I'm familiar with Oracle more so than DB2, I have a piece of JavaScript code that makes an Oracle (SQL) call that returns an explain plan, essentially a remote statement execution. From what I've read DB2 looks to be a little different in that there is a command line utility to generate the plan.
Is there a way to generate an explain plan via a remote call in the same way an SQL statement is prepared and executed?
Update:
I'm working in a hosted setup where to be honest I don't even know the version or platform for db2, I'm not sure if this will help but for Oracle we do this:
Statement stmt = con.createStatement();
stmt.execute("explain plan for "+sql);
rs = stmt.executeQuery("select * from table(dbms_xplan.display())");
This (in rs) gives me a textual explain plan that includes the cost of the query, I'm looking to do the same for a db2 database where I assume this syntax isn't going to work.
As shown in this article, DB2 might be vulnerable to SQL Injections:
* Potential SQL injection if X, Y or Z host variables come from untrusted input
STRING "INSERT INTO TBL (a,b,c) VALUES (" X "," Y "," Z ")" INTO MY-SQL.
EXEC SQL PREPARE STMT FROM :MY-SQL END-EXEC.
EXEC SQL EXECUTE STMT END-EXEC.
My question is whether native IMS commands are vulnerable to this kind of (or similar) injection? For instance, by inputting malicious input in the ISRT DLI command.
It depends on how you plan to access the IMS database.
Quoting from an IBM document.
The SQL statements that you issue through the web interface or the
ISPF interface are executed as IMS application programming API in the
IMS SPUFI application program in z/OS®. You can select COBOL or Java™
for the language environment to execute SQL statements.
If you use SQL, you're possibly vulnerable to SQL injection.
If you use native IMS commands, probably not. But it's still a good idea to sanitize your inputs, even for native IMS commands.
Yes, all SQL databases that support runtime parsing of an SQL query string are susceptible to SQL injection.
SQL injection is not a flaw in the database technology, it's a flaw in the client code you write that builds the SQL query string.
I’m a member of the IBM IMS team.
IMS DL/I calls are not dynamic and for that reason are not susceptible like SQL calls. There is no injection risk for CALL xxxTDLI IMS APIs. That being said, a COBOL program can open up risk by allowing input to the program to influence the SSA list or IOAREA parameters being passed to the xxxTDLI. So, secure engineering practices should be followed while programming against these interfaces.
No, an IMS DL/I database doesn't parse the record at all. See it as an early version of a NoSQL database like Cassandra. The segment key is parsed as a binary value but you can't do injections like in a SQL database.
And depending on the skill of the programmers/IMS-admins the attack vector might be closed by limiting the range of available CRUD actions that are available for the program using the PROCOPT's of the PCB in the PSB.
Most IMS-system+DB2 use static SQL's so the statement is already prepared and not vulnerable to SQL injection attacks.
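The answers above locate the flaw in client code that builds the statement string and point to static SQL as the usual defence. The question's INSERT is rewritten below both as static SQL and as dynamic SQL with parameter markers; this is an added example, not code from any of the posts. It reuses the question's names (TBL, X, Y, Z, MY-SQL, STMT), assumes columns a, b, c are CHAR(10), and the program and paragraph names are hypothetical.

```cobol
      * Added example; not code from the original posts.
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SAFEINS.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
           EXEC SQL BEGIN DECLARE SECTION END-EXEC.
      * Assumption: columns a, b, c of TBL are CHAR(10).
       01  X               PIC X(10).
       01  Y               PIC X(10).
       01  Z               PIC X(10).
      * Varying-length host variable holding the statement text.
       01  MY-SQL.
           49  MY-SQL-LEN  PIC S9(4) COMP.
           49  MY-SQL-TEXT PIC X(80).
           EXEC SQL END DECLARE SECTION END-EXEC.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Constructed sample input; the quote in Y stays plain data.
           MOVE "A1"      TO X.
           MOVE "O'BRIEN" TO Y.
           MOVE "C3"      TO Z.
      * Form 1: static SQL. The statement is fixed at precompile
      * and bind time; X, Y, Z are only ever passed as values.
           EXEC SQL
               INSERT INTO TBL (a, b, c) VALUES (:X, :Y, :Z)
           END-EXEC.
           PERFORM CHECK-SQLCODE.
      * Form 2: dynamic SQL with parameter markers. The text that
      * is parsed is a constant; no input is concatenated into it.
           MOVE "INSERT INTO TBL (a,b,c) VALUES (?,?,?)"
               TO MY-SQL-TEXT.
           MOVE 38 TO MY-SQL-LEN.
           EXEC SQL PREPARE STMT FROM :MY-SQL END-EXEC.
           PERFORM CHECK-SQLCODE.
           EXEC SQL EXECUTE STMT USING :X, :Y, :Z END-EXEC.
           PERFORM CHECK-SQLCODE.
           GOBACK.
      * Stop on any SQL error or warning instead of continuing.
       CHECK-SQLCODE.
           IF SQLCODE NOT = 0
               DISPLAY "SQL ERROR, SQLCODE=" SQLCODE
               MOVE 8 TO RETURN-CODE
               GOBACK
           END-IF.
```

The two forms are alternatives; a real program would use one of them.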
My ssis package has an oledb source which joins oracle and sql server to get source data and loads it into sql server oledb destination. Earlier we were using linked server for this purpose but we cannot use linked server anymore.
So I am taking the data from sql server and want to return it to the in clause of the oracle query which i am keeping as sql command oledb source.
I tried parsing an object type variable from sql server and putting it into the in clause of oracle query in oledb source but i get error that oracle cannot have more than 1000 literals in the in statement. So basically I think I have to do something like this:
select * from oracle.db where id in (select id from sqlserver.db).
Since I cannot use linked server so i was thinking if I could have a temp table which can be used throughout the package.
I tried out another way of using merge join in ssis, but my source data set is really large and the merge join is returning fewer rows than expected. I am badly stuck at this point. I have tried a number of things; nothing seems to be working.
Can someone please help. Any help will be greatly appreciated.
A couple of options to try.
Lookup:
My first instinct was a Lookup Task, but that might not be a great solution depending on the size of your data sets, since all of the records from both tables have to be pulled over the wire and stored in memory on the SSIS server. But if you were able to pull off a Merge Join, then a Lookup should also work, but it might be slow.
Set an OLE DB Source to pull the Oracle data, without the WHERE clause.
Set a Lookup to pull the id column from your SQL Server table.
On the General tab of the Lookup, under Specify how to handle rows with no matching entries, select Redirect rows to no-match output.
The output of the Lookup will just be the Oracle rows that found a matching row in your SQL Server query.
Working Table on the Oracle server
If you have the option of creating a table in the Oracle database, you could create a Data Flow Task to pipe the results of your SQL Server query into a working table on the Oracle box. Then, in a subsequent Data Flow, just construct your Oracle query to use that working table as a filter.
Probably follow that up with an Execute SQL Task to truncate that working table.
Although this requires write access to Oracle, it has the advantage of off-loading the heavy lifting of the query to the database machine, and only pulling the rows you care about over the wire.
I'm a newbie to DB2/AS400. I know how to write SQL queries to insert/update in the database, but I'm not sure how I could do the same thing in DB2/AS400. Can anybody guide me on how I could write SQL insert/stored procedure queries in a DB2 database?
STRSQL as suggested previously would work fine but it is a green screen (5250 emulation) option; if you are not familiar with that environment, I would recommend you use the 'Run SQL Script' function from either IBM i Access Client Solutions or IBM i Navigator, whichever is available to you.
On the AS400 command line issue the following command.
STRSQL
Start Here and this is typical IBM documentation. It leaves you guessing why am I here.
I have for years used MS Access and its query tool that is used for making queries. This tool is so good that I have never been forced to do very much SQL programming myself. The query tool has done all the work.
However, now I have started using Postgres and the Graphical Query Builder in pgAdmin. It seems that the Graphical Query Builder is rather primitive: It cannot be used if you need an aggregate function like SUM or COUNT.
Is this really correct?
Does anybody know a better graphical query builder for PostgreSQL?
Until now I have 'solved' the problem by linking MS Access to the Postgres database through ODBC and used MS Access' query tool to generate SQL commands which I then copy into pgAdmin's Graphical Query Builder - and edit the SQL commands until everything is correct.
SQL Maestro has a query designer, although it is PC only, AFAIK
http://www.sqlmaestro.com/products/postgresql/maestro/screenshots/getting_started/visual_query_builder/
EMS SQL Manager also has a query designer
http://www.sqlmanager.net/en/products/postgresql/manager/screenshots
Try SQLeo, it's free and has a specific feature (autosavepoint) to prevent
ERROR: current transaction is aborted, commands ignored until end of transaction block.
Try a browser-based query builder for PostgreSQL called Skyvia. And you don’t have to worry about which operating system it works. It works where a browser exists. Simply make a connection to your PostgreSQL database and start building your queries. See a sample below.
Note that you can still switch between SQL code and query builder if you want to, just like in MS Access. Get the details here.
We have a software solution that involves syncing some data between a Progress database and SQL server. Unfortunately, we do not have any Progress gurus in house, so I'm working kinda blind here and would welcome any advice that is on offer.
For the workflow that is already in place, what would work very well for us is the ability to do an external call to insert a row into an SQL database from within an ABL procedure's 'for each' loop.
Is anyone able to direct me to any code snippets or articles that might help me achieve this?
Many thanks,
In case your SQL database is MS SQL Server, you might want to have a look at OpenEdge DataServer for Microsoft SQL Server (web.progress.com/en/openedge/dataserver-microsoft.html, documentation.progress.com/output/OpenEdge102b/pdfs/dmsql/dmsql.pdf).
The DataServer provides you with ABL access to a non-Progress database so you can use standard Progress statements, e.g. CREATE to add new records or FOR EACH to retrieve query results.
OpenEdge DataServers are also available for Oracle (using Oracle Call Interface), DB2 and Sybase (using ODBC). The DataServer for MS SQL Server uses ODBC behind the scenes as well. web.progress.com/docs/datasheets/openedge/openedge_dataservers.pdf
You don't need the DataServer; a connection with ADODB works fine in ABL. You can even call stored procedures with the command object; the user you connect with will have to be granted EXEC rights on the SQL Server to do that.
I'm not a Progress guru, but I did do some work in it for awhile. AFAIK there is no way to have ABL code connect to a non-Progress database (part of that whole vendor lock-in strategy Progress Corp. leverages).
Your best bet is probably to have the ABL code serialize the records to XML, and use something like ActiveMQ (or even a plain socket or named pipe/FIFO depending on your setup) to send them to a program written in a more capable language to do the SQL insert.