Adding restriction to a SQL Server stored procedure script - sql

How can I add a restriction to these 2 scripts below, so it won't allow creating a hero with fewer than 3 characters in its name, and when changing the name of the hero it won't allow fewer than 3 characters either?
Currently everyone can create a hero with the name "1" or change their name to it; basically all possible variations are available. I want to restrict it to a minimum 3-character name.
SQL Server stored procedure script [creating a hero]: http://pastebin.com/pg9zt3Ps
SQL Server stored procedure script [changing a hero name]: http://pastebin.com/TB3ZzvyP
I'm using Microsoft SQL Server 2005 / 64 bit
Will be much appreciated.
Kind Regards.

At the start of your CREATE_NEW_CHAR procedure, you could do this...
IF LEN(LTRIM(@CharID)) < 3 -- LEN() does an RTRIM()
BEGIN
    SET @nRet = 7
    RETURN
END
The same in the CHANGE_NEW_ID procedure, but use IF LEN(LTRIM(@NewCharID)) < 3 instead.
The calling application is probably already checking the value of @nRet after executing the procedure. Hopefully it will give a generic error message if @nRet != 0. But you may want to enhance that code so that if @nRet = 7 it can show a specific error message about the name entered being too short.
I've updated Pastebin also: CREATE_NEW_CHAR & CHANGE_NEW_ID
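The following is an added, self-contained T-SQL example and not the asker's Pastebin scripts: it applies the length check from the answer inside a hypothetical hero-creation procedure and adds a table-level CHECK constraint so the rule also holds for any other code path that writes the row. The table, column and procedure names are assumptions; return code 7 is the value the answer uses.

```sql
-- Added example (not the asker's scripts): the minimum-length check from the
-- answer inside a hypothetical procedure, plus a CHECK constraint as a second
-- line of defence. dbo.Hero, CharID and CreateHeroChecked are assumed names.
CREATE TABLE dbo.Hero (
    HeroID INT IDENTITY(1,1) PRIMARY KEY,
    CharID NVARCHAR(32) NOT NULL UNIQUE,
    -- Table-level guard: enforced even when a different procedure or an
    -- ad-hoc statement inserts or updates the name.
    CONSTRAINT CK_Hero_CharID_MinLen CHECK (LEN(LTRIM(CharID)) >= 3)
);
GO

CREATE PROCEDURE dbo.CreateHeroChecked
    @CharID NVARCHAR(32),
    @nRet   INT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @nRet = 0;

    -- LEN() already ignores trailing spaces; LTRIM() strips leading ones,
    -- so a name padded with blanks is measured by its visible characters.
    IF @CharID IS NULL OR LEN(LTRIM(@CharID)) < 3
    BEGIN
        SET @nRet = 7;   -- "name too short"; the caller maps this to a message
        RETURN;
    END

    INSERT INTO dbo.Hero (CharID) VALUES (LTRIM(RTRIM(@CharID)));
END
GO

-- Exercise the procedure with three kinds of input.
DECLARE @rc INT;

EXEC dbo.CreateHeroChecked @CharID = N'1', @nRet = @rc OUTPUT;          -- one character
SELECT N'1' AS CharID, @rc AS nRet;

EXEC dbo.CreateHeroChecked @CharID = N'   ab   ', @nRet = @rc OUTPUT;   -- two characters plus padding
SELECT N'   ab   ' AS CharID, @rc AS nRet;

EXEC dbo.CreateHeroChecked @CharID = N'Ace', @nRet = @rc OUTPUT;        -- acceptable name
SELECT N'Ace' AS CharID, @rc AS nRet;

SELECT HeroID, CharID FROM dbo.Hero;
```

The first two calls are rejected by the procedure with @nRet = 7 and insert nothing; only the third inserts a row. The CHECK constraint is what makes the rule hold when the procedure is bypassed, which is the case the procedure-only check cannot cover.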

Related

Oracle Sql - Time based sql injection

When trying to do an SQL injection on an Oracle SQL database, I have the problem that most of the examples in the tutorials do not work. I already found out that I can only use CASE WHEN a THEN b ELSE c END instead of normal if statements.
The question I have now is: how do I get a time delay into the injection? Benchmark() and sleep() do not work either.
I already know that the table is named "flag" and the field I want to read out is named "password".
The only information I get from the database is the time it needed to execute my input (or query, since I bypass the input to inject SQL).
I found the following SQL statement on the web at SQL Injection Tutorial
select dbms_pipe.receive_message(('a'),10) from dual;
I am not certain I should be participating in this sort of thing, but since I found it with my first Google Search, I will go ahead and post it.
I tested it and it delayed the result by 10 seconds.
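As an added example from the defender's side (not part of the question or the answer), here is the statement shape that makes the thread's scenario possible next to the bind-variable form that closes it. The table name flag and the column password come from the question; the owner column, the function names and the use of EXECUTE IMMEDIATE are assumptions for the illustration.

```sql
-- Added example (not from the thread): concatenated dynamic SQL versus a bind
-- variable in Oracle PL/SQL. flag/password come from the question; the owner
-- column and function names are assumptions.
CREATE TABLE flag (
    owner    VARCHAR2(30),
    password VARCHAR2(100)
);

-- Vulnerable shape: p_owner is pasted into the statement text, so anything in
-- it is parsed as SQL, which is exactly what a timing-based probe relies on.
CREATE OR REPLACE FUNCTION count_flags_concat(p_owner IN VARCHAR2) RETURN NUMBER IS
    v_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM flag WHERE owner = ''' || p_owner || ''''
        INTO v_count;
    RETURN v_count;
END;
/

-- Hardened shape: the statement text is a constant and p_owner travels as a
-- bind value. It is compared as data and never parsed, so no delay or other
-- SQL can be smuggled in through it.
CREATE OR REPLACE FUNCTION count_flags_bind(p_owner IN VARCHAR2) RETURN NUMBER IS
    v_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM flag WHERE owner = :owner'
        INTO v_count
        USING p_owner;
    RETURN v_count;
END;
/

-- Both functions answer the same question for ordinary input; only the
-- second stays safe when the input is not ordinary.
SELECT count_flags_bind('alice') FROM dual;
```

The same distinction applies to application code calling Oracle through JDBC, ODBC or OCI: a prepared statement with placeholders is the bind form, string formatting into the query text is the concatenated form.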

SQL Server Management Studio - how to specify UTF-8 parameter to stored procedure arguments?

I have a stored procedure which searches by text passed as a parameter. I noticed that if the text is not in English (e.g. Hebrew, Arabic), the query finishes without returning any rows. I am sure there is data to be found.
I don't know which SQL Server version is being used: it is whatever is provided by GoDaddy on a shared Windows hosting plan.
The thing is, I have an ASP.NET site which can search and fetch the data from this column encoded as UTF-8. The path which does not work is SQL Server Management Studio. Even when I manually run the same stored procedures which work from inside ASP.NET, they don't manage to find non-English characters. The parameters I pass to the query are prefixed by the N qualifier.
Try using the N character like the sample :
Select * from students where name like N'%بیژن%'
and, as mentioned in the comment, the column data type should be NVARCHAR.
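An added T-SQL example (not the answer's query) that shows both halves of the answer at once: the same text stored in a VARCHAR and an NVARCHAR column, then searched with and without the N prefix. The table and rows are constructed for the demonstration; the behaviour described assumes a database whose default collation uses a Latin code page, which is the usual case on shared hosting.

```sql
-- Added example (not from the answer): why a search for non-Latin text can
-- come back empty. Table and sample row are constructed for this demo.
DECLARE @t TABLE (
    id            INT,
    name_varchar  VARCHAR(50),   -- single-byte code page: cannot hold Arabic/Hebrew
    name_nvarchar NVARCHAR(50)   -- UTF-16: holds any Unicode text
);

-- Insert the same Arabic-script name into both columns.
INSERT INTO @t VALUES (1, N'بیژن', N'بیژن');

-- 1. What was actually stored. On a Latin-collated database the VARCHAR column
--    cannot represent these characters and replaces each with '?'.
SELECT id, name_varchar, name_nvarchar FROM @t;

-- 2. NVARCHAR column searched with the N prefix: the literal is Unicode and
--    matches the stored text.
SELECT id FROM @t WHERE name_nvarchar LIKE N'%بیژن%';

-- 3. Same column searched without the N prefix: the literal is a VARCHAR, so it
--    is degraded to '?' characters before the comparison and no longer matches.
SELECT id FROM @t WHERE name_nvarchar LIKE '%بیژن%';

-- 4. VARCHAR column searched with the N prefix: the column never held the real
--    text, so the prefix on the literal cannot help.
SELECT id FROM @t WHERE name_varchar LIKE N'%بیژن%';
```

Only query 2 returns the row. The two conditions are independent: the column must be NVARCHAR to keep the data, and every literal and parameter that touches it must be Unicode (N'...' or an NVARCHAR parameter), including inside the stored procedure's own body.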

SQL queries in batch don't execute

My project is in Visual FoxPro and I use MS SQL Server 2008. When I fire SQL queries in a batch, some of the queries don't execute. However, no error is thrown. I haven't used BEGIN TRAN and ROLLBACK yet. What should be done?
That all depends... You don't have any sample of your queries posted to give us an indication of possible failure. However, one thing I've had good results with from VFP to SQL is to build it into a string (I prefer using TEXT/ENDTEXT for readability), then send that entire value to SQL. If there are any "parameter" based values that come from VFP locally, you can use "?" to indicate it will come from a variable to SQL. Then you can batch all in a single call vs multiple individual queries...
vfpField = 28
vfpString = 'Smith'
text to lcSqlCmd noshow
    select
        YT.blah,
        YT.blah2
    into
        #tempSqlResult
    from
        yourTable YT
    where
        YT.SomeKey = ?vfpField;

    select
        ost.Xblah,
        t.blah,
        t.blah2
    from
        OtherSQLTable ost
        join #tempSqlResult t
            on ost.Xblah = t.blahKey;

    drop table #tempSqlResult;
endtext
nHandle = sqlconnect( "your connection string" )
nAns = sqlexec( nHandle, lcSqlCmd, "LocalVFPCursorName" )
No, I don't have error trapping in here, just to show the principle and readability. I know the sample query could have easily been done via a join, but if you are working with some pre-aggregations and want to put them into temp work areas (like localized VFP cursors from a query) to be used as your next step, this would work via #tempSqlResult, as "#" indicates a temporary table on SQL Server for whatever the current connection handle is.
If you want to return MULTIPLE RESULT SETs from a single SQL call, you can do that too, just add another query that doesn't have an "into #tmpSQLblah" context. Then, all instances of those result cursors will be brought back down to VFP based on the "LocalVFPCursorName" prefix. If you are returning 3 result sets, then VFP will have 3 cursors open called
LocalVFPCursorName
LocalVFPCursorName1
LocalVFPCursorName2
and will be based on the sequence of the queries in the SqlExec() call. But if you can provide more on what you ARE trying to do and their samples, we can offer more specific help too.

Store Procedures in SQuirrel 3.2.1 when using it with a JDBC driver for a DB2 database

I spent a lot of time trying to retrieve data from a stored procedure; here is the code:
CREATE PROCEDURE aprocedure(
    IN idin CHAR,
    OUT returnvalue CHAR)
LANGUAGE SQL
P1: BEGIN
    SET returnvalue =
        (SELECT something
         FROM sometable
         WHERE id = idin);
END P1
I could create it, with no problems, but when I tried to call it like this:
call someprocedure('theid', ?)
Error -313 kept popping up. I did my homework and checked the web; IBM forums were no help at all, and I couldn't find any documentation, specifications, or anything that made this clearer. Also, SQL error code -313 means that the number of parameters in the procedure does not match the number of parameters you're using when you call it. So, after too much research, I started thinking that DB2 with the JDBC driver and/or SQuirreL have trouble returning OUT values (I also installed a DB2 CTL client, created a local database, created a table, created the procedure, called it, and everything worked nicely), so I changed my code to this (to use a result set instead of an OUT):
CREATE PROCEDURE someprocedure(IN idin CHAR (22))
DYNAMIC RESULT SETS 1
P1: BEGIN
DECLARE cursor1 CURSOR WITH RETURN FOR
SELECT something FROM sometable WHERE id=idin;
OPEN cursor1;
END P1
aaaaaaaaaaaand NOTHING. SQuirreL gave me some error codes when trying to create it, so... I entered that same code in Aqua Data Studio 4.7, and it worked like a charm. I call the procedure from Aqua Data like this:
call someprocedure('theid');
and it returned what it was supposed to return. I tried that same statement with SQuirreL...
and it WORKED too!!
I'm sure that my syntax was correct all along, even with the OUT type of return, so my question, finally, is this:
Does SQuirreL check the input you enter before passing it to the JDBC driver?
Also:
Where can I find how exactly DB2 is altering the SQL code? Because we all know that every DBMS changes the SQL a bit, but MySQL has great documentation... and I honestly couldn't find any good documentation on DB2. Also, I'm talking about "pure" SQL, since in DB2 you can write stored procedures in C, Java, etc...

Is there a size limit for the SQL text in a PeopleSoft App Engine SQL Step/Action?

I'm getting the following error: AeSymResolveStatement [775] ... Meta-SQL error at or near position 34338 in statement (108,512). The SQL statement itself is over 40,000 chars long, hence the question.
The DB is oracle. Running on Tools 8.49.24.
I know that there is a limit on the size of the SQL used in an Application Engine (SQL Step). I had once received a similar error while trying to use an exceptionally long SQL in an Application Engine.
I wouldn't be surprised if that same limit applies to SQL Objects.
To fix the problem, I was able to split the SQL into 2 (was an update statement). Hopefully that's possible in your case as well.
There is no such limit.
You can confirm this yourself by creating an SQL like:
select 'x' from PS_INSTALLATION where
1 = 1 and
1 = 1 and
1 = 1 and
1 = 1 and
/* ... copy paste '1 = 1 and' 90000 times or so times more */
1 = 1
Although it makes PSIDE quite slow, it saves and validates just fine.
There are limits within PeopleCode, mostly due to the limits on string length, however I have never found a limit on stored SQL statements.
Personally I'd look at breaking the statement into pieces in some way.
You could:
Use the inbuilt looping mechanism of App Engines
Use a mixture of SQL and PeopleCode
Use a temporary table and perform intermediate SQLs, storing results in the temp table
Apart from giving your database a heart seizure, not to mention the DBA when he sees the statement in the SQL monitor, you are saving yourself a world of pain if you ever have to look at the statement again.
I think the SQLs in App Engines are stored as longs, so it would be 4GB under Oracle, something similarly huge under DB2.