September 17, 2014 at 5:29 pm
Sean Lange (9/17/2014)
WayneS (9/17/2014)
Sean Lange (9/17/2014)
ROFLMAO!!!! I just got a dev ticket to look into a website that was written and deployed about 3 years before I got here. The ONLY page on the entire site that does anything more than deliver static content is a page with a form that allows the user to upload a file. I was told this is really important because the last submission received was in 2010. Obviously mission critical functionality here. Add to that it is written in Classic ASP. I opened the thing for the first time ever today and it is wide open to SQL injection, JavaScript injection and probably more. There is only 1 way to fix this, take it out to the pasture and shoot it. 😛
Is this a public facing website? Care to send me a link? 😉
Not really. 😛 Not wanting to turn something that I can easily blow off for at least 4 years into something I have to fix immediately. It is public facing and truly horrible. It just takes the text boxes and builds a pass-through query blindly. Not even an attempt made to protect anything. Add to that the ability to upload files with no checking on file type or anything at all. The URL alone is enough to gain access to the network and I am not handing out that key. YUCK!!!
Please????? (I have this neat SQL Injection demo that I do... it would be neat to incorporate this into it and show a real world hack!) :cool::w00t:
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
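Added example, not code from the thread or from the site Sean describes: the "takes the text boxes and builds a pass-through query blindly" pattern reduced to T-SQL so it can be run in SSMS, next to the parameterized form that closes the hole. The table, column and procedure names are assumptions for illustration; the hostile input is a constructed one.

```sql
-- Added example (not from the thread). Table and procedure names are assumptions.
CREATE TABLE dbo.Submission (
    SubmissionId int IDENTITY PRIMARY KEY,
    Submitter    nvarchar(100) NOT NULL,
    FileName     nvarchar(260) NOT NULL);
INSERT dbo.Submission (Submitter, FileName)
VALUES (N'alice', N'report.pdf'), (N'bob', N'notes.txt');
GO

-- Vulnerable: the form value is concatenated into the statement text, so the
-- caller controls the SQL, not just the value being compared.
CREATE PROCEDURE dbo.FindSubmission_Unsafe @Submitter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT SubmissionId, Submitter, FileName FROM dbo.Submission '
      + N'WHERE Submitter = ''' + @Submitter + N'''';
    EXEC (@sql);
END;
GO

-- Fixed: the statement text is constant and the value travels as a typed
-- parameter through sp_executesql, so it can never be parsed as SQL.
CREATE PROCEDURE dbo.FindSubmission_Safe @Submitter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT SubmissionId, Submitter, FileName FROM dbo.Submission '
      + N'WHERE Submitter = @s';
    EXEC sys.sp_executesql @sql, N'@s nvarchar(100)', @s = @Submitter;
END;
GO

-- A benign value behaves the same in both procedures.
EXEC dbo.FindSubmission_Unsafe @Submitter = N'alice';
EXEC dbo.FindSubmission_Safe   @Submitter = N'alice';

-- A constructed hostile value. In the unsafe procedure the WHERE clause becomes
--   WHERE Submitter = '' OR 1=1 --'
-- and every row comes back; the safe procedure looks for a submitter literally
-- named that and returns nothing.
EXEC dbo.FindSubmission_Unsafe @Submitter = N''' OR 1=1 --';
EXEC dbo.FindSubmission_Safe   @Submitter = N''' OR 1=1 --';
GO
```

The same split applies in the Classic ASP page itself: an ADODB.Command with appended Parameters is the parameterized path, string-building the query into Connection.Execute is the pass-through one. Parameterizing does nothing for the second problem in the post (uploads with no type, size or content check), which needs its own fix.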
September 17, 2014 at 6:39 pm
WayneS (9/17/2014)
Sean Lange (9/17/2014)
WayneS (9/17/2014)
Sean Lange (9/17/2014)
ROFLMAO!!!! I just got a dev ticket to look into a website that was written and deployed about 3 years before I got here. The ONLY page on the entire site that does anything more than deliver static content is a page with a form that allows the user to upload a file. I was told this is really important because the last submission received was in 2010. Obviously mission critical functionality here. Add to that it is written in Classic ASP. I opened the thing for the first time ever today and it is wide open to SQL injection, JavaScript injection and probably more. There is only 1 way to fix this, take it out to the pasture and shoot it. 😛
Is this a public facing website? Care to send me a link? 😉
Not really. 😛 Not wanting to turn something that I can easily blow off for at least 4 years into something I have to fix immediately. It is public facing and truly horrible. It just takes the text boxes and builds a pass-through query blindly. Not even an attempt made to protect anything. Add to that the ability to upload files with no checking on file type or anything at all. The URL alone is enough to gain access to the network and I am not handing out that key. YUCK!!!
Please????? (I have this neat SQL Injection demo that I do... it would be neat to incorporate this into it and show a real world hack!) :cool::w00t:
You could just use any number of e-commerce sites out there for that demo...;)
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
September 17, 2014 at 6:53 pm
Roy Ernest (9/17/2014)
I got someone asking if Cursor will work fast on memory-based objects. It felt like the OP would upgrade to SQL 2014 so that he/she can make the cursor run faster.
If there is no set based solution (and, yes... I do understand that a lot of people think there isn't when there is) and there's a WHILE loop involved, you can (oddly enough) make it run a fair bit faster by putting the entire loop (outside the WHILE/END) in an explicit transaction. It makes it so the system doesn't do a whole bunch of implicit commits... it just does one big one at the end.
--Jeff Moden
Change is inevitable... Change for the better is not.
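Added example, not Jeff's code: the same row-by-row loop run twice, once under the default autocommit (one implicit commit, and one log flush, per INSERT) and once inside a single explicit transaction as the post suggests, with elapsed time reported for each. The table name and row count are assumptions.

```sql
-- Added example (not from the thread). Table name and row count are assumptions.
SET NOCOUNT ON;
IF OBJECT_ID(N'dbo.LoopTarget') IS NOT NULL DROP TABLE dbo.LoopTarget;
CREATE TABLE dbo.LoopTarget (Id int NOT NULL PRIMARY KEY, Payload char(100) NOT NULL);

DECLARE @i int, @Rows int = 50000, @Start datetime2;

-- Run 1: autocommit. Every INSERT is its own transaction, so every one of them
-- waits for its own log write before the loop can continue.
SET @i = 1; SET @Start = SYSDATETIME();
WHILE @i <= @Rows
BEGIN
    INSERT dbo.LoopTarget (Id, Payload) VALUES (@i, REPLICATE('x', 100));
    SET @i += 1;
END;
SELECT 'autocommit' AS run, DATEDIFF(millisecond, @Start, SYSDATETIME()) AS elapsed_ms;

TRUNCATE TABLE dbo.LoopTarget;

-- Run 2: one explicit transaction around the whole loop. The log records are
-- still written, but the loop no longer pays for a hardened commit per row.
SET @i = 1; SET @Start = SYSDATETIME();
BEGIN TRY
    BEGIN TRANSACTION;
    WHILE @i <= @Rows
    BEGIN
        INSERT dbo.LoopTarget (Id, Payload) VALUES (@i, REPLICATE('x', 100));
        SET @i += 1;
    END;
    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    -- One failure anywhere in the loop undoes all of it; that is the trade-off.
    IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
    THROW;
END CATCH;
SELECT 'explicit transaction' AS run, DATEDIFF(millisecond, @Start, SYSDATETIME()) AS elapsed_ms;
```

Two things to keep in mind when you do this for real: the open transaction holds its locks and keeps the log from truncating until COMMIT, so for a very long loop commit every few thousand iterations rather than once at the end; and an error in iteration 49,999 rolls back the previous 49,998, which is why the TRY/CATCH is there.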
September 17, 2014 at 7:07 pm
Roy Ernest (9/17/2014)
I advised the OP to go for Set based. I hope he does not think that SQL 2014 will magically get everything to run faster.
Oddly enough, I hope he DOES think that. Tell him to take performance stats before and after so that he can write an article about how it didn't work as well as he thought it would. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
September 17, 2014 at 7:12 pm
SQLRNNR (9/17/2014)
Ahhh but SQL 2014 does come with a turbo button.:w00t:
BWAAA-HAAAAA!!!!! SQL Server has always had that "button". Just set "Boost SQL Server Priority" setting to "ON" so that pesky OS uses less CPU time, right? 😀
--Jeff Moden
Change is inevitable... Change for the better is not.
September 18, 2014 at 2:56 am
Stefan Krzywicki (9/17/2014)
SQLRNNR (9/17/2014)
Roy Ernest (9/17/2014)
I got someone asking if Cursor will work fast on memory-based objects. It felt like the OP would upgrade to SQL 2014 so that he/she can make the cursor run faster.
It could. It could also be just as bad. Boils down to what objects are involved and how complex the cursor might be.
In the end, a set based would most likely be better for them. Sell them on the idea that 2014 has a much improved cardinality estimator that can make a lot of queries run faster by itself.:-D
I wrote a cursor this week. I needed to run sp_estimate_data_compression_savings against every table in the database. I probably could have opened the proc & figured out what tables it was querying and used that to write a set based query and I might in the future, but this works well enough for now.
I wouldn't bother to be honest. Firstly because that proc has multiple cursors in it anyway, second because it does stuff like
create table [#sample_tableDBA05385A6FF40F888204D05C7D56D2B]([dummyDBA05385A6FF40F888204D05C7D56D2B] [int]);
It works by taking a sample of the table you specify, creating a temp table in, adding indexes, inserting the sample data and then compressing it.
Nothing wrong with cursors/loops where appropriate, and when creating and altering objects is usually such a place
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
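Added example, not Stefan's cursor: one way to run sp_estimate_data_compression_savings against every user table in the current database and collect the results in a single table. The stored procedure and its result-set columns are Microsoft's; the temp table, cursor and variable names are assumptions, and the TRY/CATCH is there because the procedure refuses some tables (sparse columns, for one) and you want the loop to keep going.

```sql
-- Added example (not from the thread). Temp table, cursor and variable names are assumptions.
SET NOCOUNT ON;
IF OBJECT_ID(N'tempdb..#Estimate') IS NOT NULL DROP TABLE #Estimate;
-- Shape matches the procedure's result set so INSERT ... EXEC can capture it.
CREATE TABLE #Estimate (
    object_name      sysname,
    schema_name      sysname,
    index_id         int,
    partition_number int,
    [size_with_current_compression_setting(KB)]          bigint,
    [size_with_requested_compression_setting(KB)]        bigint,
    [sample_size_with_current_compression_setting(KB)]   bigint,
    [sample_size_with_requested_compression_setting(KB)] bigint);

DECLARE @schema sysname, @table sysname;

DECLARE tbl CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE t.is_ms_shipped = 0
    ORDER BY s.name, t.name;

OPEN tbl;
FETCH NEXT FROM tbl INTO @schema, @table;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        -- One call per table; all indexes and partitions, PAGE compression requested.
        INSERT #Estimate
        EXEC sys.sp_estimate_data_compression_savings
             @schema_name      = @schema,
             @object_name      = @table,
             @index_id         = NULL,
             @partition_number = NULL,
             @data_compression = N'PAGE';
    END TRY
    BEGIN CATCH
        -- Unsupported table: report it and move on to the next one.
        PRINT QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM tbl INTO @schema, @table;
END;
CLOSE tbl;
DEALLOCATE tbl;

-- Biggest estimated savings first.
SELECT schema_name, object_name, index_id, partition_number,
       [size_with_current_compression_setting(KB)]   AS current_kb,
       [size_with_requested_compression_setting(KB)] AS page_kb,
       [size_with_current_compression_setting(KB)]
     - [size_with_requested_compression_setting(KB)] AS saved_kb
FROM #Estimate
ORDER BY saved_kb DESC;
```

As Gail notes above, each call samples the table into tempdb, builds the indexes on the sample and compresses it, so running this over a large database is a tempdb and I/O load in its own right; run it off-hours or against a restored copy rather than on a busy production instance.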
September 18, 2014 at 5:21 am
Sean Lange (9/17/2014)
WayneS (9/17/2014)
Sean Lange (9/17/2014)
ROFLMAO!!!! I just got a dev ticket to look into a website that was written and deployed about 3 years before I got here. The ONLY page on the entire site that does anything more than deliver static content is a page with a form that allows the user to upload a file. I was told this is really important because the last submission received was in 2010. Obviously mission critical functionality here. Add to that it is written in Classic ASP. I opened the thing for the first time ever today and it is wide open to SQL injection, JavaScript injection and probably more. There is only 1 way to fix this, take it out to the pasture and shoot it. 😛
Is this a public facing website? Care to send me a link? 😉
Not really. 😛 Not wanting to turn something that I can easily blow off for at least 4 years into something I have to fix immediately. It is public facing and truly horrible. It just takes the text boxes and builds a pass-through query blindly. Not even an attempt made to protect anything. Add to that the ability to upload files with no checking on file type or anything at all. The URL alone is enough to gain access to the network and I am not handing out that key. YUCK!!!
As long as it doesn't check file type, does it also open the file and do something with it? Or is it boring and just saves it to disk and lets someone else open it to do the damage and read the data?
September 18, 2014 at 6:00 am
Grant Fritchey (9/17/2014)
Jack Corbett (9/17/2014)
Grant Fritchey (9/17/2014)
So this is happening. If any of the Threadizens are inclined to make a blog post (or three) in support, I'd be appreciative.
Just saw that in the PASS Connector email. I have to admit I was surprised to see your name on the candidate list. I was about to get on twitter for the first time in a while to see the conversation.
No yelling or screaming yet. Maybe people aren't awake.
Perhaps yelling and screaming would help... to the best of my knowledge, I didn't receive a ballot even though I'm a member of PASS. The page did say that only members who "updated their profile by June 1, 2014" would be sent a ballot. Nothing changed on my profile so I didn't do an update. I didn't realize that an update would be required as a triggering mechanism (and it shouldn't be required if that's what happened).
Regardless, you DO definitely have the passion and the knowledge for the job. There's no doubt in my mind. Not that it would matter but you definitely have my recommendation! Knock 'em dead when you get there!
--Jeff Moden
Change is inevitable... Change for the better is not.
September 18, 2014 at 6:05 am
Jeff Moden (9/18/2014)
Grant Fritchey (9/17/2014)
Jack Corbett (9/17/2014)
Grant Fritchey (9/17/2014)
So this is happening. If any of the Threadizens are inclined to make a blog post (or three) in support, I'd be appreciative.
Just saw that in the PASS Connector email. I have to admit I was surprised to see your name on the candidate list. I was about to get on twitter for the first time in a while to see the conversation.
No yelling or screaming yet. Maybe people aren't awake.
Perhaps yelling and screaming would help... to the best of my knowledge, I didn't receive a ballot even though I'm a member of PASS. The page did say that only members who "updated their profile by June 1, 2014" would be sent a ballot. Nothing changed on my profile so I didn't do an update. I didn't realize that an update would be required as a triggering mechanism (and it shouldn't be required if that's what happened).
Regardless, you DO definitely have the passion and the knowledge for the job. There's no doubt in my mind. Not that it would matter but you definitely have my recommendation! Knock 'em dead when you get there!
Grant, I should receive a ballot and you have my vote. No questions required. No answers required. I hope you win and have fun once you get there.
September 18, 2014 at 6:08 am
Why would SQL Pass want to list the candidates in the order of committee ranking? The slate has been ratified, so it should be just the names of the candidates in no order.
Sorry, don't agree with the wording of that email.
-Roy
September 18, 2014 at 6:10 am
Roy Ernest (9/18/2014)
Why would SQL Pass want to list the candidates in the order of committee ranking? The slate has been ratified, so it should be just the names of the candidates in no order. Sorry, don't agree with the wording of that email.
What email? Did you receive a ballot email?
September 18, 2014 at 6:23 am
Ed Wagner (9/18/2014)
Roy Ernest (9/18/2014)
Why would SQL Pass want to list the candidates in the order of committee ranking? The slate has been ratified, so it should be just the names of the candidates in no order. Sorry, don't agree with the wording of that email.
What email? Did you receive a ballot email?
Connector from PASS. Their wordings "The candidates, listed in order of their Nomination Committee ranking, are James Rowland-Jones, Sri Sridharan, Wendy Pastrick, and Grant Fritchey. "
-Roy
September 18, 2014 at 6:35 am
Roy Ernest (9/18/2014)
Ed Wagner (9/18/2014)
Roy Ernest (9/18/2014)
Why would SQL Pass want to list the candidates in the order of committee ranking? The slate has been ratified, so it should be just the names of the candidates in no order. Sorry, don't agree with the wording of that email.
What email? Did you receive a ballot email?
Connector from PASS. Their wordings "The candidates, listed in order of their Nomination Committee ranking, are James Rowland-Jones, Sri Sridharan, Wendy Pastrick, and Grant Fritchey. "
Okay, thanks. I see the voting email will be sent on 9/24/2014.
September 18, 2014 at 6:37 am
Jeff Moden (9/18/2014)
Grant Fritchey (9/17/2014)
Jack Corbett (9/17/2014)
Grant Fritchey (9/17/2014)
So this is happening. If any of the Threadizens are inclined to make a blog post (or three) in support, I'd be appreciative.
Just saw that in the PASS Connector email. I have to admit I was surprised to see your name on the candidate list. I was about to get on twitter for the first time in a while to see the conversation.
No yelling or screaming yet. Maybe people aren't awake.
Perhaps yelling and screaming would help... to the best of my knowledge, I didn't receive a ballot even though I'm a member of PASS. The page did say that only members who "updated their profile by June 1, 2014" would be sent a ballot. Nothing changed on my profile so I didn't do an update. I didn't realize that an update would be required as a triggering mechanism (and it shouldn't be required if that's what happened).
Regardless, you DO definitely have the passion and the knowledge for the job. There's no doubt in my mind. Not that it would matter but you definitely have my recommendation! Knock 'em dead when you get there!
Thank you sir!
Ballots don't go out until the 24th of this month, so you might still get one.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
September 18, 2014 at 6:38 am
Roy Ernest (9/18/2014)
Why would SQL Pass want to list the candidates in the order of committee ranking? The slate has been ratified, so it should be just the names of the candidates in no order. Sorry, don't agree with the wording of that email.
Politics. Ain't it fun!
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning