asp:SqlDataSource - Debugging a parameterized query - asp.net

Is there any way to see what the SQL looks like after the parameters are resolved?
For example here is a small part of my SQL:
([Event].[Start_Time] LIKE #StartTimeValue)
And my parm:
SqlDataSourceObject.SelectParameters.Add("StartTimeValue", TypeCode.DateTime, StartTimeValue)
But what does the final SQL look like when the parm #StartTimeValue is replaced with the value in StartTimeValue?
How can I see that?
Thanks for your help.

Do you have access to the database server? From there you could run a tool like SQL Profiler.
Another way is to set a break point just before the query is executed and examine the variables that went in. Usually the issue lies somewhere with the variables you're passing in (they are null, etc) and not with the resolved query itself. You could also set it up in a SQL query window like so:
-- Declare the variable to be used.
DECLARE #StartTimeValue datetime;
-- Initialize the variable.
SET #StartTimeValue = '<PASTE VARIABLE VALUE YOU GOT FROM DEBUGGING HERE>';
SELECT * FROM [Event] WHERE ([Event].[Start_Time] LIKE #StartTimeValue);

Related

Error with SQLite query, What am I missing?

I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.

Getting out a single value from a sql database (asp.net)

I'm trying to get a single value from my table in a database. They are all given a unique id when stored. Here is the code I use to put the in:
With SqlDataSource1
.InsertParameters("page").DefaultValue = ViewState("TrueURL")
If My.User.IsAuthenticated Then
.InsertParameters("sender").DefaultValue = My.User.Name
Else
.InsertParameters("sender").DefaultValue = Request.UserHostAddress.ToString
End If
.InsertParameters("details").DefaultValue = PrepareText(TextBox2.Text)
.InsertParameters("date").DefaultValue = Now()
.Insert()
End With
That was so you could get an idea of what I was looking for, I'm not looking for sql statements, I don't know how to use them.
Just keep in mind, this is all vb.net/asp.net.
Thanks!
--EDIT--
I think I found something useful but I can't find how to use it. The Select function. It returns something and accepts parameters like the insert one I mentioned above... any ideas?
You cant extract it without first running an SQL query to extract it.
If you've got this far, read a little further in the MS help pages about how to run the select querys, this is where you would put your SQL statements.

The full-text query parameter for Fulltext Query String is not valid

I am using Full Text Search with LINQ in my application and as this is not supported by LINQ I use a table-valued function workaround. The function is created on SQL Server 2008.
Surprisingly, I get error “The full-text query parameter for Fulltext Query String is not valid” when I search for a simply text e.g. “manager”
I used SQL Server Profiler and found out that LINQ generated the parameter as nvarchar(4000) instead of nvarchar(250) which is in my function.
The biggest surprise came when I changed my SQL Server function so it accepts parameter as nvarchar(4000) instead of nvarchar(250) and the problem is solved.
I was also playing to change the parameter to nvarchar(2000) and less but this also didn’t work.
Does anybody know why this behaves this way?
Updated on 18th November 2013 - Good news and bad news
Good news - I am now using Entity Framework 6 for this particular example and it is not anymore needed to use nvarchar(4000)
Bad news - You have to use instead nvarchar(max) :-(
For an expanation see the following link http://social.msdn.microsoft.com/Forums/en-US/linqtosql/thread/1a46d676-32f0-44a4-b39f-61a17bccb8e3/.
In my case I had to force JAVA to call my Table-Value-Function with matching datatype as below
query.setParameter(0, variable, new **StringNVarcharType**() )
You need to ensure the size of the varchar (or nvarchar) variables are the same in your sql function and where they are declared.
In my case I had a function that declared the variable as nvarchar(100) but the stored procedure that called the function declared the variable passed in as nvarchar(200). Changing the function to be the same as the stored procedure variable fixed this.
Code below shows the non-working case with the inconsistently sized nvarchars.
CREATE FUNCTION [dbo].[udf_FullTextSearch](#searchExpression nvarchar(100))
RETURNS TABLE
AS
RETURN
SELECT *
FROM Company c
WHERE contains(c.Name, #searchExpression)
GO
DECLARE #searchExpression nvarchar(200) = '"ltd"'
SELECT * FROM [dbo].[udf_FullTextSearch](#searchExpression)

SQL Server 2005 - Pass In Name of Table to be Queried via Parameter

Here's the situation. Due to the design of the database I have to work with, I need to write a stored procedure in such a way that I can pass in the name of the table to be queried against if at all possible. The program in question does its processing by jobs, and each job gets its own table created in the database, IE table-jobid1, table-jobid2, table-jobid3, etc. Unfortunately, there's nothing I can do about this design - I'm stuck with it.
However, now, I need to do data mining against these individualized tables. I'd like to avoid doing the SQL in the code files at all costs if possible. Ideally, I'd like to have a stored procedure similar to:
SELECT *
FROM #TableName AS tbl
WHERE #Filter
Is this even possible in SQL Server 2005? Any help or suggestions would be greatly appreciated. Alternate ways to keep the SQL out of the code behind would be welcome too, if this isn't possible.
Thanks for your time.
best solution I can think of is to build your sql in the stored proc such as:
#query = 'SELECT * FROM ' + #TableName + ' as tbl WHERE ' + #Filter
exec(#query)
not an ideal solution probably, but it works.
The best answer I can think of is to build a view that unions all the tables together, with an id column in the view telling you where the data in the view came from. Then you can simply pass that id into a stored proc which will go against the view. This is assuming that the tables you are looking at all have identical schema.
example:
create view test1 as
select * , 'tbl1' as src
from job-1
union all
select * , 'tbl2' as src
from job-2
union all
select * , 'tbl3' as src
from job-3
Now you can select * from test1 where src = 'tbl3' and you will only get records from the table job-3
This would be a meaningless stored proc. Select from some table using some parameters? You are basically defining the entire query again in whatever you are using to call this proc, so you may as well generate the sql yourself.
the only reason I would do a dynamic sql writing proc is if you want to do something that you can change without redeploying your codebase.
But, in this case, you are just SELECT *'ing. You can't define the columns, where clause, or order by differently since you are trying to use it for multiple tables, so there is no meaningful change you could make to it.
In short: it's not even worth doing. Just slop down your table specific sprocs or write your sql in strings (but make sure it's parameterized) in your code.

SQL Server Error: "Cannot use empty object or column names"

I get the following error:
Cannot use empty object or column names. Use a single space if necessary.
Msg 1038, Level 15, State 3, Line 1
and the query command looks like:
SELECT TOP 100 PERCENT
[].[cms_page].[pa_id], [].[cms_page].[pa_key],
[].[cms_page].[pa_title], [].[cms_page].[pa_keywords],
[].[cms_page].[pa_description], [].[cms_page].[pa_header],
[].[cms_page].[pa_created], [].[cms_page].[pa_modified],
[].[cms_page].[pa_language] FROM [cms_page]
WHERE
[cms_page].[pa_key] = #pa_key0
ORDER BY
[pa_id] ASC;
Strange indeed. Why does this happen? I'm using SubSonic 2.1.
Connectionstring:
<add name="OCDB" connectionString="Network Library=DBMSSOCN;Data Source=127.0.0.1,1433;Initial Catalog=test_db;User ID=test;Password=testpwd"/>
Edit: Well the solution was just to simply generate and rebuild the Data Access Layer and I was good to go.
You seem to be using a 3 part name with part of it empty, i.e. '[].'
It looks as though the query text is being constructed with an empty table schema.
Those empty [] square brackets should contain something like "dbo" to make the query syntactically valid. I don't know enough about SubSonic to give you a code sample though.
I'm not familiar with SubSonic, but have you tried a simpler query to test if you have your syntax correct? Does this query even work in SQL Server (Management Studio / Query Analyzer)?
Just looking at this from the perspective of SQL Server, you are using way too many brackets. If I was writing that query in SQL Server, it would look more like what I wrote below. I'm not sure about the variable #pa_key0, is this query part of a stored procedure or does SunSonic replace this variable when the query is ran?
SELECT
pa_id,
pa_key,
pa_title,
pa_keywords,
pa_description,
pa_header,
pa_created,
pa_modified,
pa_language
FROM
cms_page
WHERE
pa_key = #pa_key0
ORDER BY
pa_id ASC;
I think you need to set the schema for Subsonic to use. This thread seems to have some information:
Subsonic - How to use SQL Schema / Owner name as part of the namespace?

Resources