Multi-statement execution
Posted Wednesday, February 3, 2010 3:35 AM
Ten Centuries
Interesting question - I guessed 0 rows - I thought that the dynamic SQL would execute and the results from the last statement - the delete statement would be inserted. Not really tried anything like this before - going to have a play with executing multiple statements in EXEC() and find out how it affects other things like @@rowcount as well.
Post #858488
Posted Wednesday, February 3, 2010 3:37 AM
SSCrazy
Really, this is not easy for SQL newbies. Tricky question.
But you can gain more knowledge from this.
Post #858489
Posted Wednesday, February 3, 2010 3:45 AM
Ten Centuries
Simon Liddle (2/3/2010)
I thought that the dynamic SQL would execute and the results from the last statement - the delete statement would be inserted.

...and that is nonsense the more I think about it! :)
Post #858491
Posted Wednesday, February 3, 2010 3:47 AM
SSCommitted
Ninja's_RGR'us (2/3/2010)
Joy Smith San (2/3/2010)
Well, usually I answer the question by reading it on the screen itself. I never copy and paste it into Query Analyzer. Had I copied it into Query Analyzer and read it, I would have definitely given the right answer. Hence I didn't feel it's a good question.

So good questions are only the ones you can answer???

I didn't mean it. I mean to say, this question is just tricky.
Playing with words and nothing else.
Post #858493
Posted Wednesday, February 3, 2010 3:55 AM
SSCommitted
Simon Liddle (2/3/2010)
Joy Smith San (2/3/2010)
Well, usually I answer the question by reading it on the screen itself. I never copy and paste it into Query Analyzer. Had I copied it into Query Analyzer and read it, I would have definitely given the right answer. Hence I didn't feel it's a good question.

I don't understand how your reliance on reading the code in QA to get it right has any bearing on the question being good or not.... How would reading it in QA (I assume you do mean reading and not executing) have caused you to work out a different answer?

Yes, you are right. I don't execute it, I just read it.
The difference is that, as you know, when you copy it into QA the colour changes. I would have easily found that the delete statement was a string appended to the insert statement.

Anyway, I was just giving my opinion. I hope I have the freedom to post what I feel, instead of always simply praising.

And yes, probably for a beginner it might be a good question. I agree.
Post #858495
Posted Wednesday, February 3, 2010 4:32 AM
Ten Centuries
Very nice question. Nice SQL injection with a side effect.
I hope I will never use something like this one.

See, understand, learn, try, use efficient
© Dr.Plch
Post #858512
Posted Wednesday, February 3, 2010 5:39 AM
SSC Eights!
An excellent question. The best questions get you thinking in new ways about tools you use all the time, and this certainly fits the bill.

Ultimately it came down to a coin-flip for me (which I consider a fail regardless of the fact that I picked the right answer), but once I read the explanation it made perfect sense. Of course the DSQL is going to execute completely before the insert takes place. Duh!

That said, I would never write code like this, but who knows... some day I might need a magic trick, and this example might point me in the right direction!


-----
a haiku...

NULL is not zero
NULL is not an empty string
NULL is the unknown
Post #858548
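The mechanism this post describes, as a constructed T-SQL example added here (it is not code from the thread or from the original question of the day; the temp tables, their rows and the @filter parameter are my own assumptions): EXEC runs every statement in the string before the outer INSERT consumes the result set, so the DELETE's side effect has already happened by the time the rows land. The second part shows the safer shape for dynamic SQL, where a value passed through sp_executesql is bound as a parameter and cannot add a statement to the batch.

```sql
-- Constructed scratch tables (not from the thread) to observe how
-- INSERT ... EXEC treats a dynamic SQL string holding two statements.
CREATE TABLE #Source (id int NOT NULL, val varchar(20) NOT NULL);
CREATE TABLE #Target (id int NOT NULL, val varchar(20) NOT NULL);

INSERT INTO #Source (id, val) VALUES (1, 'a'), (2, 'b'), (3, 'c');

-- A SELECT with a DELETE appended to the same string.
DECLARE @sql nvarchar(max) =
    N'SELECT id, val FROM #Source; DELETE FROM #Source WHERE id = 3;';

-- EXEC runs the whole string first. The SELECT produces the result set
-- the INSERT consumes; the DELETE runs afterwards inside that same batch,
-- so it has already executed when the outer INSERT completes.
INSERT INTO #Target (id, val)
EXEC (@sql);

-- Rows taken from the SELECT's result set, and what the DELETE left behind.
SELECT @@ROWCOUNT AS rows_inserted;
SELECT COUNT(*) AS rows_left_in_source FROM #Source;

-- Safer shape: a hypothetical @filter value travels as a typed parameter
-- of sp_executesql. It is bound as an int and can only supply a value;
-- it cannot append a second statement to the batch.
DECLARE @filter int = 2;
INSERT INTO #Target (id, val)
EXEC sp_executesql
    N'SELECT id, val FROM #Source WHERE id = @id;',
    N'@id int',
    @id = @filter;

SELECT id, val FROM #Target ORDER BY id;

DROP TABLE #Target;
DROP TABLE #Source;
```

Run it in a scratch database. The first SELECT reports how many rows the INSERT took from the dynamic batch's result set, and the second shows that #Source has already lost a row by then, which is the ordering the post above spells out.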
Posted Wednesday, February 3, 2010 6:11 AM
SSCrazy
Nice question, sir.
Post #858568
Posted Wednesday, February 3, 2010 6:45 AM
Ten Centuries
I guess the color coding in QA/SSMS does it? Paste it instead into Notepad++ or an equivalent text editor that has color coding for SQL, so you can't accidentally execute the code...

Anyone who has to deal with SQL injection can learn from this though, so I think it's a good question.


Ronald Hensbergen

Help us, help yourself... Post data so we can read and use it: http://www.sqlservercentral.com/articles/Best+Practices/61537/
-------------------------------------------------------------------------
2+2=5 for significant large values of 2
Post #858602
Posted Wednesday, February 3, 2010 7:38 AM
Ten Centuries
Thanks for a good question. For some reason, I was thinking that what would be inserted would be the deletion of the table.



Steve Eckhart
Post #858669