Block in SQL Server (SP_WHO2) - sql-server

I have a problem at the company I work for: some people are using SQL the wrong way, causing blocks that naturally bring the whole system down, but we are not able to catch who is doing this, because by the time we notice it, the process is already gone.
I wonder if there is any way to save the data from the blocks?
As soon as something happens, it would save data such as SPID, Login, HostName, DBName, Command and, if possible, also capture and save the script the person is running. I usually look at that with:
dbcc inputbuffer (SPID)
I already Googled it and didn't find anything, so I came here.
Thanks in advance.
PS: Sorry for the English, it's from Google Translate.
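One way to keep the evidence that sp_who2 and DBCC INPUTBUFFER only show while the block is live, as an added example (not from the question or any answer): a polling loop that writes every blocked/blocking pair, with the login, host, database, command and the text of both statements, into a log table. The table name dbo.BlockingLog, the 10-second interval and the column set are assumptions; adjust them to taste. The blocker's statement is read from sys.dm_exec_connections rather than sys.dm_exec_requests because the session holding the lock is very often idle ("sleeping" with an open transaction) and therefore has no row in dm_exec_requests at all.

```sql
-- Added example, not code from the original post. Run it in its own SSMS
-- window (or move the INSERT into a SQL Agent job) and stop it with Ctrl+Break.
SET NOCOUNT ON;

IF OBJECT_ID('dbo.BlockingLog') IS NULL
BEGIN
    CREATE TABLE dbo.BlockingLog (
        captured_at      datetime2(0)  NOT NULL DEFAULT SYSDATETIME(),
        blocked_spid     int           NOT NULL,
        blocking_spid    int           NOT NULL,   -- what sp_who2 shows as BlkBy
        wait_ms          int           NULL,
        wait_type        nvarchar(60)  NULL,
        blocked_login    nvarchar(128) NULL,
        blocked_host     nvarchar(128) NULL,
        blocked_db       sysname       NULL,
        blocked_command  nvarchar(32)  NULL,
        blocked_sql      nvarchar(max) NULL,
        blocking_login   nvarchar(128) NULL,
        blocking_host    nvarchar(128) NULL,
        blocking_program nvarchar(128) NULL,
        blocking_status  nvarchar(30)  NULL,       -- usually 'sleeping'
        blocking_sql     nvarchar(max) NULL        -- last batch the blocker ran
    );
END;

WHILE 1 = 1
BEGIN
    INSERT INTO dbo.BlockingLog
        (blocked_spid, blocking_spid, wait_ms, wait_type,
         blocked_login, blocked_host, blocked_db, blocked_command, blocked_sql,
         blocking_login, blocking_host, blocking_program, blocking_status, blocking_sql)
    SELECT
        r.session_id,
        r.blocking_session_id,
        r.wait_time,
        r.wait_type,
        bs.login_name,
        bs.host_name,
        DB_NAME(r.database_id),
        r.command,
        bt.text,
        ks.login_name,
        ks.host_name,
        ks.program_name,
        ks.status,
        kt.text
    FROM sys.dm_exec_requests AS r                         -- the blocked request
    JOIN sys.dm_exec_sessions AS bs ON bs.session_id = r.session_id
    JOIN sys.dm_exec_sessions AS ks ON ks.session_id = r.blocking_session_id
    -- the blocker is typically not executing anything, so its most recent
    -- batch lives on the connection, not on a request (MARS sessions can
    -- have more than one connection row and will show up more than once)
    LEFT JOIN sys.dm_exec_connections AS kc ON kc.session_id = ks.session_id
    OUTER APPLY sys.dm_exec_sql_text(r.sql_handle)            AS bt
    OUTER APPLY sys.dm_exec_sql_text(kc.most_recent_sql_handle) AS kt
    WHERE r.blocking_session_id <> 0;

    WAITFOR DELAY '00:00:10';
END;
```

Querying the log by blocking_login and blocking_sql answers the "who" question after the fact. On SQL Server 2014 SP2 / 2016 SP1 and later, sys.dm_exec_input_buffer(session_id, request_id) returns the same thing as DBCC INPUTBUFFER and can be added as another OUTER APPLY. The server-side alternative to polling is to set sp_configure 'blocked process threshold (s)' to a few seconds and capture the sqlserver.blocked_process_report event in an Extended Events session; that report contains the same blocked and blocking input buffers as XML.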

Query Run in different DB after returning to check remotely

Please help me on this.
I am running a query remotely on A.db. Because it's big data, and maybe something was wrong with A.db that day, it took a long time. I don't mind spending the time as long as I get my result.
After hours of running (16 hours, to be exact), the result was an execution failure with some error. I went through the query and couldn't find any mistakes. But after a few more reads, I realized that the query had been executing in B.db instead of A.db, where I was originally executing it.
Is there any reason for the query to switch to a different DB by itself? I read through the query and even let my colleague go through it; nothing is telling the query to run in a different DB.
Please help me on this; it has been bugging me for more than a week, and I can't focus on other things because of this problem.
Thank you
Hey, it can't run on a different DB if you ran it on a given DB.
There is a chance that you accidentally clicked in Object Explorer and selected a different DB.
The better way is to just add
Use DB_name
at the top of your query; this tells the engine to run the query in the DB you specified.
Use a.DB
SELECT distinct A.* from (

sql server management studio code completion

I've noticed that whenever I add tables / stored procs / functions / whatever to a SQL Server database, it takes a while for the code completion to pick up that they are now part of the database.
This is really annoying, since the code completion and syntax highlighting become totally broken in the workflow where you create a table and then start writing queries or whatever that deal with this new object.
Does anyone know how to get the code completion / syntax highlighting engine to update its view of what is in the database, to get rid of all these spurious invalid object name errors?
I understand that it's too late to answer the question but maybe it will help someone.
You can refresh the Intellisense cache with Ctrl+Shift+R, and wait for 5-10 seconds.
A guess: Close and reopen SSMS? Lame and ineffective, and I hope there's a better way.

What does xp_qv do in SQL Server?

Last night one of our SQL servers developed some major problems and, after a colleague stopped and started it and did all the usual things, it started checking and rebuilding databases and is now running an extended stored procedure called "xp_qv".
The internet seems to be very short of information on what this procedure does or anything like that, so I was hoping somebody here might be able to help.
I should add that I assume it is meant to be running, so the question isn't "Can I stop it" or anything like that; it's just curiosity about what it is doing, in the hope that it will help determine how long before things are usable again...
This is the only information I could find:

xp_qv, hosted in xpsqlbot.dll, is a wrapper around functionality in sqlboot.dll, which returns information about the SKU type, licensing etc. It is not documented; that is why you cannot find a reference.

SQL injection attempt on my server

I know a little about SQL injections and URL decode, but can someone who's more of an expert than me on this matter take a look at the following string and tell me what exactly it's trying to do?
Some kid from Beijing a couple weeks ago tried a number of injections like the one below.
%27%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20%27%27=%27
It's making a guess about the sort of SQL statement that the form data is being substituted into, and assuming that it will be poorly sanitised at some step along the road. Consider a program talking to an SQL server (Cish code purely for example):
fprintf(sql_connection, "SELECT foo,bar FROM users WHERE user='%s';", username);
However, with the above string, the SQL server sees:
SELECT foo,bar FROM users WHERE user='' and char(124)+user+char(124)=0 and ''='';
Whoops! That wasn't what you intended. What happens next depends on the database back-end and whether or not you've got verbose error reporting turned on.
It's quite common for lazy web developers to enable verbose error reporting unconditionally for all clients and to not turn it off. (Moral: only enable detailed error reporting for a very tight trusted network, if at all.) Such an error report typically contains some useful information about the structure of the database which the attacker can use to figure out where to go next.
Now consider the username '; DESCRIBE TABLE users; SELECT 1 FROM users WHERE 'a'='. And so it goes on... There are a few different strategies here depending on exactly how the data comes out. SQL injection toolkits exist which can automate this process and attempt to automatically dump out the entire contents of a database via an unsecured web interface. Rafal Los's blog post contains a little more technical insight.
You're not limited to the theft of data, either; if you can insert arbitrary SQL, well, the obligatory xkcd reference illustrates it better than I can.
You'll find detailed info here:
http://blogs.technet.com/b/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
These lines are double-encoded. The first set of encoded characters, which would be translated by IIS, are denoted by %XX. For example, %20 is a space. The second set aren't meant to be translated until they get to the SQL Server, and they use the char(xxx) function in SQL.
' and char(124)+user+char(124)=0 and ''='
That's strange. However, make sure you escape strings so there will be no SQL injections.
Other people have covered what's going on, so I'm going to take a moment to get on my high horse and strongly suggest that, if you're not already (I suspect not, from a comment below), you use parameterized queries. They literally make you immune to SQL injection, because they cause the parameters and the query to be transmitted completely separately. There are also potential performance benefits, yadda yadda, etc.
But seriously, do it.
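What the decoded payload actually does once it reaches SQL Server, and why the parameterized query recommended above defeats it, as an added example that is not part of the thread. The #users table and its rows are constructed for the demo, and the column is called username rather than the template's user because an unbracketed user in T-SQL is the USER function, not a column; the fprintf template is reproduced with string concatenation. On SQL Server, char(124)+user+char(124) evaluates to the string '|<current database user>|', and comparing it with the integer 0 forces an implicit conversion that fails with an error whose text contains that string, which is exactly the information a verbose error page hands to the attacker.

```sql
-- Added example, not code from the original thread.
CREATE TABLE #users (username nvarchar(50), foo nvarchar(50), bar nvarchar(50));
INSERT INTO #users VALUES (N'alice', N'foo1', N'bar1'), (N'bob', N'foo2', N'bar2');  -- constructed rows

-- The attacker's string after IIS has undone the one layer of %XX encoding,
-- i.e. the decoded line quoted above:  ' and char(124)+user+char(124)=0 and ''='
DECLARE @input nvarchar(200) = N''' and char(124)+user+char(124)=0 and ''''=''';

-- 1) The fprintf-style template: the input is spliced into the SQL text.
DECLARE @sql nvarchar(max) =
    N'SELECT foo, bar FROM #users WHERE username = ''' + @input + N''';';
PRINT @sql;
-- SELECT foo, bar FROM #users WHERE username = '' and char(124)+user+char(124)=0 and ''='';

BEGIN TRY
    EXEC (@sql);
END TRY
BEGIN CATCH
    -- Error 245, "Conversion failed when converting the nvarchar value
    -- '|dbo|' to data type int." (with whatever USER returns in place of dbo).
    -- The attacker never needed a row back: the error message is the data.
    PRINT CONCAT(ERROR_NUMBER(), N': ', ERROR_MESSAGE());
END CATCH;

-- 2) The same statement with the input bound as a parameter. The payload is
-- compared as a plain value against username, matches nothing, and none of
-- the attacker's text is ever parsed as SQL, so no error and no leak.
EXEC sys.sp_executesql
    N'SELECT foo, bar FROM #users WHERE username = @u;',
    N'@u nvarchar(200)',
    @u = @input;

DROP TABLE #users;
```

The same pattern applies from application code: a prepared statement or parameterized command sends the SQL text and the values separately, which is what makes escaping unnecessary. Escaping quotes in the application, as suggested in the comment above, only blocks the variants of this payload that depend on a quote character, and has to be redone correctly for every call site.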

Access to facebook data

I want to access facebook's database.
I want to have some SQL-like access, let's like this:
"select name from facebook-big-database-table where location='France' and city='Paris' and age
between 30 and 40;"
But it need not be SQL; PHP or Java would also be fine for me to use.
Does anybody know where to start?
To be honest, I got a little bit lost in all the tutorials Facebook offers.
Is it the so called "Connect" program which offers me what I want or something different?
Facebook does have a bunch of APIs, one of which actually looks like SQL. They call it FQL. Check it out here. Maybe it can help you at least part of the way.
Note that it won't give you raw access to the underlying tables. But still, better than nothing I guess.
Facebook isn't going to let you mine their database in that way. Not possible.
You won't be able to access Facebook's database. The most you'd be able to do is get information on users who have previously consented to your application accessing their data.
Therefore, answering your question: what you want can't be done, period.
