Procedure not running in toad asking for the variable - database

I'm using TOAD for Oracle. I'm trying to execute a stored procedure with two parameters - one IN and one OUT. It looks like this:
PROCEDURE get_stuff (
parm_1 IN VARCHAR2,
parm_2 OUT currefcursor)
In the SQL Editor window in TOAD, I've tried various things to no avail. I'm sure this is something simple that I'm missing, 'cause I've tried all sorts of things I've seen in other solutions here at Experts Exchange, but can't get past various errors. Here's what I think should work from what I've seen here:
var p1 VARCHAR2 := 'some text';
var p2 currefcursor;
EXEC get_stuff( :p1, :p2 );
When I run this, though, the SQL Editor pops up a window titled 'Variables' that appears to be looking for a value. No matter whether I put something in the 'Value' textbox or not, when I click OK, it says:
ORA-00900: invalid SQL statement
and highlights the 'var' in front of p1.
Please tell me what I'm missing!
Status Solved Priority Medium Security Public Views 21999

As the second parameter is OUT, you have to declare the variable which will accept that value. Here's how; I don't know what currefcursor type is - I guess you do.
declare
l_out currefcursor;
begin
get_stuff(:p1, l_out);
end;
/
A simple option to view the result would be this: put this code into the editor and run it as a script; the result will be displayed in the Script Output tab.
variable l_out currefcursor
exec get_stuff(:p1, :l_out);
print l_out
Or, you could even create a wrapper function which returns cursor, and then select from it:
create or replace function f_get_stuff(p1 in number)
return currefcursor
is
l_out currefcursor;
begin
get_stuff(p1, l_out);
return l_out;
end;
/
select f_get_stuff(:p1) from dual;

You can use Toad to execute without writing the execution harness yourself as well. Here is one method using the Schema Browser. Select your object and right-click > Execute.
You are presented with a dialog asking for your input parameters. Set your inputs and you can see the generated execution harness below. You can also use this generated code as an educational guide to see one method of writing the code yourself.
Click OK and your function/procedure is executed and results are shown.

Related

Accessing to OUT parameter (t_cursor type) from stored procedure using go and InstantClient

I'm dealing with an Oracle DB, connecting from go via InstantClient (version 11) (https://github.com/mattn/go-oci8). I need to be able to load this object and browse results... t_cursor output parameter.
I have tried many strategies, I know how to map function parameters to go structures but I don't know how to work with t_cursor type since it seems not being implemented in InstantClient
Example of stored procedure
create or replace procedure EXAMPLE(a IN NUMBER, b IN NUMBER, c OUT T_CURSOR) AS BEGIN
[Edit] We have also tried to execute SQL blocks from code to try to handle this third parameter.
i.e.
If you add something like
declare
c t_cursor;
begin
EXAMPLE(:1, :2, c)
end
then I don't know how you can get the block to return a result set that contains the cursor.
declare
c t_cursor;
begin
EXAMPLE(:1, :2, c)
select 1, c from dual
end
The whole block returning the result of that select would be ideal but oracle blocks do not return result sets afaik.
Anyone who can bear a hand on this?
Thank you very much
It can be done with the driver https://github.com/rana/ora instead.
*Rset may be passed to Stmt.Exe when prepared with a stored procedure accepting an OUT SYS_REFCURSOR
The README.me even has that exact example.
Caveats:
It's unclear whether the database/sql interface may be used or you are limited to the lib specific API.
Instant Client gets restricted to versions from 12.1.0.1.0 on.

Using Parameters in SSRS with LIKE operator

I am trying to create a report that has a list of various product groups as parameters. When selecting each group, a list of those related products should appear. I am currently getting a blank table.
The results for this product group display when i execute the query.
I have the list of parameters and values as follows:
i'm struggling to see where I have gone wrong, when i preview the report, I can select each parameter, but get an empty table in the report. I expect the way I have given each parameter a value may be the problem, but cannot figure it out.
This is the query in the report.
DECLARE #ProductCode VARCHAR(12)
SELECT STRC_CODE, STRC_DESC FROM DeFactoUser.F_ST_Products
WHERE STRC_CODE LIKE #ProductCode
I am using Visual Studio Data Tools 2012 to build the report.
If anyone could give me a clue, that would be greatly appreciated.
It doesn't work without the quotes. I thought the quotes and wildcard
would be necessary to allow the LIKE operator to work.
First of all you don't need to use quotes, I tried to reproduce it right now and it works without quotes:
Second, the query that SSRS sends to server looks like this:
exec sp_executesql N'select model
from [dbo].[cars]
where model like #car',N'#car nvarchar(3)',#car=N'ca%'
So the only thing it changes respect to your code is parameter type, it always declares it as unicode, i.e. nvarchar(...), so maybe it make sense to try in SSMS your code with parameter type changed to nvarchar(12):
declare ProductCode nvarchar(5) = N'PA.A%'
Try to execute it in SSMS and see if it returns smth or not

SQL Injection, ignore first select command

I am trying to build a scenario that would allow me to expose additional data from a server (for case-demo purposes). The server calls a vulnerable SQL code:
EXEC my_storeProc '12345'
where "12345" (not the single quotes) is the parameter. This performs a SELECT statement. I would like to eliminate this execution and instead call my own select statement, however the server side code will only accept the first select statement called, contained within the aforementioned EXEC call. Calling the second statement is easy:
EXEC my_storeProc '12345 ' select * from MySecondTable--
(the -- at the end will block the closing single quote added by the server to prevent errors). My problem is that although there are 2 select statements, the server will only parse the first one. Is there a way to cancel the first EXEC call without throwing an error so that the second one would be taken instead? Perhaps even a UNION but there isn't much I can do with only one variable open to exploit (variable being 12345 in this case).
You have to think of how it will be executed, specifically you want it called so it doesn't raise an exception and put the kabosh on the whole statement. You can't set the result to always true with a proc call, so there is no real way escape the proc. Instead, you'll want to slip a second command in, Your desired code looks like;
exec my_Storeproc '1234'; select * from mysecondtable
So we need to close the quotes, and make a new statement. That would mean the string with the insert needs to be;
1234'; select * from mysecondtable where 1 = '1
There is a flaw in this, whatever command you are executing is not being returned to the UI. To get the data you'll have to add a server connection to the second command.
To make the second command unnecessary you would have to inject code into the proc, which is a non starter since the proc is already complied and sql injection relies on confusing the compiler as to what is data and what is commands. For a more verbose explanation of that check out this answer:
https://security.stackexchange.com/a/25710

Trying to escape a sp_executesql variable

I've run in to a problem with a software I'm configuring. I do not have access to the source code, only the config.
The issue is as follows, in the configuration the software expects me to enter a string, but I would like the string to jump out of the compare and instead execute a funtion.
Using sql profiler I get something like this:
exec sp_executesql N'SELECT * FROM dummyTable WHERE (Name LIKE #Pattern)',N'
This does not work in my setup, because pattern is not clearly defind in advanced. I need to take the
variable passed as pattern and run it trough a sql function but I can't figure out how. Typically Pattern contains a single char, in my example "1". I've tried altering the Pattern to use an escape char and run my function on it, but I think I'm missing someting (If this is at all possible).
The variable I've send from config is as follows:
{0}' or Name like dbo.RunCalulation({0})
Giving me the following:
'…#Pattern nvarchar(43)',#Pattern=N'1'' or Name like dbo.RunCalulation(1) '
This executes, but does not give any response, so I think the esacpe char does not work, and it compares the whole string to Name.
I'm real stuck at this, hope someone has a good idea what to do (I know that not having the source code is a real problem here.
One of the huge advantages of query parameters (such as #Pattern) is that they help protect against SQL injection (which is what you are trying to do).
So the answer is that you cannot do what you want. There's no way to escape the #Pattern parameter and add some of your own SQL to that query, because everything you pass as #Pattern will be interpreted as data, and never as SQL command text (which is the reason why your SQL text ends up inside the single quotes, and why your quote is automatically escaped to ''.).

Cakephp mssql Store Procedure with parameters (Invalid cursor state)

I use CakePhp for a little application. In this application I store some store procedures (I use mssql). Now I want to execute theses store procedures and want to use the result set.
If I call a store procedure without any parameters i get want I want without any problems. But when i call another store procedure with parameters i get the error "Invalid cursor state"). I did some research and i understood that there it seemed to be that i execute multiple select because of the result-state.
In CakePhp i call:
This is running without any problems
$res = $db->query("Exec storeProcedureWithoutParams");
Here I get the error with the cursor
$res = $db->query("Exec storeProcedureWithParams 'param1'");
The store procedures are very simple:
CREATE PROCEDURE [dbo].[storeProcedureWithoutParams]
AS
SELECT [u1]
,[u2]
,[u3]
,[u4]
,[u5]
,[u6]
FROM [testdb].[dbo].[test]
CREATE PROCEDURE [dbo].[storeProcedureWithParams]
#test nvarchar(50)
AS
SELECT [u1]
,[u2]
,[u3]
,[u4]
,[u5]
,[u6]
FROM [testdb].[dbo].[test]
where [u6] <> #test
If I execute the both queries directly at the database I get two return. The first one is the result of the select-statement and the second one is the result-set. If I understood it right, is this the problem because i get two results (thats why the cursor-error). BUT I don't know how to solve it and I don't know how to get only the result of the select-statement without the return-state?
Can anybody help me?
Thank you very much!
Greetz
V
Sorry for the late answer, but I'll add it here for testing purposes, as there aren't any full answers for this question.
Not sure 100%, but seems that when there is some kind of message output along the query results, it gives the "invalid cursor state". Adding SET NOCOUNT ON it solved to me.

Resources