I would like to view parameterized update, select, and delete statements executed on an oracle database.
I can see the query by running the following:
select * from v$sqlarea where parsing_schema_name = 'SCHEMA_NAME' order by last_active_time desc
But I want to also view the parameters that go with the SQL in the SQL_TEXT column. Is there a way to do this?
If by parameterized you mean bind variables, you need V$SQL_BIND_CAPTURE. Search it by the SQL_ID you found in V$SQLAREA.
Each row represents a variable captured by position, so you'll have to match it up with your names from your query.
Related
Trying to exploit SQL injection for my assignment. Is it possible to execute delete or drop query after order by in select query without using the semicolon in Postgresql?
This is my sample query:
Select *
from table
order by {sql injection payload}
Without using the semicolon in the payload, can we delete data or drop a table?
https://stackoverflow.com/a/6800585
Do we have similar to this Postgrsql?
I tried
Select * from (delete from table_name returning *) a
But getting sql error as 'syntax error at or near from'
Check this document it says we can bypass forbidden character by CHR()
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.
So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.
You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:
Select *
from table
order by {sql injection payload}
After your payload modifies this query:
Select *
from table
order by SomeFunctionThatDeletes()
Another type which works because you can select from a procedure in PostgreSQL:
Select *
from table
order by id
UNION
Select *
from SomeProcedureThatDeletes()
You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.
DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.
SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.
So, I am working with redshift and SQL for the first time. I have run into this problem due to my limted knowledge of SQL.
I have this first query which return me tables with the columnA. (TableX, TableY... etc)
SELECT tablename
FROM PG_TABLE_DEF
WHERE ("column" = 'columnA');
Also I have this second query which returns me all the rows from the table containig certain value of columnA.
SELECT *
FROM TableX
WHERE columnA='123934'
What I want to achieve is take the result from the first query which is list of tables, and for each table run the second query i.e. get the rows with value of columnA=123934 for each table returned from first query.
What you want to achieve is done using dynamic SQL. Dynamic queries let you run a query from a string.
I am not an Redshit user but to generate the SQL string you need to run you could use the following query:
SELECT 'SELECT * FROM '||tablename ||' WHERE ColumnA= ''123934''; '
FROM PG_TABLE_DEF
WHERE ("column" = 'columnA');
You can try running it manually.
I want to write a query that examines all the tables in an SQLite database for a piece of information in order to simplify my post-incident diagnostics (performance doesn't matter).
I was hoping to write a query that uses the sqlite_master table to get a list of tables and then query them, all in one query:
SELECT Name
FROM sqlite_master
WHERE Type = 'table' AND (
SELECT count(*)
FROM Name
WHERE conditions
) > 0;
However when attempting to execute this style of query, I receive an error no such table: Name. Is there an alternate syntax that allows this, or is it simply not supported?
SQLite is designed as an embedded database, i.e., to be used together with a 'real' programming language.
To be able to use such dynamic constructs, you must go outside of SQLite itself:
cursor.execute("SELECT name FROM sqlite_master")
rows = cursor.fetchall()
for row in rows:
sql = "SELECT ... FROM {} WHERE ...".format(row[0])
cursor.execute(sql)
I have a table A with columns 1.Column 1 contains a query select * from tableD;
I need to execute the query inside column1 using single query if possible..How to do this..
Database is netezza.If u provide ans for oracle Db also fine.
This seems Dynamic query problem for me ..
In Oracle you can create a procedure to call this query which is actually stored in a table.
In my knowledge you can not directly run query stored as text.
You need to create a procedure or function where you can call this query as dynamically with execute immediate command.
I'm using Oracle DB and I would like to write a SQL query that I could then call with JDBC. I'm not very familiar with SQL so if someone can help me, that could be great ! Here is the problem. I have a table MY_TABLE wich contains a list of another tables, and I would like to keep only the nonempty tables and those that their names start by a particular string.
The query I wrote is the following :
select TABLE_NAME
from MY_TABLE
where TABLE_NAME like '%myString%'
and (select count(*) from TABLE_NAME where rownum=1)<>0
order by TABLE_NAME;`
The problem comes from the second SELECT, but I don't know how can I do to use the TABLE_NAME value.
Does someone have an idea ?
Thanks.
[Added from comments]
Actually, I need to test the V$ views contained in the ALL_CATALOG table. But if I can find another table where all these views are contained too and with a NUM_ROWS column too, it would be perfect !
Standard versions of SQL do not allow you to replace 'structural elements' of the query, such as table name or column name, with variable values or place-holders.
There are a few ways to approach this.
Generate a separate SQL statement for each table name listed in MY_TABLE, and execute each in turn. Brute force, but effective.
Interrogate the system catalog directly.
Investigate whether there are JDBC metadata operations that allow you to find out about the number of rows in a table without being tied to the system catalog of the specific DBMS you are using.
Can you use oracle view USER_TABLES? then query will be much easier
select TABLE_NAME
from USER_TABLES
where TABLE_NAME like '%myString%'
and Num_ROWS > 0
order by TABLE_NAME;`