How do convert below code from T-SQL into DB2 LUW? - db2

How do I convert this code from T-SQL into DB2 LUW, it seems so easy with T-SQL but in DB2 can't find any solution. See code below:
DECLARE #sqlCommand varchar(1000)
DECLARE #columnList varchar(75)
DECLARE #city varchar(75)
SET #columnList = 'AddressID, AddressLine1, City'
SET #city = '''London'''
SET #sqlCommand = 'SELECT ' + #columnList + ' FROM Person.Address WHERE City = ' + #city
EXEC (#sqlCommand)

The problem is that you can’t ‘select to nowhere’ in a compound statement in DB2. Db2 CLP can return you the result set of a single sql statement, but it doesn’t try to do the same for select statements in a compound statement. If you want to print the result set from a select statement in a compound statement, you can, for example, declare a cursor, fetch it in a loop, and use dbms_output.put_line calls to print the values of variables.

Not Pretty but you can find an example of the bottom of this page:
Stored Procedures and Dynamic SQL Returning a Result set
Essentially you most:
1) create a dynamic SQL string
2) prepare the string into a statement
3) Link the statement to a cursor you're going to declare as WITH RETURN
Opening the cursor will be the last line in your procedure.

Related

Trying to run dynamic sql using a UDF in DB2

I am very new to DB2 even though have experience in Oracle. I am not able to resolve this issue.I have a requirement where I need to find missing child records in the parent table .The parent table , child table and the join_key are all passed as input parameter.
I have tried this in a procedure was able to achieve this, but the admin wants it in a function so that they can just use it in a select statment and get the result in a table format. Since the parent table , child table and the join_key are comming as input parement, I am not able to run them as dynamic sql.
create or replace function missing_child_rec(PARENT_TBL VARCHAR(255),JOIN_KEY VARCHAR(255),CHILD_TBL VARCHAR(255))
RETURNS TABLE(Key VARCHAR(255))
LANGUAGE SQL
BEGIN
DECLARE V_SQL VARCHAR(500);
DECLARE C_SQL CURSOR WITH RETURN FOR S_SQL;
SET V_PARENT_TAB = PARENT_TBL;
SET V_KEY = JOIN_KEY;
SET V_CHILD_TAB = CHILD_TBL;
SET V_SQL = 'SELECT DISTINCT '|| JOIN_KEY || ' FROM ' || V_CHILD_TAB || ' A WHERE NOT EXISTS
(SELECT ' ||V_KEY || ' FROM ' || V_PARENT_TAB || ' B WHERE A.'||JOIN_KEY || '= B.'||JOIN_KEY ||' )' ;
PREPARE S_SQL FROM V_SQL;
OPEN C_SQL;
CLOSE C_SQL;
RETURN
END
When I try to compile it , it says prepare is invalid , I have tried even execute immediate but that also gave error.Can you please help me with how to use dynamic sql in UDF or an alternative logic for this problem
There is more than one way to solve this, here's one way.
If you already have a working stored-procedure that returns the correct result-set then you can call that stored-procedure from a pipelined table function. The idea is that a pipelined table function can consume the result-set and pipe it to the caller.
This will work on Db2-LUW v10.1 or higher, as long as the database is not partitioned over multiple nodes.
It may work on Db2-for-i v7.1 or higher.
It will not work with Db2 for Z/os at current versions.
Suppose your stored procedure is sp_missing_child_rec and it takes the same input parameters as the function you show in your question, and suppose the data type of the join column is varchar(100).
The pipelined wrapper table function would look something like this:
--#SET TERMINATOR #
create or replace function missing_child_rec(PARENT_TBL VARCHAR(255),JOIN_KEY VARCHAR(255),CHILD_TBL VARCHAR(255))
returns table ( join_column_value varchar(100))
begin
declare v_rs result_set_locator varying;
declare v_row varchar(100); -- to match the join_column_datatype, adjust as necessary
declare sqlstate char(5) default '00000';
CALL sp_missing_child_rec( parent_tbl, join_key, child_tbl);
associate result set locator (v_rs) with procedure sp_missing_child_rec ;
allocate v_rscur cursor for result set v_rs;
fetch from v_rscur into v_row;
while ( sqlstate = '00000') do
pipe(v_row);
fetch from v_rscur into v_row;
end while;
return;
end#
select * from table(missing_child_rec( 'parent_table' , 'join_column', 'child_table'))
#

What is wrong in my dynamic query postgres statements inside function?

I have a PL/pgSQL function that takes table name as dynamic parameter. As I am updating an existing query to take table name as dynamic parameter, this is what I have as my function:
DECLARE rec RECORD;
BEGIN
EXECUTE 'insert into stat_300_8_0(ts, target, data)
select distinct timestamp-(timestamp%3600) as wide_row_ts,
target, array[]::real[] as data
from ' || temp_table_name || ' as temp
where class_id=8
and subclass_id=0
and not exists (select ts from stat_300_8_0
where ts=temp.timestamp-(temp.timestamp%3600)
and target=temp.target)';
FOR rec IN EXECUTE 'SELECT DISTINCT timestamp AS ts
FROM ' || temp_table_name ||
' WHERE class_id=8'
LOOP
EXECUTE 'update stat_300_8_0 as disk_table
set data[new_data.start_idx:new_data.end_idx] = array[data_0,data_1]
from (select timestamp-(timestamp%3600) as wide_row_ts,
(timestamp%3600)/300 * 2 + 1 as start_idx,
((timestamp%3600 / 300) + 1) * 2 as end_idx,
target, data_0, data_1
from ' || temp_table_name ||
' where class_id=8 and subclass_id=0
and timestamp=rec.ts) as new_data
where disk_table.ts=new_data.wide_row_ts
and disk_table.target=new_data.target';
END LOOP;
END;
However, when this function is executed I get an error saying
ERROR: missing FROM-clause entry for table "rec"
However, rec is declared in the first line of the above code. I am not able to figure what is wrong with my queries. Any help is appreciated.
Supplemental to Eelke's answer:
Assuming temp_table_name is an argument, you really, really want to run it through quote_ident() because otherwise someone could create a table with a name that could inject sql into your function.
Instead of the change suggested there, you are better off using EXECUTE...USING since that gives you parameterization regarding values (and hence protection against SQL injection). You would change rec.ts to $1 and then add to the end USING ts.rec (outside the quoted execute string). This gives you a parameterized statement inside your execute which is safer. However parameters cannot include table names, so it doesn't spare you from the first point above.

Is this vulnerable to SQL injection?

We are using a third party product which references a stored procedure in MSSQL. This stored proc looks something like this:
CREATE PROCEDURE [dbo].[example]
#a nvarchar(255)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #strSQL nvarchar(3000)
SET #strSQL = 'SELECT * FROM test WHERE x = ''1'''
IF IsNull(#a, '') <> ''
SET #strSQL = #strSQL + ' AND a = ''' + #a + ''''
EXEC(#strSQL)
END
This stored proc doesn't actually output its results to the website but I'm still sure that it is vulnerable to SQL injection. I can input t' + 'est and get the same result as I would from inputing test.
We obviously need to get them to change this but I need to demonstrate that it is an issue first. How can I do something like insert a row in to a table by passing SQL in as #a? If I do
'; INSERT INTO blah VALUES('test')
Then I get:
Incorrect syntax near ';'.
yes, it's vulnerable, but by chance you've injected the wrong text, producing a syntax error:
SELECT * FROM test WHERE x = "1" AND a =; INSERT INTO blah VALUES('test')
^--your syntax error
If your injection text had been:
a; INSERT blah blah blah
^---
then you'd have ended up with two valid queries and test in your blah table.
Yes, you can set your # to have an secape character and thus create mutiple Execs ulimately leading to execcmd format C: or other - google SQL injection attacks
However:
Create proc db.eg #a nvarchar(255)
AS
BEGIN
Update Mytable SET Mycol = #a WHERE Condition etc..
END
IS not open to SQL injection as the string goes directly to the table column, it is nt exec'd

How to use variable in t-sql query

Today I get my database name like that :
set #databaseNameTXT = 'NewStat1DB';
And then I insert the data to the right table like that:
IF #databaseNameTXT = 'NewStat1DB'
BEGIN
INSERT INTO [NewStat1DB] (wStat_id) values(#wStat_id)
END
IF #databaseNameTXT = 'NewStat2DB'
BEGIN
INSERT INTO [NewStat2DB] (wStat_id) values(#wStat_id)
END
How can I use the variable inside the t-sql and run it, something like:
INSERT INTO [#databaseNameTXT] (wStat_id) values(#wStat_id)
Thanks
You need to use dynamic SQL for this, though you need to be careful of SQL Injection.
Database, schema, table and column names cannot be variables - the only way to do this is use dynamic SQL.
For example (this is vulnerable to SQL Injection):
sp_executesql 'INSERT INTO [' + #databaseNameTXT +
'] (wStat_id) values(' + #wStat_id + ');';
I suggest reading the linked article - it is a comprehensive treatment of the subject of dynamic SQL.
You can use Dynamic SQL for this:
declare #query nvarchar(max)
set #query = 'INSERT INTO ' + QUOTENAME(#databaseNameTXT) + '(wStat_id)
values('+#wStat_id+')'
exec(#query)

T-SQL: issue with string concat

I have a set of audio files with names GreenLine1.mp3, GreenLine2.mp3 e.t.c. I'm going to write them into a table as BLOB (I use MS SQL Server'08), here's my sql request:
DECLARE #aud AS VARBINARY(MAX)
DECLARE #num AS INT
-- Load the audio data
SET #num=1
WHILE (#num<38)
BEGIN;
SELECT #aud = CAST(bulkcolumn AS VARBINARY(MAX))
FROM OPENROWSET(
BULK
'C:\Users\Ilya\folder\GreenLine' + CAST(#num AS VARCHAR) + '.mp3',
SINGLE_BLOB ) AS x
-- Insert the data to the table
INSERT INTO Mb2.dbo.Audios (Id, [Content])
SELECT NEWID(), #aud
SET #num = #num + 1
END;
I have an error: Incorrect syntax near '+', expecting ',' or ')'.
If I try to write
'C:\Users\Ilya\folder\GreenLine' +
CAST(#num AS VARCHAR) + '.mp3'
into a variable and put it after BULK, I get Incorrect syntax near #variable, expected STRING, or TEXT_LEX
You can't parametrise or concatenate the parameters of OPENROWSET. It is constant values only.
You'll have to use dynamic SQL and a temp table, or consider using SSIS for example
This article pointed me in the right direction when I had the same issue with OPENQUERY:
https://web.archive.org/web/20120724073530/http://consultingblogs.emc.com/jamespipe/archive/2007/06/28/SQL-Server-2005_3A00_-Passing-variables-into-an-OPENQUERY-argument.aspx
Basically, you can wrap the entire statement in a variable (nvarchar), including the openrowset, and run exec sp_executesql #sql. It gets a little ugly to read around the 's though, because you'll have to escape them with ''.