SQL Server Cursor Reference (Syntax, etc) - sql-server

I don't use SQL Server Cursors often but when I do, I always have to look up the syntax and options.
So I wanted to ask, what is the best SQL Server Cursor reference on the web?
I'm looking for a reference that explains all of the (major?) options (i.e. FAST_FORWARD) and also shows quick snippets of how to use it. (i.e. How to implement looping through a cursor, with a good practice for checking the @@FETCH_STATUS variable.)
Best Regards,
Frank
Quick Update: I'm looking for a balance of quick-reference but detailed enough to see my options. As an example, MSDN is a great reference guide but it has too much detail. The reference, ideally, should be concise.
Further update: I'm still looking for sources. If someone posts a good source that fits my criteria of concise, I will accept that answer...

How to Perform SQL Server Row-by-Row Operations Without Cursors:
http://www.sql-server-performance.com/articles/per/operations_no_cursors_p1.aspx
SQL Server Cursor Examples (with Cursor Alternatives):
http://www.mssqltips.com/tip.asp?tip=1599

I'd start out with the MSDN help page for cursors...
http://msdn.microsoft.com/en-us/library/ms180169.aspx

I always use the built in "Transact-SQL Reference" help within management studio. I find the examples on everything there to be more than enough for what I need.
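As an added example (not from any of the answers above), here is the loop the question asks for: a LOCAL FAST_FORWARD cursor over a constructed table variable, with the @@FETCH_STATUS check placed right after each FETCH. The table and column names are assumptions for illustration.

```sql
-- Added example: FAST_FORWARD cursor with a @@FETCH_STATUS-driven loop.
-- @Users and its columns are assumptions; the rows are constructed sample data.
DECLARE @Users TABLE (UserId INT, UserName SYSNAME);
INSERT INTO @Users (UserId, UserName)
VALUES (1, N'alice'), (2, N'bob'), (3, N'carol');

DECLARE @UserId INT, @UserName SYSNAME;

-- LOCAL scopes the cursor name to this batch/procedure.
-- FAST_FORWARD = forward-only, read-only: the cheapest choice when you only
-- need a single pass and never UPDATE ... WHERE CURRENT OF.
DECLARE user_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT UserId, UserName FROM @Users ORDER BY UserId;

OPEN user_cur;
FETCH NEXT FROM user_cur INTO @UserId, @UserName;

-- @@FETCH_STATUS: 0 = the last FETCH returned a row, -1 = no more rows,
-- -2 = the row fetched is missing. It reflects the most recent FETCH on ANY
-- cursor in the connection, so test it immediately after the FETCH and keep
-- the FETCH as the last statement of the loop body.
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT CONCAT(N'Processing user ', @UserId, N': ', @UserName);

    FETCH NEXT FROM user_cur INTO @UserId, @UserName;
END;

-- CLOSE releases the result set; DEALLOCATE frees the cursor itself.
-- Forgetting either leaks the cursor for the life of the connection.
CLOSE user_cur;
DEALLOCATE user_cur;
```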

Related

What does the function fn:data() do in exist-db?

I would like to know what the fn:data() function does in exist-db. I can't find the answer anywhere on the web.
It seems you have found one documentation of the data function, however, that is part of the MS SQL Server XQuery support.
In general, the W3C XQuery/XPath/XSLT functions are specified in https://www.w3.org/TR/xpath-functions/, so the data function in https://www.w3.org/TR/xpath-functions/#func-data.
Or use the eXist-db documentation if you want an eXist-db specific documentation, searchable at http://www.exist-db.org/exist/apps/fundocs/index.html: for the data function http://www.exist-db.org/exist/apps/fundocs/view.html?uri=http://www.w3.org/2005/xpath-functions&location=java:org.exist.xquery.functions.fn.FnModule&details=true#data.1
For the data function it might not matter but in general the "XQuery" support in non-XML databases like MS SQL is often not complete and/or not based on the current/latest spec so I would start with the W3C specification and then look at vendor specific documentation for the XQuery implementation in use instead of using third party documentation.
I just found the answer to my own question. If anyone else is wondering about this, you can find more here: https://learn.microsoft.com/en-us/sql/xquery/data-accessor-functions-data-xquery?view=sql-server-ver15

How do websites use information on a database to create pages?

Sorry about the broad question. I'm just curious if someone could point me in the right direction.
Say there's a database of contact information, and there's a site where you can input a person's name and it brings you to a page with all of their information on that database. How does this happen exactly? The server would have to dynamically create this page, but does it have a generic format that it just fills with the information? And how does this happen?
Like you said, this is an extremely broad question. It could be either way. The server could generate the entire contents dynamically, or it could be "filling the blanks" into a preformatted layout.
Google some PHP basic tutorials. That should give you a good idea about how this "dynamism" works. Sorry but your question is too broad to elaborate more.
The server would dynamically create the page using PHP and SQL. There is a quick tutorial at http://www.mysqltutorial.org/php-querying-data-from-mysql-table/ that shows how it would be set up.
If I understood your question right, you are asking things like how this page was created, for example, in which case it can be as simple as a basic PHP and SQL combination. You can check an example on the w3schools website:
Try it yourself example
There would be special placeholders for the data, and a query will extract the data and put it into the given placeholders. Please note that you can also use loops to add things like tables, fetch through multiple rows and so on.

How to use Regex in a tsql query

I have a column called link, which can hold different types of link. I'd like to retrieve only those that hold URLs, i.e. www.google.com, so that I can apply something.
SELECT *
FROM UserAlert
WHERE Link = ... -- check whether it's a URL
Thanks for helping
This is almost 100% likely to be a job better suited to the front-end application, not the database. It will require code execution on the server.
Here is a thread here on StackOverflow about url detection regexes, from which you can select any of a number of reasonably good expressions: What is the best regular expression to check if a string is a valid URL?
To use regexes in MSSQL, you need to first use MSSQL 2005 or later. Assuming that is the case... you have to wrap regex functionality in a custom CLR object, enable CLR interaction on your whole database, and then you can use that custom CLR object in your WHERE clause.
Here is a detailed article about doing exactly that with examples and step-by-step instructions.
I hope you're REALLY SURE that you want code execution to be part of your database. Good luck!

SQL injection attempt on my server

I know a little about SQL injections and URL decode, but can someone who's more of an expert than me on this matter take a look at the following string and tell me what exactly it's trying to do?
Some kid from Beijing a couple weeks ago tried a number of injections like the one below.
%27%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20%27%27=%27
It's making a guess about the sort of SQL statement that the form data is being substituted into, and assuming that it will be poorly sanitised at some step along the road. Consider a program talking to an SQL server (Cish code purely for example):
fprintf(sql_connection, "SELECT foo,bar FROM users WHERE user='%s';", username);
However, with the above string, the SQL server sees:
SELECT foo,bar FROM users WHERE user='' and char(124)+user+char(124)=0 and ''='';
Whoops! That wasn't what you intended. What happens next depends on the database back-end and whether or not you've got verbose error reporting turned on.
It's quite common for lazy web developers to enable verbose error reporting unconditionally for all clients and to not turn it off. (Moral: only enable detailed error reporting for a very tight trusted network, if at all.) Such an error report typically contains some useful information about the structure of the database which the attacker can use to figure out where to go next.
Now consider the username '; DESCRIBE TABLE users; SELECT 1 FROM users WHERE 'a'='. And so it goes on... There are a few different strategies here depending on exactly how the data comes out. SQL injection toolkits exist which can automate this process and attempt to automatically dump out the entire contents of a database via an unsecured web interface. Rafal Los's blog post contains a little more technical insight.
You're not limited to the theft of data, either; if you can insert arbitrary SQL, well, the obligatory xkcd reference illustrates it better than I can.
You'll find detailed info here:
http://blogs.technet.com/b/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
These lines are double-encoded -- the first set of encoded characters, which would be translated by IIS, are denoted by %XX. For example, %20 is a space. The second set aren't meant to be translated until they get to the SQL Server and they use the char(xxx) function in SQL.
' and char(124)+user+char(124)=0 and ''='
That's strange... however, make sure you escape strings so there will be no SQL injections.
Other people have covered what's going on, so I'm going to take a moment to get on my high horse and strongly suggest that if you're not already (I suspect not from a comment below) you use parameterized queries. They literally make you immune to SQL injection because they cause parameters and the query to be transmitted completely separately. There are also potential performance benefits, yadda yadda, etc.
But seriously, do it.
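As an added example (not code from any answer in this thread), the same decoded payload run two ways in T-SQL: spliced into a string-built statement, as the fprintf above does, and then bound as a parameter through sp_executesql. The #Users table and its columns are assumptions for illustration.

```sql
-- Added example: string-built dynamic SQL vs. sp_executesql with parameters.
-- #Users and its columns are assumptions; the row is constructed sample data.
CREATE TABLE #Users (foo INT, bar NVARCHAR(50), [user] SYSNAME);
INSERT INTO #Users VALUES (1, N'constructed row', N'alice');

-- The attacker's string after IIS has URL-decoded the %XX sequences:
--   ' and char(124)+user+char(124)=0 and ''='
DECLARE @input NVARCHAR(200) = N''' and char(124)+user+char(124)=0 and ''''=''';

-- 1) Vulnerable: the input is concatenated into the statement text. The
--    leading quote closes the literal and the rest is parsed as SQL.
--    char(124)+user+char(124)=0 forces '|<db user>|' to be converted to INT;
--    the conversion error quotes that value, so verbose error reporting hands
--    the caller the database user name. This is what the payload probes for.
DECLARE @sql NVARCHAR(MAX) =
    N'SELECT foo, bar FROM #Users WHERE [user] = ''' + @input + N''';';
PRINT @sql;   -- the statement the server really receives
BEGIN TRY
    EXEC (@sql);
END TRY
BEGIN CATCH
    PRINT N'Error text a verbose page would leak: ' + ERROR_MESSAGE();
END CATCH;

-- 2) Parameterized: the statement text is fixed and the value is bound to @u,
--    so it is only ever compared as data and never parsed as SQL.
--    Returns no rows, because no user is literally named that string.
EXEC sp_executesql
    N'SELECT foo, bar FROM #Users WHERE [user] = @u;',
    N'@u SYSNAME',
    @u = @input;

DROP TABLE #Users;
```

The same separation of statement and value is what an ADO Command object with Parameters gives you from ASP/VBScript; the defence is the binding, not the client library.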

parametrization in VBScript/ASP Classic and ADO

I'm a bit confused here. Microsoft as far as I can tell claims that parametrization is the best way to protect your database from SQL injection attacks. But I find two conflicting sources of information here:
This page says to use the ADO command object. But this page says that the command object isn't safe for scripting. I seem to recall reading somewhere that the command object shouldn't be used in VBScript or JScript because of security vulnerabilities, but I can't seem to find that article.
Am I missing something here, or do those two articles seem to contradict each other?
I could be wrong here, but I think this just means that someone could use the Command object to do bad things. I.e. it's not to be trusted if someone else is scripting it.
See safe for scripting in this article. Every instance that talks about this phrase online, references it as if you are marking an ActiveX control saying "This control does no I/O or only talks back to the server that it came from" but the Command object doesn't do that. It can be used to do a lot of things which could be unsafe.
The "safe" they are talking about and the "safe" to prevent from SQL injection are two different things. The article about using the ADO Command object to parametrize your data is spot on. You should do that.
And, Microsoft further confirms this here:
http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx
I think "safe for scripting" means "safe to be run from a webpage we just retrieved from some Nigerian prince". The command object should be safe to run on the server.
At work though, back in the day my colleagues didn't trust it so we had an in-house framework that basically did the same thing.
