Execute SQL query in Binary Form - tsql

I have seen something like this executed in SQL Server:
EXEC (0x53454C45435420312041532054)
or simply
0x53454C45435420312041532054
The binary form above is equal to SELECT 1 AS T
But I don't remember the exact way to do this.
Does anyone know how to execute a query like this?
Update:
I know how to convert Binary into Varchar and Varchar into Binary. What I am asking here is how to execute the query in Binary Form?
This is one way,
DECLARE @q AS nvarchar(1000)
-- 0x530045004C004500430054002000310020004100530020005400 = SELECT 1 AS T
SET @q = CAST(0x530045004C004500430054002000310020004100530020005400 AS nvarchar(1000));
EXEC (@q)
Any other way?

No, I am pretty sure there is no other way to do this.
You cannot simply execute binary data.
You can use exec, as you already do, or you could use sp_executesql, but both expect you to pass the query to be executed as a string (NVARCHAR).

Related

How to save a string that contains both single and double quotes to postgres column

I have the following string:
SELECT hello as "helloHello", '' as "empty" FROM tbl_test
I want to do something like this:
INSERT INTO tbl_x (a, b, c) VALUES (x, y, string_from_above)
The strings are going to be dynamic (basically they're strings of sql statements), so I do not want to escape all the ' and ". If I open the postgres database and double click on the varchar column, I can copy and paste the string and it goes in exactly as it looks. I want to be able to programmatically do so. Is there a way using an insert command? I tried using pgFormat, but that didn't work. See attached pic with what it looks like in the table.
All PostgreSQL APIs worth their money have a way to escape strings for inclusion in a dynamic SQL statement.
For example, if you write in C, you can use libpq's PQescapeLiteral().
There are also SQL functions for this: quote_literal() and format(). They can be used in PL/pgSQL code.
Don't try to write your own code for this. Use prior art and avoid the risk of getting it wrong.

Using Custom defined variables in PgAdmin III?

First of all, thank you beforehand for helping me with this. Please do not state that this is a repeat question as I have searched a lot but still none of the threads I found here relate to my query. Actually I have a simple query which I'm failing to pass through and needed some help. My issue is as follows,
I want to run a simple SQL query to insert some data into a table i.e.,
INSERT INTO "public"."plan" (id,name,description) VALUES (6,'Plan Name','Plan Description');
But instead of passing Plan Name and Plan Description as text, I'm looking to define variables and pass those instead, in short something like this,
INSERT INTO "public"."plan" (id,name,description) VALUES (6,customPlanName,customPlanDescription);
I've tried using the following but this doesn't work,
DECLARE
planname TEXT;
plandesc TEXT;
SET planname = 'MidasName';
SET plandesc = 'PlanDescription';
INSERT INTO "public"."plan" (id,name,description) VALUES (6,planname,plandesc);
Can you please help me out with this? I want something to be run using PostgreSQL on PgAdmin III
Thank you in advance for any help provided.
example with prepared statements:
prepare plan_insert (text,text)
as INSERT INTO "public"."plan" (id,name,description) VALUES (6,$1,$2);
execute plan_insert ('MidasName','PlanDescription');
execute plan_insert ('Some Other','Some more');

oracle evalname function equivalent in postgres

Oracle supports dynamic XMLElement name with evalname function. Is there a similar feature in postgres to get the XMLElement name dynamically instead of using constant?
Example in ORACLE:
select xmlelement(evalname(ENAME),EMPNO) from EMP;
This statement will result in list of enames as separate xml elements.
<SMITH>7369</SMITH>
<ALLEN>7499</ALLEN>
<WARD>7521</WARD>
Not sure if postgres has something similar.
Thanks.
I was able to get a workaround to construct XML with dynamic element names in Postgres using execute format. Posting this in case anyone has the same issue.
execute format('SELECT XMLElement(NAME %I, $1)', emp_name) USING empno from emp;
<SMITH>7369</SMITH>
<ALLEN>7499</ALLEN>
Same worked with XMLForest and having XMLAttributes inside XMLElement.
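The format() approach from the answer above, together with the earlier advice on storing a string that contains both single and double quotes, as an added PL/pgSQL example that is not part of the original posts. The function name emp_as_xml and the column types of emp and tbl_x are assumptions.

```sql
-- emp and tbl_x are named in the questions; their column types are assumed here.
CREATE TABLE IF NOT EXISTS emp (ename text, empno int);
CREATE TABLE IF NOT EXISTS tbl_x (a int, b int, c text);

-- Dynamic element name per row: %I quotes the name as an identifier,
-- while the value is passed with USING and never becomes part of the SQL text.
CREATE OR REPLACE FUNCTION emp_as_xml() RETURNS SETOF xml
LANGUAGE plpgsql AS $$
DECLARE
    r    record;
    elem xml;
BEGIN
    FOR r IN SELECT ename, empno FROM emp LOOP
        EXECUTE format('SELECT XMLElement(NAME %I, $1)', r.ename)
            INTO elem
            USING r.empno;
        RETURN NEXT elem;
    END LOOP;
END
$$;

SELECT * FROM emp_as_xml();

-- Storing a string that itself contains ' and " characters.
DO $$
DECLARE
    -- Dollar quoting ($q$ ... $q$) only lets the sample be typed unescaped.
    stmt text := $q$SELECT hello as "helloHello", '' as "empty" FROM tbl_test$q$;
BEGIN
    -- Preferred: the value travels as a parameter, so no escaping is involved.
    EXECUTE 'INSERT INTO tbl_x (a, b, c) VALUES ($1, $2, $3)'
        USING 1, 2, stmt;

    -- When the value has to be embedded in the statement text itself,
    -- %L (equivalent to quote_nullable()) emits a correctly escaped literal.
    EXECUTE format('INSERT INTO tbl_x (a, b, c) VALUES (3, 4, %L)', stmt);
END
$$;

SELECT a, b, c FROM tbl_x ORDER BY a;
```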
There is no such function as far as I know.
The closest you can get is adding an attribute with the empname:
select xmlelement(name emp, xmlattributes(empname), empno)
from emp;
Generates:
<emp empname="Smith">7369</emp>
<emp empname="Allend">7499</emp>
<emp empname="Ward">7521</emp>
Personally I would find that format much easier to parse e.g. in XSLT or an XML parser. Because in order to process a tag you would need to know the tag name, which you don't if the tag changes for each row - but this might just be me.

Execute Stored Process with pass in SQL query from another table?

Currently my development environment uses SQL Server Express 2008 R2 and VS2010 for my project development.
My question is as follows, with a scenario:
Development goal:
I am developing Windows services for something like data mining or data warehousing using .NET C#.
That means I have two or more databases involved.
My scenario is like this:
I have a database with a table called SQL_Stored, which has a column named QueryToExec.
The first idea that came to my mind was to write a stored procedure, and I tried to come up with a stored procedure named Extract_Sources with two parameters passed in, ID and TableName.
My first step is to select the SQL that needs to be executed from the table SQL_Stored. I tried to get the SQL by using a simple select statement such as:
Select Download_Sql As Query From SQL_Stored
Where ID=@ID AND TableName=@TableName
Is it possible to get the result this way, or is there another way to do so?
My second step is to execute the SQL that I get from the SQL_Stored table. Is it possible to execute the selected query later in this same stored procedure?
Do I need to create a variable to store the SQL?
Thank you, I appreciate all your help. Please don't hesitate to point out my errors or mistakes, because I can learn from them. Thank you.
PS_1: I am sorry for my poor English.
PS_2: I am new to stored procedures.
LiangCk
Try this:
DECLARE @download_sql VARCHAR(MAX)
Select
@download_sql = Download_Sql
From
SQL_Stored
Where
AreaID = @AreaID
AND TableName = @TableName
EXEC (@download_sql)

Dynamic conditions in WHERE clause

I have a stored procedure and would like to know if it's possible to build up a dynamic where condition based on a parameter.
Let's say I have this query:
SELECT *
FROM tbl_Users
Now, I have a parameter called @username, which I would like to use to build up a dynamic where condition (which through my program might be 1 or more conditions). To achieve something like that I use the following statement:
SELECT *
FROM tbl_Users
@username -- where this parameter might hold a condition string such as "Where usr_Username = 5 and usr_first_name like '%Frank%' etc
Is it possible to do something like this?
You're going to have to break into dynamic sql for this.
it would run something like this:
declare @sql varchar(max)
set @sql = '
SELECT *
FROM tbl_Users
WHERE ' + @username
exec (@sql)
I'm not certain I understand you, but if my understanding is correct, you can do the following (NOTICE: injection vulnerable)
DECLARE @SQL varchar(500) = 'SELECT * FROM tbl_users ' + @username
EXEC (@SQL)
From what I know, this is not going to work. You're going to need to generate the script you want to execute and use the exec command.
You are really not supposed to be concatenating SQL keywords and parameters into one single string as shown in some of the responses above, because it opens the door to SQL injection (one of the contributors actually called it out; that's a wise warning!).
Instead, you are supposed to parameterize your SQL and execute the system SP sp_executesql.
A very good code example is shown in this StackOverflow posting.
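A parameterized version of the dynamic WHERE clause discussed in this thread, as an added example that is not part of the original posts. The procedure name usp_SearchUsers and the parameter names and types are assumptions; tbl_Users and its columns are taken from the question.

```sql
-- Hypothetical procedure: each optional filter appends only fixed SQL text,
-- and the caller's values reach the query as sp_executesql parameters.
CREATE PROCEDURE dbo.usp_SearchUsers
    @username   int           = NULL,  -- int assumed: the question compares usr_Username to 5
    @first_name nvarchar(100) = NULL
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sql nvarchar(max) = N'SELECT * FROM tbl_Users WHERE 1 = 1';

    -- The condition list is dynamic, but nothing supplied by the caller
    -- is ever concatenated into @sql.
    IF @username IS NOT NULL
        SET @sql += N' AND usr_Username = @p_username';

    IF @first_name IS NOT NULL
        SET @sql += N' AND usr_first_name LIKE N''%'' + @p_first_name + N''%''';

    -- Parameters that the final statement does not reference are allowed.
    EXEC sys.sp_executesql
        @sql,
        N'@p_username int, @p_first_name nvarchar(100)',
        @p_username   = @username,
        @p_first_name = @first_name;
END;
GO

-- One or more conditions, chosen by which arguments are supplied.
EXEC dbo.usp_SearchUsers @username = 5;
EXEC dbo.usp_SearchUsers @username = 5, @first_name = N'Frank';

-- Constructed input: the embedded quote and trailing text are bound as part
-- of the LIKE pattern and are not parsed as SQL.
EXEC dbo.usp_SearchUsers @first_name = N'Frank'' OR 1=1 --';
```

The % and _ characters in @first_name still act as LIKE wildcards; escape them separately if callers must match them literally.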