Search Results

Search found 27339 results on 1094 pages for 'sql tempdb'.

Page 78/1094

  • Are Parameters really enough to prevent Sql injections?

    - by Rune Grimstad
    I've been preaching both to my colleagues and here on SO about the goodness of using parameters in SQL queries, especially in .NET applications. I've even gone so far as to promise them as giving immunity against SQL injection attacks. But I'm starting to wonder if this really is true. Are there any known SQL injection attacks that will be successful against a parameterized query? Can you for example send a string that causes a buffer overflow on the server? There are of course other considerations to make to ensure that a web application is safe (like sanitizing user input and all that stuff) but now I am thinking of SQL injections. I'm especially interested in attacks against MsSQL 2005 and 2008 since they are my primary databases, but all databases are interesting. Edit: To clarify what I mean by parameters and parameterized queries. By using parameters I mean using "variables" instead of building the sql query in a string. So instead of doing this: SELECT * FROM Table WHERE Name = 'a name' We do this: SELECT * FROM Table WHERE Name = @Name and then set the value of the @Name parameter on the query / command object.

  • How to escape simple SQL queries in C# for SqlServer

    - by sri
    I use an API that expects a SQL string. I take a user input, escape it and pass it along to the API. The user input is quite simple. It asks for column values. Like so: string name = userInput.Value; Then I construct a SQL query: string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", name.Replace("'", "''")); Is this safe enough? If it isn't, is there a simple library function that makes column values safe: string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", SqlSafeColumnValue(name)); The API uses SQLServer as the database. Thanks.

  • convert sql to linq sample

    - by Jeroen Breuer
    Hello, I've got a sql statement, but I can't get it working in linq. Can someone show me how I can write the following sql statement as linq? SELECT * FROM mobileApplication LEFT JOIN videoMobile ON mobileApplication.id = videoMobile.mobileApplicationId AND videoMobile.videoId = 257 It's a left join with a where statement on the right table. It works in sql server 2005, but I'd like to write it in linq.

  • sync data from main sql server into sql ce databases

    - by diver-d
    Hi there, I am wanting to sync data between a sql 2008 db and some sql ce. It's only a one way requirement so when data is updated in the main sql server the updates are sent to the ce databases. Is this easy to set up with the sync framework? I was able to find a demo however I couldn't compile it

  • Query performance difference pl/sql forall insert and plain SQL insert

    - by user289429
    We have been using temporary table to store intermediate results in pl/sql Stored procedure. Could anyone tell if there is a performance difference between doing bulk collect insert through pl/sql and a plain SQL insert. Insert into or Cursor for open cursor fetch cursor bulk collect into collection Use FORALL to perform insert Which of the above 2 options is better to insert huge amount of temporary data?

  • Generate SQL server scripts from command line?

    - by Luke Sampson
    In Microsoft SQL Server Management Studio 2008 there is a "Generate scripts..." option under the Tasks menu. I'm just wondering if this tool is available from the command line somehow? It looks similar to the sqlpubwiz.exe command line tool that was available for SQL Server 2005, but I can't find this executable anywhere in the SQL 2008 installation.

  • Insert multiple values using INSERT INTO

    - by Ben McCormack
    In SQL Server 2005, I'm trying to figure out why I'm not able to insert multiple fields into a table. The following query, which inserts one record, works fine: INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID] ,[Description]) VALUES (1000,N'test') However, the following query, which specifies more than one value, fails: INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID] ,[Description]) VALUES (1000,N'test'),(1001,N'test2') I get this message: Msg 102, Level 15, State 1, Line 5 Incorrect syntax near ','. When I looked up the help for INSERT in SQL Server Management Studio, one of their examples showed using the "Values" syntax that I used (with groups of values in parentheses and separated by commas). The help documentation I found in SQL Server Management Studio looks like it's for SQL Server 2008, so perhaps that's the reason that the insert doesn't work. Either way, I can't figure out why it won't work.

  • SQL Server Profiler Implementation Using C#/VB.net

    - by Asim Sajjad
    I want to implement SQL Server Profiler in a C#/VB.net application. Does anyone have a good example of it? I have searched on Google but didn't find a good working example. I don't have the SQL Server Profiler tool on my system and also don't have SQL Server (it is on a different system). How can I create a profiler of my own?

  • C# connect to domain SQL Server 2005 from non-domain machine

    - by user304582
    Hi, I asked a question a few days ago (http://stackoverflow.com/questions/2795723/access-to-sql-server-2005-from-a-non-domain-machine-using-windows-authentication) which got some interesting, but not usable suggestions. I'd like to ask the question again, but make clear what my constraints are: I have a Windows domain within which a machine is running SQL Server 2005 and which is configured to support only Windows authentication. I would like to run a C# client application on a machine on the same network, but which is NOT on the domain, and access a database on the SQL Server 2005 instance. I CANNOT create or modify OS or SQL Server users on either machine, and I CANNOT make any changes to permissions or impersonation, and I CANNOT make use of runas. I know that I can write Perl and Java applications that can connect to the SQL Server database using only these four parameters: server name, database name, username (in the form domain\user), and password. In C# I have tried various things around: string connectionString = "Data Source=server;Initial Catalog=database;User Id=domain\user;Password=password"; SqlConnection connection = new SqlConnection(connectionString); connection.Open(); and tried setting integrated security to true and false, but nothing seems to work. Is what I am trying to do simply impossible in C#? Thanks for any help, Martin

  • MySQL to SQL Server - Incorrect syntax near the keyword 'mictest'

    - by Champi Ardon
    First, I tried to migrate my databases with SQL Server Migration Assistant for MySql and it worked fine. But now, I have some problems with my code. I had this line on the MySQL version: $fct="SELECT * FROM `users` WHERE `USER` LIKE CONVERT( _utf8 '$LOGIN' USING latin1 ) COLLATE latin1_swedish_ci AND `PASS` LIKE CONVERT( _utf8 '$PASS'USING latin1 ) COLLATE latin1_swedish_ci"; This line worked fine but when I try to put this on my SQL Server version I get: Error : SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax with the keyword 'mictest'. (which is my $LOGIN) I thought it was a problem with "quotes" so I also tried this but it is not working: $fct="SELECT * FROM users WHERE USER LIKE CONVERT( _utf8 '$LOGIN' USING latin1 ) COLLATE latin1_swedish_ci AND PASS LIKE CONVERT( _utf8 '$PASS' USING latin1 ) COLLATE latin1_swedish_ci";

  • SQL Server, Remote Stored Procedure, and DTC Transactions

    - by marc
    Our organization has a lot of its essential data in a mainframe Adabas database. We have ODBC access to this data and from C# have queried/updated it successfully using ODBC/Natural "stored procedures". What we'd like to be able to do now is to query a mainframe table from within SQL Server 2005 stored procs, dump the results into a table variable, massage it, and join the result with native SQL data as a result set. The execution of the Natural proc from SQL works fine when we're just selecting it; however, when we insert the result into a table variable SQL seems to be starting a distributed transaction that in turn seems to be wreaking havoc with our connections. Given that we're not performing updates, is it possible to turn off this DTC-escalation behavior? Any tips on getting DTC set up properly to talk to DataDirect's (formerly Neon Systems) Shadow ODBC driver?

  • Does VS2010 not install SQL Server during installation

    - by Greg
    Hi, Just confirming - does VS2010 not install SQL Server during installation? I'm assuming no. This being the case I therefore need to download a copy of SQL Express 2005 or something to develop against on my Windows XP Home PC? Is this correct? Or would the Dev edition of SQL Server 2005 run/install on Windows XP Home? Thanks

  • SQL Server 2005 Fail: Return Dates As Strings

    - by Abs
    Hello all, I am using the SQL Server PHP Driver, I think this question can be answered without knowing what this is. I have come across this many times, what does it mean by NAMES? Column names?: SET NAMES utf8 Is there a query similar to the above that will get my dates to be returned as a string? For some reason on my SQL Server 2008 on Vista, this works: $connectionInfo = array('Database' => $dbname, 'ReturnDatesAsStrings' => true) But the above 'ReturnDatesAsStrings' does not work on my SQL Server 2005 on a Windows Server machine? I can't execute any queries after setting the above! Does SQL Server 2005 support ReturnDatesAsStrings? Is there some other parameter I can pass to do the same? Thanks all for any help. EDIT: I should have mentioned this but if there is a solution I am hoping for one that is in the form of a setting that can be set before any queries can be executed as I do not have control on what queries will be executed.

  • What are the pros and cons to keeping SQL in Stored Procs versus Code

    - by Guy
    What are the advantages/disadvantages of keeping SQL in your C# source code or in Stored Procs? I've been discussing this with a friend on an open source project that we're working on (C# ASP.NET Forum). At the moment, most of the database access is done by building the SQL inline in C# and calling to the SQL Server DB. So I'm trying to establish which, for this particular project, would be best. So far I have:

    Advantages for in Code:
      - Easier to maintain - don't need to run a SQL script to update queries
      - Easier to port to another DB - no procs to port

    Advantages for Stored Procs:
      - Performance
      - Security

  • Handle multiple db updates from c# in SQL Server 2008

    - by joeriks
    I'd like to find a way to handle multiple updates to a sql db (with one single db roundtrip). I read about table-valued parameters in SQL Server 2008 http://www.codeproject.com/KB/database/TableValueParameters.aspx which seems really useful. But it seems I need to create both a stored procedure and a table type to use it. Is that true? Perhaps due to security? I would like to run a text query simply like this: var sql = "INSERT INTO Note (UserId, note) SELECT * FROM @myDataTable"; var myDataTable = ... some System.Data.DataTable ... var cmd = new System.Data.SqlClient.SqlCommand(sql, conn); var param = cmd.Parameters.Add("@myDataTable", System.Data.SqlDbType.Structured); param.Value=myDataTable; cmd.ExecuteNonQuery(); So A) do I have to create both a stored procedure and a table type to use TVP's? and B) what alternative method is recommended to send multiple updates (and inserts) to SQL Server?

  • Help finding old sql tool that rewrote queries

    - by crosenblum
    There was this old sql server tool called Lectoneth or something like that, you'd put sql queries in it, and it would rewrite it for you. I think quest bought them out, but I can't find where to download a free copy of that software. Really helps when you have no dba, and have lots of sql queries to rewrite. Thanks Craig

  • Best practices or tools for installing a SQL Server database

    - by Maestro1024
    I have a SQL Server database designed with the SQL Server GUI database editor/Visual Studio. What is the best way to "install" that database on other systems? Said another way, how should I ship this thing? I know I can save the scripts and set the primary/foreign keys with T-SQL but I suspect there is something better. I guess you could have people restore from backup but that does not seem very professional. What other choices are there and what are the pluses and minuses?

  • Please help me to write the sql

    - by Lu Lu
    Hello everyone, I am new to T-SQL. So, please help me to write the sql. I have table Price (Code column is primary column):

        Code  Value
        A1    234
        A2    525
        A3    566

    I will input a string and the sql needs to return a table.

    Ex1: input 'A2' - return:

        Code  Value
        A2    525

    Ex2: input 'A1 A3' - return:

        Code  Value
        A1    234
        A3    566

    Ex3: input 'A1 A3 A1' - return:

        Code  Value
        A1    234
        A3    566

    Ex4: input 'A1 A4' - return:

        Code  Value
        A1    234

    Please help me. I am using SQL Server 2005. Tks.

  • In MSSQL, how do I create a reference variable to a table?

    - by Jón Trausti
    Hello. I'm currently using sp_executesql to execute a T-SQL statement with a dynamic table name. However, it is really ugly to see something like: set sql = 'UPDATE '+Table_Name+' SET ... WHERE '+someVar+' = ... AND '+someVar2+' = ...' sp_executesql sql What I would rather like to have is a TABLE variable which is a reference to a table, so I could do for example: UPDATE TableRef SET ... WHERE ... Because when I have really long T-SQL statements it gets really hard to read due to the format of it within a string. Any suggestions would be helpful. Thanks!

  • Connecting to SQL Database from another computer

    - by yomayne
    I'm new to SQL Server, and have been following this tutorial. I carefully followed all the steps, but when I try to connect to the database from the other computer, I get the error "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. (Microsoft SQL Server, Error: 18452)" What steps do I need to take to fix this? Thanks (I'm using SQL Server 2008 R2 on both the machines)

  • sql server 2008 takes a lot of memory?

    - by Ahmed Said
    I am making a stress test on my database, which is hosted on SQL Server 2008 64-bit running on a 64-bit machine with 10 GB of RAM. I have 400 threads; each thread queries the database every second, but the query does not take time, as the sql profiler says. After 18 hours, though, sql takes 7.2 GB RAM and 7.2 on virtual memory. Is this normal behavior? And how can I adjust sql to clean up memory that is not in use?
