I have the following stored procedure
CREATE OR REPLACE PROCEDURE MyProcedure(nKey IN INTEGER, pcResult OUTCustomType) IS
BEGIN
OPEN pcResult FOR
SELECT MyPackage.IsBool1(nKey) AS IsBool1,
MyPackage.IsBool2(nKey) AS IsBool2,
MyPackage.IsBool3(nKey) AS IsBool3
FROM DUAL;
END;
We have an external team to test security, they use a tool to achieve that.
Our procedure is consumed in our .Net app via EF.
The security report shows that all procedures with a cursor as output have a risk for SQL injection.
Could you please explain me how SQL injection could be exlpoited on pcResult ?
Thank you for your help,
Bile
Related
I am new to plsql and trying to use oracle sql developer, I try to run a simple procedure with dbms output line and i get the following error,
ora-00904
, the code is
create or replace PROCEDURE proc_101 IS
v_string_tx VARCHAR2(256) := 'Hello World';
BEGIN
dbms_output.put_line(v_string_tx);
END;
whether i click the run(green colour) or debug(red colour) i get the same error.
You can see from the above code, procedure doesn't access any objects but still i get the same error.
Your procedure is fine. You may not have permissions to be able to Create a Procedure. If this is the case test your procedure/code without actually Creating it in the Database first. For example, when I'm testing code in my Production database my oracle user cannot Create Procedures, Packages, Tables etc... And so I test my Procedures within my Own PL/SQL Blocks. When the code is good to go I can get a database administrator to Create the Procedures and/or Packages for me.
The below screenshot is code that simply tests the Procedure:
The below screenshot is code that does much more and tests the Procedure from within a PL/SQL Block
For more advanced situations this allows you to do so much more as you can create all sorts of Procedures/Functions and/or Cursors and test them immediately without needing to CREATE these objects in your Oracle Database.
I'd say that there's some other code in the worksheet which raises that error, not just the CREATE PROCEDURE you posted. For example, something like this SQL*Plus example (just to show what's going on - you'd get the same result in SQL Developer):
SQL> select pixie from dual;
select pixie from dual
*
ERROR at line 1:
ORA-00904: "PIXIE": invalid identifier
SQL>
SQL> create or replace PROCEDURE proc_101 IS
2 v_string_tx VARCHAR2(256) := 'Hello World';
3 BEGIN
4 dbms_output.put_line(v_string_tx);
5 END;
6 /
Procedure created.
SQL>
See? The first part raised ORA-00904 as there's no PIXIE column in DUAL, while the procedure is created correctly.
So - remove code which fails and everything should be OK.
Check with your DBA to make sure the dbms_output package has been installed on your database, and that you have permissions on it.
Is it possible to execute SQLScript without creating a procedure? I would like to write ad-hoc queries using cursors, but by default, the "SQL Console" within HANA Studio uses HANA SQL instead of HANA SQLScript, which does not support cursors.
Since HANA SP10 there is the possibility to use anonymous blocks:
DO BEGIN
-- your logic
END
http://scn.sap.com/community/developer-center/hana/blog/2015/06/29/new-sqlscript-features-in-sap-hana-10-sps-10
At least you do not need to create the procedure as hdbprocedure file.
You can type in the SQL Console e.g. the following:
DROP PROCEDURE test; //from previous execution
CREATE PROCEDURE TEST()
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER
AS
BEGIN
--- Type your procedure code here. All features of procedures should be available
END;
CALL TEST();
I am trying to write an Oracle SQL query that can take a dynamically-generated string and convert it to a mathematical expression, for example: '1*2*1*3*2' would evaluate to 12.
I have done Google searches, but the only Oracle-specific examples I can find are ones that require using a PL/SQL Stored Function. That isn't an option for me, because I do not have 'CREATE' privileges on my organization's production database. Since I often need to troubleshoot SQL code against the production DB, I avoid using Stored Procedures or Stored Functions in my report development tool (LogiInfo).
So...what I am hoping to find is some type of 'built-in' function I can place directly into an SQL statement, that will perform the conversion and evaluation described in my opening sentence. Any guidance will be appreciated.
P.S. I am using Oracle 11g
If you can use SQLPLus you can execute anonymous plsql blocks of code.
Example:
set serveroutput on
declare
i pls_integer;
begin
execute immediate 'select 1*2*1*3*2 from dual'
into i;
dbms_output.put_line(i);
end;
/
Is there a way to check when and with what parameter values a stored procedure has been executed in SQL Server 2008 R2?
As usr said there is no way to do this at all, but you can do this as workaround, which I did in my projects.
Create a log table and implement in each procedure a INSERT INTO log_table statement where you insert time with GetDate(), procedure name and logged user. This table you can seek for your informations then.
This for sure only works for the future and not if you want to look for "old-use".
No, sorry. There is no way to do this.
You can use profiler for the task.
See other threads:
How to implement logging and error reporting in SQL stored procedures?
"Debug"(get information) on a running stored procedure in MS Sql Server
I have a procedure like :
CREATE OR REPLACE PROCEDURE test is
BEGIN
DBMS_OUTPUT.PUT_LINE('This is a Test');
END;
I want to run some sql scripts stored in the current directory.
I could run them from sqlplus with '#scriptname.sql' but how can i do it from inside the procedure ? For ex:
CREATE OR REPLACE PROCEDURE test is
BEGIN
DBMS_OUTPUT.PUT_LINE('This is a Test');
#scriptname.sql
END;
This doesn't seem to work ! Is there a specific to run sql scripts from pl/sql procedures ?
You can't, in general, because the pl/sql is run in the database, on the server, and sqlplus is a client process. The server can't rely on even being on the same system as the client and its files, much less knowing anything about how to find the file the client is referring to. Even if the syntax were supported (and it isn't), your sql script would have to be on the server, in a location the server knew about and had access to.
Actually, you can do this in SQL*Plus - you just need to ensure the # is the first character on the line, e.g.:
CREATE OR REPLACE PROCEDURE test is
BEGIN
DBMS_OUTPUT.PUT_LINE('This is a Test');
#scriptname.sql
END;
SQL*Plus will read the entire contents of the script and insert it at that point in the procedure, then create the procedure as it is given. That means you can't have SQL*Plus commands in scriptname.sql. Also, there won't be any reference to #scriptname.sql in the actual procedure created on the database.
You could execute an OS command to start SQLPlus and have that execute the scripts. You can pass a filename into SQLplus at start up and it will execute it.
Google External Procedures and extproc or this article. Or something like call OS command with Java
You could write a Java Stored Procedure to open the file and return its contents as a String and then call Execute Immediate on the String.
Be VERY CAREFUL doing this though as any malicious sql in those files can do pretty much whatever it wants.
Even if there should be a solution, I would not recommend to to this. A PL/SQL procedure basically is a SQL script. Either
1. run your SQL scripts from outside the database, e.g. via shell script or
2. move the SQL code inside your procedure.