Can anyone see what I'm doing wrong here with the "Condition" option. No matter what I pass it is always showing up in the "if no" flow.
Should be in the Yes flow, but appears in No:
Appears correctly in No
Related
i have a package in SSIS where i try to put data flow task's into a variable, once the data flow tasks fails.
What is the best way to do that ?
Please share screen shots if you can,
thanks in advance,
There are only a few steps and involve the use of an expression. Listed below is an example using an Execute SQL Task. Note that I'm applying SQL Server 2008 R2 with BIDS. Later version may differ somewhat.
Steps:
Create a new user variable called "SQLTask" with a Scope of "Package", Data Type "String" and a value of "SQL - Process Employee SQL". (It is a good idea to name your control and data flow tasks clearly. You'll be grateful later when troubleshooting.)
Add an Execute SQL Task into the Control Flow. Double-click on it to view the Execute SQL Task Editor.
On the left side of the Editor window, select Expressions. When you do so you'll see "Misc" with Expressions appearing on the next line underneath.
Select Expressions under Misc and then select the small browse button icon when it appears. This should open the "Property Expression Editor" window.
The Property Expression Editor will show two columns, Property and Expression. Select the empty box under Property and select the drop-down when it appears. Scroll down until you find "Name" and select it.
In the right-column under Expression, select the empty box to the right of Name and then select the small browse button when it appears. This will open the Expression builder window.
In the Expression builder window there will be two list areas at the top, with the one on the right showing "Variables". Open the Variables folder, which should then list mostly System variables. But the one just created will be prefaced with "User" called "User:SQLTask". Drag it into the Expression box below.
Select the "Evaluate Expression button". Doing so should now show "SQL - Process Employee SQL" in the grayed-out "Evaluate value" box. It confirms that it is correctly picking up the variable value.
Select the OK button in the Expression Builder window.
Select the OK button in the Property Expression Editor window.
And select the OK button in the Execute SQL Task Editor window.
While the task name from the variable does not get captured when viewed in the Control/Data flow, it will show up when a failure takes place. But because of this, it would still be a good idea to use clear task names in your SSIS package for yourself and others who need to understand the logic/decisions in the process.
On that note, I always recommend a good consistent naming convention for control and data flow tasks beginning with the recommendations discussed in the following link.
Suggested Best Practices and naming conventions
Hope this helps.
I'm doing some webpentesting exercises and there is this one task saying that I need to make a new account with this name and this password by using SQL injection. On the web page there is a text input username and another text input 'password'. I can enter whatever characters I want inside the username text-input but inside the password text input I need to type a specific injection.
I know I need to inject insert query but the thing is I don't know the table name. In order to insert a new user I need to know the table name so I'm wondering how can I make the web showing me an error with tablename revealed.
The error showing should be like:
Unexpected end of command in statement [SELECT * FROM (tablename) WHERE...]
I tried to enter with just one character (maybe >1 chars are required) inside the password field to make the error show or even delete the parameter text input password. But it just won't show the SQL syntax error.
So the question is: How can I make use of the exploit to make the web page view the SQL syntax error with table name revealed?
And why doesn't injection work on username field but it does on password field?
The first thing is understand the difference between "application" errors (for example, "the user doesn't exist") and execution errors, in which the application fails itself, like the "Unexpected end of command" you mention. The first case is not usually a problem from the security point of view (unless the application is very badly programmed), the second one is what could allow hacking.
A well programmed web application should ideally only have application errors, but the more realistic approach is cope with unexpected execution errors in way that don't make it vulnerable. Also, application should process any user input in a way that don't cause an execution error.
It seems that they are teaching you the most flagrant case that allows SQL injection, apps than don't do any processing to user input (so it's very easy put text in an input field that cause an execution error), and that don't cope with execution errors (in this case, showing the internal execution message to the user).
A common mistake in web applications is constructing the SQL query with string concatenation, so the simplest way of make it fail is using the string delimiter (') in a field, causing the string value to end prematurely. In an sloppy web app it would cause an execution error that shows the full error message, usually including the table name.
From there you craft a SQL query in the input field that insert the user in the table, you could find examples online (note that you need at least basic knowledge on SQL and PHP (or ASP, Java, etc.), in order to do SQL injection, since you need to know how the database access works in order to make it fail).
Finally, SQL injection could work in any input field that is not properly processed, but it depends on how the application is programmed. I suppose that both fields would work but it will be easy do that with the password field because probably is the last one in the SQL query.
I am using PDI to delete and insert some data from a DB. I have the following issue. I create two variables called START_DATE and END_DATE that are used to select the data that will be deleted from my DB. I am able to get them and run my transformation with no erors in the log file, but when I checked if data was deleted, I find it didn't. I send checked my "DeleteProcedure" step, and it says "Conversion error: null". I have tried different approached to take the variables and pass them as Strings, but I haven't been able to solve this issue. It cannot be a SQL mistake as I tested it with a constant and it works.
Any ideas? I attach some pics. Thanks!
As a documentation of the Execute SQL script says:
Note: When you have an issue, that the SQL is started at the initialization phase of the transformation and not for each row, make sure to check the option "Execute for each row" (see description below).
In your case it executes during the initialization phase of the transformation that's why it gets null values instead of ones from previous step.
Is it possible to change the Error Output of an OLE DB Destination between "Fail component" and "Redirect row" at run time using an expression/variable?
One of the ways I debug my packages is by redirecting error rows in the data flow to a Row Count transformation, then adding a data viewer to display the row throwing the error, the record number, and error code/column so I can see the actual value of the column that is causing the error and know where it is located in the data file.
The problem is, when setting up a new package, sometimes there can be many errors on several different columns and I'm looking for a faster easier way to toggle this on and off.
If not expressions/variables, is there a way to do this programmatically?
Thank you for any help you can provide,
CTB
These properties are not exposed that you would be able to set them with an expression or variable. The fastest way to set them, especially if you have lots of columns, would be to update the package xml. In the solution explorer, right click your package and go to view code. In the XML, do a find for: errorRowDisposition="FailComponent"
and replace with: errorRowDisposition="RedirectRow"
Also, you can use a derived column instead of a rowcount so that you do not have to actually modify the component (create and set the variable for the row count so that it validates).
I have a stored procedure named CreateUpdateNewOrder and i call another SP in it named CreateClinicalDocument Now i want to see what exact values my second SP is getting for execution. I can run a sql profiler tool to see what input values CreateUpdateNewOrder is getting but I can't think of any other way of getting input values for inner SP call other than print them in query. Anyone has better way to do it?
You can run SQL Profiler and select the SPS template instead of the default one.This will show you every statement executed, even if it's inside a stored procedure.To use the SPS template you need to do the following:
File -> New trace
In the dialog that opens go to combo "Use this template" and select TSQL_SPs.
Now continue setting up your profiling session as you would normally.
Once you start the trace you will notice it's much more verbose. It will break down each procedure and will show what's executed line by line.Please let me know if you would need any other details.
It all depends on how you need to access and use the information, but it could be useful to log the values to a table. You could also try Debug in SSMS and set appropriate break points.
If you look at the standard template in profiler you'll see that on the Events Selection tab under the Stored Procedures heading it only includes "RPC:Completed". The T_SQL_SPs template includes "SP:Completed", "SP_Starting" and "SP:StmtStarting". I believe you just need to include those in whatever template you choose.