I need to run a procedure manually for a large set of records that meet a certain criteria. It works fine if I manually include an ID but for some reason it does not work if I just tell it to get a list of ids from a table. No errors; but the missing data doesn't get added to a table from the procedure.
As far as I understand it, this should work fine but it doesn't:
select fa_sptl_cross(id, geom) from focus_area where generation_id = 3;
But this works fine
select fa_sptl_cross(id, geom) from focus_area where id = 312231;
Even this should work, should it not?
select fa_sptl_cross(id, geom) from focus_area
Ideas?
AFAIK, it cannot be the procedure that is the issue because trying to do this fails with any procedure I try
Please explain to me what does this function (fa_sptl_cross) does? If you can write the source code of this function that I could analyze this.
In general, I understand that when you are using where id = 312231 your query returns one record, that's why your function works fine. Because your function has an input parameter id. In other ways query return, many records, many id's, so and your function doesn't work. So I must view the source code of this function. I think so.
I got it to work using the information provided in PL/pgSQL perform vs execute
My solution is as follows:
DO $$
BEGIN
PERFORM habits4.fav_sptl_cross(focus_area_id, geom) from habits4.focus_area_version where generation_id = 3;
END;
$$;
Related
I'm a bit confused by the stored procedure syntax in Oracle.
I started with a simple:
select * from test_table;
It works, then I put it in a proc:
CREATE OR REPLACE PROCEDURE example
IS
BEGIN
select * from test_table;
END;
Doesn't work. Expected "INTO" is the error message I get. Now, I've seen syntax examples of SQL Server code that just shoves a select statement into a proc and it works instantly, but that doesn't seem to be the case here.
T-SQL and PL/SQL are completely different languages. In particular, for PL/SQL you have to select the result into some variable or cursor. Depending on what you plan to do with the record data - process in the procedure - or return to the caller, will drive what you have to do.
In your example, if you want to return the record set, you would do something like this:
CREATE OR REPLACE PROCEDURE example (
p_recordset OUT SYS_REFCURSOR) AS
BEGIN
OPEN p_recordset FOR
select * from test_table;
END example ;
See this link for examples.
Hello and welcome to SO.
I assume the full error you're seeing would be PLS-00428: an INTO clause is expected in this SELECT statement and it is correct, you must have an INTO statement in a stored procedure.
I recommend this link for syntax relating to the SELECT INTO statement.
For your code I recommend this (I've changed from your test_table example to dba_user):
CREATE OR REPLACE PROCEDURE example
IS
l_username VARCHAR(25);
BEGIN
select username INTO l_username from dba_users where user_id=1;
END;
/
Note: The INTO clause works with 1 column from 1 row. You cannot select multiple records or columns into this. You would need to reference the BULK COLLECT feature to do that. For examples of that feel free to read here.
select * from test_table;
SQL and PL/SQL are nor the same. To execute a SQL in a procedure, the parser expects an INTO clause to store the value returned by the sql statement. In PL/SQL, there is a reason to execute a SQL statement. You want to use the result set later to process. Not just retrieve and do nothing.
Also, it is a bad idea to use select * in any production system. You don't want to dump all the columns data of the table on an application screen. There are many other reasons, however, not in the scope of this question.
You need to modify your SQL like following -
SELECT column_name INTO variable FROM table_name
There are several ways to fetch the data via SQL statement in PL/SQL. You need to elaborate your requirement and narrow down to specific steps here.
If you are learning about these concepts, I would recommend you to start reading the Oracle documentation first. Try and understand the concepts, and if you find any issues, then prepare a test case, explain your issue in words and then post a question. Too broad questions are difficult to answer, and are mostly considered out of scope.
I want to demonstrate the insecurity of some webservices that we have. These send unsanitized user input to an Oracle database Select statements.
SQL injection on SELECT statements is possible (through the WHERE clause), however I am having a hard time to demonstrate it as the same parameter gets placed in other queries as well during the same webservice call.
E.g:
' or client_id = 999'--
will exploit the first query but as the same WS request calls runs other SQL SELECTs, it will return an oracle error on the next query because the client_id is referred to by an alias in the second table.
I am looking to find something more convincing rather than just having an ORA error returned such as managing to drop a table in the process. However I do not think this is possible from a Select statement.
Any ideas how I can cause some data to change, or maybe get sensitive data to be included as part of an ORA error?
It's not very easy to change data, but it's still possible. Function that created with pragma autonomous_transaction can contain dml and may be called in where. For instance,
CREATE OR REPLACE FUNCTION test_funct return int
IS
pragma autonomous_transaction;
BEGIN
DELETE FROM test_del;
commit;
return 0;
end;
-- and then
SELECT null from dual where test_funct()=1;
Another option you try creating huge subquery in WHERE which in turn may cause huge performance issue on server.
You do not need a custom function, you can use a sub-query:
" or client_id = (SELECT 999 FROM secret_table WHERE username = 'Admin' AND password_hash = '0123456789ABCD')"
If the query succeeds then you know that:
There is a table called secret_table that can be seen by the user executing this query (even if there is not a user interface that would typically be used to directly interact with that table);
That it has the columns username and password_hash;
That there is a user called Admin; and
That the admin user has a password that hashes to 0123456789ABCD.
You can repeat this and map the structure of the entire database and check for any values in the database.
I came across an example of UPSERT in postgresql manual here and I implemented it such that it works perfectly when I call the function and pass the arguments select myfunction(arg1,arg2,arg3). Now my problem is that I want to run a query that will select a number of records and insert/update a table using myfunction. The issue is how to pass each result from my select statement to the function as variables. I should probably use triggers but am lost as to where to start from. I hope you guys understand me. ofcourse if there is an entirely different and better way to go about this am all ears. Help pls
select myfunction(arg1,arg2,arg3)
from (
select arg1, arg2, arg3
from data_table
where something='something-other'
) as _;
I execute the following simple query in IBExpert firebird2.5 and it works fine:
SELECT
pd.NOME_PRODUTO,
es.QTDE_MINIMA
FROM
TBL_ESTOQUE es,
TBL_PRODUTO pd
WHERE
es.qtde_estoque = 0
AND es.produto = pd.id
ORDER BY
pd.NOME_PRODUTO
But, if I create a stored procedure with two output parameters (see below)
begin
SELECT
pd.NOME_PRODUTO,
es.QTDE_MINIMA
FROM
TBL_ESTOQUE es,
TBL_PRODUTO pd
WHERE
es.qtde_estoque = 0
AND es.produto = pd.id
ORDER BY
pd.NOME_PRODUTO
into :nome_produto, :qtde_minima;
suspend;
end
I get a message like this:
multiple rows in singleton select. multiple rows in singleton
select. At proceddure 'SPD_SALDO_PROD_ZERADO_ESTOQUE' line: 7, col:3"
What is this? I don't understand what is happening...
FOR SELECT ...
INTO ...
DO SUSPEND;
rstrelba's answer shows how to fix the problem. If you want to understand it, here's what's going on.
suspend inside a Firebird stored procedure returns a row to the caller. It can be used in various different ways, and can be thought of as similar to Python's yield statement: suspend operation and send back a single value (or row, in this case), then continue when the caller asks for more data. (It has to be done this way for technical reasons, because database drivers don't always pull the entire result set all at once.)
You've got a select query that can return an arbitrary number of values, followed by a single suspend. Firebird is erroring out, telling you that this is probably wrong. What you want to do is put the select in a for loop, which will loop over the result set and suspend once for each row, as rstrelba's answer demonstrates. This makes sure that the caller gets all the results back.
I have a cursor which returns two values: one which I will use (and therefore will assign to an out variable) and another which I've only had returned to make the ROWNUM thing work.
If I run the cursor as a query, it works as expected. But if I execute the procedure the out variable comes empty. Is my approach somehow not supported? I mean, returning two values but only using one of them?
Here is my procedure code: (Don't delve too much on the query itself. It works, I know it's a bit ugly but it works. It was the only way I found to return the second-last row)
procedure retorna_infos_tabela_164(i_nip in varchar,
o_CODSDPANTERIOR out number) is
cursor c_tabela_164 is
select *
from(
select CODSDP,ROWNUM rn
from
(
select NRONIP,CODTIPOMOV,CODSDP
from TB164_HISTORICOMOVIMENTACOES
where NRONIP = i_nip and
CODTIPOMOV='S1'
order by DTHMOV desc
)
)
where rn=2;
v_temp_nr number;
begin
open c_tabela_164;
fetch c_tabela_164 into o_CODSDPANTERIOR,v_temp_nr;
close c_tabela_164;
end retorna_infos_tabela_164;
EDIT The way I've tried to run this procedure was by dbms_output.put_line(o_CODSDPANTERIOR) which didn't work. Then I googled a little bit and saw I should TO_CHAR() my var first and then have it output. Didn't work either.
There's no problem with passing a number to DBMS_OUTPUT.PUT_LINE. Oracle will silently convert other built-in types to VARCHAR2 using the default format. You only need to use TO_CHAR if you want to control the format used -- which is often a good idea, but not generally necessary.
One possibility, though, is that you are not seeing the output because you have not enabled it. If you are running your test in SQLPlus, make sure you SET SERVEROUTPUT ON before running code that includes DBMS_OUTPUT calls. If you are using some other client, consult its documentation for the proper way to enable DBMS_OUTPUT. (You can of course test if it's enabled by adding another call to output a string literal.)
There's nothing inherently wrong with the technique you're using to populate the out parameter. However, it's not necessary to return two columns from the cursor; your select * could simply be select CODSDP. You seem to be under the misconception that any column referenced in the predicates has to be in the select list, but that's not the case. In your innermost query, the select list does not need to include NRONIP or CODTIPOMOV, because they are not referenced in the outer blocks; the WHERE clause in that query can reference any column in the table, regardless of whether it is in the select list.
So, my first guess is that you simply don't have server output enabled. The only other possibility I can think of right now is that you're running your query and the procedure in two different sessions, and one of them has uncommitted transaction against the table, so they are actually seeing different data.
If those suggestions don't seem to be the problem, I'd suggest you run your tests of the standalone query and the procedure in a single SQLPlus session, then copy and paste the entire session here, so we can see exactly what you're doing.
I'm sorry I've had you guys take the time to answer me when the answer was something to do with the tool I'm using. I hope all you guys have learnt something.
The query does work for me at least, I've not come across any edge cases where it doesn't work, but I haven't tested it exhaustively.
The problem was that TOAD, the tool I'm using to run the procedures, sometimes populates the procedures with the parameters I tell it to but sometimes it doesn't. The issue here was that I was trying to execute the procedure with no parameters, yielding no results...
Lesson Learnt: double check the generated procedure code when you run a Procedure using Right Click > Run Procedure on TOAD version 9.