Are the posted questions getting worse?
-
Can anyone recommend a powershell forum? Invoke-webrequest loses some of its parsing in powershell 6 (especially the forms part)
- Jo Pattyn wrote:
Can anyone recommend a powershell forum? Invoke-webrequest loses some of its parsing in powershell 6 (especially the forms part)
I tend to google things if I'm honest, not really found a community to ask on. MSDN would probably be a start though.
Do you mean the
-formswitch? It looks like that was added (back?) in 6.1.0, according to the documentation. I actually get more switching available in Powershell Core 6.2.4 than I do in Powershell 5.1.18362.145.Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk -
going back to the original topic - are the questions getting stupider
i got asked if this represents a sql injection risk 🙁
shall we ask if bob can be 1; exec xp_cmdshell ' format c:' --
MVDBA
- MVDBA (Mike Vessey) wrote:
going back to the original topic - are the questions getting stupider
i got asked if this represents a sql injection risk 🙁
It honestly terrifies me how frequently I still see injectable code in questions on forums. I don't know if it's the tutors that aren't teaching people properly, students/developers that can't be "bothered" to code properly in the first place, or that it's because YaDuckIngGle is giving bad information for the first result in the search.
Considering the wealth of information out there and the transparency of reports about data breaches, which are often at least compounded by injection issues, you'd think people would have learned.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk - Thom A wrote:MVDBA (Mike Vessey) wrote:
going back to the original topic - are the questions getting stupider
i got asked if this represents a sql injection risk 🙁
It honestly terrifies me how frequently I still see injectable code in questions on forums. I don't know if it's the tutors that aren't teaching people properly, students/developers that can't be "bothered" to code properly in the first place, or that it's because YaDuckIngGle is giving bad information for the first result in the search.
Considering the wealth of information out there and the transparency of reports about data breaches, which are often at least compounded by injection issues, you'd think people would have learned.
I don't know if my advice was correct (i'm excluding the swear words) - all he wanted to do was pass a list of columns he wanted to select into a query using dynamic sql and a delimited list... how about he uses a stored proc with a TVP, we can verify that the rows in the TVP are column names and then build the dynamic sql in the proc... ok it's not brilliant, we still have query plan issues... but bob can't be exploited any more 🙂
MVDBA
-
and don't ask why we want to choose the columns in sql - I suggested doing a "select as many as you need" and use a show/hide property in the presentation layer... apparently there are just over 1,000 fields in the table ….select * is a bit of a no-go
we do advise, but often we are not heard
MVDBA
- MVDBA (Mike Vessey) wrote:
and don't ask why we want to choose the columns in sql - I suggested doing a "select as many as you need" and use a show/hide property in the presentation layer... apparently there are just over 1,000 fields in the table ….select * is a bit of a no-go
we do advise, but often we are not heard
"Fields"? Wash your keyboard out with soap and water immediately!
If you haven't even tried to resolve your issue, please don't expect the hard-working volunteers here to waste their time providing links to answers which you could easily have found yourself.
- MVDBA (Mike Vessey) wrote:Thom A wrote:MVDBA (Mike Vessey) wrote:
going back to the original topic - are the questions getting stupider
i got asked if this represents a sql injection risk 🙁
It honestly terrifies me how frequently I still see injectable code in questions on forums. I don't know if it's the tutors that aren't teaching people properly, students/developers that can't be "bothered" to code properly in the first place, or that it's because YaDuckIngGle is giving bad information for the first result in the search.
Considering the wealth of information out there and the transparency of reports about data breaches, which are often at least compounded by injection issues, you'd think people would have learned.
I don't know if my advice was correct (i'm excluding the swear words) - all he wanted to do was pass a list of columns he wanted to select into a query using dynamic sql and a delimited list... how about he uses a stored proc with a TVP, we can verify that the rows in the TVP are column names and then build the dynamic sql in the proc... ok it's not brilliant, we still have query plan issues... but bob can't be exploited any more 🙂
Another approach is to have a stored procedure that accepts a CSV list of column names. Treating the string like data, split it into rows and verify each one against sys.columns by name for the appropriate table. Now you can know if any of the provided column names don't match a column in the target table. If there's anything that doesn't match, quietly return without giving anything back (no hints).
-
yeah - data splits on 1000 potential fields, bad use of loops or functions. at least with a TVP you can just do an inner join on syscolumns before you reject the query. I would not want to string split a huge number of values , then validate each one (or build a table). this is what TVP was designed for - pass a table as a parameter
MVDBA
- MVDBA (Mike Vessey) wrote:
yeah - data splits on 1000 potential fields, bad use of loops or functions. at least with a TVP you can just do an inner join on syscolumns before you reject the query. I would not want to string split a huge number of values , then validate each one (or build a table). this is what TVP was designed for - pass a table as a parameter
Fair point on the length of the string, as you don't want to allow a MAX. For set-based splits on non-MAX data types, see the second link in my signature. Eirikur Ericson has an article that improves performance even more on SQL 2012+. For MAXes, all performance bets are off.
- MVDBA (Mike Vessey) wrote:
apparently there are just over 1,000 fields in the table ….select * is a bit of a no-go
we do advise, but often we are not heard
Over 1,000 fields; so 1,024 then? That's the max. 😉
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk -
We had our annual DR test scheduled for last Saturday. It was supposed to commence at 3:00 AM.
Just before 11:00 PM Friday, I get the call from our monitoring company. None of the servers in the secondary data center are accessible. Myself and the network admin spent the next 2 hours scratching our heads.
Our hosting company called. They had a work order for another customer to take down a circuit. Whoops. They took down ours by mistake. They got it back, and the AD groups started syncing.
The DR test did go off without a hitch, except when the DBA couldn't connect to a server. Of course, he was trying to connect to a fat-fingered server name for 20 minutes.
Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/ - Michael L John wrote:
We had our annual DR test scheduled for last Saturday. It was supposed to commence at 3:00 AM.
Just before 11:00 PM Friday, I get the call from our monitoring company. None of the servers in the secondary data center are accessible. Myself and the network admin spent the next 2 hours scratching our heads.
Our hosting company called. They had a work order for another customer to take down a circuit. Whoops. They took down ours by mistake. They got it back, and the AD groups started syncing.
The DR test did go off without a hitch, except when the DBA couldn't connect to a server. Of course, he was trying to connect to a fat-fingered server name for 20 minutes.
Mike, it sounds like a confluence of a comedy of errors. When it rains, it pours. Glad to hear the DR was successful, but sorry to hear about the drama that came along with it.
-
Speaking of a comedy of errors. This past weekend they moved our servers to a new location. After the move they released any jobs that were on HOLD. Now I wasn't part of this move so I don't know the details. I assume they put everything on HOLD before moving the server. They didn't take a look at what was already on Hold. Friday when I left I had a job on hold, it ran Saturday night after the move was done. When I came in today(Monday) I noticed the jobs had ran. My first thought was I'm going to prison, because I'm going to murder someone. I thought I was going to have to restore several tables. Every job started at the same time. Luckily these jobs either failed because it was trying to duplicate keys or another job cleared the 'work' tables so others had nothing to work with. I've calmed down now, but not the way you want to start off the week.
-------------------------------------------------------------
we travel not to escape life but for life not to escape us
Don't fear failure, fear regret. -
Hahaha, had an upgrade weekend myself. Things went fairly smoothly, other than timing being WAY off from estimated and me validating tables in the back of a bowling alley while my son was at a birthday party.
Of course the PM sent out emails saying my part was "completed" when I didn't even have access to the db yet, so I was furiously validating and hoping I didn't have to find something and escalate after he gave it a green light.
Always fun.
-------------------------------------------------------------------------------------------------------------------------------------
Please follow Best Practices For Posting On Forums to receive quicker and higher quality responses
Viewing 15 posts - 64,486 through 64,500 (of 66,547 total)
You must be logged in to reply to this topic. Login to reply