How can we find out how many applications there are in a database?
Not entirely sure what you're asking for here. I'm assuming you mean "Applications written using SQL Server 2005 as the database.".
If that's what you want to know, I don't know of any single place you could get that information, but it's always a good idea to try starting here.
Do you mean stored procedures? You can have multiple applications using the same login credentials accessing a given database from the same web server, so you can't simply count databases or tables to get that number.
Somewhere recently I read of a method to connect one SQL Server to another, so clients could connect and run queries that appeared to come only from the first server. I cannot remember the proper terminology for this technique, and Google searches have not helped. I thought it was called "external connection", or "external source", but I cannot find this again.
Have I remembered correctly, and can someone give me an overview how to do this..?
To explain further, my preferred SQL client DBeaver only allows one connection in each query. As such, if I wish to join tables from two different servers, there's no direct way to do it...except perhaps this method which I can't remember how to do.
Take a look at the linked server in MsSQL.
https://www.sqlshack.com/how-to-create-and-configure-a-linked-server-in-sql-server-management-studio/
https://learn.microsoft.com/en-us/sql/relational-databases/linked-servers/create-linked-servers-sql-server-database-engine?view=sql-server-ver15
Use DBVisualizer instead of Dbeaver, if you are on Linux.
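A linked server setup of the kind the answer above points to, as an added example that is not part of the original posts. The server name REMOTESQL01, the logins report_reader and linked_readonly, and the databases and tables are hypothetical; the password is a placeholder.

```sql
-- Added example; server, database, login and table names are hypothetical.
-- Run on the first server (the one clients connect to).

-- Register the second SQL Server. With @srvproduct = 'SQL Server',
-- @server is the network name of the remote instance.
EXEC sp_addlinkedserver
    @server     = N'REMOTESQL01',
    @srvproduct = N'SQL Server';

-- sp_addlinkedserver creates a default mapping under which every local
-- login connects across using its own credentials. Remove it so that only
-- explicitly mapped logins can use the link.
EXEC sp_droplinkedsrvlogin
    @rmtsrvname = N'REMOTESQL01',
    @locallogin = NULL;

-- Map one existing local login (assumed: report_reader) to a low-privileged
-- SQL login on the remote server (assumed: linked_readonly).
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'REMOTESQL01',
    @useself     = N'FALSE',
    @locallogin  = N'report_reader',
    @rmtuser     = N'linked_readonly',
    @rmtpassword = N'<password-placeholder>';

-- Remote procedure calls through the link are not needed for SELECTs.
EXEC sp_serveroption
    @server   = N'REMOTESQL01',
    @optname  = N'rpc out',
    @optvalue = N'false';

-- Join a local table to a remote one in a single query, using the
-- four-part name server.database.schema.object for the remote side.
SELECT o.OrderId, c.CustomerName
FROM LocalSales.dbo.Orders AS o
JOIN REMOTESQL01.Crm.dbo.Customers AS c
    ON c.CustomerId = o.CustomerId;
```

Queries sent through the link run on the remote server with the rights of the mapped remote login, so that login should hold only the permissions the cross-server queries need.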
It seems that one could stop all threat of Sql injection once and for all by simply rejecting all queries that don't use named parameters. Any way to configure Sql server to do that? Or else any way to enforce that at the application level by inspecting each query without writing an entire SQL parser? Thanks.
Remove the grants for a role to be able to SELECT/UPDATE/INSERT/DELETE against the table(s) involved
Grant EXECUTE on the role for stored procedures/functions/etc
Associate the role to database user(s) you want to secure
It won't stop an account that also has the ability to GRANT access, but it will stop the users associated to the role (assuming no other grants on a per user basis) from being able to execute queries outside of the stored procedure/functions/etc that exist.
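The three steps above written out in T-SQL, as an added example that is not part of the original answer. The table dbo.Customers, the procedure dbo.GetCustomerById, the role app_exec_only and the user webapp_user are hypothetical names.

```sql
-- Added example; every object name here is hypothetical.
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE USER webapp_user WITHOUT LOGIN;   -- stands in for the application's database user
CREATE ROLE app_exec_only;
GO

-- Typed parameter and a static statement: input is never concatenated into SQL text.
CREATE PROCEDURE dbo.GetCustomerById
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name
    FROM dbo.Customers
    WHERE CustomerId = @CustomerId;
END;
GO

-- Step 1: remove direct table access from the role.
REVOKE SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers FROM app_exec_only;

-- Step 2: the role may only execute the procedure.
GRANT EXECUTE ON OBJECT::dbo.GetCustomerById TO app_exec_only;

-- Step 3: attach the application user to the role.
-- sp_addrolemember works on SQL Server 2005 and later;
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
EXEC sp_addrolemember N'app_exec_only', N'webapp_user';
GO

-- Check the effective permissions while impersonating the application user.
EXECUTE AS USER = N'webapp_user';
SELECT
    HAS_PERMS_BY_NAME(N'dbo.Customers', N'OBJECT', N'SELECT')        AS can_select_table,
    HAS_PERMS_BY_NAME(N'dbo.GetCustomerById', N'OBJECT', N'EXECUTE') AS can_exec_procedure;
-- The procedure reaches the table through ownership chaining (both owned by dbo).
EXEC dbo.GetCustomerById @CustomerId = 1;
REVERT;

-- Caveat: dynamic SQL inside a procedure (EXEC('...') or sp_executesql) is checked
-- against the caller's own permissions, so it does not benefit from ownership chaining.
```

Membership in other roles such as db_datareader, or grants made directly to the user, still apply, which is the "assuming no other grants" condition in the answer.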
There are only a couple ways to do this. OMG Ponies has the best answer: don't allow direct sql statements against your database and instead leverage the tools and security sql server can provide.
An alternative way would be to add an additional tier which all queries would have to go through. In short you'd pass all queries (SOA architecture) to a new app which would evaluate the query for passing on to sql server. I've seen exactly one company do this in reaction to sql injection issues their site had.
Of course, this is a horrible way of doing things because SQL injection is only one potential problem.
Beyond SQL Injection, you also have issues of what happens when the site itself is cracked. Once you can write a new page to a web server it becomes trivial to pass any query you want to the associated database server. This would easily bypass any code level thing you could put in place. And it would allow the attacker to just write select * from ... or truncate table ... Heck, an internal person could potentially just directly connect to the sql server using the site's credentials and run any query they wanted.
The point is, if you leverage the security built into sql server to prevent direct table access then you can control through stored procedures the full range of actions available to anyone attempting to connect to the server.
And how do you want to check for that? Queries sometimes have constant values that would just as easily be added to the query. For instance, I have a database that is prepared to be multilingual, but not all code is, so my query looks like this:
SELECT NAME FROM SOMETABLE WHERE ID = :ID AND LANGUAGEID = 1
The ID is a parameter, but the language id isn't. Should this query be blocked?
You ask to block queries that don't use named parameters. That can be easily enforced. Just block any query that doesn't specify any parameters. You can do this in your application layer. But it will be hard to block queries like the one above, where one value is a parameter and the other one isn't. You'll need to parse that query to detect it, and it will be hard too.
I don't think sql server has any built in features to do this.
Is there a way to show table relationships as can be done in Access? Consider two tables:
Services
serviceid
application id
Application
application id
application name
I have already set up the diagram.
When opening the table service id I want to see the related application details like in Access.
Is this possible?
First of all, you can always use Access to connect to SQL Server and see relationships through it.
The built in database diagram feature will also show relationships, as you describe. You can find it under the database in question in the diagrams node.
Here is an article about different options to produce an ERD.
Update:
In order to see results, I would suggest using Access to connect to SQL Server, as described in the link above.
The SQL Server GUI does not have this facility, and if you want to see results from several tables you need to write the SQL queries that will generate the wanted data.
You could also create a VIEW:
CREATE VIEW ServicesApplication AS
SELECT S.ServiceID, S.ApplicationID, A.ApplicationName
FROM Services AS S
LEFT JOIN Applications AS A
ON S.ApplicationID = A.ApplicationID
That way you can always access the coupled data easily by manipulating the ServicesApplication view instead of the separate tables.
SQL 2008 doesn't have anything built in to provide that functionality. Almost sounds like you're looking to troubleshoot an application by looking at database entries...if that's true I'd recommend learning tsql well enough to write these statements as you need and not rely on another application to provide a visual interface. heh, if I'm completely wrong with that, ignore me :)
If you still want the 3rd party application route...I believe TOAD has that functionality within it, though I've never connected it to a MS SQL 2008 server before. There are other third party applications out there that will provide this functionality, though I imagine they aren't all free. If you're looking for a free solution and already have Access going, Oded probably has the best idea here...connect MS access to the SQL 2008 server (linked tables) and use MS access to provide the features you want from ms access :)
This is a simple question yet I was unable to find any information at all about this.
Is it possible to have sub-schemas in SQL Server 2005/2008?
Example:
Having a HR (Human Resources) schema with a sub-schema called Training (with tables related to this). It would end up like HR.Training.* where * would be the tables.
No. You could fake this with roles by putting different users into different roles and allowing those roles to use objects.
Maybe you could fake it in the naming of the schema, like HR_Training.* and HR_Reviews.* and so forth. Cheesy, I know.
Are you coming from an Oracle background by any chance ? Oracle has the concept of Schemas I believe. In SQL Server the closest equivalent is a Database.
You can cross-query from one database to another on the same SQL server very easily and that would give you virtually the same kind of calling syntax
e.g server.database.owner.object
In your case it might look like HRSvr.HR.dbo.xxx and HRSvr.Training.dbo.xxxx.
yea you can make schemas but doesn't seem like you can make sub-schemas. I come from IBM db2 background but our IT folks here don't seem to know that you can other schemas beside the default 'dbo'.
I need to query the Total Physical Memory, Available Physical Memory and Total Commit Charge of the server. Basically values circled in the picture. Is it possible using SQL Server 2005?
You can try using the sys.dm_os_sys_info table, which returns a miscellaneous set of useful information about the computer, and about the resources available to and consumed by SQL Server.
USE [master];
SELECT * FROM sys.dm_os_sys_info
Bye.
It's not entirely clear what you're asking. You can use a subset of SQL called WQL to get information from WMI, and I'm pretty sure all the data you're asking for is available via WMI, so you should be able to get it all via a SQL query. That SQL query won't be talking to the actual SQL server at the time though, it'll be talking to the WMI provider via the WQL adapter.
I'm not sure about the entire box, but you can use DBCC MemoryStatus to get the consumption of SQL Server itself.
Here's an article about it.
I don't think you really mean SQL as in Database information, it looks to me like you're trying to query the operating system for performance information. Is that right?
You'd need to perform WMI queries for that, instead of SQL queries (which are designed for database access)
Here's an example for getting memory information:
http://www.computerperformance.co.uk/vbscript/wmi_memory.htm#Scenario_-_When_to_use_this_WMI_Memory_Script_
The web site included in the link above has all kinds of samples, and I think you'd be able to get to what you want by researching there.