SQL Query Select Line Number (SSMS) - sql-server

Do any of you know of a command or function that would produce the line number of the query window inside of select statement? For example, if you are on line 34 it you would have select statement and the results would show 34. I am not looking to use row_number() function because we are not referencing a table.

You can't do what you want without altering the stored procedure and adding PRINT 'something' statements.
While this tactic can be useful for quick-and-dirty stored procedure debugging, it does not beautify the code and, is not considered sustainable. There are better methods. Maybe look at a tutorial like this: https://www.sqlshack.com/debugging-stored-procedures-sql-server-management-studio-ssms/

Related

Using Parameters in SSRS with LIKE operator

I am trying to create a report that has a list of various product groups as parameters. When selecting each group, a list of those related products should appear. I am currently getting a blank table.
The results for this product group display when i execute the query.
I have the list of parameters and values as follows:
i'm struggling to see where I have gone wrong, when i preview the report, I can select each parameter, but get an empty table in the report. I expect the way I have given each parameter a value may be the problem, but cannot figure it out.
This is the query in the report.
DECLARE #ProductCode VARCHAR(12)
SELECT STRC_CODE, STRC_DESC FROM DeFactoUser.F_ST_Products
WHERE STRC_CODE LIKE #ProductCode
I am using Visual Studio Data Tools 2012 to build the report.
If anyone could give me a clue, that would be greatly appreciated.
It doesn't work without the quotes. I thought the quotes and wildcard
would be necessary to allow the LIKE operator to work.
First of all you don't need to use quotes, I tried to reproduce it right now and it works without quotes:
Second, the query that SSRS sends to server looks like this:
exec sp_executesql N'select model
from [dbo].[cars]
where model like #car',N'#car nvarchar(3)',#car=N'ca%'
So the only thing it changes respect to your code is parameter type, it always declares it as unicode, i.e. nvarchar(...), so maybe it make sense to try in SSMS your code with parameter type changed to nvarchar(12):
declare ProductCode nvarchar(5) = N'PA.A%'
Try to execute it in SSMS and see if it returns smth or not

SQL Injection, ignore first select command

I am trying to build a scenario that would allow me to expose additional data from a server (for case-demo purposes). The server calls a vulnerable SQL code:
EXEC my_storeProc '12345'
where "12345" (not the single quotes) is the parameter. This performs a SELECT statement. I would like to eliminate this execution and instead call my own select statement, however the server side code will only accept the first select statement called, contained within the aforementioned EXEC call. Calling the second statement is easy:
EXEC my_storeProc '12345 ' select * from MySecondTable--
(the -- at the end will block the closing single quote added by the server to prevent errors). My problem is that although there are 2 select statements, the server will only parse the first one. Is there a way to cancel the first EXEC call without throwing an error so that the second one would be taken instead? Perhaps even a UNION but there isn't much I can do with only one variable open to exploit (variable being 12345 in this case).
You have to think of how it will be executed, specifically you want it called so it doesn't raise an exception and put the kabosh on the whole statement. You can't set the result to always true with a proc call, so there is no real way escape the proc. Instead, you'll want to slip a second command in, Your desired code looks like;
exec my_Storeproc '1234'; select * from mysecondtable
So we need to close the quotes, and make a new statement. That would mean the string with the insert needs to be;
1234'; select * from mysecondtable where 1 = '1
There is a flaw in this, whatever command you are executing is not being returned to the UI. To get the data you'll have to add a server connection to the second command.
To make the second command unnecessary you would have to inject code into the proc, which is a non starter since the proc is already complied and sql injection relies on confusing the compiler as to what is data and what is commands. For a more verbose explanation of that check out this answer:
https://security.stackexchange.com/a/25710

ColdFusion 10 error with Stored Procedures

In a .CFC file, within a CFfunction and with CFargument tags.
<cfscript>
var sp=new storedproc();
sp.setDatasource(variables.datasource);
sp.setProcedure("storedProcedure_INSERT");
sp.addParam(cfsqltype="cf_sql_integer",type="in",value=arguments.one);
sp.addParam(cfsqltype="cf_sql_integer",type="in",value=arguments.two);
sp.addParam(cfsqltype="cf_sql_integer",type="in",value=arguments.three);
sp.addParam(cfsqltype="cf_sql_integer",type="in",value=arguments.four);
sp.addProcResult(name="results",resultset=1);
//writeDump(sp);break; //This dump is reached
var spObj=sp.execute(); //blows up here; this is never reached
writeDump(spObj);break; //This is never reached, either.
var spResults=spObj.getProcResultSets().results;
A shiny nickle to anyone who can tell me why the sp.execute() is blowing up with message
"Cannot find results key in structure.
The specified key, results, does not exist in the structure."
I've used this psuedo-code many, may times in the past, and never had it do this. I'm connected to a MSSQL Server 2012 DB, everything's cricket in CF Admin, and other SPs are working properly. The stack trace doesn't even include any of MY code at all o_O
The error occurred in C:/ColdFusion10/cfusion/CustomTags/com/adobe/coldfusion/base.cfc: line 491
Called from C:/ColdFusion10/cfusion/CustomTags/com/adobe/coldfusion/storedproc.cfc: line 142
Called from //hq-devfs/development$/websites/myProject/cfc/mySOAPWSDLs.cfc: line 123
And SO is blowing up if I try and paste anymore of that. Google has...not been helpful ._.
Short answer: The error means you are trying to retrieve a resultset from the stored procedure, when it does not actually return one. A simple solution is to add a SELECT to the end of your procedure, so it returns a resultset containing the data you need. Then your original code will work:
SELECT ##ROWCOUNT AS NumOfRowsAffected;
Longer answer:
The method you are using, addProcResult(), is the equivalent of <cfprocresult>. It is intended to capture a resultset returned from a stored procedure. (Due to CF's poor choice of attribute names, a lot of people think "resultset" means the storedproc "result" structure, but they are two totally different things). A "resultset" is a query object", in CF parlance.
While all four (4) of the primary sql statements return some result, not all of them return a "query object"
Only SELECT statements generate a "query object"
INSERT/UPDATE/DELETE statements simply return the number of rows affected. They do not generate a "query object".
Since your stored procedure performs an INSERT, it does not generate a "query object". Hence the error when you try and grab the non-existent query here:
sp.addProcResult(name="results",resultset=1);
The simple solution is to add a SELECT statement to the end of your stored procedure, so that it does return a query object. Then your code will work as expected.
As an aside, I suspect you were actually trying to grab the "result" structure, but used the wrong method. The equivalent of <cfstoredproc result=".."> is getPrefix(). Though that would not work here anyway. According to the docs, it does not contain the number of rows affected. Probably because stored procedures can execute multiple statements, each one potentially returning a row count, so there is not just a single value to return.

Cakephp mssql Store Procedure with parameters (Invalid cursor state)

I use CakePhp for a little application. In this application I store some store procedures (I use mssql). Now I want to execute theses store procedures and want to use the result set.
If I call a store procedure without any parameters i get want I want without any problems. But when i call another store procedure with parameters i get the error "Invalid cursor state"). I did some research and i understood that there it seemed to be that i execute multiple select because of the result-state.
In CakePhp i call:
This is running without any problems
$res = $db->query("Exec storeProcedureWithoutParams");
Here I get the error with the cursor
$res = $db->query("Exec storeProcedureWithParams 'param1'");
The store procedures are very simple:
CREATE PROCEDURE [dbo].[storeProcedureWithoutParams]
AS
SELECT [u1]
,[u2]
,[u3]
,[u4]
,[u5]
,[u6]
FROM [testdb].[dbo].[test]
CREATE PROCEDURE [dbo].[storeProcedureWithParams]
#test nvarchar(50)
AS
SELECT [u1]
,[u2]
,[u3]
,[u4]
,[u5]
,[u6]
FROM [testdb].[dbo].[test]
where [u6] <> #test
If I execute the both queries directly at the database I get two return. The first one is the result of the select-statement and the second one is the result-set. If I understood it right, is this the problem because i get two results (thats why the cursor-error). BUT I don't know how to solve it and I don't know how to get only the result of the select-statement without the return-state?
Can anybody help me?
Thank you very much!
Greetz
V
Sorry for the late answer, but I'll add it here for testing purposes, as there aren't any full answers for this question.
Not sure 100%, but seems that when there is some kind of message output along the query results, it gives the "invalid cursor state". Adding SET NOCOUNT ON it solved to me.

EF generate result objects for SQL OUTPUT clause

What can I do so that EF becomes aware of the output clause in SPs and generates the result object accordingly?
INSERT INTO goodtable
(token,
ip, long_ip,
) OUTPUT INSERTED.*
VALUES
(#token,
#ip, #long_ip,
);
What I currently do to circumvent this is writing a dummy select, generate the objects and the comment out the dummy select leaving the output. This is not a good solution for a long term run.
Please do not suggest changing the SQL.
Have you tried. when importing the stored procedure into EF, using function import, to add the returns a collection of option.
I've never tried it, but can't see a reason for it not to work.

Resources