I am trying to combine the results of xp_cmdshell with a select query.
I have tried union & read about creating a temp table, but as my result will be having only 1 column. To be more precise i need a smaller query to combine the results of xp_cmdshell with select query as am trying to use it in union based sql injection
For example:
Select name from employee
union
exec xp_cmdshell 'whoami'
I know this wont work but somewhat similar would be great :)
You should know what this stored procedure returns and what outputs. Then when you know the table schema this procedure returns you may use the following syntax:
DECLARE #procedureOutput nvarchar(max)
SET #procedureOutput=Exec xp_cmdshell 'dir'
SELECT name FROM employee union #procedureOutput
If you need convert two different data types, CAST and CONVERT commands are for you.
Create a temp table and do insert into #temp EXEC.. or use OPENROESET. Refer this
http://beyondrelational.com/modules/2/blogs/70/posts/10812/select-columns-from-exec-procedurename-is-this-possible.aspx
Related
I have a stored procedure, which is returning a table. I just want the count of the records is it possible
My Procedure
create procedure Test
as begin
select * From Student
end
exec Test
will give the records out put
I want the count
NB: I need the sp to return the results of select statement.In another place I need the count of the records returned by sp and columns in the student table is dynamic.
I am expecting an answer without modifying stored procedure.
You can select the data into a temporary table like below. However, you have to use OPENQUERY to do so. You must also enable data access on your server first.
Exec sp_serveroption 'ServerName', 'data access', 'true'
SELECT * INTO #TempTable
FROM OPENQUERY("ServerName", 'EXEC Test')
SELECT COUNT(*) FROM #TempTable
NB: I need the sp to return the results of select statement.
Use your stored procedure as is. That is,
create procedure Test
as begin
select * From Student
end
In another place I need the count of the records returned by sp and
columns in the student table is dynamic.
If this other place is another SP, then use rowcount. You use it this way :
EXEC [sp_WhateverTheSPNameIs]
select ##rowcount
Read about ##RowCount. This is all you need.
I am creating a SQL Query dynamically. After it's been created I want to execute it and store it as a temporary table.
WITH [VALIDACCOUNTS] AS( EXEC (#sqlQuery))
You have two solutions for this:
As a first solution you can simply use an INSERT EXEC. This will work if you have a specified result set. This could be used if your procedure just returns one result set with a fixed result design.
Simply create your temporary table with matching columns and datatypes. After that you can call this:
INSERT INTO #yourTemporaryTable
EXEC(#sql)
The second solution would be the usage of OPENROWSET for this, which may have some sideeffects.
You can read more about it here.
INSERT INTO #yourTemptable
SELECT *
FROM OPENROWSET('SQLNCLI', 'DRIVER={SQL Server};',
'EXEC (''+#sql+''))'
I'm writing a stored procedure in SQL Server 2008 which contains a SELECT DISTINCT statement and another simple Select statement which is based on the result of first statement.
How to use the table returned by the SELECT DISTINCT statement i.e the UnitNumber column value in second Select statement?
Stored procedure:
CREATE PROCEDURE ExtractPacket
AS
BEGIN
SET NOCOUNT ON;
-- Select statements to check the number of unit
SELECT DISTINCT UnitNumber from dbo.CP_TemplateHandler
END
GO
you can create a temp table and fill it by first SELECT DISTINCT and then in second Select use that.
Excuse me for answer in order comment(i can comment yet :( )
I suggest that use First Select Distinct as a sub query of second Select Distinct query.
Let's say I have a stored procedure which returns a large set of data. Can I write another query to filter the result of stored procedure?
For example:
select * from
EXEC xp_readerrorlog
where LogDate = '2011-02-15'
You would need to first insert the results of the stored procedure on a table, and then query those results.
create table #result (LogDate datetime, ProcessInfo varchar(20),Text text)
INSERT INTO #Result
EXEC xp_readerrorlog
SELECT *
FROM #Result
WHERE datepart(yy,LogDate) = '2012'
You can't make it part of a query, BUT you could insert the resulting data into a temp table or table variable and then use that for your query.
Does returning the error log for just an entire day make the result any more useful? I think it will still be full of useless entries. If you're looking for specific events, why not use one of the filter parameters for xp_readerrorlog? The following wil return all rows in the current log that contain the string 'fail':
EXEC xp_readerrorlog 0, 1, 'fail';
You can copy output from sp to temporaty table.
insert into #temp
EXEC xp_readerrorlog
and then use where clause with the temp table
or you can make a Table-valued Function
I need to make a SELECT with a call of a stored procedure in the WHERE clause.
It should be something like that....
SELECT distinct top 10 i.x, d.droit
FROM v_droit d, v_info i
WHERE d.nomdroit='yy'
AND i.id<>2
AND (select val from (exec up_droits(i.x, d.droit)) <>3
But it does not work...
Any idea?
Don't say to replace the stored procedure with a function because is not possible to use the existing code in a function. So the function is not a valid option. I really need to be able to use a stored procedure
This is achieved by first executing the stored procedure, capturing the output into a #temp table or a #tabel variable, then running your query against the table. Something like this:
declare #droits_table (val ,... );
insert into #droits_table
exec up_droits(param, param);
SELECT distinct top 10 i.x, d.droit FROM v_droit d, v_info i WHERE d.nomdroit='yy' AND i.id<>2 AND (select val from #droits) <>3
Of course this will not work for you because the up_droits needs the i.x and d.droit parameters from the query. This indicates that your stored procedure should probably be a a view or table valued function.
Sorry but, make it a table valued function rather than stored procedure.
Eg:
Scalar - SELECT id, name FROM test WHERE id < (SELECT dbo.mytestfunction())
Table - SELECT id, name FROM test WHERE id = (SELECT col1 from dbo.mytestfunction())
You can't. The content of the WHERE clause must be a search expression.
Is the reason that the code doesn't work as a function because it modifies some data? If so, then you're out of luck, functions used in where clauses must be immutable.
If the stored procedure doesn't modify any data, you may be able to wrap it inside of a function.
If you are on SQL Server I don't think you can do what you propose.
But one thing you can do is build dynamic queries, but be careful doing it because they open up many interesting problemareas.
The syntax is :
EXEC #<query>
But anotherthing you can do, which is probably much better for you, is to make the up_droits function deliver it's results in a temp table, if you select into a #table it is temporary for the duration of your function/procedure scope
declare procedure up_droits() as
select val .. into #temp
So what you do is create a procedure
create procedure Top10FromDroit
begin
exec up_droits
SELECT distinct top 10 i.x, d.droit FROM v_droit d, v_info i WHERE d.nomdroit='yy' AND i.id2 AND (select val from (#temp) 3
Hopefully that will give you the results you want to achieve.
If at first you don't succeed, code around it^^
Could anyone of you explain reasons for executing dynamic SQl inside stored procedure. I know very few situations when you need them - but really very few. 99.9% (or 999 of a 1000) of execute strings could be rewritten as normal sql statements with parameters.
The very same is with Selects that have functions inside select or where clauses.
Try to think about your sets of data, not about procedural ways how to solve it.