Updated Brute Force Search Tool
jimel 39024 (SSC-Addicted, 458 points)
Comments posted to this topic are about the item Updated Brute Force Search Tool
Sergiy (SSC Guru, 78201 points)
First error - Search Value is defined as a string.
It should be SQL_VARIANT.

Apart from preventing likely errors caused by a mismatch in formatting, it will also eliminate the necessity of the second parameter @SearchType.
SQL_VARIANT_PROPERTY of @SearchValue will give you the data type of the value you're looking for.

And I did not analyse the code thoroughly, but it seems quite defenceless against SQL injections.
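The two points raised above, worked through as an added example. This is not the article's script and not a patch to it; it is a stand-alone T-SQL demonstration on a constructed sample table (dbo.SearchDemo, #Hits and all other names are assumptions made for this example). The search value arrives as a single SQL_VARIANT, its base type is read with SQL_VARIANT_PROPERTY to pick which columns are worth scanning, and the dynamic statement quotes identifiers with QUOTENAME and passes the value through sp_executesql as a parameter, so the search value never becomes part of the SQL text.

```sql
SET NOCOUNT ON;

-- Constructed sample data for the example (assumed table name dbo.SearchDemo).
IF OBJECT_ID('dbo.SearchDemo', 'U') IS NOT NULL DROP TABLE dbo.SearchDemo;
CREATE TABLE dbo.SearchDemo
(
    Id      int           NOT NULL,
    Name    nvarchar(50)  NOT NULL,
    Joined  date          NOT NULL,
    Balance decimal(10,2) NOT NULL
);
INSERT INTO dbo.SearchDemo (Id, Name, Joined, Balance) VALUES
    (1, N'Alice',       '2020-01-15', 100.50),
    (2, N'Bob''s Shop', '2021-06-30',  42.00),
    (3, N'O''Brien',    '2019-11-02',  42.00);

-- One parameter instead of @SearchValue + @SearchType: the variant carries its own type.
DECLARE @SearchValue sql_variant = CONVERT(decimal(10,2), 42.00);
DECLARE @BaseType sysname = CONVERT(sysname, SQL_VARIANT_PROPERTY(@SearchValue, 'BaseType'));

-- Reduce the base type to the three families the tool supports (text, date, number).
DECLARE @Family varchar(6) =
    CASE
        WHEN @BaseType IN ('char','varchar','nchar','nvarchar')                            THEN 'text'
        WHEN @BaseType IN ('date','datetime','datetime2','smalldatetime','datetimeoffset') THEN 'date'
        WHEN @BaseType IN ('tinyint','smallint','int','bigint','decimal','numeric',
                           'money','smallmoney','float','real')                            THEN 'number'
    END;
IF @Family IS NULL
    THROW 50000, 'Search value must be a string, date or number.', 1;

IF OBJECT_ID('tempdb..#Hits') IS NOT NULL DROP TABLE #Hits;
CREATE TABLE #Hits (SchemaName sysname, TableName sysname, ColumnName sysname, MatchCount int);

-- Candidate columns: built-in types only, same family as the search value.
-- The full type declaration is rebuilt so the value is converted to exactly the column's type.
DECLARE @Schema sysname, @Table sysname, @Column sysname, @TypeDecl nvarchar(128), @Sql nvarchar(max);
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name,
           ty.name + CASE
               WHEN ty.name IN ('decimal','numeric')
                    THEN '(' + CAST(c.precision AS varchar(3)) + ',' + CAST(c.scale AS varchar(3)) + ')'
               WHEN ty.name IN ('char','varchar')
                    THEN '(' + CASE WHEN c.max_length = -1 THEN 'max' ELSE CAST(c.max_length AS varchar(5)) END + ')'
               WHEN ty.name IN ('nchar','nvarchar')
                    THEN '(' + CASE WHEN c.max_length = -1 THEN 'max' ELSE CAST(c.max_length / 2 AS varchar(5)) END + ')'
               WHEN ty.name IN ('datetime2','datetimeoffset')
                    THEN '(' + CAST(c.scale AS varchar(3)) + ')'
               ELSE ''
           END
    FROM sys.columns c
    JOIN sys.tables  t  ON t.object_id  = c.object_id
    JOIN sys.schemas s  ON s.schema_id  = t.schema_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id AND ty.is_user_defined = 0
    WHERE t.is_ms_shipped = 0
      AND CASE
              WHEN ty.name IN ('char','varchar','nchar','nvarchar')                            THEN 'text'
              WHEN ty.name IN ('date','datetime','datetime2','smalldatetime','datetimeoffset') THEN 'date'
              WHEN ty.name IN ('tinyint','smallint','int','bigint','decimal','numeric',
                               'money','smallmoney','float','real')                            THEN 'number'
          END = @Family;

OPEN cols;
FETCH NEXT FROM cols INTO @Schema, @Table, @Column, @TypeDecl;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME; the search value never touches the SQL text.
    -- The pattern to avoid is  N' WHERE ' + @Column + N' = ''' + @SearchValue + N''''
    -- where a value such as  x' OR 1=1 --  rewrites the query.
    SET @Sql = N'INSERT INTO #Hits (SchemaName, TableName, ColumnName, MatchCount) '
             + N'SELECT @s, @t, @c, COUNT(*) FROM ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
             + N' WHERE ' + QUOTENAME(@Column) + N' = TRY_CONVERT(' + @TypeDecl + N', @v) '
             + N'HAVING COUNT(*) > 0;';
    EXEC sys.sp_executesql @Sql,
         N'@s sysname, @t sysname, @c sysname, @v sql_variant',
         @s = @Schema, @t = @Table, @c = @Column, @v = @SearchValue;
    FETCH NEXT FROM cols INTO @Schema, @Table, @Column, @TypeDecl;
END
CLOSE cols; DEALLOCATE cols;

SELECT SchemaName, TableName, ColumnName, MatchCount FROM #Hits ORDER BY 1, 2, 3;

DROP TABLE #Hits;
DROP TABLE dbo.SearchDemo;
```

Two design notes. TRY_CONVERT to the column's own declared type is what keeps a decimal search from silently truncating against an int column, and it returns NULL instead of raising when a value cannot be converted, so one odd column does not abort the whole scan. Type names come from sys.types with is_user_defined = 0, so the only strings spliced into the statement are system type names and QUOTENAME-wrapped identifiers; everything supplied by the caller is a parameter. The same approach extends to the LIKE-based fuzzy modes by passing the pattern as the parameter instead of the raw value.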
jimel 39024 (SSC-Addicted, 458 points)
Thanks for your comments. This is not a production script, nor is it designed for anything other than internal use. It only supports text, date and number searches, so I didn't see a huge need to use a SQL_Variant type. SQL injections are not an issue, as this should not be used in a production environment. If that is your intent, I would suggest finding a different script, as this returns table and column structures via the SQL it returns from matches it has found, which would be a perfect tool for a nefarious person to help SQL inject your application. So I see your points but don't see any reason to adjust the script for either case. Just know that this is a tool for internal use, and know that a text search requires a string, dates require a date, and numbers require a number, and it should work fine.
giovanni.tamborini (Forum Newbie, 2 points)
Hi John,
I found your solution very useful.
I think there is just one error, in the fuzzy match = 'ends', because you save in resultsql ''''+@SearchValue+'%''' instead of '''%'+@SearchValue+''''.
I made my own customizations for my use:
1. CONCAT caused a problem for me (I use SSMS 2016, I don't know why); I replaced it with a simple +.
2. I put it under a transaction + rollback, to avoid saving to the DB.
3. Easy way: I reduced the bit parameters in input; I manage them by comparing ltrim(rtrim(isnull(@...List,''))) = '' to have fewer error cases to manage.
4. I added a schema manager, with include & exclude methods like the table management.
5. I renamed @IncludeTableList ==> @IncludeOnlyTableList, just renamed for immediate meaning.

So it is perfect for me ... for now ;-)
jimel 39024 (SSC-Addicted, 458 points)
Ah, good spot on the 'ends' results query, didn't notice my mess-up there. At least it wasn't an issue with the query that does the search, just the returned query. For those of you who need that fixed, just replace line 295 with the following text:
'''%'+@SearchValue+''''


As for CONCAT not working for you, I wonder if your database compatibility level is set to an older version of SQL maybe; it should work fine in SQL 2016 as long as the compatibility level is 2012 or higher.

Glad it could help you out, and also that you were able to modify for your usage.

Thanks a bunch

John
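The 'ends' fix above, shown as an added example (not the article's script): it evaluates the two literal builders from the thread side by side, then builds the LIKE pattern for each fuzzy-match mode in a way that survives embedded quotes and wildcard characters in the search value. The mode names starts/ends/contains, the temp table #Demo and its rows are assumptions constructed for this example.

```sql
SET NOCOUNT ON;

-- Constructed sample rows for the example (assumed temp table #Demo).
IF OBJECT_ID('tempdb..#Demo') IS NOT NULL DROP TABLE #Demo;
CREATE TABLE #Demo (Id int, Name nvarchar(50));
INSERT INTO #Demo (Id, Name) VALUES
    (1, N'Alice'), (2, N'Bob''s Shop'), (3, N'Shop Floor'), (4, N'Auto Shop');

DECLARE @SearchValue nvarchar(100) = N'Shop';

-- The two builders discussed in the thread, evaluated:
--   ''''+@SearchValue+'%'''  produces  'Shop%'  which is a "starts" pattern,
--   '''%'+@SearchValue+''''  produces  '%Shop'  which is the "ends" pattern.
SELECT ''''+@SearchValue+'%''' AS WrongEndsLiteral,
       '''%'+@SearchValue+'''' AS CorrectEndsLiteral;

-- Escape LIKE metacharacters in the value so a search for 50% or a_b is literal.
-- The backslash is escaped first so it can serve as the ESCAPE character.
DECLARE @Escaped nvarchar(200) =
    REPLACE(REPLACE(REPLACE(REPLACE(@SearchValue, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[');

-- One pattern per mode (assumed mode names).
DECLARE @Modes TABLE (Mode varchar(8), Pattern nvarchar(220));
INSERT INTO @Modes (Mode, Pattern) VALUES
    ('starts',   @Escaped + N'%'),
    ('ends',     N'%' + @Escaped),
    ('contains', N'%' + @Escaped + N'%');

-- The query text the tool would hand back for each mode. QUOTENAME(x, '''')
-- produces a valid string literal and doubles embedded quotes, so a value such
-- as Bob's Shop does not break the returned query. Caveat: QUOTENAME returns
-- NULL for input longer than 128 characters, so very long values need another path.
SELECT Mode,
       N'SELECT Id, Name FROM #Demo WHERE Name LIKE ' + QUOTENAME(Pattern, '''') + N' ESCAPE ''\''' AS ResultSql
FROM @Modes;

-- Run the "ends" form: it should return Bob's Shop and Auto Shop but not Shop Floor.
DECLARE @Sql nvarchar(max);
SELECT @Sql = N'SELECT Id, Name FROM #Demo WHERE Name LIKE ' + QUOTENAME(Pattern, '''') + N' ESCAPE ''\'''
FROM @Modes
WHERE Mode = 'ends';
EXEC sys.sp_executesql @Sql;

DROP TABLE #Demo;
```

Generating a literal with QUOTENAME(..., '''') is only for the human-readable query the tool hands back. When the search itself runs, the pattern should be passed to sp_executesql as an nvarchar parameter rather than spliced into the text, which removes the quoting question entirely for that path.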