Search Results

Search found 84007 results on 3361 pages for 'sql system table'.

Page 95/3361

  • Parameterized SQL statements vs. very simple method

    - by Philipp G
    When I started to write the first SQL statements in my programs I felt quite comfortable with protecting myself against SQL injection with a very simple method that a colleague showed me. It replaced all single quotes with two single quotes. So for example there is a search field in which you can enter a customer name to search in the customer table. If you entered Peter's Barbershop the SELECT statement would look like:

        SELECT * FROM Customers WHERE Customername = 'Peter''s Barbershop'

    If an attacker now inserted this:

        ';DROP TABLE FOO; --

    the statement would look like:

        SELECT * FROM Customers WHERE Customername = ''';DROP TABLE FOO;--'

    It would not drop any table, but search the customer table for the customer name ';DROP TABLE FOO;-- which, I suppose, won't be found ;-) Now after a while of writing statements and protecting myself against SQL injection with this method, I read that many developers use parameterized statements, but I never read an article where "our" method was used. So definitely there is a good reason for it. What scenarios would parameterized statements cover but our method doesn't? What are the advantages of parameterized statements compared to our method? Thanks Philipp


  • SQL Server lock/hang issue

    - by mattwoberts
    Hi, I'm using SQL Server 2008 on Windows Server 2008 R2, all sp'd up. I'm getting occasional issues with SQL Server hanging with the CPU usage on 100% on our live server. It seems all the wait time on SQL Server when this happens is given to SOS_SCHEDULER_YIELD. Here is the stored proc that causes the hang. I've added the "WITH (NOLOCK)" in an attempt to fix what seems to be a locking issue.

        ALTER PROCEDURE [dbo].[MostPopularRead]
        AS
        BEGIN
            SET NOCOUNT ON;
            SELECT c.ForeignId
                 , ct.ContentSource as ContentSource
                 , sum(ch.HitCount * hw.Weight) as Popularity
                 , (sum(ch.HitCount * hw.Weight) * 100) / @Total as Percent
                 , @Total as TotalHits
            from ContentHit ch WITH (NOLOCK)
            join [Content] c WITH (NOLOCK) on ch.ContentId = c.ContentId
            join HitWeight hw WITH (NOLOCK) on ch.HitWeightId = hw.HitWeightId
            join ContentType ct WITH (NOLOCK) on c.ContentTypeId = ct.ContentTypeId
            where ch.CreatedDate between @Then and @Now
            group by c.ForeignId, ct.ContentSource
            order by sum(ch.HitCount * hw.HitWeightMultiplier) desc
        END

    The stored proc reads from the table "ContentHit", which is a table that tracks when content on the site is clicked (it gets hit quite frequently - anything from 4 to 20 hits a minute). So it's pretty clear that this table is the source of the problem. There is a stored proc that is called to add hit tracks to the ContentHit table; it's pretty trivial, it just builds up a string from the params passed in, which involves a few selects from some lookup tables, followed by the main insert:

        BEGIN TRAN
        insert into [ContentHit] (ContentId, HitCount, HitWeightId, ContentHitComment)
        values (@ContentId, isnull(@HitCount,1), isnull(@HitWeightId,1), @ContentHitComment)
        COMMIT TRAN

    The ContentHit table has a clustered index on its ID column, and I've added another index on CreatedDate since that is used in the select. When I profile the issue, I see the stored proc executes for exactly 30 seconds, then the SQL timeout exception occurs. If it makes a difference the web application using it is ASP.NET, and I'm using Subsonic (3) to execute these stored procs. Can someone please advise how best I can solve this problem? I don't care about reading dirty data... Thanks


  • Are Parameters really enough to prevent Sql injections?

    - by Rune Grimstad
    I've been preaching both to my colleagues and here on SO about the goodness of using parameters in SQL queries, especially in .NET applications. I've even gone so far as to promise them as giving immunity against SQL injection attacks. But I'm starting to wonder if this really is true. Are there any known SQL injection attacks that will be successful against a parameterized query? Can you for example send a string that causes a buffer overflow on the server? There are of course other considerations to make to ensure that a web application is safe (like sanitizing user input and all that stuff) but now I am thinking of SQL injections. I'm especially interested in attacks against MsSQL 2005 and 2008 since they are my primary databases, but all databases are interesting. Edit: To clarify what I mean by parameters and parameterized queries. By using parameters I mean using "variables" instead of building the sql query in a string. So instead of doing this:

        SELECT * FROM Table WHERE Name = 'a name'

    We do this:

        SELECT * FROM Table WHERE Name = @Name

    and then set the value of the @Name parameter on the query / command object.


  • t-sql grouping query

    - by stackoverflowuser
    Hi, based on the following table:

        Name
        ---------
        A
        A
        A
        B
        B
        C
        C
        C

    I want to add another column to this table called 'OnGoing' and the values should alternate for each group of names. There are only two values 'X' and 'Y'. So the table will look like:

        Name    OnGoing
        ----------------
        A       X
        A       X
        A       X
        B       Y
        B       Y
        C       X
        C       X
        C       X

    How do I write such a query that can alternate the values for each group of names?


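    An added example (not from the post above) of the alternating-group assignment, run against an in-memory SQLite table constructed here with the post's Name values. The idea is to number the distinct names in sorted order and take that number modulo 2: in T-SQL that is DENSE_RANK() OVER (ORDER BY Name) % 2; the correlated COUNT(DISTINCT ...) subquery below computes the same rank without window functions so it runs on any SQLite build.

```python
import sqlite3

# Added example (not from the post). The table and its rows are constructed here.


def alternating_groups(names):
    """Add an OnGoing column and fill it with 'X'/'Y' alternating per distinct Name.

    Returns the (Name, OnGoing) rows ordered by Name.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (Name TEXT NOT NULL, OnGoing TEXT)")
    conn.executemany("INSERT INTO t (Name) VALUES (?)", [(n,) for n in names])
    # Rank of a group = number of distinct names sorting at or before it
    # (what DENSE_RANK() OVER (ORDER BY Name) gives in T-SQL).
    # Odd rank -> 'X', even rank -> 'Y', so consecutive groups alternate.
    conn.execute(
        """
        UPDATE t
        SET OnGoing = CASE
            WHEN (SELECT COUNT(DISTINCT t2.Name) FROM t AS t2 WHERE t2.Name <= t.Name) % 2 = 1
            THEN 'X' ELSE 'Y' END
        """
    )
    return conn.execute("SELECT Name, OnGoing FROM t ORDER BY Name").fetchall()


if __name__ == "__main__":
    for row in alternating_groups(["A", "A", "A", "B", "B", "C", "C", "C"]):
        print(row)
```

    Because the rank is derived from the sort order of the names rather than from physical row order, the result is the same whether or not the rows were inserted sorted.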
  • Query performance difference pl/sql forall insert and plain SQL insert

    - by user289429
    We have been using a temporary table to store intermediate results in a PL/SQL stored procedure. Could anyone tell if there is a performance difference between doing a bulk collect insert through PL/SQL and a plain SQL insert?

    1. Insert into
    2. Cursor for: open cursor, fetch cursor bulk collect into collection, use FORALL to perform insert

    Which of the above 2 options is better to insert a huge amount of temporary data?


  • convert sql to linq sample

    - by Jeroen Breuer
    Hello, I've got a sql statement, but I can't get it working in linq. Can someone show me how I can write the following sql statement as linq?

        SELECT *
        FROM mobileApplication
        LEFT JOIN videoMobile ON mobileApplication.id = videoMobile.mobileApplicationId AND videoMobile.videoId = 257

    It's a left join with a where statement on the right table. It works in sql server 2005, but I'd like to write it in linq.


  • How to escape simple SQL queries in C# for SqlServer

    - by sri
    I use an API that expects a SQL string. I take a user input, escape it and pass it along to the API. The user input is quite simple. It asks for column values. Like so:

        string name = userInput.Value;

    Then I construct a SQL query:

        string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", name.Replace("'", "''"));

    Is this safe enough? If it isn't, is there a simple library function that makes column values safe:

        string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", SqlSafeColumnValue(name));

    The API uses SQLServer as the database. Thanks.


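    An added example (not from any of the three posts above, by Philipp G, Rune Grimstad and sri) that runs the "double the single quotes" method and a parameterized query side by side against an in-memory SQLite database. The Customers and Secrets tables, their rows and the function names are constructed for the demonstration. It shows the three things those posts are asking about: quote doubling holds up in a quoted string context; it does nothing when the value is spliced into an unquoted numeric context, where no quote is needed to break out; and parameters close that hole, yet they are not input validation, so LIKE wildcards (and, on the server side, any dynamic SQL that a stored procedure builds by concatenating its arguments) still pass straight through. SQLite does not treat backslash as an escape character, so the further gap that quote doubling has on MySQL (where a backslash can neutralise the doubled quote) does not show up here.

```python
import sqlite3

# Added example (not from any of the posts). The Customers and Secrets tables
# and their rows are constructed here purely for the demonstration.


def quote_double(value: str) -> str:
    """The 'simple method' from the posts: double every single quote."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Customers (CustomerId INTEGER PRIMARY KEY, Customername TEXT);
        INSERT INTO Customers VALUES (1, 'Peter''s Barbershop');
        INSERT INTO Customers VALUES (2, 'Acme Ltd');
        CREATE TABLE Secrets (Id INTEGER PRIMARY KEY, Token TEXT);
        INSERT INTO Secrets VALUES (1, 'hunter2');
        """
    )
    return conn


def search_by_name_escaped(conn, name: str) -> list:
    """String context: the value sits between quotes, so doubling quotes is enough here."""
    sql = "SELECT Customername FROM Customers WHERE Customername = '%s'" % quote_double(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, customer_id: str) -> list:
    """Numeric context: the value is not quoted, so quote doubling changes nothing."""
    sql = "SELECT Customername FROM Customers WHERE CustomerId = %s" % quote_double(customer_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, customer_id) -> list:
    """Parameterized: the value is bound as data and never parsed as SQL."""
    sql = "SELECT Customername FROM Customers WHERE CustomerId = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def search_like_param(conn, pattern: str) -> list:
    """Parameterized LIKE: injection-proof, but '%' and '_' in the input still act as wildcards."""
    sql = "SELECT Customername FROM Customers WHERE Customername LIKE ?"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

    The numeric-context case is the one the escaping approach misses entirely: the input `1 OR 1=1` contains no quote, so there is nothing to double, and it returns every customer; `0 UNION SELECT Token FROM Secrets` reads a different table. The same inputs bound as parameters match nothing, because the engine compares the column against the literal text rather than parsing it.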
  • sync data from main sql server into sql ce databases

    - by diver-d
    Hi there, I want to sync data between a SQL 2008 db and some SQL CE databases. It's only a one-way requirement, so when data is updated in the main SQL server the updates are sent to the CE databases. Is this easy to set up with the Sync Framework? I was able to find a demo, however I couldn't compile it.


  • Generate SQL server scripts from command line?

    - by Luke Sampson
    In Microsoft SQL Server Management Studio 2008 there is a "Generate scripts..." option under the Tasks menu. I'm just wondering if this tool is available from the command line somehow? It looks similar to the sqlpubwiz.exe command line tool that was available for SQL Server 2005, but I can't find this executable anywhere in the SQL 2008 installation.


  • Insert multiple values using INSERT INTO

    - by Ben McCormack
    In SQL Server 2005, I'm trying to figure out why I'm not able to insert multiple rows into a table. The following query, which inserts one record, works fine:

        INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID], [Description])
        VALUES (1000, N'test')

    However, the following query, which specifies more than one row of values, fails:

        INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID], [Description])
        VALUES (1000, N'test'), (1001, N'test2')

    I get this message:

        Msg 102, Level 15, State 1, Line 5
        Incorrect syntax near ','.

    When I looked up the help for INSERT in SQL Server Management Studio, one of their examples showed using the "Values" syntax that I used (with groups of values in parentheses and separated by commas). The help documentation I found in SQL Server Management Studio looks like it's for SQL Server 2008, so perhaps that's the reason that the insert doesn't work. Either way, I can't figure out why it won't work.


  • SQL Server Profiler Implementation Using C#/VB.net

    - by Asim Sajjad
    I want to implement SQL Server Profiler in a C#/VB.net application. Does anyone have a good example of it? I have searched on Google but didn't find a good working example. I don't have the SQL Server Profiler tool on my system and also don't have SQL Server (it is on a different system). How can I create a profiler of my own?


  • T-SQL query with date range

    - by Moo
    Hi, I have a fairly weird 'bug' with a simple query, and I vaguely remember reading the reason for it somewhere a long time ago but would love someone to refresh my memory. The table is a basic ID, Datetime table. The query is:

        select ID, Datetime from Table where Datetime <= '2010-03-31 23:59:59'

    The problem is that the query results include results where the Datetime is '2010-04-01 00:00:00'. The next day. Which it shouldn't. Anyone? Cheers Moo


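    An added example (not from the post above) of one common cause of that symptom and of the query shape that avoids it. The post does not say what type the Datetime column is, so this is an assumption: SQL Server's smalldatetime has one-minute precision and rounds seconds of 30 and above up, and that rounding is applied to the literal '2010-03-31 23:59:59' as well, turning it into midnight on 1 April. The half-open form (>= start AND < next day) does not depend on the column's precision at all. The table, its four rows and the function names are constructed here, on SQLite with ISO-8601 text timestamps.

```python
import sqlite3
from datetime import datetime, timedelta

# Added example (not from the post). The Events table and its rows are
# constructed here; timestamps are ISO-8601 text so string order is time order.

FMT = "%Y-%m-%d %H:%M:%S"


def round_to_minute(ts: str) -> str:
    """Mimic SQL Server smalldatetime: one-minute precision, seconds >= 30 round up.

    A literal bound against a smalldatetime column gets this treatment too, so
    '2010-03-31 23:59:59' becomes '2010-04-01 00:00:00'.
    """
    dt = datetime.strptime(ts, FMT)
    base = dt.replace(second=0, microsecond=0)
    if dt.second >= 30:
        base += timedelta(minutes=1)
    return base.strftime(FMT)


def make_table() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events (ID INTEGER PRIMARY KEY, Datetime TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO Events (ID, Datetime) VALUES (?, ?)",
        [
            (1, "2010-03-31 10:15:00"),
            (2, "2010-03-31 23:59:00"),
            (3, "2010-04-01 00:00:00"),  # the row the poster did not expect to see
            (4, "2010-04-01 08:30:00"),
        ],
    )
    return conn


def ids_up_to(conn, end_inclusive: str) -> list:
    """The post's closed-range query, with the bound rounded as smalldatetime would round it."""
    bound = round_to_minute(end_inclusive)
    sql = "SELECT ID FROM Events WHERE Datetime <= ? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (bound,))]


def ids_before(conn, end_exclusive: str) -> list:
    """Half-open range: 'strictly before the next day's midnight' is right at any precision."""
    sql = "SELECT ID FROM Events WHERE Datetime < ? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (end_exclusive,))]
```

    With the rounded bound the closed range returns IDs 1, 2 and 3; `ids_before(conn, "2010-04-01 00:00:00")` returns only 1 and 2, and keeps doing so if the column is later changed to a higher-precision type.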
  • C# connect to domain SQL Server 2005 from non-domain machine

    - by user304582
    Hi, I asked a question a few days ago (http://stackoverflow.com/questions/2795723/access-to-sql-server-2005-from-a-non-domain-machine-using-windows-authentication) which got some interesting, but not usable suggestions. I'd like to ask the question again, but make clear what my constraints are: I have a Windows domain within which a machine is running SQL Server 2005 and which is configured to support only Windows authentication. I would like to run a C# client application on a machine on the same network, but which is NOT on the domain, and access a database on the SQL Server 2005 instance. I CANNOT create or modify OS or SQL Server users on either machine, and I CANNOT make any changes to permissions or impersonation, and I CANNOT make use of runas. I know that I can write Perl and Java applications that can connect to the SQL Server database using only these four parameters: server name, database name, username (in the form domain\user), and password. In C# I have tried various things around:

        string connectionString = @"Data Source=server;Initial Catalog=database;User Id=domain\user;Password=password";
        SqlConnection connection = new SqlConnection(connectionString);
        connection.Open();

    and tried setting integrated security to true and false, but nothing seems to work. Is what I am trying to do simply impossible in C#? Thanks for any help, Martin


  • MySQL to SQL Server - Incorrect syntax near the keyword 'mictest'

    - by Champi Ardon
    First, I tried to migrate my databases with SQL Server Migration Assistant for MySQL and it worked fine. But now, I have some problems with my code. I had this line on the MySQL version:

        $fct="SELECT * FROM `users` WHERE `USER` LIKE CONVERT( _utf8 '$LOGIN' USING latin1 ) COLLATE latin1_swedish_ci AND `PASS` LIKE CONVERT( _utf8 '$PASS' USING latin1 ) COLLATE latin1_swedish_ci";

    This line worked fine but when I try to put this on my SQL version I get:

        Error : SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax with the keyword 'mictest'.

    (which is my $LOGIN) I thought it was a problem with "quotes" so I also tried this but it is not working:

        $fct="SELECT * FROM users WHERE USER LIKE CONVERT( _utf8 '$LOGIN' USING latin1 ) COLLATE latin1_swedish_ci AND PASS LIKE CONVERT( _utf8 '$PASS' USING latin1 ) COLLATE latin1_swedish_ci";


  • SQL Server, Remote Stored Procedure, and DTC Transactions

    - by marc
    Our organization has a lot of its essential data in a mainframe Adabas database. We have ODBC access to this data and from C# have queried/updated it successfully using ODBC/Natural "stored procedures". What we'd like to be able to do now is to query a mainframe table from within SQL Server 2005 stored procs, dump the results into a table variable, massage it, and join the result with native SQL data as a result set. The execution of the Natural proc from SQL works fine when we're just selecting it; however, when we insert the result into a table variable SQL seems to be starting a distributed transaction that in turn seems to be wreaking havoc with our connections. Given that we're not performing updates, is it possible to turn off this DTC-escalation behavior? Any tips on getting DTC set up properly to talk to DataDirect's (formerly Neon Systems) Shadow ODBC driver?


  • Handle multiple db updates from c# in SQL Server 2008

    - by joeriks
    I'd like to find a way to handle multiple updates to a SQL db (with one single db roundtrip). I read about table-valued parameters in SQL Server 2008 http://www.codeproject.com/KB/database/TableValueParameters.aspx which seems really useful. But it seems I need to create both a stored procedure and a table type to use it. Is that true? Perhaps due to security? I would like to run a text query simply like this:

        var sql = "INSERT INTO Note (UserId, note) SELECT * FROM @myDataTable";
        var myDataTable = ... some System.Data.DataTable ...
        var cmd = new System.Data.SqlClient.SqlCommand(sql, conn);
        var param = cmd.Parameters.Add("@myDataTable", System.Data.SqlDbType.Structured);
        param.Value = myDataTable;
        cmd.ExecuteNonQuery();

    So A) do I have to create both a stored procedure and a table type to use TVPs? and B) what alternative method is recommended to send multiple updates (and inserts) to SQL Server?


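    An added example (not from either of the posts above, by Ben McCormack and joeriks) of the fallback that needs no table type or stored procedure: a single parameterized INSERT with a multi-row VALUES list, chunked to stay under the engine's per-statement limits and wrapped in one transaction so the batch lands entirely or not at all. The values travel as parameters; the table and column names cannot, so they are checked against a strict identifier pattern before being spliced into the statement text. The Note(UserId, note) table, the row data and the function names are constructed here, on SQLite; the same statement shape is what SQL Server 2008 accepts (up to 1000 rows per VALUES list and 2100 parameters per statement), and on 2005 the equivalent is one INSERT ... SELECT ... UNION ALL per chunk.

```python
import re
import sqlite3
from typing import Sequence

# Added example (not from either post). The Note table is constructed here to
# match the post's "INSERT INTO Note (UserId, note)".

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_demo_conn() -> sqlite3.Connection:
    """Constructed schema for the demo: UserId is UNIQUE so a duplicate can fail a batch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Note (UserId INTEGER NOT NULL UNIQUE, note TEXT)")
    return conn


def count_notes(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM Note").fetchone()[0]


def insert_rows(conn, table: str, columns: Sequence[str], rows, chunk_size: int = 100) -> int:
    """Insert all rows in one transaction using multi-row VALUES statements.

    Cell values are bound as parameters. Table and column names cannot be
    parameters, so they are validated against a strict identifier pattern.
    Returns the number of rows inserted.
    """
    for ident in (table, *columns):
        if not IDENTIFIER.match(ident):
            raise ValueError("unsafe identifier: %r" % ident)
    rows = [tuple(r) for r in rows]
    if any(len(r) != len(columns) for r in rows):
        raise ValueError("every row must have exactly one value per column")

    # Chunking keeps each statement under the engine's limits (SQL Server:
    # 1000 rows per VALUES list and 2100 parameters; older SQLite: 999 parameters).
    row_placeholder = "(" + ", ".join("?" * len(columns)) + ")"
    inserted = 0
    with conn:  # one transaction: every chunk commits, or none does
        for start in range(0, len(rows), chunk_size):
            chunk = rows[start:start + chunk_size]
            sql = "INSERT INTO %s (%s) VALUES %s" % (
                table,
                ", ".join(columns),
                ", ".join([row_placeholder] * len(chunk)),
            )
            params = [value for row in chunk for value in row]
            inserted += conn.execute(sql, params).rowcount
    return inserted


if __name__ == "__main__":
    demo = make_demo_conn()
    print(insert_rows(demo, "Note", ("UserId", "note"), [(i, "note %d" % i) for i in range(250)]))
```

    A duplicate key in a later chunk raises from inside the `with conn:` block, which rolls back the chunks already executed, so the table is left exactly as it was before the call.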
  • Many to many table design question

    - by user169867
    Originally I had 2 tables in my DB, [Property] and [Employee]. Each employee can have 1 "Home Property" so the employee table has a HomePropertyID FK field to Property. Later I needed to model the situation where despite having only 1 "Home Property" the employee did work at or cover for multiple properties. So I created an [Employee2Property] table that has EmployeeID and PropertyID FK fields to model this many-to-many relationship. Now I find that I need to create other many-to-many relationships between employees and properties. For example if there are multiple employees that are managers for a property or multiple employees that perform maintenance work at a property, etc. My questions are: 1) Should I create separate many-to-many tables for each of these situations or should I just create 1 more table like [PropertyAssociatonType] that lists the types of associations an employee can have with a property and just add a FK field to [Employee2Property] such as PropertyAssociationTypeID that explains what the association is? I'm curious about the pros/cons or if there's another better way. 2) Am I stupid and going about this all wrong? Thanks for any suggestions :)


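    An added example (not from the post above) of the second option the poster describes: a single link table with an association-type foreign key. The table and column names follow the post; the PropertyAssociationType rows, the sample employees and properties, and the function names are constructed here on SQLite. The point worth seeing in running code is the composite primary key over (EmployeeID, PropertyID, PropertyAssociationTypeID): the same employee can cover one property and manage another, but cannot be recorded as manager of the same property twice, and foreign keys reject links to employees, properties or association kinds that do not exist.

```python
import sqlite3

# Added example (not from the post). Table names follow the post; the
# PropertyAssociationType table and all sample rows are constructed here.

SCHEMA = """
CREATE TABLE Property (
    PropertyID INTEGER PRIMARY KEY,
    Name       TEXT NOT NULL UNIQUE
);
CREATE TABLE Employee (
    EmployeeID     INTEGER PRIMARY KEY,
    Name           TEXT NOT NULL,
    HomePropertyID INTEGER NOT NULL REFERENCES Property(PropertyID)
);
CREATE TABLE PropertyAssociationType (
    PropertyAssociationTypeID INTEGER PRIMARY KEY,
    Name                      TEXT NOT NULL UNIQUE
);
-- One row per (employee, property, kind of association). The composite key
-- means 'Alice manages North' cannot be stored twice.
CREATE TABLE Employee2Property (
    EmployeeID                INTEGER NOT NULL REFERENCES Employee(EmployeeID),
    PropertyID                INTEGER NOT NULL REFERENCES Property(PropertyID),
    PropertyAssociationTypeID INTEGER NOT NULL REFERENCES PropertyAssociationType(PropertyAssociationTypeID),
    PRIMARY KEY (EmployeeID, PropertyID, PropertyAssociationTypeID)
);
"""


def build() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Property VALUES (?, ?)", [(1, "North"), (2, "South")])
    conn.executemany("INSERT INTO Employee VALUES (?, ?, ?)", [(1, "Alice", 1), (2, "Bob", 2)])
    conn.executemany(
        "INSERT INTO PropertyAssociationType VALUES (?, ?)",
        [(1, "Covers"), (2, "Manager"), (3, "Maintenance")],
    )
    return conn


def add_association(conn, employee_id: int, property_id: int, kind: str) -> bool:
    """Link an employee to a property; False if the kind is unknown, the link exists,
    or the employee/property does not exist."""
    row = conn.execute(
        "SELECT PropertyAssociationTypeID FROM PropertyAssociationType WHERE Name = ?", (kind,)
    ).fetchone()
    if row is None:
        return False
    try:
        with conn:
            conn.execute("INSERT INTO Employee2Property VALUES (?, ?, ?)",
                         (employee_id, property_id, row[0]))
        return True
    except sqlite3.IntegrityError:  # duplicate link, or a foreign key that does not exist
        return False


def employees_for(conn, property_name: str, kind: str) -> list:
    """Names of employees with the given kind of association to the named property."""
    sql = """
        SELECT e.Name
        FROM Employee2Property ep
        JOIN Employee e ON e.EmployeeID = ep.EmployeeID
        JOIN Property p ON p.PropertyID = ep.PropertyID
        JOIN PropertyAssociationType t ON t.PropertyAssociationTypeID = ep.PropertyAssociationTypeID
        WHERE p.Name = ? AND t.Name = ?
        ORDER BY e.Name
    """
    return [r[0] for r in conn.execute(sql, (property_name, kind))]
```

    Adding a fourth kind of association is then one row in PropertyAssociationType rather than a new table, and every query over the links stays the same.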
  • SQL Server 2005 Fail: Return Dates As Strings

    - by Abs
    Hello all, I am using the SQL Server PHP Driver; I think this question can be answered without knowing what this is. I have come across this many times, what does it mean by NAMES? Column names?

        SET NAMES utf8

    Is there a query similar to the above that will get my dates to be returned as a string? For some reason on my SQL Server 2008 on Vista, this works:

        $connectionInfo = array('Database' => $dbname, 'ReturnDatesAsStrings' => true)

    But the above 'ReturnDatesAsStrings' does not work on my SQL Server 2005 on a Windows Server machine? I can't execute any queries after setting the above! Does SQL Server 2005 support ReturnDatesAsStrings? Is there some other parameter I can pass to do the same? Thanks all for any help. EDIT: I should have mentioned this, but if there is a solution I am hoping for one that is in the form of a setting that can be set before any queries are executed, as I do not have control over what queries will be executed.


  • Does VS2010 does not install SQL Server during installation

    - by Greg
    Hi, just confirming: VS2010 does not install SQL Server during installation? I'm assuming no. This being the case I therefore need to download a copy of SQL Express 2005 or something to develop against on my Windows XP Home PC? Is this correct? Or would the Dev edition of SQL Server 2005 run/install on Windows XP Home? Thanks


  • What are the pros and cons to keeping SQL in Stored Procs versus Code

    - by Guy
    What are the advantages/disadvantages of keeping SQL in your C# source code or in Stored Procs? I've been discussing this with a friend on an open source project that we're working on (C# ASP.NET Forum). At the moment, most of the database access is done by building the SQL inline in C# and calling to the SQL Server DB. So I'm trying to establish which, for this particular project, would be best. So far I have:

    Advantages for in Code:
    - Easier to maintain - don't need to run a SQL script to update queries
    - Easier to port to another DB - no procs to port

    Advantages for Stored Procs:
    - Performance
    - Security


  • Best practices or tools for installing a SQL Server database

    - by Maestro1024
    I have a SQL Server database designed with the SQL Server GUI database editor/Visual Studio. What is the best way to "install" that database on other systems? Said another way, how should I ship this thing? I know I can save the scripts and set the primary/foreign keys with T-SQL but I suspect there is something better. I guess you could have people restore from backup but that does not seem very professional. What other choices are there and what are the pluses and minuses?


  • Changing the indexing on existing table in SQL Server 2000

    - by Raj
    Guys, here is the scenario: SQL Server 2000 (8.0.2055). The table currently has 478 million rows of data. The Primary Key column is an INT with IDENTITY. There is a Unique Constraint imposed on two other columns with a Non-Clustered Index. This is a vendor application and we are only responsible for maintaining the DB. Now the vendor has recommended doing the following "to improve performance":

    1. Drop the PK and Clustered Index
    2. Drop the non-clustered index on the two columns with the UNIQUE CONSTRAINT
    3. Recreate the PK, with a NON-CLUSTERED index
    4. Create a CLUSTERED index on the two columns with the UNIQUE CONSTRAINT

    I am not convinced that this is the right thing to do. I have a number of concerns. By dropping the PK and indexes, you will be creating a heap with 478 million rows of data. Then creating a CLUSTERED INDEX on two columns would be a really mammoth task. Would creating another table with the same structure and new indexing scheme and then copying the data over, dropping the old table and renaming the new one be a better approach? I am also not sure how the stored procs will react. Will they continue using the cached execution plan, considering that they are not being explicitly recompiled? I am simply not able to understand what kind of "performance improvement" this change will provide. I think that this will actually have the reverse effect. All thoughts welcome. Thanks in advance, Raj


  • IS NULL doesn't work as expected in SQL Server 2000 with no Service Pack on it

    - by user306825
    The following batch executed on different instances of SQL Server 2000 illustrates the problem.

        select @@version
        create table a (a int)
        create table b (b int)
        insert into a(a) values (1)
        insert into a(a) values (2)
        insert into a(a) values (3)
        insert into b(b) values (1)
        insert into b(b) values (2)
        select * from a
        left outer join (select 1 as test, b from b) as j on j.b = a.a
        where j.test IS NULL
        drop table a
        drop table b

    Output 1:

        Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48
        Copyright (c) 1988-2000 Microsoft Corporation
        Developer Edition on Windows NT 6.1 (Build 7600: )

        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)

        a           test        b
        ----------- ----------- -----------

        (0 row(s) affected)

    Output 2:

        Microsoft SQL Server 2000 - 8.00.2039 (Intel X86) May 3 2005 23:18:38
        Copyright (c) 1988-2003 Microsoft Corporation
        Developer Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)
        (1 row(s) affected)

        a           test        b
        ----------- ----------- -----------
        3           NULL        NULL

        (1 row(s) affected)

    If someone encounters the same problem - make sure you have the SP installed!

