cmdshell is enabled on your server, it is disabled by default and can open up security vulnerabilities if enabled.
Edit: Also, depending on your final purpose you could consider converting your scripts into stored procedures and stored procedures invoke each other quite readily in the normal way.
Is it possible to include a Script file (.sh file) inside a stored procedure in Mysql?
If yes, then how?
And if no, then why?
Like #mu is too short said:
You need to install these UDF's from: http://www.mysqludf.org/lib_mysqludf_sys/index.php
Here's the download link: http://www.mysqludf.org/lib_mysqludf_sys/lib_mysqludf_sys_0.0.3.tar.gz
Note that you shell commands will run with the privileges of the MySQL user, not with the privileges of the user that's connecting to MySQL.
For a security point of view this is probably a bad idea.
Note the warning in the link:
A Note of Caution
Be very careful in deciding whether you need this function. UDFs are available to all database users - you cannot grant EXECUTE privileges for them. As the commandstring passed to sys_exec can do pretty much everything, exposing the function poses a very real security hazard.
Even for a benign user, it is possible to accidentally do a lot of damage with it. The call will be executed with the privileges of the os user that runs MySQL, so it is entirely feasible to delete MySQL's data directory, or worse.
The function is intended for specialized MySQL applications where one needs extended control over the operating system. Currently, we do not have UDF's for ftp, email and http, and this function can be used to implement such functionality in case it is really necessary (datawarehouse staging areas could be a case in example).
You have been warned! If you don't see the hazard, please don't try to find it; just trust me on this.
If you do decide to use this library in a production environment, make sure that only specific commands can be run and file access is limited by using AppArmor.
I'm not even sure SQL Server stores this kind of information, but, is it possible to get the username of the person who last modified a particular stored procedure, function, table or view?
Nothing critical, just wondering. Thanks!
If you are using SQL Server 2008, you could use some new features that allow you to put triggers on DDL changes. You can then track, based on the authenticated user, who made the change.
I think these triggers are new to SQL 2008, but they may be available in 2005.
Having said this, ideally you should have your database schema under source control, using a tool like Visual Studio Database Professional. Then you'd have a complete history of who did what and when.
Randy
It doesn't store this information out of the box.
You can use SQL Trace and Event notification (see the corresponding MSDN Article) to log this kind of information by yourself.
I have no experience with these technologies though ...
Definitely put DDL triggers in place. Even if you don't end up using them, or if you end up putting a decent source control system in place, still have the DDL triggers in place so that you can be sure about what's going on.