Softerra LDAP SQL Query for duplicate values failing - sql

I am using Softerra LDAP Browser 4.5 and it is failing on the most basic SQL Query. I cannot figure out any mistakes in the query. I am sure it is correct.
It is throwing an unexpected COUNT error which is super strange as it doesn't make any sense at all.
SELECT COUNT(*) queries work fine with the same LDAP path.
I have tried with and without the $ symbol. Didn't help.
Do the Wizards of Stack Overflow see what exactly the problem here might be?
Regards

SQL Server 2017 OPENROWSET with Excel 2016

I am completely baffled by SQL Server and OPENROWSET permissions.
Our team has an AD Group. This group is included in the DEV server's Windows Administrators local group. This same AD group has SysAdmin privilege on the local installation of SQL Server 2017.
Attempting to run the command:
SELECT *
FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0','Excel 12.0;Database=C:\Work\test.xls;HDR=YES',['sheet1$'])
works for me, but for none of my teammates.
If there is a definitive document on the security requirements for using the OPENROWSET command - I have not found it (and please - don't refer me to learn.microsoft.com - that documentation is not written in any way that I understand).
There are other issues I have found including if I change the name of the sheet in the Excel workbook - the command fails (and yes - I closed the book after making the change).
Finally - some feedback on the use of OPENROWSET - is it generally a good idea? a bad idea? pretty much neutral but be prepared for these kinds of problems?
I hope this question is specific enough to be answered - I have probably spent 20+ hours trying to figure out how to understand how this works so I can make it work and use it consistently.
Thanks!
So honestly, troubleshooting security/permissions and errors with SQL Server is probably one of the most frustrating aspects of my job.
First few questions and thoughts about your dilemma.
- Do you really want to be granting your team connected to your db sysadmin rights? I wouldn't do that period, full-stop.
- Will the data be refreshed? If yes, I suggest you ingest this data into a sql table with a process, perhaps python, ssis, dts package, powershell, whatever you fancy.
If the data will always be static in that one excel file, I'd suggest perhaps making it act like a linked server for (hopefully) fewer permission issues? Also, it's easier to query that way, from my memory.
In any event, this article (non msdn link) may help? I've done it this way once before and had slightly less of a difficult time, but then again it involves adding a driver (usually) to the sql server. BUT, then I did not have to allow multiple users sysadmin - and I think ANYTHING is better than that.
https://www.sqlshack.com/query-excel-data-using-sql-server-linked-servers/
Sometimes the issue is not with the user running the query, but SQL Server using the account it runs as - to get permissions on the file. This article goes over that aspect as well. I'm not sure that is your issue as you say it works for me but not for thee, but maybe read that portion of the article at least?

Checking Oracle Host address for TNS-3505 error

I have looked everywhere for this issue. And after six hours yesterday and an hour today I decided to break down and ask the good fellows of stack overflow.
I set up Oracle 10.2.0 (which was an uphill battle) and finally got sql loader working, which I need because TOAD takes 15+ hours to load 400k records. So my question is not how to resolve this error, I know the error. I have read nearly 4 tutorials on fixing the error. I want to know, since my TOAD is connected to the database just fine, is there a way I can get all the info from TOAD to populate/verify that my TNSNAMES.ora and sqlnet.ora files are correctly configured? I copied and pasted the information but it won't work anyway.
Also, aside from those two files, are there any other issues that could be preventing this, as a bit of background, I had to reinstall oracle 10g because the admin tools were not in place for the sql loader. Since the sql loader runs, I figured the install is just fine. If you need more info from me comment and I will edit.
Thanks guys,
Instead of using a tns name you can try connecting using ezconnect:
sqlldr username/password@//localhost:1521/orcl
If this solves the issue the tns name used could not be resolved properly. As you say you had to reinstall oracle to get the admin tools I suspect you might be looking at the tnsnames.ora file from the wrong oracle home.

Is this sql statement vulnerable?

I just took over management for a webservice and today I got a user report about this error. Now I'm no SQL injection expert, but does this error make this attack possible?
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 3.51 Driver][mysqld-4.1.22-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY TCOL_date desc' at line 1
I'm asking because for some reason I'm not given access to the code and the previous guy insists that the site is safe, so I need to come up with some proof or facts that it's actually vulnerable.
Thanks in advance for any help.
In short: not really... but.
While this might provide more information than you're comfortable with (version of MySQL running, drivers being used, and a little about a couple of columns), it's not going to open you up to an attack as much as showing the whole SQL line would. Someone could try to blind hack it to get more information, and the fact that it's showing any info at all is a lot worse for you, from the standpoint of an attacker trying to get in, than showing info only in the logs. Feedback, even a little, can aid an attack[er].
If by trying to insert various bits of code into the form you can get a response that prints your own content you're inserting this would be much more beneficial to an attacker. The fact that this application breaks when you insert a ' leads me to believe that it's not as secure as the programmer claims. This might also lead an attacker to look for another avenue of attack. If they can insert javascript code into a form and have it display in a profile, or if they can inject code that's executed upon return from the server, then they could exploit the server and use it to launch their own attacks.
The problems with SQL injection come back to [code] implementation and the types of things allowed (and blindly processed) by the forms. For instance if you could escape a single quote \' in your current situation, someone could open and close the SQL statement and possibly UNION their own statement when pulling a query. If they could close the statement and append another statement, they might add delete from users where 1=1 or something of that nature. Another way might be if you can type in <marquee>Test</marquee> and it prints the word "test" scrolling when it finds no results then you can perform injections because it's not stripping out code.
This all leads back to permissions. The permissions on the server should make it so the users on the front end of the site only have access to the permission levels they need. If they're only querying the database (SELECT), they should not have access to INSERT, UPDATE, DROP TABLES, or DELETE.
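The error quoted in the question, "... near '') ORDER BY TCOL_date desc'", is the shape a query built by string concatenation takes when the user's input closes the quoted literal early. The following is an added example, not code from the original site or the answer above: it rebuilds that pattern against an in-memory SQLite database, shows the syntax error a stray quote produces, shows the tautology bypass against the concatenated query, and shows that the same query with a bound parameter is immune. The table name, the other column names, the `is_public` filter and the `IN ('...')` shape are assumptions; only `TCOL_date` comes from the error message.

```python
"""Concatenated vs. parameterised query, demonstrated on SQLite.

Added example; table/column names other than TCOL_date are assumptions.
"""
import sqlite3

# Constructed sample data: two rows meant to be listed, one that is not.
ROWS = [
    ("Aland Islands", "2008-04-01", 1),
    ("Albania",       "2008-04-02", 1),
    ("Secret Base",   "2008-04-03", 0),   # must never reach the front end
]


def make_db() -> sqlite3.Connection:
    """Create the in-memory database used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (name TEXT, TCOL_date TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Builds the statement by concatenation, which is what the error text implies.
    The '... IN ('<input>') ORDER BY TCOL_date desc' shape is inferred from the
    fragment quoted in the question (assumption)."""
    sql = ("SELECT name FROM entries WHERE is_public = 1 AND name IN ('"
           + user_input + "') ORDER BY TCOL_date desc")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Same query with a bound parameter: the input is data and never SQL."""
    sql = ("SELECT name FROM entries WHERE is_public = 1 AND name IN (?) "
           "ORDER BY TCOL_date desc")
    return [row[0] for row in conn.execute(sql, (user_input,))]


def probe(conn: sqlite3.Connection, user_input: str) -> dict:
    """Run both variants and report the rows returned or the error raised.
    The error string is exactly the kind of feedback the question is about."""
    result = {}
    for label, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        try:
            result[label] = fn(conn, user_input)
        except sqlite3.OperationalError as exc:
            result[label] = f"error: {exc}"
    return result


if __name__ == "__main__":
    db = make_db()
    # A trailing quote unbalances the literal: the concatenated query fails
    # with a syntax error, the parameterised one simply finds nothing.
    print(probe(db, "Albania'"))
    # Closing the literal and the IN (...) list, then commenting out the rest,
    # drops the is_public filter and lists every row, including Secret Base.
    print(probe(db, "') OR 1=1 --"))
```

The MySQL driver in the question surfaces the same two behaviours: a syntax error when the input breaks the quoting, and a silently widened result set when the input is crafted to keep the statement valid. The answer's closing point about permissions applies on top of parameterisation: the account the web application connects with should hold only the privileges the page needs (on MySQL, a `GRANT SELECT` on the tables it reads), so that even a successful injection cannot modify or drop data.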

Issue with SQL Plus

I have a database that I am trying to connect to through SQL Plus. I run this command from the command line:
sqlplus username/password@//hostname:port/sid
I use this connection string instead of using tnsnames. The error I keep getting is
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
The weird thing is that using the same connection information I can connect just fine through SQL Developer. I can see the tables, users, and everything else. Anyone know what could be going on?
P.S. I tried setting up tnsnames but it just gave the same thing as using the connection string.
So my boss found the solution. Turns out the sid is different when connecting through SQL Plus than through SQL Developer. Seemingly in just this one case. I have no idea why this is but that was the reason. Very odd and I don't understand why.

SQL query to remove SQL injection

My server was hacked like many others yesterday by this one SQL injection attack. I have two tables that have the alien script put in.
My options are:
-Manually delete the script from thousands of database entries.
-Find copies of the tables and replace them.
How I would like to have a SQL query that finds the script beginning with "></title><script and ending with </script><!-- and removing it from all the database entries that have it.
Example:
So the query would see a databse entry like "></title><script> </script><!--Aland Islands
and remove "></title><script> </script><!--
leaving just Aland Islands behind.
P.S. I'd post the full script I want to remove just in case, but sorry, for some reason stackoverflow isn't letting me post some of this info.
One option is to take the DB offline, export the tables into load scripts, then use a text editor or sed to remove the malicious text, then truncate the tables and load them back in using the load scripts.
An example:
DELETE i
FROM infected_table i
WHERE i.script_column LIKE '>%'
Please do try the LIKE clause using a SELECT before running it though or run it in a transaction checking that the result is correct before committing.
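The answer above deletes matching rows; the question asks for the injected prefix to be cut off so that the original value ("Aland Islands") survives. The following is an added example, not part of the question or either answer: a dry-run-then-commit cleanup for a payload that starts with "></title><script and ends with </script><!--, run against an in-memory SQLite copy of a constructed table. The table name `countries`, the `id` and `name` columns, and the placeholder script src are assumptions. On SQL Server the same statement is written with CHARINDEX(marker, col) in place of INSTR(col, marker) and SUBSTRING in place of SUBSTR; the logic is otherwise identical.

```python
"""Strip an injected <script> prefix from a text column: preview, then fix.

Added example; table/column names are assumptions, not the original site's.
"""
import sqlite3

START_MARKER = '"></title><script'
END_MARKER = '</script><!--'

# Constructed sample rows: two infected (placeholder src), one clean, and one
# that merely contains the word "script" and must be left alone.
SAMPLE_ROWS = [
    (1, '"></title><script src="http://example.invalid/x.js"></script><!--Aland Islands'),
    (2, 'Albania'),
    (3, '"></title><script src="http://example.invalid/x.js"></script><!--Algeria'),
    (4, 'Plot summary: the script ends with a twist'),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO countries VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def _quoted(identifier: str) -> str:
    """Double-quote an identifier for splicing into SQL (quotes inside doubled)."""
    return '"' + identifier.replace('"', '""') + '"'


def _check_identifiers(conn: sqlite3.Connection, table: str, column: str) -> None:
    """Identifiers cannot be bound as parameters, so verify them against the
    schema before they go anywhere near a statement."""
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    if not exists:
        raise ValueError(f"unknown table {table!r}")
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({_quoted(table)})")]
    if column not in columns:
        raise ValueError(f"unknown column {column!r} in {table!r}")


def _fixed_expr(col: str) -> str:
    """Everything after the end marker: the original value."""
    return f"SUBSTR({col}, INSTR({col}, :endmark) + LENGTH(:endmark))"


def _where(col: str) -> str:
    """Payload sits at position 1 and the end marker is present after it."""
    return f"INSTR({col}, :startmark) = 1 AND INSTR({col}, :endmark) > 0"


def preview(conn: sqlite3.Connection, table: str, column: str) -> list:
    """Dry run: (id, before, after) for every row the UPDATE would touch."""
    _check_identifiers(conn, table, column)
    col = _quoted(column)
    sql = (f"SELECT id, {col}, {_fixed_expr(col)} FROM {_quoted(table)} "
           f"WHERE {_where(col)} ORDER BY id")
    return conn.execute(sql, {"startmark": START_MARKER, "endmark": END_MARKER}).fetchall()


def clean(conn: sqlite3.Connection, table: str, column: str) -> int:
    """Apply the fix in one transaction; roll back if any payload survives.
    Returns the number of rows changed."""
    _check_identifiers(conn, table, column)
    col = _quoted(column)
    params = {"startmark": START_MARKER, "endmark": END_MARKER}
    with conn:  # commits on normal exit, rolls back if an exception escapes
        cur = conn.execute(
            f"UPDATE {_quoted(table)} SET {col} = {_fixed_expr(col)} WHERE {_where(col)}",
            params)
        changed = cur.rowcount
        left = conn.execute(
            f"SELECT COUNT(*) FROM {_quoted(table)} WHERE INSTR({col}, :startmark) > 0",
            params).fetchone()[0]
        if left:
            raise RuntimeError(f"{left} rows still carry the payload; rolled back")
    return changed


if __name__ == "__main__":
    db = make_db()
    for row_id, before, after in preview(db, "countries", "name"):
        print(row_id, repr(before), "->", repr(after))
    print("rows cleaned:", clean(db, "countries", "name"))
```

Run `preview` first for every affected table and column, read the before/after pairs, and only then call `clean`; the post-update count inside the transaction is what turns "checking that the result is correct before committing" into something the script enforces rather than something you remember to do.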
First find all the vulnerable links on your site, then change the version of MySQL you are using, because the error that helps an attacker find out whether your site is vulnerable or not is due to the error. If your web application is in PHP there are several other errors that help an attacker find out whether a site is vulnerable or not. You can use Acunetix Web Vulnerability Scanner to find all vulnerabilities in a web application.