How can i make query to PL/SQL local collections like TABLE OF and VARRAY?
I searched the web , but whatever I found is to iterate over them eg. FOR LOOP!
Is there any facility to make query to them?
Thanks.
The SQL engine can make queries, the PL/SQL engine cannot. So you need to cast your collections to table types that are known to the SQL engine.
SQL doesn't know about types declared in packages, so you have to declare them at the global level.
Judging by your comment it seems like you pretty much figured it out already.
Related
I'm working on some R-scripts which require the use of database queries. My IT department mentioned to me that these scripts require too much of the database (shared pool) and I should use bind-variables.
I am not very familiar with database designing, but I found out that bind variables are like variables i.e. if you use for example and date=:var in a statement.
Is it possible to use such statements when working with R (RODBC)?
Thank u very much
It seems that using bind variables is a part of the SQL query you write. So I presume that when you connect to the Oracle database using RODBC, you can pass an valid SQL query that contains bind variable syntax, and that this would simply work.
I started to use Flyway in my current project for database migrations and I like it very much. I currently use Oracle in PROD- and Derby in TEST-Environment.
Pretty soon, I did run in the problem of database specific sql commands, e.g.
ALTER TABLE T1 MODIFY F1 VARCHAR(256); on Oracle vs
ALTER TABLE T1 ALTER F1 SET DATA TYPE VARCHAR(256); on Derby.
I can't see a way to write a "vendor neutral alter table modify column datatype" sql.
What's the best way to deal with this problem using Flyway?
You can use the flyway.locations property.
In test in would look like this:
flyway.locations=sql/common,sql/derby
and in prod:
flyway.locations=sql/common,sql/oracle
You could then have the common statements (V1__Create_table.sql) in common and different copies of the DB-specific statements (V2__Alter_table.sql) in the db-specific locations.
An even better solution, in my opinion, is to have the same DB in prod and test. Yes, you do lose a bit of performance, but on the other hand you also eliminate another difference (and potential source of errors) between the environments.
The differences in SQL between Oracle and some of these desktop databases is minor. Is it possible for a developer to insert custom code to do some light-weight dynamic stripping of the SQL at runtime based on the environment (e.g. remove tablespace designation)?
I prefer this approach to relying on each developer to manually keep two sets of SQL in sync.
In ASP.NET, can I store parameterized sql queries in .resx files and not get into trouble when I have several users logged in at the same time?
For example, i'll put my user detail query in a .resx file:
SELECT * FROM User WHERE UserId = #UserId
How will ASP.NET treat it? Like a "Session" (different users have different results) or like a "public static"/"Application" ?
resource files are typically for storing language specific strings, not for storing queries to execute, I guess you could do it, but why? It seems that there is a piece missing from your question, what is driving this requirement on your end?
EDIT: If you only have access to mysql, why not use an ORM tool like subsonic or nhibernate
I'm not intending to comment so much on whether this is a good idea or not, but basically, aren't you just storing strings? When you use a parameterized query, in ADO.NET at least, you will add the parameters before running the query.
#UserID would have to come from your code, which needs to somehow obtain the value from the logged-in user (or however your app works), so it doesn't matter how static or not the strings are.
That said, you should be using stored procedures if possible instead of this.
I have used parameterized query number of times I know it helps in preventing SQL injection.
But, I was wondering if I can know what is basic logic working inside a parameterized query
to prevent SQL injection may be it is very simple but I don't know about it. I tried to search google what are the basic of it but every time I found an example that how to use parameterized query in Asp.net.
I know about making a special class which stops those special characters like (',-- etc) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
And one last thing does .net parameterized query can fully stop SQL injection?
I think parametrized queries are not dependent on prepared queries database support. Database driver itself passing values the safe way, and how is it done depends on driver itself.
The PostgreSQL manual explains basics about parametrized queries on database level.
On the other hand, parametrized queries simplifies you passing locale sensitive data.
For example, user enters 100,00 decimal, but your server expects 100.00 value.
In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed to parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk for SQL injection. You should the security manual for the database you're using, it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following best the practices that apply to your database.
I'm currently looking at a terrible legacy ColdFusion app written with very few stored procedures and lots of nasty inline SQL statements (it has a similarly bad database too).
Does anyone know of any app which could be used to search the files of the app picking out any SQL statements and listing the tables/stored procedures which are referenced?
Dreamweaver will allow you to search the code of the entire site. If the site is setup properly including the RDS password and provide a data source it can tell you a lot of information. I've only set it up once so I can't remember exactly what information it gives you, I think maybe just the DB structure. Application window > databases. Even if it isn't set up properly just searching for "cfquery" will quickly find all your queries.
You could also write a CF script using CFDirectory/CFFile to loop the .cfm files and parse everything between cfquery and /cfquery tags.
CFBuilder may have some features like that but I'm not to familiar with it yet.
edit I've heard that CFBuilder can't natively find all your cfqueries that don't have cfqueryparam but you can use CF to extend CFB to do so. I imagine you could find/write something for CFB to help you with your problem.
another edit
I know it isn't indexing the contents of the query, but you can use regex to search using the editor as well. searching for <cfquery.+(select|insert|update|delete) checking the regex box should find the queries that aren't using cfstoredProc (be sure to uncheck the match case option if there is one). I know Dreamweaver and Eclipse can both search for Regex.
HTH
As mentioned above I would try a grep with a regex looking for
"<cfquery*" "</cfquery>" and "<cfstoredproc*" "</cfstoredproc>"
In addition if you have tests that have good code coverage or even just feel like the app is fully exercised in production you could try turning on "Log Database Calls" in Admin - > Datasources or maybe even at the JDBC driver level, just monitor performance to make sure it does not slow the site down unacceptably.
In short: no. You'd have to do alot of tricky parsing to make sure you get all the SQL. And because you can glob SQL together from lots of strings, you'll almost always miss some of it.
The best you're likely to do will be a case insensitive grep for "SELECT|INSERT|UPDATE|DELETE" and then manually pulling out the table names.
Depending on how the code is structured, you might be able to get the table names by regexing the SQL from clause. But that's not foolproof. Alot of people use string concatenation to build SQL statements. This is bad because it can introduce SQL injection attacks, and it also make this particular problem harder.