Sqlmap executed query always return 4 lines of incomplete result - sql-injection

I have a table which stores UIDs for users and I'm doing a security check on my SQL Server 2008 R2. I've successfully connected to my linked server using sqlmap and I tried to execute a query by injection as below:
select UID from XXXX where NickName = 'XXX'
and it returned
[*] A
[*] 1
[*]
[*]
No matter what queries I execute, it always returns 4 lines of incomplete results. I'm wondering what is causing this problem?

Related

SQL Developer and DB2 errors

I'd like to use SQL Developer with DB2. I was able to connect and I can execute my queries, but when I have an error, I cannot tell which error it is. SQL Developer shows me only the error code, not the message. Is there a way to know the error I have?
EDIT:
For example, launching this query:
Select * from WrongTable
other programs say:
ERROR[42704][IBM][DB2/NT64] SQL0204N "USERNAME.WRONGTABLE" è un nome non definito
sqldeveloper limits its report to the error nr only:
Errore alla riga del comando : 1 colonna : 1
Report errori -
Errore SQL: DB2 SQL Error: SQLCODE=-204, SQLSTATE=42704, SQLERRMC=USERNAME.WRONGTABLE, DRIVER=4.19.49
Thank you.
The URL syntax for connecting to Db2 with type-4 jdbc drivers is documented here.
The property that controls how much information is returned with getMessage() is called retrieveMessagesFromServerOnGetMessage, and its default value is disabled (false, 0). Set it to value 1 (or YES, or true) to enable more details on errors.
You can append many properties after the database name in the Database field, on the Oracle SQL-Developer connection properties. Express each property in the form x=y; each x=y pair is separated by a semi-colon, the final one is terminated by a semi-colon, and the first property is prefixed by a colon immediately after the database name.
For example, suppose the database name is sample and I wanted three additional properties, then I would put this in the Database field in Oracle-SQL-developer:
sample:useJDBC4ColumnNameAndLabelSemantics=No;securityMechanism=11;retrieveMessagesFromServerOnGetMessage=1;
If value 1 does not give the expected result, use value YES, although they should be equivalent. Remember to SAVE the setting change, disconnect from the database, and reconnect before retrying your queries to assess the change.
Many other properties are available; see the many related pages in the documentation. Some properties are common to all target Db2 platforms, other properties are specific to Db2-LUW, or Db2-Z/OS, or Informix etc, so read the docs carefully. Some properties can be set by code after the connection is already established.

Binding parameters with sequelize fails if multiple

Database is Postgres (and in Sequelize there is support for bind parameter for Postgres).
Strange thing.
When running raw query and binding parameters this way:
return models.sequelize.query(q, {bind: ['33', 'test']}).then(function (data) { /* ... */ });
Then sequelize seems to fail in binding parameters.
The query itself is something like
select * from A where id = $1
As soon as I remove the second element in the array passed to bind, the binding works.
But when there are more than one element, the $1 is not transformed to value. This is what I can see in the log.
The query when only a bind parameter is present will print
select * from A where id = 33
While the query when more than one bind parameter is added will print
select * from A where id = $1
My bad. I didn't look at the real error message sent to the client.
It had nothing to do with the number of parameters.
The problem was that using LIKE I had something like:
and name LIKE '%$2%'
This gives the error:
bind message supplies 2 parameters, but prepared statement requires 1
Which was the real issue.
I realize this is an old thread. However, it may be a workaround for those facing this issue and using postgresql.
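let array = ['33', 'test'];
// $1 receives the whole list as one comma-separated string and is split server-side.
let query = `SELECT * FROM A WHERE id::text IN(SELECT UNNEST(STRING_TO_ARRAY($1, ','))::text)`;
// Now we can run the query (pass the same variable that holds the SQL text).
models.sequelize.query(query, {bind: [array.toString()]});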
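
The error quoted in this thread comes from `$2` sitting inside a quoted literal, where PostgreSQL treats it as text rather than a parameter. The following is an added example, not code from any of the posts: it counts the parameters the server would see and builds the LIKE query with the wildcards moved into the bound value. The names `maxPlaceholder`, `escapeLike` and `likeQuery` are hypothetical, and the sample queries are constructed from the thread's fragments.

```javascript
// Added example: maxPlaceholder, escapeLike and likeQuery are hypothetical names.
// Sample queries are constructed from the fragments quoted in the thread.

// Highest $n that PostgreSQL would treat as a parameter. Text inside
// single-quoted literals is data, so '%$2%' contributes no parameter.
// Simplification: ignores dollar-quoted strings, E'' escapes and comments.
function maxPlaceholder(sql) {
  let max = 0;
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      if (inString && sql[i + 1] === "'") { i++; continue; } // '' = escaped quote
      inString = !inString;
    } else if (!inString && ch === "$") {
      const m = /^\d+/.exec(sql.slice(i + 1));
      if (m) { max = Math.max(max, Number(m[0])); i += m[0].length; }
    }
  }
  return max;
}

// Escape LIKE metacharacters so the bound term matches literally
// (backslash is PostgreSQL's default LIKE escape character).
function escapeLike(term) {
  return term.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Keep the placeholder outside the quotes and put the wildcards in the value.
function likeQuery(id, term) {
  return {
    sql: "select * from A where id = $1 and name LIKE $2",
    bind: [id, "%" + escapeLike(term) + "%"],
  };
}

const broken = "select * from A where id = $1 and name LIKE '%$2%'";
const fixed = likeQuery("33", "test");
console.log(maxPlaceholder(broken), "parameter(s) required, 2 supplied");
console.log(maxPlaceholder(fixed.sql), "parameter(s) required,", fixed.bind.length, "supplied");
// With sequelize: models.sequelize.query(fixed.sql, { bind: fixed.bind })
```

Because the search term travels only as a bound value, it never becomes part of the SQL text, and escaping `%` and `_` keeps user-supplied wildcards from widening the match.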

perform select fails to compile postgres

I have some SQL in which I want to test whether a certain record exists. I initially tried
perform select from vote,file
where vote.file_id=file.file_id and vote.uid = userId and
file.basename=aBase[1];
with the idea of testing whether the item with given uid and basename was found. The compiler complained about an error at select. To make it compile I had to declare version and write:
select file.basename into version from vote,file ....
Can someone explain why the perform here failed? I have other seemingly identical code which works fine.
Thanks.
From the PostgreSQL docs, see http://www.postgresql.org/docs/9.1/static/plpgsql-statements.html
Note: One might expect that writing SELECT directly would accomplish
this result, but at present the only accepted way to do it is PERFORM.
A SQL command that can return rows, such as SELECT, will be rejected
as an error unless it has an INTO clause.

Understanding MON$STAT_ID in the Firebird monitoring tables

I posted a few weeks back inquiring about the firebird DB and how to monitor it. Since then I have come up with a nifty script that monitors all of the page reads/writes/fetches/marks. One of the columns I am monitoring is the MON$STAT_ID and the MON$STAT_GROUP fields. This prints out a nice number for me; however, I have no way to correlate and understand what exactly it is. I thought printing out the MON$STAT_GROUP would help but it has yet to assist me in any way...
I have also looked into the RDB$ commands but have found very limited documentation to see if they might assist me in monitoring my database.
So I decided to come here and inquire first off whether I am monitoring my database in a way that others can view the data from page reads/writes/fetches/marks and make an intelligent decision on whether or not the database is performing as expected.
Secondly, would adding RDB$ commands to my script add anything to the value of the data that I will be giving our database folks?
Lastly, and maybe most importantly, is there any way to correlate the MON$STAT_ID fields to an actual table in the database to understand when something is going on that should not be? I currently am monitoring the database every minute, which may be too frequent, but I am getting valid data out. The only question now is how to interpret this data. Can someone give me advice on methods they use/have used in the past that have worked for them?
(NOTE: Running firebird 2.1)
The column MON$STAT_ID in MON$IO_STATS (and MON$RECORD_STATS and MON$MEMORY_USAGE) is the primary key of the record in the monitoring table. Almost all other monitoring tables include a MON$STAT_ID to point to these statistics: MON$ATTACHMENTS, MON$CALL_STACK, MON$DATABASE, MON$STATEMENTS, MON$TRANSACTIONS.
In other words: the statistics apply on the database, attachment, transaction, statement or call level (PSQL executes). The statistics tables contain a column called MON$STAT_GROUP to discern these types. The values of MON$STAT_GROUP are described in RDB$TYPES:
0 : DATABASE
1 : ATTACHMENT
2 : TRANSACTION
3 : STATEMENT
4 : CALL
Typically the statistics of level 0 contain all from level 1, level 1 contains all from level 2 for that attachment, level 2 contains all from level 3 for that transaction, level 3 contains all from level 4 for that statement.
As there might be data processed unrelated to the lower level, or a specific attachment, transaction or statement handle has already been dropped, the numbers of the lower level do not necessarily aggregate to the entire number of the higher level.
There is no way to correlate the statistics to a specific table (as this information isn't table related, but - simplified - from executing statements which might cover multiple tables).
As I also commented, I am unsure what you mean with "RDB$ commands". But I am assuming you are talking about RDB$GET_CONTEXT() and RDB$SET_CONTEXT(). You could use RDB$GET_CONTEXT() to obtain the current connection (SESSION_ID) and transaction id (TRANSACTION_ID). These values can be used for MON$ATTACHMENT_ID and MON$TRANSACTION_ID in the monitoring tables. I don't think the other variables in the SYSTEM namespace are interesting, and those in USER_SESSION and USER_TRANSACTION are all user-defined (and initially those namespaces are empty).
It is far easier to use the CURRENT_CONNECTION and CURRENT_TRANSACTION context variables within a statement. As documented in doc\README.monitoring_tables.txt in the Firebird installation:
System variables CURRENT_CONNECTION and CURRENT_TRANSACTION could be used to select data about the current (for the caller) connection and transaction respectively. These variables correspond to the ID columns of the appropriate monitoring tables.
Note: my answer is based on Firebird 2.5.
To present statistics by specific tables I use this SQL (FB 3)
select t.mon$table_name,trim(
case when r.mon$record_seq_reads>0 then 'Non index Reads: '||r.mon$record_seq_reads else '' end||
case when r.mon$record_idx_reads>0 then ' Index Reads: '||r.mon$record_idx_reads else '' end||
case when r.mon$record_inserts>0 then ' Inserts: '||r.mon$record_inserts else '' end||
case when r.mon$record_updates>0 then ' Updates: '||r.mon$record_updates else '' end||
case when r.mon$record_deletes>0 then ' Deletes: '||r.mon$record_deletes else '' end)
from MON$TABLE_STATS t
join mon$record_stats r on r.mon$stat_id=t.mon$record_stat_id
where t.mon$table_name not starting 'RDB$' and r.mon$stat_group=2
order by 1

how to find record count mismatch in a stored procedure in sql server 2008 R2?

Two stored procedures were developed by .NET developers, which give the same record counts when you pass the same parameter.
Now, due to some changes, we are getting a mismatched record count, i.e.
if the first stored procedure gives 2 records for a parameter, the second SP gives only 1 record.
To find this I followed this approach.
I verified:
1. I counted the total records of a table after joining
2. the total tables used in joining
3. whether distinct / group by is used in 2 tables or not
Finally, I am not able to find the issue.
How do I fix it?
Could anybody share some ideas?
Thanks in advance.
Assuming the same JOINs and filters, then the problem is NULLs.
That is, either
A WHERE clause has a direct NULL comparison which will fail
A COUNT is on a nullable column. See Count(*) vs Count(1) for more
Either way, why do you have the same very similar stored procedures written by 2 different developers, that appear to have differences?