From aspx page, I am trying to send the parameter to SSAS in the format [DimLocation].[Location ID].&[1012]. but when I look at the profiler for the query the "&" gets changed to [DimLocation].[Location ID].&[1012] and the query execution fails. How to retain the ampersand sign
I'm happy to review a code sample but likely you just need to change your MDX query to do StrToMember:
WHERE (
StrToMember(#Location,CONSTRAINED)
)
Related
I am making a query with ASP.NET with SqlConnection and SqlCommand. I am adding parameters to the query with the AddWithValue method, to avoid SQL injection.
I want to check the resultant query after the parameters have been included, for debug purposes. If I have "WHERE name = #myName", I want to see the query after #myName has been replaced. Is this possible?
Thank you.
Not really, because .NET never sends the complete query. The query is assembled by the database when it receives the SQL string and the parameter values.
The most you can do is log the SQL string, and log the values of the parameters you passed to it. From that you should still be able to easily infer what query was actually executed.
I'm doing some webpentesting exercises and there is this one task saying that I need to make a new account with this name and this password by using SQL injection. On the web page there is a text input username and another text input 'password'. I can enter whatever characters I want inside the username text-input but inside the password text input I need to type a specific injection.
I know I need to inject insert query but the thing is I don't know the table name. In order to insert a new user I need to know the table name so I'm wondering how can I make the web showing me an error with tablename revealed.
The error showing should be like:
Unexpected end of command in statement [SELECT * FROM (tablename) WHERE...]
I tried to enter with just one character (maybe >1 chars are required) inside the password field to make the error show or even delete the parameter text input password. But it just won't show the SQL syntax error.
So the question is: How can I make use of the exploit to make the web page view the SQL syntax error with table name revealed?
And why doesn't injection work on username field but it does on password field?
The first thing is understand the difference between "application" errors (for example, "the user doesn't exist") and execution errors, in which the application fails itself, like the "Unexpected end of command" you mention. The first case is not usually a problem from the security point of view (unless the application is very badly programmed), the second one is what could allow hacking.
A well programmed web application should ideally only have application errors, but the more realistic approach is cope with unexpected execution errors in way that don't make it vulnerable. Also, application should process any user input in a way that don't cause an execution error.
It seems that they are teaching you the most flagrant case that allows SQL injection, apps than don't do any processing to user input (so it's very easy put text in an input field that cause an execution error), and that don't cope with execution errors (in this case, showing the internal execution message to the user).
A common mistake in web applications is constructing the SQL query with string concatenation, so the simplest way of make it fail is using the string delimiter (') in a field, causing the string value to end prematurely. In an sloppy web app it would cause an execution error that shows the full error message, usually including the table name.
From there you craft a SQL query in the input field that insert the user in the table, you could find examples online (note that you need at least basic knowledge on SQL and PHP (or ASP, Java, etc.), in order to do SQL injection, since you need to know how the database access works in order to make it fail).
Finally, SQL injection could work in any input field that is not properly processed, but it depends on how the application is programmed. I suppose that both fields would work but it will be easy do that with the password field because probably is the last one in the SQL query.
To proceed with a Database validation, I am having a need of comparing a record in the DB along with a data which is dynamically generated in the previous REST response, using SoapUI.
I have already captured the property value using a Property Transfer step and stored the required value in a custom property in Test-Case successfully i.e., using property expansion, say ${TestCase#customerId}
My intention is to use that particular value stored in the custom properties to query the result I am expecting, in the JDBC Request test step.
The query which I have drafted with the parameter is as below :
Select *
From ABC.SEC_CUST
Where ABC.SEC_CUST.CUSTOMER_ID = ${TestCase#customerId}
The response I receive after executing is as below.
Error getting response; java.sql.SQLSyntaxErrorException : ORA-00911: Invalid character.
But, when I run the query without the parameterized value it executes perfectly. Where, I tend the conclusion as there is a syntax issue in the way I have mentioned the parameter in the query.
But, I am unable to find the correct way to mention the parameter in the query in SoapUI.
Can anyone with experience in SoapUI, please assist me on this?
That is not working because of the use of property expansion which is only known to SoapUI, but not for the SQL query.
In order to get it work for the same, you need to define the variables in the top for all the parameters that are going to be used in the sql query.
Here the screen shot which explains how to use the same:
You forgot a '#'
Select *
From ABC.SEC_CUST
Where ABC.SEC_CUST.CUSTOMER_ID = ${#TestCase#customerId}
Try this.
Select * From ABC.SEC_CUST
Where ABC.SEC_CUST.CUSTOMER_ID = :customerId
strugggling with what is probably fairly simple jsp code so any assistance appreciated.
Have a sql:query which runs successfully and want to save one of the fields from that query and use it in another that runs some time later, on the same page.
Attempted to save the correct row.id value (outside of the query) with -
String currentid ="<c:out value="${row.id}"/>
and then reuse in another sql:query with -
Select from etc etc where
asset.id=${currentid}
Suspect these are basic SQL syntax errors on my part.
Regards
I am developing an SSRS 2008 report, but instead of using stored procedures, I want to use all Text queries. This report was working with stored procedures, but when I changed this report to use same logic but via text queries, I got the following error:
An error occurred during local report processing
Query execution failed for dataset 'BRSR_Totals'
The variable name '#END_yEAR' has already been declared. Variable names must be unique within a query batch or stored procedure.
Operation cancelled by user.
The problem is that some of my datasets (text queries) re-use the same parameters and END_YEAR is one of these parameters. How do I make this report run correctly?
One area that you might want to check is case sensitivity. SSRS is case-sensitive when considering parameter names but T-SQL does not have that case sensitivity. Take another look at your code and make sure that all parameters are using the same case.
I just resolved a similar issue using a text query to populate a dataset. It worked in SQL Server Management Studio and it worked in the Query Designer within BIDS, but failed at runtime.
The issue turned out to be BIDS helpfully adding parameters to the Dataset that this query was referencing. Switching to the Parameters tab of the Dataset Properties showed that BIDS had duplicated the parameters I had already added earlier. Deleting the duplicates resolved my problem.
To respond to the suggestion that the logic be off-loaded into a stored procedure: in this case, the report is a custom report for a single customer. The query will only ever be used in this report and makes a few assumptions about the customer's configuration that should not be available globally
I also just fixed this same issue in one of my queries. I was using a text query and had datetime variables/parameters. SSRS added a second set into the parameters for the dataset properties. I deleted them and my query ran fine after that and my graph populated.
I ran into a similar issue on a report where I had declare a substantial number of parameters at the beginning that I didn't want the end user to see. The issue I had was I was using a comma at the beginning of the line, so I had:
DECLARE #Parameter VARCHAR(4) = 'text'
, #Parameter VARCHAR(4) = 'text2'
It worked just fine in SSMS, but when I ran it in Report Builder 3.0 it threw the error shown in this thread. I changed it to remove the comma and to restate DECLARE at the beginning of each line and it worked perfectly.
Check that you didn't declare it twice, once in the CREATE PROC statement you're creating and another in the actual code...I've seen this problem while testing changes to SP code.