I have problem, I need to explode my input to my stored procedure, but don't know how I can do it.
My stored procedure has a VARCHAR(256) input which I need to split and generate insert statements.
i what to explode this varchar "1,2,3,7,8,9" so I need to split that string on "," and iterate through the result
Yes, please see this forum thread on replicating the functionality in mysql that tsql provides.
That thread also discusses some of the downfalls of this method. Also, I think you want to be using VARCHAR(255) or just VARCHAR(MAX) because there is no benefit to a 256, it uses a 2 byte size prefix and yet only stores 256 characters.
Have you considered using xml and xpath syntax to extract the values instead? I think going forward this will become a more readable and maintainable method.
Here is a split_string() function
http://forge.mysql.com/tools/tool.php?id=4
Try my SQL Library: http://ondra.zizka.cz/stranky/programovani/sql/mysql_stored_procedures.texy
Related
I need to read in Delphi the output from a SQL Server procedure that returns a XML as output (#MSG1)
PROCEDURE dbo.PROC_ZUND_XML
(#LOTEPC VARCHAR(10),
#MSG1 NVARCHAR(MAX) OUTPUT)
I've tried to get this output using a TFDStoredProc component as well as a TFDQuery, however, it doesn't matter the variable type I use in the parameters configuration in Delphi (ftWideString, ftWideMemo etc.) it always store just the first 8000 characters of the output. A count statement in the SQL Command section of the Delphi's FireDAC Query Editor shows that the output of the procedure have more than 8000 characters.
So, the problem seems to be occurring internally, when the value is assigned to the variable. Does anybody have an idea about how to fix it? Maybe a different approach to the problem... Thanks in advance.
I'm using SQL Server 2008 and Delphi 10.2
If you need to export this xml file to a specific folder, I advise you to use SQL SERVER itself to export this file to a SHARED NETWORK FOLDER.
With BCP, you can generate your XML, and save directly to an XML file, in the directory you want ..
Some useful tips:
If necessary, I recommend using the -w argument to avoid confusion
with Wrong CHARACTERS (À, É, È, Ó, Ò)
Useful Documentations:
http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=171529
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms162802(v=sql.110)
https://sqlsouth.wordpress.com/2014/05/23/export-xml-from-sql-server-using-bcp/
Apologies for the rather basic question.
I have an error string that is built dynamically. The data in the string is passed by various third parties so I don't have any control, nor do I know the ultimate size of the string.
I have a transaction table that currently logs details and I want to include the string so that I can reference back to it if necessary.
2 questions:
How should I store it in the database?
Should I do anything else such as contrain the string in code?
I'm using Sql Server 2008 Web.
If you want to store non unicode text, you can use:
varchar(max) or nvarchar(max)
Maximum length is 2GB.
Other alternatives are:
binary or varbinary
Drawbacks: you can't search into these fields and index and order them
and the maximum size : 2GB.
There are TEXT and NTEXT, but they will be deprecated in the future,
so I don't suggest to use them.
They have the same drawbacks as binary.
So the best choice is one of varchar(max) or nvarchar(max).
You can use SQL Server nvarchar(MAX).
Check out this too.
Eventualy, you can enable and use a FILESTREAM feature of SQL Server 2008 (it's supported by WEB edition), and deal with extra large amount of data in sense of documents.
Of course, you need to be sure that you will use a benefit of this service.
I'm using sqlite3_exec() function in order to execute an SQL Insert command. The problem starts when I need to insert strings that need to be encoded.
For example, I want to insert the following string: "f('hello')". If I want to insert this string I need to change "'" to "''".
My question is, how do I encode these strings? Is there a function I can count on? or a table that details all the needed encodes?
Thanks! :-)
Instead of manually escaping strings (which is error-prone and invites SQL injection attacks), I'd strongly recommend using prepared statements and bind values; read up on sqlite3_bind_XXX and sqlite3_prepare_v2
Using bind values will solve this problem and it will also make sqlite faster because it remembers previously executed sql statements and it can reuse their execution plans. This doesn't work when the sql statement is always slightly different because it hashes the complete sql statement.
sqlite_mprintf supports %q for that.
"Maybe" you should use something like a prepared statement. I am not an expert in SQLite, but I found this link (http://www.sqlite.org/c3ref/stmt.html) and it could help you. It is about SQL Statement Object.
What is the best, most preferable (and, if possible, efficient) way to pass an array of strings from a .NET application to a SQL Server 2005 stored procedure?
1) Pass the array of strings as a comma- or semicolon-delimited string and parse it into a temporary table?
2) Pass the array as XML and use SQL Server 2005 methods to parse it into a temporary table?
3) Write an ancilliary stored procedure to deal with each string individually and having .NET calling it for every element in the array?
4) Other... What?
I would say solution 2) is the most elegant one, but it is certainly not the most efficient... Is it?
Read this article.
Arrays and Lists in SQL Server 2005
The other related articles:
Arrays and Lists in SQL Server
Edit:
Sorry I did not realized that it is already mentioned in comments.
It depends upon your requirements.
In case I am importing then pass the XML and use SQL Server 2005 methods to parse it into a temporary table
If the records are not in bulk, I can use semicolon-delimited string.
If it is like you have some enumeration values like filtering the records on the basis of multiple status then I can use In
Good and Bad points about array passing
Hope this will help you. :)
The website i worked was recently attempted to be hacked by the following SQL injection script
boys' and 3=8 union
select 1,
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9
from `information_schema`.`tables`
where table_schema=0x62646B3032 limit 44,1 -- And '8'='8
This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?
Anyone can explain this?
Penuel
They're using a select from the Information Schema views in mysql server :
http://dev.mysql.com/doc/refman/5.0/en/information-schema.html
They use some clever hacks to rout out simple sql injection prevention techniques.
According to this the MySQL concat()
Returns the string that results from
concatenating the arguments. May have
one or more arguments. If all
arguments are nonbinary strings, the
result is a nonbinary string. If the
arguments include any binary strings,
the result is a binary string. A
numeric argument is converted to its
equivalent binary string form
So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.
Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.
The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.
This injection returned the mysql table name.
Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.