Protect from SQL Injection?

SQL Server Security

Index ‹ SQL Server

- Previous
  - 1
    - ERROR, insert into mining model ......... i try to process datamining with DMX first i create new mining: CREATE MINING model ForexData ( timeseri DATE KEY, Xhnow TEXT DISCRETE, Muccl TEXT DISCRETE, Change TEXT DISCRETE, XH5be TEXT DISCRETE, XH3be TEXT DISCRETE, XH1be TEXT DISCRETE , XH1ne TEXT DISCRETE PREDICT_only, XH3ne TEXT DISCRETE PREDICT_only, XH5ne TEXT DISCRETE PREDICT_only ) Using Microsoft_Association_Rules (Minimum_Probability = 0.4, Minimum_Support = 0.01) after that i use insert into statement: INSERT INTO mining model ForexData (Change,Muccl,Timeseri ,XH1be,XH1ne,XH3be,XH3ne,XH5be,XH5ne) OPENQUERY ([Forex DB],'Select Change,Muccl,Timeseri ,XH1be,XH1ne,XH3be,XH3ne,XH5be,XH5ne FROM dbo.dataprice') there is the fisrt time i deploy ForexData so, it return an error: Errors in the OLAP storage engine: An error occurred while the 'timeseri' attribute of the 'ForexData_Structure ~MC-timeseri' dimension from the 'Analysis Services Project1' database was being processed. i dont know about it, i have read some docs and comments on web but can solve this problem, can you help me as soon as posible, please i have create a data source and data source view by BI and it return database is 'Analysis Services Project1'. and data source name: 'Forex DB' ;data source VIEW name: 'Forex DB' ; nick yahoo: remember_somebody; contact to me if you can, i really need these infomation Tag: Protect from SQL Injection?
  - 2
    - Add new column into the table using ADO not ADOX Hi Everybody, I want to add new column 'firstaname' into the existing table "geo" already two columns namely 'salcode' 'lastname'.I run the following code it runs without error, when i opened the database see the structure of table, i didn't find new column in the table "geo" here is the snippet of code what i am using. /* FieldsPtr fields; FieldPtr field;*/ _bstr_t name("firstname1"); //pRstTitles->get_Fields(&fields); /* pRstTitles->Fields->Append(name, adVarChar , 15, adFldUnspecified); pRstTitles->CursorLocation = adUseClient ; pRstTitles->LockType = adLockOptimistic ; pRstTitles->Open("geo", _variant_t((IDispatch *)pConnection,true), adOpenStatic, adLockOptimistic, adCmdTable);*/ pls pls pls help me out .. I need it very urgently. Tag: Protect from SQL Injection?
  - 3
    - for loop container to process all Excel files I'm having a problem getting the for loop container to process all excel files in a folder. I set the collection folder to where my .xls files are, and i set a variable in the for loop container to the FileName. I then changed my source connection and added expressions for ConnectionString: "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + @[User::FileName] + ";Extended Properties=" + @[User::ExtProperties] (the ExtProperties was necessary to get the double quotes in. ) ServerName: @[User::FileName] It cannot connect. I used a similar process to loop thru Access .mdb files, but did not set the ServerName and did not need the ExtProperites because the Access connection did not need them, and I got that to work. Any help would be very much appreciated. Tag: Protect from SQL Injection?
  - 4
    - normalization hi.. using normalization is good or not if we don't follow normalization than what will happen and if follow than what will happen thanx Tag: Protect from SQL Injection?
  - 5
    - Analysis Services 每 Step by Step: Semi-Additive-Account If I set up a measure with semiadditive property LastNotEmpty, the browser shows for all accounttypes the correct aggregation. If I set up a measure with semiadditive property SUM, the browser shows for all accounttypes the correct aggregation. I have a problem, if I'm attempting to set up a measure with semiadditive property of ByAccount. The browser shows for all accounttypes the aggregation SUM. If I start the Business Intelligence Wizard, I can see, that all default accounttypes have Aggregatfunction = Sum. The dimension Account has Typ = Accounts. The measure amount has AggregatFunction = ByAccount. What can I make Tag: Protect from SQL Injection?
  - 6
    - error output - ignore just one column? When configuring error output, I want everything that is good in the row to make it to the destination, and then the offending column that is causing an error to be set to NULL, and then sent to the destination as well. In addition, I want to take the offending column's data, and route it over to an error holding table. I know about the ability to redirect the whole row, but I just sort of want to redirect just that column. For example.... Have a table with 5 columns col1 int null, col2 int null, col3 char(3) null, col4 bit null, col5 int null My data flow loads data from a flat file and has a record that looks like this 1 5 ABC R 3 I want the row to make it to the destination as follows.... 1 5 ABC NULL 3 Then the offending data needs to go over to my error table err# errcolumn errdata errdesc 1 col4 R Could not convert "R" to bit data type Any way to do this Tag: Protect from SQL Injection?
  - 7
    - SQL 2005 High Protection Failover error Hi I am experiencing a problem while performing failover testing on 2005 Standard. I have an application which uses an ODBC connection SQL Native Client with a failover partner. The following is the series of events that cause the problem. I am using a domain admin account whilst testing which has a server login on both servers with the same privileges. Server A (Principle) Server B (Mirror) **Application can connect** Manual failover Server A (Mirror) Server B (Principle) **Application can connect following a restart** Server A is switched off Server B (Principle, disconnected) **Application continues working** ***restarting the application the following error occurs*** ※Connection Failed SQLState 08001 SQL Server Error 53 [Microsoft][SQL Native Client]Named Pipes Provider: Could not open a connectionto SQL Server [53]. Connection failed: SQLState: '08001' SQL Server Error: 53 [Microsoft][SQL Native Client]An error has occured while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. Connection failed: SQLState: 'S1T00' SQL Server Error: 0 [Microsoft][SQL Native Client]Login timeout expired※ Any help with this would be most appreciated Peter Tag: Protect from SQL Injection?
  - 8
    - Need to move 3.2 TB data from CA to IL I am involved in a project to move 3.2 TB of data in 30 - 40 databases from a data center in San Diego to another data center in Chicago. The equipment and data centers are owned by two different MSP's. The data currently resides on two 2-node (a-a) MSSQL 2005 clusters. It will be moved to a managed storage environment, also employing MSSQL 2005. The client requires minimal down time. I'm looking for suggestions as to the fastest/safest way to accomplish this migration. Tag: Protect from SQL Injection?
  - 9
    - Writeback on consolidated member. Hi All, I hope I didn't post this question twice because I posted this once but I can't see it when I refresh my browser. My question is: is it possible to writeback on consolidated member Here is my scenario: Foods is the parent and the rest is child. What I want to do is if I change or update sales amount of parent - Foods, I'd like to spread the change to its child by multiplying child's sales amount with the ratio of (new sales amount / old sales amount) of parent. Year.01-2007 Sales Amt Product Group.Foods 500 Product Group.Pie 100 Product Group.Sandwich 300 Product Group.Steak 100 Product Group.Pasta 0 Product Group.Roasted Chic 0 So, if I change Foods = 1000 then the expected result will be: Year.01-2007 Sales Amt Product Group.Foods 1000 Product Group.Pie 200 Product Group.Sandwich 600 Product Group.Steak 200 Product Group.Pasta 0 Product Group.Roasted Chic 0 Any idea would be much appreciated. Thanks and Regards, Uzzy Tag: Protect from SQL Injection?
  - 10
    - Creating expressions with the query builder Hello, I have a question about using the query builder, or just straight sql, to create expressions. My first example caused the query builder to generate a query configuration error: Expression: EIM_REQUISITION_DETAILS.EST_UNIT_COST * EIM_REQUISITION_DETAILS.REQRD_QTY AS COST Syntax error: Expecting "," or "FROM" after column alias or "*" Initially I thought I was dead in the water but then I decided to just run it anyway and it worked! I got my cost. OK so fine the query tool doesn't recognize some sql expressions. Because I am trying to make a large flat file I thought I'd concatenate 2 fields to generate a recognizable requisition, which everyone knows is the year followed by a hyphen then the req number: My old Access query had this: Req: Right([REQ_YR],2) & "-" & [REQ_NO] and I tried to change it to this: substring (EIM_REQUISITIONS.REQ_YR from 2 for 2) || '-' || EIM_REQUISITIONS.REQ_NO AS REQ So apparently my older sql book doesn't have the syntax right. Since I plan to do more of this could someone point me to a reliable book or site that could help me with sql syntax Thanks, Dana Tag: Protect from SQL Injection?
  - 11
    - I have problem in Date format in C# .NET 1.1 !!! HI Friends, My .NET application devloped in C# used mainly class file (OOAD) and user controls etc and it is desktop application not web based application. Database is SQL server 2000. Now I have problem in Date format. Scenario is : If my application is running in the following setup, i.e The SQL server2000 is installed with DDMMY format and PC setting also DDMMYY. Now when the user enters the date like e.g 19-04-2007 (user can enter only numeric no char allowed here i.e only Any 2 digit numbers for month and date and 4 digit number for year in the respective place) in the user interface, it is generating error (Erro msg is : The conversion of char dat type to smalldatetime data type resulted in an out of range small datetime value.) BUT If the PC set up is in MMDDYY format and SQL server too then no problem. i.e Application will allow/Fetch the record when the user enter date like 19-04-2007. Brief about Architecture: My Application has four tier architecture. i.e Presentation, Business Facade (Remoting used here to call Business service), Business service (BS), Datatransfer. This .NET application is generalised application,Means it is not for any specific country. So I need best way to fix this problem. Please help me out to solve this problem. Thank you so much.... Thanks Radhakrishnan.R Tag: Protect from SQL Injection?
  - 12
    - Report with constant number of detail lines I am developing a report analog of a machine readable form that has to display a static number of detail rows regardless of the number returned from the database - i.e. if a record set has only three detail records, I need to display three blank rows, while if the record set has ten detail records, I need to display six detail records, print the footer, start a new page, repeat the header information, print the remaining 4 detail records and 2 blank rows, print the footer again and move on to the remaining recordset. I am new to report development and I'm having to pick it up on the fly. I can't seem to locate any documentation about how to handle this scenario. I don't have the time or inclination to re-invent the wheel here, is there anyone who has solved this problem who can point me in the direction of some help Tag: Protect from SQL Injection?
  - 13
    - Moving SSRS directory Hello - I'm new to reporting Services. I have just configured SSRS using the RS configuration manager. It has created the RS directory and databases on my "C" drive, how can I move this to the "D" drive Tag: Protect from SQL Injection?
  - 14
    - SQL Server Agent Are there any down sides to running the SQL Server Agent What is this agent used for Tag: Protect from SQL Injection?
  - 15
    - Minimun SP Level for Cluster Upgrade I'm upgrading MSSQL2000 (RTM) cluster to 2005. I haven't seen any information regarding a minimum service pack level for 2000. This upgrade just makes me overly caution. Tag: Protect from SQL Injection?
  - 16
    - SQL Server 2000 Job Problems I'm trying to run a T-SQL job, but it won't let me use more than 3200 characters in the script. Do I have to create a DTS package to run this script since it is much longer than 3200 chars Or is there an easier way to do this -Kyle Tag: Protect from SQL Injection?
- Next
  - 1
    - Deployment Of SSIS With Config Files I went through other threads and links on this subject. Still one thing which concerns me is the config files. My current folder path is C:\Karunakaran\folder1\folder2\ Under folder2 I have the following files 4 dtsx files 1 .database file 1 .dtproj file 1 .dtproj.user file 1 .sln file 1 .suo file Config folder ( C:\Karunakaran\folder1\folder2\Config\) common.dtsConfig oracle.dtsConfig Based on some of the threads, when I enabled package configuration, I changed the path from C:\Karunakaran\folder1\folder2\Config\common.dtsconfig -> common.dtsconfig Once I did this, when I open the project I get a dozen of warning similar to the one below Warning loading <package1>.dtsx: Failed to load at least one of the configuration entries for the package. Check configurations entries and previous warnings to see descriptions of which configuration failed. What am I doing wrong here If I have to deploy this to another box, what should I do to ensure that nothing breaks once its copied / installed Thanks Tag: Protect from SQL Injection?
  - 2
    - Possible to stop SSRS GUI from destroying hand rolled mdx in datasets by silently reverting to design mode? Since as soon as you extend your mdx datasets manually you can no longer switch back into design mode without losing your changes, right If that's the case, is there some way to disable design mode completely i'm finding that the GUI has the tendency to SILENTLY revert the dataset editor back to design mode while I'm busy editing a layout, thereby losing my carefully crafted MDX. Tag: Protect from SQL Injection?
  - 3
    - why any function related to prior period in my data does not work? Hi, all, I am encountering a very strange problem that I cant get any value for prior period for my KPI. E.g, I am defining a KPI goal which will be the value of the prior period multiplies 1.2, but then no result returned for this definition, only result returned for value of current period, if I defined the goal as anything of current period Why is that I am very much looking forward for your help. Thanks. With best regards, Yours sincerely, Tag: Protect from SQL Injection?
  - 4
    - new to SQL - create table command question hi can someone please explain the following please why does this fail with specified owner testdb does not exist or you do not have permissions create testdb.testtable ( testval int ) yet if i create testdb and then run the following against this new db create testtable ( testval int ) command command completes successfully......what am i not understanding or doing wrong thank you Tag: Protect from SQL Injection?
  - 5
    - SP_Change_Users_Login I am moving several databases that belongs to a single application from MSSQL2000 to MSSQL2005. After sucessfully moved and converted the databases I need to fix the users login and I am using sp_change_users_login procedure to do so. My questions are: I have an application user that needs to be fixed in several databases - how can I fixed the login all once Also is there a way to turned the check_policy off at the same time I fixed the logins thank you Tag: Protect from SQL Injection?
  - 6
    - Trying to figure out number of pages in report Greetings, I have a report that is created that is typically 2-3 pages long. I've tried the "ExecutionInfo.NumPages" but it always results in "1" as the answer. Code is something like this: ============ ... Dim reportHistoryParameters As sqlprod1_res.ParameterValue() = Nothing Dim SessionId As String Dim execInfo As New ExecutionInfo Dim execHeader As New ExecutionHeader() Dim result As Byte () = Nothing Dim format As String = "PDF" Dim devInfo As String = "<DeviceInfo><Toolbar>False</Toolbar></DeviceInfo>" Dim extension As String = "" Dim encoding As String = "" Dim mimeType As String = "" Dim warnings As sqlprod1_res.Warning() = Nothing Dim streamIDs As String () = Nothing result = rs.Render(format, devInfo, extension, encoding, mimeType, warnings, streamIDs) execInfo = rs.GetExecutionInfo() Dim Pages As Integer = execInfo.NumPages ============ Also tried to count streams with the same result. Any ideas Thanks Dan Ribar Tag: Protect from SQL Injection?
  - 7
    - Login scripting to a file I am new to DMO and I am trying to find a way where I can create a script file containing all server logins. THis needs to run on a daily basis. Anyone have any examples to share Tag: Protect from SQL Injection?
  - 8
    - truncation error message Ok, this is starting to drive me nuts, I've been trying to get this to work for 2 days now. I have a .csv file that I'm reading and importing the data into my table. I defined Derived columns for the type and the lengths as well. I have one column that keeps kicking out this error: The column in the db has a length of 50, the column in my derived column is set to 50, now there are some strings in the colum from the csv file that contain more then 50 characters so I have this in my derived column section: to get the first 50 characters. (DT_WSTR,50)NAME [Flat File Source [1]] Error: Data conversion failed. The data conversion for column "NAME" returned status value 4 and status text "Text was truncated or one or more characters had no match in the target code page.". [DTS.Pipeline] Error: SSIS Error Code DTS_E_PRIMEOUTPUTFAILED. The PrimeOutput method on component "Flat File Source" (1) returned error code 0xC0202092. The component returned a failure code when the pipeline engine called PrimeOutput(). The meaning of the failure code is defined by the component, but the error is fatal and the pipeline stopped executing. There may be error messages posted before this with more information about the failure. so to some it up. My field (name) in my .csv file can contain 2 to 80 characters but I only want the first 50 and if the field contains greater then 50 characters I'm getting the error above. Has anyone else run into something like this If so how did you get it working Tag: Protect from SQL Injection?
  - 9
    - SQL Parameter and wildcards, how to make it work? Hello, I have what should be a very simple problem, but I cant solve it. I want to have a stored procedure return a table query (no problems here) but I also need to supply several parameters to the stored procedure (again, no problem!) Here is the problem, I need to be able to supply a wildcard into the stored procedure as an argument somehow. I can do this already, but the results are incorrect!!! It seems like when local variables are used, the wildcard argument gets ignored. for example, I have included the following example: DECLARE @Dv_id nchar ( 15 ) SET @Drv_id = '%' SELECT Diver .*, ( ROW_NUMBER () OVER ( ORDER BY Dv_id )) as RowNum FROM Diver WHERE Dv_id LIKE @Dv_id SELECT Diver .*, ( ROW_NUMBER () OVER ( ORDER BY Dv_id )) as RowNum FROM Diver WHERE Dv_id LIKE '%' OK, this is an example of my problem, the results I get from this are that the fist SELECT return 0 rows. The second SELECT returns the correct number of rows (everything in the table). Why is there a difference between: WHERE Drv_id LIKE @Drv_id and WHERE Drv_id LIKE '%' The wildcard statement '%' is supposed match everything, correct It seems like the local variable SET command syntax eats up my value of '%' and turns it into a NULL. Is there any way around this Tag: Protect from SQL Injection?
  - 10
    - SSIS Logs Following the blog of jamie, I was trying to aply it to my project... but my requirments are a little different than him... http://blogs.conchango.com/jamiethomson/archive/2005/06/11/SSIS_3A00_-Custom-Logging-Using-Event-Handlers.aspx CommentPosted=true#commentmessage I have inside the ControlFlow several sequence containers and inside each container I have several dataflows. I want to get the time of each dataflow execution and the rows inserted in each. So I added a row count transform for each dataflow and added a global variable to save the rows count value. In each dataflow I need to initialize this global variable to 0. And my problem is that using event handlers in OnPostExecute it repeats several times for each dataflow... how can I save info only once for each dataflow using eventhandlers How can make eventhandler execute only once to save the related information for each dataflow Understood regards Code Snippet "INSERT INTO SSISLog(TaskStartTime, EventType, PackageName, TaskName, PackageDuration, ContainerDuration, InsertCount, UpdateCount, DeleteCount, Host) VALUES( '" + (DT_STR, 4, 1252) DATEPART("yyyy", @[System::EventHandlerStartTime]) + "-" +(DT_STR, 4, 1252) DATEPART("mm", @[System::EventHandlerStartTime]) + "-" +(DT_STR, 4, 1252) DATEPART("dd", @[System::EventHandlerStartTime]) + " " +(DT_STR, 4, 1252) DATEPART("hh", @[System::EventHandlerStartTime]) + ":" +(DT_STR, 4, 1252) DATEPART("mi", @[System::EventHandlerStartTime]) + ":" +(DT_STR, 4, 1252) DATEPART("ss", @[System::EventHandlerStartTime]) +"', 'OnPostExecute', '" +@[System::PackageName]+"' , '" +@[System::TaskName]+"' , "+ (DT_STR, 6, 1252)DATEDIFF( "ss", @[System::StartTime] , GETDATE() ) + ", "+ (DT_STR, 6, 1252)DATEDIFF( "ss", @[System::ContainerStartTime] , GETDATE() ) + ", " + (DT_STR, 4, 1252) @[User::SSIS_Rows] + ", 2, 3, '"+ @[System::SourceDescription] +"')" Tag: Protect from SQL Injection?
  - 11
    - Received message constantly processed. Hello, when is seemd that everything works some weird behaviours comes out. I try to summarize the problem without to post the complete code. Service Broker is set to have a dialog between two databases on the same SQL Server instance. The Initiator queue has retention=on and there is an activation SP to handle errors and Target's end dialog message. The Target queue has retention=off, MAX_READER =1 and there is an activation SP to receive the message (WAIT FOR (RECEIVE (1) ...), TIMEOUT 30000 and do something with this message (sample insert into a DB). The conversation has a Timeout Dialog to end the dialog after a while. The problem that the message is constantly processed. The Process doens't stop is I end the dialof after the processing either. n.b.the Receive is within a Transation that I commit at the end. some other informations that in the meanwhile I found out : This was my complete WAIT FOR(RECEIVE : WAITFOR ( RECEIVE top(1) -- just handle one message at a time @message_type=message_type_id, --the type of message received @messagetypename=message_type_name, @message_body=message_body, -- the message contents @dialog = conversation_handle -- the identifier of the dialog this message was received on FROM [TargetQueue] ), timeout 1000; if (@@ROWCOUNT = 0) BEGIN COMMIT; BREAK; END IF I delet TIMEOUT 1000, everything works as expected ... Inside if (@@ROWCOUNT = 0)BEGIN..END I wrote also an Insert into a table to see wheter the end of the queue was reached but this insert never occurs (neither with not without timeout) I'm happy that it works what if this is the solution, it make no sense to me! Any ideas Thank you! M.B. Thank you very much M.B. Tag: Protect from SQL Injection?
  - 12
    - How to Send a SQL Server notification to Messenger Hello, I'm trying to send a SQL Server notification to MSNMessenger and also to Yahoo Messenger, but I didn't find the way. If you have some information about it, please answer this question as soon as possible. Thank you so much Tag: Protect from SQL Injection?
  - 13
    - Error with SMO.TransferData() (Exception from HRESULT: 0xC0011008) OK, I have tried just about everything over the past 9 hours. I think I've read through every forum regarding anything similar to errors with SMO and TransferData(). However, I still can't fix my problem. What I'm trying to accomplish is a workaround for deploying my database application using ClickOnce. Since I can't include the database when upgrading (which would wipe out users' data), I want to have a 'Master Database' that is used as a reference to both initially create, and to selectively update, the main 'User Database'. I'm not sure if that is possible, yet...because SMO is not working for me (I'm sure there are more laborious methods to do what I want, but SMO should work...I can't help but think there is a bug). Here is my current code: Code Snippet 'Master Database Dim dbName_Master As String Dim SqlCon_Master As SqlClient.SqlConnection = New SqlClient.SqlConnection( My .Settings.LM_Master_SQLConStr) SqlCon_Master.Open() dbName_Master = SqlCon_Master.Database.ToString() Dim SC As New ServerConnection(SqlCon_Master) Dim srv As New Smo.Server(SC) 'Verify User Instance connection Console.WriteLine( "User Instance Server: " & srv.InstanceName.ToString) 'Select the Master Database as the source db Dim dbMaster As Smo.Database dbMaster = srv.Databases(dbName_Master) 'Define a Transfer object and set the required options and properties. Dim xfr As Smo.Transfer xfr = New Smo.Transfer(dbMaster) xfr.CopyAllObjects = True xfr.CopyAllUsers = True xfr.CopyData = True xfr.CreateTargetDatabase = True xfr.DropDestinationObjectsFirst = True xfr.DestinationDatabase = "TestDB" xfr.DestinationServer = srv.Name xfr.DestinationLoginSecure = True xfr.CopySchema = True xfr.Options.WithDependencies = True xfr.Options.ContinueScriptingOnError = True xfr.Options.NoIdentities = False xfr.Options.NoCollation = True xfr.Options.Indexes = True xfr.CopyAllDefaults = True xfr.Options.AllowSystemObjects = True xfr.Options.DriAll = True xfr.Options.XmlIndexes = True 'Script the transfer. Alternatively perform immediate data transfer with TransferData method. Dim StrColl As New System.Collections.Specialized.StringCollection StrColl = xfr.ScriptTransfer() For Each str As String In StrColl Console.WriteLine(str) Next xfr.TransferData() The final error is: ***** DtsRuntimeException was unhandled... Exception from HRESULT: 0xC0011008 ***** I also have not seen any examples or documentation on how to store the new database in a specific location on the hard drive, once the transfer is complete. In fact, SMO has surprisingly little documentation that I can find (which is why the code above may seem a little redundant when setting the xfr options...). I would really appreciate some help. Thank you, AL Tag: Protect from SQL Injection?
  - 14
    - Report Builder Is Report Builder capable of building any complex reports that Visual Studio Report Designer can build What are the limitations of using Report Builder with SQL Server Databases Tag: Protect from SQL Injection?
  - 15
    - 64-Bit SQL Server 2005 (Enterprise), SQL Agent Notifications and Database Mail We have database mail configured on our 64-Bit SQL Server Enterprise 2005 (SP1) and are able to send test messages from the context menu that appears when selecting database mail component. However for some reason when a SQL Agent Job fails, no emails are sent to the 'operator' that has been defined for the job. I have confirmed that we have the operators correctly configured. We also have a small SQL Agent Job that just sends a test email via the sp_send_dbmail command and that works properly. However if I deliberately create a malformed parameter in the sp_send_dbmail command to 'break' it...no notification of a job failure message is sent. I have verified that the service_broker component is enabled...and the status of database mail in the MSDB database is 'started.' We have setup several other 32-bit SQL Server 2005 systems using database mail...and they all work flawlessly. After reviewing existing message posts...I am unsure if there is a problem with database mail on a 64-bit SQL Server box. Some say 'yes' other say 'no'. There are several MSDN notes about the problem...however these appeared prior to the release of SP1 of SQL Server 2005. Thank you for your assistance. ...cordell... Tag: Protect from SQL Injection?
  - 16
    - importing from excel into SQL Server 2005 changing values to NULL I can't figure this one out... I have an Excel spreadsheet (Excel 2003 format) with a column of values. The column is formated to General (although I've tried it formated to text). The values are alphanumeric. However, there are a few values that are completely numeric. Example: _ITEMNUMBER_ 1-528 K214-5 184PR 45678 As can be seen, the last value is completely numeric. I am importing into a table with one column that is formated as nvarchar(50). I use dtswizard.exe and do a simple import into the table and the alphanumeric values import just fine but anytime a value is completely numeric it has a NULL value in the table instead of the value that should be there. I've tried changing the format of the column to nchar, char, etc, etc. Always comes in NULL. Any ideas Tag: Protect from SQL Injection?

Stephen_Sbh

Hi,

Just read about SQL injection, and tested it out with sample database, and it does hack my database, the article show to prevent SQL injection by using application code to remove those keywords and change single quote to double quote, is there any method to prevent SQL injection directly using the database system itself, maybe stored procedure or anything

Thanks.

Re: Protect from SQL Injection?

Arnie Rowland

Stored Procedures are a major line of defense against SQL injection attacks.

Re: Protect from SQL Injection?

StephenSaw

Hi,

Do we need to write any codes or statement inside our stored procedure to avoid SQL injection

Re: Protect from SQL Injection?

Arnie Rowland

Under most circumstances, passing in string parameters will cause the parameter value to be handled as a string (enclosed with quotes).

If it is a keyword, then that keyword will most likely be contextually ignored, or cause an error.

If there are embedded quotes or comment indicators, then that parameter is stripped upon entry and the offending part is discarded.

There is still the possiblity for 'cross-site' scripting issues related to causing the storage of embedded html, and then displaying that embedded html on the web page.

You may find a visit to (and do a search for 'sql injection' to be worthwhile:

www.sqlservercentral.com

www.sqlteam.com

Re: Protect from SQL Injection?

StephenSaw

Hi, got some query on SQL Injection. I tried to inject my own database, my user password is encrypted, but when I write the injection script in the login form, it has been hashed and it doesn't run the injection at all, but the script does the injecting when I code it direct to my page. So is that mean hashing password can prevent SQL injection (those inject from the login form)

Re: Protect from SQL Injection?

Raul Garcia - MS

I would recommend to visit the following link:

http://msdn2.microsoft.com/en-us/library/ms161953.aspx

Please let us know if you have further questions.

-Raul Garcia

SDE/T

SQL Server Engine