To fight against SQL injection risks, I would like to check for hardcoded values (string, dates, boolean, numeric) in SQL statement using SQL Server Profiler 2012. The problem is that there is too much statements to read those one by one.
Do you see a way to filter all my statements and get only those with hardcoded values?
Related
We have a linked server (OraOLEDB.Oracle) defined in the SQL Server environment. Oracle 12c, SQL Server 2016. There is also an Oracle client (64 bit) installed on SQL Server.
When retrieving data from Oracle (a simple query, getting all columns from a 3M row, fairly narrow table, with varchars, dates and integers), we are seeing the following performance numbers:
sqlplus: select from Oracle > OS File on the SQL Server itself
less than 2k rows/sec
SSMS: insert into a SQL Server table select from Oracle using OpenQuery (passthrough to Oracle, so remote execution)
less than 2k rows/sec
SQL Export/Import tool (in essence, SSIS): insert into a SQL Server table, using the OLEDB Oracle for source and OLEDB SQL Server for target
over 30k rows/second
Looking for ways to improve throughput using OpenQuery/OpenResultSet, to match SSIS throughput. There is probably some buffer/flag somewhere that allows to achieve the same?
Please advise...
Thank you!
--Alex
There is probably some buffer/flag somewhere that allows to achieve the same?
Probably looking for the FetchSize parameter
FetchSize - specifies the number of rows the provider will fetch at a
time (fetch array). It must be set on the basis of data size and the
response time of the network. If the value is set too high, then this
could result in more wait time during the execution of the query. If
the value is set too low, then this could result in many more round
trips to the database. Valid values are 1 to 429,496, and 296. The
default is 100.
eg
exec sp_addlinkedserver N'MyOracle', 'Oracle', 'ORAOLEDB.Oracle', N'//172.16.8.119/xe', N'FetchSize=2000', ''
See, eg https://blogs.msdn.microsoft.com/dbrowne/2013/10/02/creating-a-linked-server-for-oracle-in-64bit-sql-server/
I think there are many way to enhance the performance on the INSERT query, I suggest reading the following article to get more information about data loading performance.
The Data Loading Performance Guide
There are one method you can try which is minimizing the logging by using clustered index. check the link below for more information:
New update on minimal logging for SQL Server 2008
I have SQL Server 2008 R2 and linked SQL Server 2012.
When I do the following
SELECT * INTO dbo.Local_table FROM dbo.Linked_table
all decimal columns automatically get converted into numeric.
What is the reason and how can I get rid of it?
This is automatic conversion that occurs with most SQL Servers. You'll find this happening with at least, but not limited to, server year versions 2000-2014. I don't know of a way to get rid of this restriction because it's a built in server feature which restricts arithmetic equations via query statements.
Here is another SO question/answer which might help you:
T-SQL Decimal Division Accuracy
Here is some MSDN for clarification:
https://msdn.microsoft.com/en-us/library/ms187746.aspx
I'm not that experienced in sql server and even less so in using SSRS. I'm working with 2008 R2 edition.
Question: Is it possible to use a sql table that has expressions in a report, so that the report will evaluate the expressions before it is run? I just tried and the expressions don't get evaluated and show up as string. The expressions are stored as string in the sql table. Not sure if there is another way to store the expressions?
Thanks in advance for your help.
Cheers,
In SSRS, it sends the query to database engine and execute. Once the data is retrieved from database, the data is fixed. Then report will process the data and render it. And the query is executed only one time. You can't make the query re-process the expression within the cell again.
I have a code which is up and running but the problem that I have is that it includes a lot of MERGE clauses as it was intended to be run from SQL Server 2008 and forward. But the problem is that a new customer is running SQL Server 2005 and as you know the Merge clause is not available till SQL Server 2008, so my question is if there is not a way to parse the this clauses automatically or if there is another solution (apart from rewriting all the clauses in clasical clauses ) as the customer is not willing to upgrade the DB.
Thanks a lot in advance.
I am afraid that you will need to re-write all of your MERGE clauses for SQL Server 2005.
You can use the 2005 friendly output clause to achieve the same functionality but with more verbose SQL. This approach will also work on SQL Server 2008.
http://sqlserver-tips.blogspot.co.uk/2006/09/mimicking-merge-statement-in-sql.html
You could put together a C# (or whatever) app to parse the merge statements and create insert/update statements from them. I mean, that's a horrible idea, but you can do it...
You'd have to pull out the "ON" part, add it to a check IF EXISTS and the update part, then add the column list to the insert part. You could even programmatically (sic?) create SP params and everything.
Heh. Good luck.
I have written SQL statements (stored in a text document) that load data into a SQL Server database. These statements need to be repeated daily. Some of the statements use the NewId() function to populate a keyed field in the database, and this works fine.
While I'm in the process of writing an application to replicate these statements, I want to use Access queries and macros instead of copying and pasting queries into SQL Server, thus saving me time on a daily basis. All is working fine but I can't find any function that will replace the SQL Server NewId() function. Does one exist or is there a work around?
I'm using SQL Server 2005 and Access 2007.
On top of matt's answer, you could simply use a pass-through query and just use your existing, working queries from MS Access.
A solution would be to insert the stguidgen() function in your code, as you can find it here: http://trigeminal.fmsinc.com/code/guids.bas https://web.archive.org/web/20190129105748/http://trigeminal.fmsinc.com/code/guids.bas
The only workaround I can think of would be to define the column in your access database of type "Replication ID" and make it an autonumber field. That will automatically generate a unique GUID for each row and you won't need to use newid() at all. In SQL server, you would just make the default value for the column "newid()".
Again, there seems to be confusion here.
If I'm understanding correctly:
You have an Access front end.
You have a SQL Server 2005 back end.
What you need is the ability to generate the GUID in the SQL Server table. So, answers taht suggest adding an AutoNumber field of type ReplicationID in Access aren't going to help, as the table isn't a Jet table, but a SQL Server table.
The SQL can certainly be executed as a passthrough query, which will hand off everything to the SQL Server for processing, but I wonder why there isn't a default value for this field in SQL Server? Can SQL Server 2005 tables not have NewId() as the default value? Or is there some other method for having a field populate with a new GUID? I seem to recall something about using GUIDs and marking them "not for replication" (I don't have access to a SQL Server right at the moment to look this up).
Seems to me it's better to let the database engine do this kind of thing, rather than executing a function in your SQL to do it, but perhaps someone can enlighten me on why I'm wrong on that.