The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Database Development’ Category

In this day and age, people still write SQL injection vulnerable code

Posted by jpluimers on 2018/03/20

I keep being amazed that new generations of people keep writing SQL injection vulnerable code, so further below is a repeat of [WayBack] xkcd: Exploits of a Mom on Little Bobby Tables, named Robert'); DROP TABLE Students;--

Take this recent question on G+ for instance: [WayBack] Hi can you help to write correct Query for Filter 3 Data fields for Example Data1 , Data2 , Data2 txt1 = Data1 txt2= data2 txt3 = data3… – Jude De Silva – Google+ with this code fragment:

Tables:

Data1 , Data2 , Data2

Text control contents:

txt1 = Data1
txt2= data2
txt3 = data3

Examples when text property is filled:

ex1: Data1  and Data 3
ex2: Data 3 and Data2
ex3: Data 1, Data 2 Data 3

Code:

Qury.Close;
Query.Sql.Clear;
Qury.Sql.Add (Select * From Table1);
If Not (txt1.text = ' ')then
   Begin
   Qury.Sql.Add(Format ('Where Data1= ' '%s' ' ',[txt1] ));
  end;
If not (txt3.text = ' ') then
   Begin
   Qury.Sql.Add(Format ('and Data3= ' '%s' ' ',[txt1] ));
  end;

This example is wrong on so many levels, so let's explain a few:

  • use of the names Qury and Query for queries: are they actually two variables?
  • inconsistent keyword capitalisation in both languages used
  • inconsistent indenting and unindenting
  • mixed use of quotes for strings
  • use of a space for blank fields
  • getting embedded quotes wrong
  • the second clause tests txt3 but formats txt1 into it, and passes the control itself instead of its Text property
  • most importantly, the actual SQL injection: the text from the edit controls is glued into the SQL statement by Format, so a single quote in the input ends the string literal and whatever follows it runs as SQL

The basic solution to the problem actually asked is like this (assuming all user input is strings):

  • use
    • where 1=1 as the starting point for and based queries
    • where 1=0 as the starting point for or based queries
  • add a method AddAndClause or AddOrClause taking the parameters Query, FieldName, ParameterName and ParameterValue that, when ParameterValue is not empty:
    • adds this to the SQL text:
      • for and based queries: Format('and %s = :%s', [FieldName, ParameterName])
      • for or based queries: Format('or %s = :%s', [FieldName, ParameterName])
    • adds a parameter: Query.ParamByName(ParameterName).AsString := ParameterValue

Only ParameterValue is bound as a parameter: a database cannot parameterise identifiers, so FieldName and ParameterName are still put into the SQL text by Format and must come from your code (a fixed list of column names), never from user input.
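The clause builder described above, as an added example that is not code from the post or from the question: it is written in Python against an in-memory SQLite database rather than Delphi, because SQLite's named :param placeholders bind the same way Query.ParamByName does and the script runs anywhere. The Table1 and Data1..Data3 names follow the question; the Students table, the sample rows and the hostile inputs are constructed here, and the unsafe builder mirrors the Format-with-quotes pattern from the question only to show the difference.

```python
"""Dynamic AND/OR filter built the way the post describes: seed the WHERE
clause with 1=1 (and) or 1=0 (or), append '<field> = :<param>' for each
non-blank control and bind the control's text as a parameter.
Added example using Python's sqlite3; table and rows are constructed."""
import sqlite3

# Columns a caller may filter on. Field names are spliced into the SQL text
# (an identifier cannot be bound), so they must come from this developer-
# controlled list, never from user input. Values are always bound.
ALLOWED_FIELDS = ("Data1", "Data2", "Data3")


def build_query(filters, any_of=False):
    """filters maps column name -> text from its edit control.
    any_of=False chains with AND from 'WHERE 1=1', any_of=True with OR
    from 'WHERE 1=0'. Returns (sql, params); blank text adds no clause."""
    keyword, seed = ("OR", "1=0") if any_of else ("AND", "1=1")
    sql = f"SELECT * FROM Table1 WHERE {seed}"
    params = {}
    for field, text in filters.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"not a filterable column: {field!r}")
        if text is None or text.strip() == "":
            continue                          # control left empty: no filter
        param = f"p_{field}"                  # one named parameter per clause
        sql += f" {keyword} {field} = :{param}"
        params[param] = text                  # bound, never quoted into the text
    return sql, params


def build_query_unsafe(filters):
    """The pattern from the question: user text quoted straight into the
    SQL. Kept only to show the difference in run_filter(); do not use."""
    sql = "SELECT * FROM Table1 WHERE 1=1"
    for field, text in filters.items():
        if text is None or text.strip() == "":
            continue
        sql += f" AND {field} = '{text}'"
    return sql, {}


def run_filter(filters, builder=build_query):
    """Run the built query against a constructed in-memory database and
    return (matching rows, names of the tables still present)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Table1 (Data1 TEXT, Data2 TEXT, Data3 TEXT)")
    con.execute("CREATE TABLE Students (name TEXT)")       # Bobby's target
    con.executemany("INSERT INTO Table1 VALUES (?, ?, ?)", [
        ("alpha", "x", "one"),
        ("beta", "y", "two"),
        ("Robert'); DROP TABLE Students;--", "z", "three"),
    ])
    sql, params = builder(filters)
    rows = con.execute(sql, params).fetchall()
    tables = sorted(r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))
    con.close()
    return rows, tables


if __name__ == "__main__":
    hostile = {"Data1": "x' OR '1'='1", "Data2": " ", "Data3": ""}
    print(run_filter(hostile, build_query_unsafe)[0])   # every row leaks
    print(run_filter(hostile)[0])                       # no row matches
    # Bobby's name is just a value to compare against; Students survives.
    print(run_filter({"Data1": "Robert'); DROP TABLE Students;--"}))
```

With the quoting builder the input x' OR '1'='1 turns the filter into `Data1 = 'x' OR '1'='1'` and returns every row; with the parameterised builder the same text is compared as one opaque value and matches nothing. The allow-list check is what keeps the Format-style splice of the column name safe.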

SQL Injection: Little Bobby Tables

Back in 2007, SQL Injection was already a very well known vulnerability (publicly documented since at least 1998), which is when Randall Munroe published [WayBack] xkcd: Exploits of a Mom on Little Bobby Tables, named Robert'); DROP TABLE Students;--


School: “Hi, this is your son’s school. We’re having some computer trouble.”
Mom: “Oh, dear — Did he break something?”
School: “In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?”
Mom: “Oh. Yes. Little Bobby Tables we call him.”
School: “Well, we’ve lost this year’s student records. I hope you’re happy.”
Mom: “And I hope you’ve learned to sanitize your database inputs.”
(Alt-text: “Her daughter is named Help I’m trapped in a driver’s license factory.”)

Not only did it get explained at [WayBack] 327: Exploits of a Mom – explain xkcd (Explain xkcd is a wiki dedicated to explaining the webcomic xkcd. Go figure.), Little Bobby Tables also got his own page there: [WayBack] Little Bobby Tables – explain xkcd.

Just as people keep writing SQL injection vulnerable code, xkcd kept doing SQL injection: [WayBack] 1253: Exoplanet Names – explain xkcd uses e'); DROP TABLE PLANETS;-- as the name for planet e of the star Gliese 667.

Preventing SQL Injection

A few years later, around 2009, Bobby Tables inspired [WayBack] bobby-tables.com: A guide to preventing SQL injection, which explains:

  • what not to do: “Don’t try to escape invalid characters. Don’t try to do it yourself.”
  • what to do: “Learn how to use parameterized statements. Always, every single time.”

It goes on with many examples of parameterised queries in many environments and languages, for instance in the language used above: Delphi.

You can contribute new environments and languages as the site has source code at [WayBack] GitHub – petdance/bobby-tables: bobby-tables.com, the site for preventing SQL injections.

Finally, it points to a few more resources:

WayBack bobby-tables.com: A guide to preventing SQL injection in Delphi

Delphi

To use a prepared statement, do something like this:

query.SQL.Text := 'update people set name=:Name where id=:ID';
query.Prepare;
query.ParamByName( 'Name' ).AsString := name;
query.ParamByName( 'ID' ).AsInteger := id;
query.ExecSQL;

–jeroen


Posted in Development, Software Development, SQL

Does this company still exist today? ; DROP TABLE “COMPANIES”;– LTD

Posted by jpluimers on 2018/02/01

About a year ago, this company was incorporated: https://beta.companieshouse.gov.uk/company/10542519

; DROP TABLE “COMPANIES”;– LTD

[WayBack] ; DROP TABLE “COMPANIES”;– LTD – Overview (free company information from Companies House)

via: [WayBack] From the Trololo-Dept: https://beta.companieshouse.gov.uk/company/10542519 – Kristian Köhntopp – Google+

–jeroen

Posted in Database Development, Development, Power User, Security

How to terminate sqlcmd immediately after execution completed? – Stack Overflow

Posted by jpluimers on 2018/01/24

The subtle difference between -q and -Q: the latter exits after executing the command, whereas -q runs it and then stays in the interactive prompt (regardless of the SQL Server version; I think this was introduced in SQL Server 2005 or 2000).

Inside the command, you can use single ' quotes for strings.

C:\Users\jeroenp>sqlcmd /?
Microsoft (R) SQL Server Command Line Tool
Version 10.50.2500.0 NT x64
Copyright (c) Microsoft Corporation.  All rights reserved.

usage: Sqlcmd            [-U login id]          [-P password]
  [-S server]            [-H hostname]          [-E trusted connection]
  [-N Encrypt Connection][-C Trust Server Certificate]
  [-d use database name] [-l login timeout]     [-t query timeout]
  [-h headers]           [-s colseparator]      [-w screen width]
  [-a packetsize]        [-e echo input]        [-I Enable Quoted Identifiers]
  [-c cmdend]            [-L[c] list servers[clean output]]
  [-q "cmdline query"]   [-Q "cmdline query" and exit]
  [-m errorlevel]        [-V severitylevel]     [-W remove trailing spaces]
  [-u unicode output]    [-r[0|1] msgs to stderr]
  [-i inputfile]         [-o outputfile]        [-z new password]
  [-f  | i:[,o:]] [-Z new password and exit]
  [-k[1|2] remove[replace] control characters]
  [-y variable length type display width]
  [-Y fixed length type display width]
  [-p[1] print statistics[colon format]]
  [-R use client regional setting]
  [-b On error batch abort]
  [-v var = "value"...]  [-A dedicated admin connection]
  [-X[1] disable commands, startup script, enviroment variables [and exit]]
  [-x disable variable substitution]
  [-? show syntax summary]

–jeroen

via: [WayBack] c# – How to terminate sqlcmd immediately after execution completed? – Stack Overflow

Posted in Database Development, Development, Software Development, SQL, SQL Server, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2014

The ##Netherlands saw a big I.T. project meant to deliver a new citizen regis…

Posted by jpluimers on 2017/11/30

Interesting: https://github.com/MinBZK/OperatieBRP

[WayBack] The Netherlands saw a big I.T. project meant to deliver a new citizen registry system fail. So they did one thing right. All the source code is now on github… – Jan Wildeboer – Google+

It includes both documentation and source code.

A bit of browsing reveals at least some of the technologies used:

Most of the SQL code seems to be generated.

There are truckloads of .XML configuration files, typical for a Java environment. Some configuration is in .properties files.

–jeroen

Posted in ActiveMQ, Development, Java, Java Platform, MQ Message Queueing/Queuing, Open Source, PostgreSQL, Software Development

Say NO to Venn Diagrams When Explaining JOINs – Java, SQL and jOOQ.

Posted by jpluimers on 2017/11/22

Interesting thought, especially for cross-joins: [WayBack] Say NO to Venn Diagrams When Explaining JOINs – Java, SQL and jOOQ.

–jeroen

Via [WayBack] “Say NO to Venn Diagrams When Explaining JOINs” – and [WayBack] “Say NO to Venn Diagrams When Explaining JOINs” – – Kristian Köhntopp – Google+

Posted in Database Development, Development, SQL

Firebird – generate time/date/timestamp values

Posted by jpluimers on 2017/10/31

I needed the script in [WayBack] Firebird – generate time/date/timestamp values to reproduce a problem in Database Workbench <= 5.3.2 with exporting TIME and TIMESTAMP values to Excel xlsx format: the time portion got lost so

The bug is fixed so will appear in the next beta and release versions: [WayBack] 0001506: Timestamp export to Excel XLSX only shows date, Time fails, CSV shows both date and time – Bug & Feature Tracker @ Upscene.com

–jeroen


Posted in Database Development, Development, Firebird, Software Development, SQL

Visual Representation of SQL Joins – CodeProject

Posted by jpluimers on 2017/08/02

I thought I posted a reference to this a long time ago, but didn’t.

It’s one of the things I show when explaining joins to people. Sometimes I need it myself too (:

The article explains these in greater detail:

  • INNER JOIN
  • LEFT JOIN
  • RIGHT JOIN
  • OUTER JOIN
  • LEFT JOIN EXCLUDING INNER JOIN
  • RIGHT JOIN EXCLUDING INNER JOIN
  • OUTER JOIN EXCLUDING INNER JOIN

Note:

  • the opposite of INNER JOIN is not OUTER JOIN. It’s OUTER JOIN EXCLUDING INNER JOIN
  • the opposite of OUTER JOIN is the empty set.

But the diagram usually speaks for itself.
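The seven joins listed above, run as an added example (Python with sqlite3, not code from the CodeProject article) on two constructed three-row tables, so that the two notes can be checked as set identities on real query results. RIGHT JOIN and the full OUTER JOIN are written as LEFT JOIN with the tables swapped and as a UNION, so the script does not depend on the SQLite build having native RIGHT/FULL JOIN support; the table and column names are made up for the example.

```python
"""The seven join shapes from the diagram on two constructed tables, each
returning the set of (A.id, B.id) pairs it produces. None marks the side
that had no matching row. Added example, not from the CodeProject article."""
import sqlite3

# Constructed data: keys 2 and 3 occur in both tables, 1 only in A, 4 only in B.
A_ROWS = [(1, "a1"), (2, "a2"), (3, "a3")]
B_ROWS = [(2, "b2"), (3, "b3"), (4, "b4")]

LEFT = "SELECT A.id, B.id FROM A LEFT JOIN B ON A.id = B.id"
# RIGHT JOIN expressed as a LEFT JOIN with the tables swapped, for portability.
RIGHT = "SELECT A.id, B.id FROM B LEFT JOIN A ON A.id = B.id"

JOINS = {
    "INNER JOIN": "SELECT A.id, B.id FROM A INNER JOIN B ON A.id = B.id",
    "LEFT JOIN": LEFT,
    "RIGHT JOIN": RIGHT,
    # Full OUTER JOIN: union of both one-sided outer joins (UNION drops the
    # matched pairs that appear in both).
    "OUTER JOIN": f"{LEFT} UNION {RIGHT}",
    # The EXCLUDING variants keep only the rows whose other side is NULL.
    "LEFT JOIN EXCLUDING INNER JOIN": f"{LEFT} WHERE B.id IS NULL",
    "RIGHT JOIN EXCLUDING INNER JOIN": f"{RIGHT} WHERE A.id IS NULL",
    "OUTER JOIN EXCLUDING INNER JOIN":
        f"{LEFT} WHERE B.id IS NULL UNION {RIGHT} WHERE A.id IS NULL",
}


def run_joins():
    """Return {join name: set of (A.id, B.id) pairs} for the sample tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE A (id INTEGER, a TEXT)")
    con.execute("CREATE TABLE B (id INTEGER, b TEXT)")
    con.executemany("INSERT INTO A VALUES (?, ?)", A_ROWS)
    con.executemany("INSERT INTO B VALUES (?, ?)", B_ROWS)
    results = {name: set(con.execute(sql).fetchall())
               for name, sql in JOINS.items()}
    con.close()
    return results


def check_opposites(results):
    """The two notes from the post as set identities on the query results."""
    inner, outer = results["INNER JOIN"], results["OUTER JOIN"]
    return {
        # Complement of INNER JOIN within the full OUTER JOIN is exactly
        # OUTER JOIN EXCLUDING INNER JOIN, not OUTER JOIN itself.
        "outer minus inner is outer excluding inner":
            outer - inner == results["OUTER JOIN EXCLUDING INNER JOIN"],
        # The full OUTER JOIN is already all three regions; its complement
        # within the join result space is empty.
        "nothing lies outside the outer join":
            outer == inner
            | results["LEFT JOIN EXCLUDING INNER JOIN"]
            | results["RIGHT JOIN EXCLUDING INNER JOIN"],
    }


if __name__ == "__main__":
    joins = run_joins()
    for name, pairs in joins.items():
        print(f"{name}: {sorted(pairs, key=str)}")
    print(check_opposites(joins))
```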

–jeroen

Source: Visual Representation of SQL Joins – CodeProject


Posted in Access, Database Development, DB2, Development, Firebird, InterBase, MySQL, OracleDB, PostgreSQL, SQL, SQL Server

Firebird 3.0 – Monitor Need to monitor you firebird 3.0 database? This just works…

Posted by jpluimers on 2017/07/20

Interesting tool as it just works magically:

Firebird 3.0 – Monitor: Need to monitor your Firebird 3.0 database? We have the right tool for you!

–jeroen

Posted in Database Development, Development, Firebird

Firebird: reset statistics for all indices using `set statistics index :index_name` – via: What is index selectivity?

Posted by jpluimers on 2017/07/12

A while ago, I needed to reset the index statistics for all indices in one of our databases: a Firebird database.

I hadn’t done work like this in a while, so I made the cardinal mistake of Googling and using the first matching StackOverflow answer that seemed a perfect fit.

Boy was I wrong (:

In sql – My firebird query plan does not use correct index – Stack Overflow I found the accepted answer (no less!) has this neat block to update index statistics for all indices:

    EXECUTE BLOCK
    AS
      DECLARE VARIABLE IDX VARCHAR(31);
    BEGIN
      FOR
        SELECT rdb$index_name FROM rdb$indices
        WHERE NOT rdb$index_name LIKE 'RDB$%'
        INTO :idx
      DO BEGIN
        EXECUTE STATEMENT 'update statistics ' || :idx
        WITH AUTONOMOUS TRANSACTION; 
      END
    END

The code consistently failed with this error:

    Script Error:
    
    Dynamic SQL Error
    SQL error code = -104
    Unexpected end of command - line 1, column 19

When I removed the lines inside the do begin…end block, the outer statements executed fine.

Incidentally, column 19 is right at the space at the end of 'update statistics '. Which meant that either the string concatenation was wrong, or the statement itself.

And yes, I should have Googled the Firebird documentation instead, as What is index selectivity? has the correct statement that recalculates statistics for all indexes:

set term !! ;

EXECUTE BLOCK AS
declare variable index_name VARCHAR(31);
BEGIN
for select RDB$INDEX_NAME from RDB$INDICES into :index_name do
execute statement 'SET statistics INDEX ' || :index_name || ';';
END!!

set term ; !!

–jeroen

Source: What is index selectivity?

Posted in Database Development, Development, Firebird

Firebird: creating indices in scripts after checking for their existence

Posted by jpluimers on 2017/07/11

A few notes on writing scripts that create indexes depending on whether they already exist:

–jeroen


Posted in Database Development, Development, InterBase