Tech Sharing Blog

Computer knowledge, news, product, SEO, earn money online sharing place

Advertisement

Posts Tagged ‘ SQL ’

Possible injection use keyword

By on May 19, 2010

SQLInjection1 1 Possible injection use keyword

All the web developer, web admin, as well as DB admin are always facing the attacking from all around the world toward their web site, but how to prevent it?


Some may use the 3th party software to prevent it, some may just filter all the possible keyword enter by the user, some will use the database store procedure to prevent it. The following are some of the keyword that you may need to take care of when you allow your user to enter any input to your system.


Web site injection attack keyword (204)

More From david_cheong

david_cheong Recommends

Possible injection use keywordAsk david_cheong To Recommend Your Posts Possible injection use keyword

Popularity: 4% [?]

SQL Server Do’s And Dont’s

By on August 29, 2009

data SQL Server Dos And DontsSo, you are now the leader of a SQL Server based project and this is your first one, perhaps migrating from Access. Or maybe you have performance problems with your SQL Server and don’t know what to do next. Or maybe you simply want to know of some design guidelines for solutions using SQL Server and designing Database Access Layers (DAL): this article is for you.



Even if you are not using SQL Server, most of these design guidelines apply to other DBMS, too: Sybase is a very similar environment for the programmer, and Oracle designs may benefit from this too. I won’t show here how to use specific T-SQL tricks, nor won’t give you miracle solutions for your SQL Server problem. This is by no means a complete, closed issue. What I intend to do is give you some advices for a sound design, with lessons learned through the last years of my life, seeing the same design errors being done again and again.

 

Do know your tools

Please, don’t underestimate this tip. This is the best of all of those you’ll see in this article. You’d be surprised of how many SQL Server programmers don’t even know all T-SQL commands and all of those effective tools SQL Server has.

 

“What? I need to spend a month learning all those SQL commands I’ll never use???” you might say. No, you don’t need to. But spend a weekend at MSDN and browse through all T-SQL commands: the mission here is to learn a lot of what can and what can’t be done. And, in the future, when designing a query, you’ll remember “Hey, there’s this command that does exactly what I need”, and then you’ll refer again to MSDN to see its exact syntax.

 

In this article I’ll assume that you already know the T-SQL syntax or can find about it on MSDN.

  [More]

More From david_cheong

david_cheong Recommends

SQL Server Dos And DontsAsk david_cheong To Recommend Your Posts SQL Server Dos And Donts

Popularity: 1% [?]

Advance SQL Injection

By on June 17, 2009

sqlinjection Advance SQL InjectionThere are a lot of web site attacking method now a days, one of the most attacking method that we can easily found is the SQL Injection.


First of all, before you know about the SQL Injection, you may need to know what is SQL. Structured Query Language (‘SQL’) is a textual language used to interact with relational databases.


There are many varieties of SQL; most dialects that are in common use at the moment are loosely based around SQL-92, the most recent ANSI standard. The typical unit of execution of SQL is the ‘query’, which is a collection of statements that typically return a single ‘result set’. SQL statements can modify the structure of databases (using Data Definition Language statements, or ‘DDL’) and manipulate the contents of databases (using Data Manipulation Language statements, or ‘DML’). In this paper, we will be specifically discussing Transact-SQL, the dialect of SQL used by Microsoft SQL Server.


SQL Injection occurs when an attacker is able to insert a series of SQL statement into a ‘query’ by manipulating data input into an application.


The attacker may use the try and error method to study the database table structure and may inject the statement either to read, delete, edit your data in database or more  dangerous is they may take control ovre your database server.


The following PDF file explain the SQL injection in more detail, you may download, study and understanding the most common SQL Injection technique use by the attacker.


Advance SQL Injection (232)


More From david_cheong

david_cheong Recommends

Advance SQL InjectionAsk david_cheong To Recommend Your Posts Advance SQL Injection

Popularity: 1% [?]

Convert varchar into math calculation

By on May 27, 2009

database symbol Convert varchar into math calculationI try to google, call, msn my friend to find out the solution when I stay back in my office until late night yesterday. But still no luck after few hours of trying.


Thinking of gave up when back to office this morning, but one of my friend suddently send me the solution via MSN. That’s the best present I received by today. I’m not sure how many people will looking for this kind of solution, but any way, will post here to share with all and you may take it if you need it.


Basically the idea is that you put all your select, update or delete statment into the variable and use the execute command to execute the whole variable.

My problem:

I have a formula store in a table which is A+B*C+D. My A = 1, B=2, C=3, D=4.


I managed to replace all my variable with the integer using cursor (This maybe not a good solution, but this is not the main discussion in this post)


The finally answer I get is 1+2*3+4. But the bad thing is in the varchar datatype. I only manage to disply 1+2*3+4 but not the answer of 11.


The solution as below:


Declare @MathFomula Varchar(100)

Set @MathFormula = ’1+2*3+4′

Exec(‘SELECT ‘ + @MathFormula  + ‘ AS Result’


Output: 11


* Remember that * and / will calculate at first before + and -


execute math in sql Convert varchar into math calculation


More From david_cheong

david_cheong Recommends

Convert varchar into math calculationAsk david_cheong To Recommend Your Posts Convert varchar into math calculation

Popularity: 3% [?]

ISNULL, NULLIF MsSQL function

By on May 21, 2009

I just found out this usefu function in MSSQL when I try to Google for the solution to replace the null value with something else. So that I no need to do the checking again in my application. The function is call


NULLIF and ISNULL


This 2 functions are actually work opposite with each other.

NULLIF(ColumnName, ValueToCompare) accept 2 parameters, and will return the NULL value if both the expression match.


IFNULL(ColumnName, NewValue) accept 2 parameters, the first parameters is the string that you wish you check with, and the 2nd parameter that you wish to replace with.


More From david_cheong

david_cheong Recommends

ISNULL, NULLIF MsSQL functionAsk david_cheong To Recommend Your Posts ISNULL, NULLIF MsSQL function

Popularity: 3% [?]

Copy data and update table in MsSQL 2000

By on January 20, 2009

mssql copy data logo Copy data and update table in MsSQL 2000I try to search around the solution of how to copy and update certain data from table1 to table2. But always cannot remember it and keey search it again and again even I did it several time.


So rather then always search it in Google, I just copy it here to share and keep it as the part of my e-library.


SQL Syntax as below:

UPDATE t1
SET col2 = t2.col2
FROM table1 t1 inner join table2 t2 on t1.col1=t1.col2
WHERE Col3 >5


What the above SQL did was it copy the certain data in table2 and update to the field table1 base on the search query in the where.


More From david_cheong

david_cheong Recommends

Copy data and update table in MsSQL 2000Ask david_cheong To Recommend Your Posts Copy data and update table in MsSQL 2000

Popularity: 1% [?]

SEO Powered by Platinum SEO from Techblissonline