DB2: Use dynamic FROM Clause in Select - sql

Given is the current SELECT statement that opens the cursor.
Is it possible to define a variable for the view name and use it while keeping the cursor functionality?
EXEC SQL.
OPEN dbcur FOR SELECT
PERSID,
PERSNR,
GVON
FROM TEST_DB0T.TS$$004
ENDEXEC.
Find out if using Dynamic FROM Clause is possible in the given Scenario

Related

SQL injection payload after order by in SQL query

Trying to exploit SQL injection for my assignment. Is it possible to execute a delete or drop query after order by in a select query without using the semicolon in PostgreSQL?
This is my sample query:
Select *
from table
order by {sql injection payload}
Without using the semicolon in the payload, can we delete data or drop a table?
https://stackoverflow.com/a/6800585
Do we have something similar to this in PostgreSQL?
I tried
Select * from (delete from table_name returning *) a
But I am getting the SQL error 'syntax error at or near from'
Check this document; it says we can bypass forbidden characters with CHR()
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.
So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.
You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:
Select *
from table
order by {sql injection payload}
After your payload modifies this query:
Select *
from table
order by SomeFunctionThatDeletes()
Another type which works because you can select from a procedure in PostgreSQL:
Select *
from table
order by id
UNION
Select *
from SomeProcedureThatDeletes()
You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.
DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.
SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.
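
An added example (not part of the original answers) of the usual defense for the two identifier positions discussed on this page, the ORDER BY expression here and the FROM target in the DB2 question at the top: identifiers cannot be bound as parameters, so each is resolved through an allowlist while ordinary values stay bound. It uses Python's sqlite3 so it runs offline; the view names, allowlists and sample rows are constructed for illustration.

```python
import sqlite3

# Assumed allowlists (hypothetical names): request key -> identifier the app exposes.
SOURCES = {"persons": "v_persons", "recent": "v_persons_recent"}
SORT_COLUMNS = {"persid": "persid", "persnr": "persnr", "gvon": "gvon"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def _pick(allowlist, key, what):
    """Return the allowlisted SQL fragment for key, or refuse."""
    try:
        return allowlist[str(key).lower()]
    except KeyError:
        raise ValueError(f"{what} not allowed: {key!r}") from None

def build_query(source, sort_column, direction="asc"):
    """Build SQL text from allowlisted identifiers only; values stay as ? binds."""
    view = _pick(SOURCES, source, "source")
    column = _pick(SORT_COLUMNS, sort_column, "sort column")
    order = _pick(DIRECTIONS, direction, "direction")
    # Only strings taken from the dicts above reach the SQL text, never the input.
    return (f"SELECT persid, persnr, gvon FROM {view} "
            f"WHERE persnr >= ? ORDER BY {column} {order}")

def fetch(conn, source, sort_column, direction="asc", min_persnr=0):
    sql = build_query(source, sort_column, direction)
    return conn.execute(sql, (min_persnr,)).fetchall()

def make_demo_db():
    """Constructed sample data: one table and two views over it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE t_persons (persid INTEGER, persnr INTEGER, gvon TEXT);
        INSERT INTO t_persons VALUES
            (1, 300, '2021-05-01'), (2, 100, '2020-01-15'), (3, 200, '2022-09-30');
        CREATE VIEW v_persons AS SELECT persid, persnr, gvon FROM t_persons;
        CREATE VIEW v_persons_recent AS
            SELECT persid, persnr, gvon FROM t_persons WHERE gvon >= '2022-01-01';
    """)
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    print(fetch(db, "persons", "persnr"))         # sorted by persnr
    print(fetch(db, "recent", "gvon", "desc"))    # other view, same code path
    try:
        fetch(db, "persons", "persnr, persid")    # not an allowlisted column
    except ValueError as exc:
        print("rejected:", exc)
```
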

Create SELECT procedure/trigger to decrypt data on ORACLE

I have this query
SELECT id, UTL_I18N.RAW_TO_NCHAR(DBMS_CRYPTO.DECRYPT(password,
pkg_so_42979606.cipher_type(),
UTL_ENCODE.BASE64_DECODE(UTL_I18N.STRING_TO_RAW('pMV3D4xhyfNxp3YyfLWzAErGcKkIjK3X6uc/WIeVTls=', 'AL32UTF8'))),
'AL32UTF8') password
FROM customeren;
I want to select this table. But I don't want to write this code again and again. What do I need to do? How can I select data from this table in an easier way? Oracle 11g XE
You could create a view with the selection criteria above and then just call your select query on the view. Not sure if Oracle syntax is the same but in SQL Server it would be
CREATE VIEW myschema.SomeViewName AS
SELECT id, UTL_I18N.RAW_TO_NCHAR(DBMS_CRYPTO.DECRYPT(password,
pkg_so_42979606.cipher_type(),
UTL_ENCODE.BASE64_DECODE(UTL_I18N.STRING_TO_RAW('pMV3D4xhyfNxp3YyfLWzAErGcKkIjK3X6uc/WIeVTls=', 'AL32UTF8'))),
'AL32UTF8') password
FROM customeren;
Then you can call SELECT * FROM myschema.SomeViewName, although using wildcards is generally not a good idea because you return all columns, when you may not require them. If you want to pass in parameters dynamically then you could consider using a function instead.

T-SQL - execute procedure individual for each row of select statement needs cursor?

I got a table rules with dynamic SQL statements in it. With a procedure a specific rule (calculation) can be applied on a table. But now I want to apply all rules (from a select) on that table. Is there any way of doing this without using cursors?
First I tried to use functions. But those don't let me execute dynamic SQL. So I ended up with procedures and cursors.
From what I suspect, you have some text in a rules table, e.g. RuleID = 1, Rule = '(field1*field2)+field3'. So you resort to dynamic SQL to build a statement to actually apply the rule. Fair enough, since there is nothing else you can do with that text. This way, yes, you probably have to resort to a cursor and build SQL + execute at every row.
Another workaround, if the rules are not many and not user defined, would be to convert the rule to an actual statement and apply it with a join if enabled. The above example would be like:
SELECT
...
,CASE WHEN RuleID = 1 THEN (field1*field2)+field3 ELSE NULL END AS Rule1Result
FROM mytable JOIN rulestable ...

Dynamic pivot columns without dynamic SQL statement?

I'm just wondering if there's any way to do a pivot query, with dynamic column names, without resorting to dynamic SQL (declare @sql_text varchar(max) = 'select ...' etc.)
Dynamic SQL just rubs me the wrong way.
Basically I have a query like this (and I had to change all the table/column names to protect IP so if there's a syntax error somewhere don't worry about it)
declare @sec_class_ids table (CLASS_ID varchar(50));
insert @sec_class_ids (CLASS_ID) values
('987987987'), -- END USER - SAVE AND EXPORT [987987987]
('654654654'), -- END USER - SAVE [654654654]
('321321321') -- 'END USER - SPECIAL - SAVE AND EXPORT [321321321]'
select * from (
select
class.NAME as sec_class_name,
sec_attr.NAME as sec_attr,
'YES' as granted
from sec_class class
inner join class_sec_attr
on class.class_id = class_sec_attr.class_id
inner join sec_attr
on sec_attr.sec_attr_id = class_sec_attr.sec_attr_id
inner join @sec_class_ids input
on input.class_id = class.class_id
) as sec_attrs
pivot (
max(sec_attrs.granted)
--for sec_attrs.sec_class_id in (@sec_class_ids)
for sec_points.sec_class_name in ([END USER - SAVE AND EXPORT],[END USER - SAVE],[END USER - SPECIAL - SAVE AND EXPORT])
) as sec_class_comparison
;
I would like to be able to use the table var (shown in the comment) rather than manually setting the columns for each query. I am aware this is possible and quite easy with dynamic SQL, but I'd like to avoid doing that if possible in any way.
Unfortunately there is no way to do this without dynamic SQL. PIVOT requires that the values are known when the query is executed so if you have unknown names, then you have to use dynamic SQL.
I have never heard of a way to do this with a query, however I remember I was able to set this up in a report (SSRS) which was really neat. Depending on what you plan to do with the data this might work for you.

View parameterized queries run on Oracle

I would like to view parameterized update, select, and delete statements executed on an Oracle database.
I can see the query by running the following:
select * from v$sqlarea where parsing_schema_name = 'SCHEMA_NAME' order by last_active_time desc
But I want to also view the parameters that go with the SQL in the SQL_TEXT column. Is there a way to do this?
If by parameterized you mean bind variables, you need V$SQL_BIND_CAPTURE. Search it by the SQL_ID you found in V$SQLAREA.
Each row represents a variable captured by position, so you'll have to match it up with your names from your query.