I want to find the exact SQL statements that are generated by a Perl ORM package such as Class::DBI. I am not looking for SQL generated for simple inserts and deletes, but for row modifications that result from slightly complicated object manipulations (inserting rows in a table which is a child of a row in a parent table, for example)
Is there some way to get it?
Class::DBI uses DBI under the hood, so you can enable tracing of all SQL statements via an environment variable:
DBI_TRACE=3=dbi.log your-perl-script
Or inside of Perl, before executing any statements:
use DBI;
DBI->trace(2, 'dbi.log');
See http://metacpan.org/pod/DBI#TRACING
Since you said "such as"…
You can set the environment variable DBIC_TRACE to 1 if you are using DBIx::Class (which has a Class::DBI compatibility layer).
Related
I use CTEs (common table expressions) in SQL developer to make my queries more structured, and also with the intent to create "bricks" which I can reuse in queries.
For the second purpose it would be good to keep those CTEs in a separate file, so I don't need to browse for the latest version.
Is it possible to refer to CTE in another file in Oracle's SQL developer?
I know I could create queries / views in the database and use them, but unfortunately I don't have access to that.
One way to go would be code templates in SQL Developer itself. So you could code up your most frequent CTE's and invoke them with the keyboard.
I talk about those here
But basically you code them up in the preferences, and give them a name.
Then type the name, and hit ctrl+space to invoke the template.
You can also set these up as Auto-Replace.
For what it's worth - you CAN reference code from other files using the # and ## commands. However, it will take the contents of that file and execute as a complete, standalone SQL statement or series of statements, so I don't think you can use this to achieve your goal.
I'm writing a PL/1 subroutine that reads data from DB2. Depending on the input, it uses one of 3 cursors. These have to be opened, fetched, closed, etc. On every of these cursor-specific operations I have to specify its name. This leads to very redundant code, because the remaining operations are exactly the same for every case.
Is it possible to create a reference, to which I would assign the appropriate cursor? Then I could use this to perform the necessary tasks only once.
Because of safety-related restrictions, I'm not allowed to use dynamic (prepared) SQL.
And is there a reference containing all commands I can use in my EXEC SQL statements?
Thanks in advance
David
And is there a reference containing all commands I can use in my EXEC SQL statements?
IBM has documentation for DB2, which contains an SQL reference for the product.
I'd like to know if it's possible to execute more than one SQL statement within a single execute() or do() call using DBD::Oracle via Perl DBI. Example:
# Multiple SQL statements in a single query, separated by a ";"
$sql = 'UPDATE foo SET bar = 123; DELETE FROM foo WHERE baz = 456';
$sth = $dbh->prepare($sql);
$sth->execute;
# ...or...
$dbh->do($sql);
I ask this not because I want to actually do such a thing, but rather because I want to gauge the damage possible through a successful SQL injection attack. And yes, I know that, regardless of the answer to this question, the possibility of SQL injection must still be eliminated at its root using bind values and trusted input only, etc. But the question still stands: is it possible to make DBD::Oracle execute multiple statements?
As a related example, DBD::mysql has a mysql_multi_statements connection option that explicitly enables this "feature." I can't shake the feeling that there's some similar, perhaps undocumented and obscure Oracle OCI option that's accessible somehow via DBD::Oracle that will enable the same thing.
In case it matters, this is:
perl 5.8.8
DBD::Oracle 1.22
Oracle 11g (11.01.0700)
If there is a successful SQL injection attack, couldn't the attacker simply repeat it and run multiple statements that way as well?
Oracle supports anonymous PL/SQL blocks which can contain multiple statements.
"begin execute immediate 'drop table customers'; execute immediate 'drop table sales'; end"
Oracle provides a free tutorial on avoiding SQL injection attacks here:
http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm
I need to make sure my ado.net commands don't return more than 1000-5000 rows. Is there an ADO.NET way to do this, or is it just a TSQL?
I'm calling a stored procedure, I don't control the source code in that stored procedure. Hence I was hoping there was a ADO.NET way to do it.
Before LINQ this typically was always done using a top N clause in your inline query or stored proc. With LINQ there is some cool functions called "Take" and "Skip" which provides a construct for downloading and or skipping N number of rows. Under the hood LINQ figures out the details of how to construct the inline query that yields the exact number of rows you want off the top.
[Edit]
Since you're calling a stored procedure, I'd advise just using a TOP N clause in the select statement. This is path of least resistance and IMHO is the simplest to maintain going forward since you already have the stored procedure.
I need to get a database connection through a firewall, and also limit what queries can be run. DBD::Proxy seems to be the perfect solution for this. However, I'm currently using DBIx::Class, and can't figure out how to hook them together.
In particular, DBD::Proxy doesn't take SQL; it takes particular named queries. But DBIx::Class doesn't seem to have a way to invoke those named queries.
This is inside a Catalyst-based webapp.
DBD::Proxy does take SQL. It allows for named queries as a convenience.
There is no convenient way to use DBIx::Class with DBD::Proxy named queries, since the purpose of the DBIx::Class Object-Relational Mapper (ORM) is to present an object-oriented view of SQL's Data Manipulation Language (DML) statements. The named query feature of DBD::Proxy is not a DML statement, so DBIx::Class does not have feature that suit your needs: passing a literal string directly to the prepare() function of your DBD::Proxy driver.
Some inconvenient ways:
Don't use DBIx::Class. Just do it in DBI. You could use Catalyst::Model::DBI, or plain DBI + catalyst::Model::Adaptor + your own model class.
Don't use named queries. This means that if you were planning to use named queries as a way to control access to the database, then you'll need to move the query authorization
logic into the code that makes the call to the database inside your controller or model, depending on how you built your application.