I am trying to run a stored proc "dbname..rr_deck_type_wrap_proc" through SQLDeveloper worksheet using the following code:
declare @return int, @message varchar(255)
exec @return = DBname..rr_deck_type_wrap_proc
    @new_id = '123456789',
    @remarks = 'Test',
    @error_cd = @message output
select @return "@return", @message "@message"
However, I always get the message:
Error report - Invalid JDBC escape syntax at line position 22 '=' character expected.
This code works perfectly fine when run through another software/interface. It is probably a syntax issue with SQLDeveloper; I tried different things but nothing worked. Can someone suggest anything? Thank you!
You're using 'Oracle SQL Developer' - the keyword there, being 'Oracle.'
You're connected to a SAP Sybase database. Which is perfectly fine. We provide this connectivity support for one reason, and one reason only:
To allow you to migrate it to Oracle Database.
It is NOT a T-SQL IDE. It does not provide any support really for running, debugging, playing with T-SQL.
If you have ANSI-SQL, then our parser will probably be OK with it.
If you need/want a hack, and are desperate to make your code go, then you can provide a hint to our parser, to just let the code go through to the driver, and hope it works.
An example:
/*sqldev:query*/sp_help;
You could also try adding this:
/*sqldev:stmt*/
This advice applies to MySQL, DB2, SQL Server, Teradata, or any other 3rd party JDBC driver we allow you to use in SQL Developer. It's there to help you move your schema and application code over into an Oracle Database.
I have rails code that is consuming an oracle view/function.
This is my code:
def run_query
  connection.exec_query(
    "SELECT * FROM TABLE(FN_REQ(#{demo_type_param},#{demo_tid_param}))")
end
When I run the Brakeman analyzer it warns of a possible "SQL injection attack".
I need to understand if this is a valid warning and, if so, how I remediate it.
Since this is a function and not an actual table, I am not sure what the right way is.
If it were a normal model, I would have just followed this pattern:
Model.where("mycolumn1= ? AND mycolumn2= ?", demo_type_param, demo_tid_param).first
Yes, it is real. Almost every time you build an SQL query by simply concatenating variables, you are vulnerable to SQL injection. Generally, an SQL injection happens whenever data inserted into the query can look like valid SQL and can result in additional queries being executed.
The only solution is to manually enforce appropriate escaping or to use prepared statements, with the latter being the preferred solution.
With ActiveRecord / Rails, you can use exec_query with binds directly:
sql = 'SELECT * FROM TABLE(FN_REQ(?,?))'
connection.exec_query(sql, 'my query', [demo_type_param, demo_tid_param])
Here, Rails will prepare the statement on the database and add the parameters to it on execution, ensuring that everything is correctly escaped and safe from SQL injection.
Running Rails 4.0.13 with TinyTDS connected to Microsoft SQL Server 2012, I'm trying to run the following query:
sql = Model.where(:foo => bar).select(:open, :high, :low, :close).to_sql
Model.connection.execute(sql)
The problem is, the generated sql is
"SELECT open, high, low, close FROM [models]"
Which gives me an error as the column names open and close are protected.
TinyTds::Error: Incorrect syntax near the keyword 'open'
If I use #pluck, I can see the correct SQL is generated (with column names escaped):
"SELECT [models].[open], [models].[high], [models].[low], [models].[close] FROM [models]"
However, this produces an array, which is not what I want.
My question is how can I get #select to correctly quote the column names?
Thank you
I don't think you can make the select method protect your column names when using symbols (maybe because different DBMSs use different quoting identifiers), but you could pass your selection as a string:
sql = Model.where(:foo => bar).select("[open], [high], [low], [close]").to_sql
Model.connection.execute(sql)
I attempted to submit a bug report to Rails; however, in doing so I saw the problem did not appear to exist using an SQLite test case, which leads me to believe the issue is with the SQL Server adapter.
Since I am on Rails 4 and not the latest version of the adapter, I left it and wrote the following (horrible) method, as wrapping the column names was not enough; I needed to prefix the table name to prevent ambiguous column names. Yuck.
def self.quote(*columns, klass)
  columns.map { |col| "[#{klass.table_name}].[#{col}]" }.join(', ')
end
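A hardened version of the quoting helper above, added here as an example that is not part of the original answer: identifiers cannot be passed as bind parameters, so the column names are checked against an allow-list of known columns and any ']' inside an identifier is doubled, which is how SQL Server escapes it. TABLE_NAME and ALLOWED_COLUMNS are constructed stand-ins for Model.table_name and Model.column_names.

```ruby
# Added example (not from the original post). SQL Server bracket-quoting for
# identifiers: binds cannot parameterise column names, so the only safe way to
# build a SELECT list from caller-supplied names is to allow-list them against
# the model's known columns and to escape any ']' inside the identifier.
module SqlServerQuote
  TABLE_NAME      = "models".freeze                        # stands in for Model.table_name
  ALLOWED_COLUMNS = %w[id foo open high low close].freeze  # stands in for Model.column_names

  # Quote one identifier the way SQL Server expects: wrap in [] and double any ']'.
  def self.bracket(name)
    "[#{name.to_s.gsub(']', ']]')}]"
  end

  # Build a table-qualified, quoted column list, rejecting unknown names outright
  # rather than relying on the quoting alone.
  def self.qualified_columns(*columns, table: TABLE_NAME, allowed: ALLOWED_COLUMNS)
    columns.map do |col|
      col = col.to_s
      raise ArgumentError, "unknown column #{col.inspect}" unless allowed.include?(col)
      "#{bracket(table)}.#{bracket(col)}"
    end.join(", ")
  end

  # The statement the question wanted #select to produce.
  def self.select_sql(*columns)
    "SELECT #{qualified_columns(*columns)} FROM #{bracket(TABLE_NAME)}"
  end
end
```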
Recently I was tasked with creating a SQL Server Job to automate the creation of a CSV file. There was existing code, which was using an assortment of #temp tables.
When I set up the job to execute using BCP calling the existing code (converted into a procedure), I kept getting errors:
SQLState = S0002, NativeError = 208
Error = [Microsoft][SQL Native Client][SQL Server]Invalid object name #xyz
As described in other post(s), to resolve the problem lots of people recommend converting all the #temp tables to @table variables.
However, I would like to understand WHY BCP doesn't seem to be able to use #temp tables?
When I execute the same procedure from within SSMS it works though!? Why?
I did do a quick and simple test using global temp tables within a procedure and that seemed to succeed via a job using BCP, so I am assuming it is related to the scope of the #tempTables!?
Thanks in advance for your responses/clarifications.
DTML
You are correct in guessing that it's a scope issue for the #temp tables.
BCP is spawned as a separate process, so the tables are no longer in scope for the new processes. SSMS likely uses sub-processes, so they would still have access to the #temp tables.
A simple Rails 3 application tries to talk to SQL Server 2000 using activerecord-jdbc-adapter. I tried both the Microsoft JDBC driver and the jTDS driver. It seems to connect to the database OK.
When it is time to SHOW data I get this error:
ActiveRecord::StatementInvalid in PencilsController#show
ActiveRecord::JDBCError: 'ROW_NUMBER' is not a recognized function name.: SELECT t.* FROM (SELECT ROW_NUMBER() OVER(ORDER BY [pencils].id) AS _row_num, [pencils].* FROM [pencils] WHERE [pencils].[id] = 1) AS t WHERE t._row_num BETWEEN 1 AND 1
The real problem here is that the DB does not support proper LIMIT and OFFSET functions. Rails 2 would have the same problem.
For one of my old projects I had to use Sybase15, which is quite similar to old SQL Server. To make limit and offset work with that DB I had to write my own adapter:
https://github.com/arkadiyk/ar-sybase-jdbc-adapter .
It uses scrollable cursors to simulate offset. You can try to use it as it is with SQL SERVER 2000 or feel free to clone it and modify for your specific needs.
Update:
The ROW_NUMBER function is called at https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/mssql/limit_helpers.rb line 82 (SqlServerReplaceLimitOffset)
There is no replacement for this function. There are other ways of implementing OFFSET, but there is no straightforward one.
This is kind of old, but if anyone is passing through here, I put together another solution that uses activerecord-sqlserver-adapter and can be used to connect a Rails 3.2 app to SQL Server 2000:
https://bitbucket.org/jose_schmidt/rails-sqlserver-adapter-sql-server-2000-friendly
I have a bunch of SQL statements to execute on a database. (I'm doing things that Rails doesn't provide methods for, as far as I know: creating views, adding foreign keys, etc. It's mostly for non-Rails interaction with the data.) In essence, I'm doing the following:
sql = "statement_1; statement_2; statement_3; etc;"
ActiveRecord::Base.connection.execute(sql)
Or with newlines, like so:
sql = <<EOF
statement_1;
statement_2;
statement_3;
etc;
EOF
ActiveRecord::Base.connection.execute(sql)
(Obviously, these statements are just place holders, but I don't think their content matters, according to my tests.)
In either case, only the first statement is executed and the others seem to be ignored. Is that what's going on? I'm only seeing the effects of the first statement whenever I try more than one at a time. Do I need to execute each one separately? One set of statements is coming from a file, so it'd be nice to just load the contents of the file and execute. If there are better strategies I could adopt, I'd be interested in them.
I was hoping the documentation on execute would shed some light, but besides using the singular ("statement"), it doesn't. Perhaps it's because of the database engine I'm using? (For reference, I'm using SQLite at the moment.)
UPDATE: I ended up writing a method that does the following:
def extract_sql_statements(sql)
  statements = []
  sql.split(';').each do |statement|
    statement.strip!
    unless statement.empty?
      statement += ';'
      statements << statement
    end
  end
  statements
end
...and then looping over statements. It's fixed the problem, but if there are more elegant solutions, I would be interested in hearing about them.
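A more robust splitter along the same lines, added here as an example that is not part of the original post: splitting on every ';' breaks as soon as a semicolon appears inside a string literal, a quoted identifier or a comment, so this version skips over those before looking for terminators. The script it is run on is constructed for the example.

```ruby
# Added example (not from the original post): split a SQL script into single
# statements, leaving semicolons alone inside '...' / "..." (with doubled quotes
# as escapes), -- line comments and /* */ block comments. Each returned statement
# can then be handed to ActiveRecord::Base.connection.execute one at a time.
def split_sql_statements(sql)
  statements = []
  current = +""
  i = 0
  while i < sql.length
    ch = sql[i]
    case
    when ch == "'" || ch == '"'                # string literal or quoted identifier
      closing = sql.index(ch, i + 1)
      while closing && sql[closing + 1] == ch  # '' inside a literal is an escaped quote
        closing = sql.index(ch, closing + 2)
      end
      closing ||= sql.length - 1               # unterminated quote: take the rest as-is
      current << sql[i..closing]
      i = closing + 1
    when sql[i, 2] == "--"                     # line comment runs to end of line
      nl = sql.index("\n", i) || sql.length - 1
      current << sql[i..nl]
      i = nl + 1
    when sql[i, 2] == "/*"                     # block comment runs to the closing */
      close = sql.index("*/", i + 2)
      close = close ? close + 1 : sql.length - 1
      current << sql[i..close]
      i = close + 1
    when ch == ";"                             # real statement terminator
      stmt = current.strip
      statements << "#{stmt};" unless stmt.empty?
      current = +""
      i += 1
    else
      current << ch
      i += 1
    end
  end
  stmt = current.strip
  statements << "#{stmt};" unless stmt.empty?  # final statement without a trailing ';'
  statements
end

# Constructed sample script: every ';' inside quotes or comments must survive.
SAMPLE_SCRIPT = "CREATE VIEW v AS SELECT 'a;b' AS x;\n" \
                "INSERT INTO t VALUES ('it''s; fine'); /* trailing; comment */\n" \
                "ALTER TABLE t ADD FOREIGN KEY (x) REFERENCES u(id)"
# split_sql_statements(SAMPLE_SCRIPT).each { |stmt| connection.execute(stmt) }
```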
If you look at the Rails code, you will find that the execute method runs the passed SQL, so it should essentially run all your queries as long as they are ';'-separated and valid.
EDIT: Sorry! No, it won't, because it will add ';' in between your query string and complain about wrong syntax.