| Author |
Topic |
|
ferrethouse
Constraint Violating Yak Guru
352 Posts |
 Posted - 2011-11-17 : 17:07:46
|
I see quite a few functions in our database that do something similar. This one in particular is called 18 times per second so I'm guessing that getting rid of the cursor would greatly improve performance...ALTER FUNCTION [dbo].[FuncGetSmartDepartmentRules] ( -- Add the parameters for the function here @DepartmentID INT)RETURNS VARCHAR(MAX)ASBEGIN -- Declare the return variable here DECLARE @Sql VARCHAR (MAX),@SqlFilter VARCHAR(MAX) -- Declare cursor DECLARE smart_deps CURSOR FAST_FORWARD FOR SELECT SQLFilter FROM SmartDepartments WHERE DepartmentID = @DepartmentID OPEN smart_deps FETCH NEXT FROM smart_deps INTO @SqlFilter --first part of sql SET @Sql = @SqlFilter FETCH NEXT FROM smart_deps INTO @SqlFilter WHILE @@FETCH_STATUS = 0 BEGIN SET @Sql = @Sql + ' OR ' + @SqlFilter FETCH NEXT FROM smart_deps INTO @SqlFilter END CLOSE smart_deps DEALLOCATE smart_deps -- Return the result of the function RETURN @SqlEND |
|
|
Lamprey
Master Smack Fu Yak Hacker
4614 Posts |
|
|
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2011-11-17 : 17:22:20
|
Ok.................You may not be aware of this but It's pretty obvious that your database is WIDE OPEN potentially vulnerable to SQL INJECTION attack.If anyone manages to get some malicious sql into [SQLFilter] in the SmartDepartments table then this is going to spit out a really compromised dynamic string back to some proc that'll just blindly execute it? or do you sanity check the results from the func??Anyway, to answer your question (get rid of cursor)You can concatenate strings using a vanilla SELECT statement. No need for the cursorExample:DECLARE @sql NVARCHAR(MAX)SET @sql = N'SELECT *FROM someTableWHERE 1 = 0'DECLARE @foo TABLE ( [injectionAttack] NVARCHAR(MAX) )INSERT @foo ([injectionAttack]) SELECT '1 = 1'UNION SELECT '1 = 1; DROP TABLE Sales; --'UNION SELECT 'x = y'-- Concatenate the stringSELECT @sql = sql + ' OR ' + [InjectionAttack]FROM @fooPRINT @sql which would eliminate the need for a cursor but wouldn't help your vulnerability anyIf you are going to do shit like this then you NEED TO CHECK ALL INPUTS. Regardless of if they are user generated or come from some database table. Just because the strings are in the db already doesn't mean they are safe.EDIT -- too harshCharlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION |
 |
|
|
sanjnep
Posting Yak Master
191 Posts |
Posted - 2011-11-17 : 17:45:02
|
| I think so... |
|
|
|
ferrethouse
Constraint Violating Yak Guru
352 Posts |
Posted - 2011-11-17 : 17:51:44
|
| The inputs are checked when put into table SmartDepartments |
|
|
|
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2011-11-17 : 17:59:06
|
| cool. Do you ever check them again once they are in there?At least you can remove that cursor now!Charlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION |
|
|
|
ferrethouse
Constraint Violating Yak Guru
352 Posts |
Posted - 2011-11-17 : 18:01:17
|
quote:
Originally posted by Transact Charlie
cool. Do you ever check them again once they are in there?At least you can remove that cursor now!Charlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION
Why would I need to check them again? |
|
|
|
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2011-11-17 : 18:19:51
|
| bulk import / some other mechanism that bypasses your std insert checks.basically just be really, really, really cautious. I always get nervous when people propose code like that.If I have to do any kind of general purpose search (searching a dynamic number of columns from a table). I'd much rather implement a dynamic sql solution that doesn't run the risk of sql injection at all.Gail posted a good article on 'catch all' queries that might be of interest to you.http://sqlinthewild.co.za/index.php/2009/03/19/catch-all-queries/Charlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION |
|
|
|
ferrethouse
Constraint Violating Yak Guru
352 Posts |
Posted - 2011-11-17 : 18:30:14
|
quote:
Originally posted by Transact Charlie
bulk import / some other mechanism that bypasses your std insert checks.basically just be really, really, really cautious. I always get nervous when people propose code like that.If I have to do any kind of general purpose search (searching a dynamic number of columns from a table). I'd much rather implement a dynamic sql solution that doesn't run the risk of sql injection at all.Gail posted a good article on 'catch all' queries that might be of interest to you.http://sqlinthewild.co.za/index.php/2009/03/19/catch-all-queries/Charlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION
I appreciate your feedback Charlie |
|
|
|
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2011-11-17 : 18:42:23
|
| welcomeCharlie===============================================================Msg 3903, Level 16, State 1, Line 1736The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION |
|
|
|
|
Can this be written without a cursor?