January 27, 2010 at 3:38 pm
Alvin Ramard (1/27/2010)
I'm thinking that I need to get a "desktop replacement" laptop and then turn my desktop into a home server.
I saw a Vaio with 8GB RAM, 500GB HDD, and a dual core (standard these days).
That would work for me as a desktop
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 27, 2010 at 3:41 pm
CirquedeSQLeil (1/27/2010)
Alvin Ramard (1/27/2010)
I'm thinking that I need to get a "desktop replacement" laptop and then turn my desktop into a home server.
I saw a Vaio with 8GB RAM, 500GB HDD, and a dual core (standard these days).
That would work for me as a desktop
It should. I'd like to get one with the i7 processor. I need to do some searching this weekend.
For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help
January 27, 2010 at 4:06 pm
Lenovo W510, 15", quad core, only 4GB RAM for now.
January 27, 2010 at 4:36 pm
Alvin Ramard (1/27/2010)
Oh, before I forget Jason, we passed on to our local chapter membership the link to your blog about user group participation. That should be required reading for all SQL professionals and enthusiasts!!!
I'm probably still asleep and missed the link... what is it? It sounds quite interesting.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 27, 2010 at 4:56 pm
Jeff Moden (1/27/2010)
Alvin Ramard (1/27/2010)
Oh, before I forget Jason, we passed on to our local chapter membership the link to your blog about user group participation. That should be required reading for all SQL professionals and enthusiasts!!!
I'm probably still asleep and missed the link... what is it? It sounds quite interesting.
Link wasn't shared
Here it is:
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 27, 2010 at 5:38 pm
I need a couple of volunteers if any are willing and have some spare time.
I am wrapping up an article and would like somebody else to review it if possible.
Thanks in Advance.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 27, 2010 at 6:54 pm
CirquedeSQLeil (1/27/2010)
Jeff Moden (1/27/2010)
Alvin Ramard (1/27/2010)
Oh, before I forget Jason, we passed on to our local chapter membership the link to your blog about user group participation. That should be required reading for all SQL professionals and enthusiasts!!!
I'm probably still asleep and missed the link... what is it? It sounds quite interesting.
Link wasn't shared
Here it is:
Nice Jason. And thought-provoking.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
January 27, 2010 at 8:40 pm
Greg Edwards-268690 (1/27/2010)
Paul White (1/26/2010)
CirquedeSQLeil (1/26/2010)
Alas, that was before my time here at SSC.
Really? Wow. I thought it was reasonably recent - and also that you had been around for quite some time now. Genuinely surprised. BTW, that bug in 2008 I was talking about: https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=382235. Sucks.
I wonder what they are really considering the next major release?
It could be the current CTP that's out.
Although I'd expect some kind of hotfix if that's the case.
Greg E
My expectation was, and is, that they are referring to the next full version - i.e. not 2008 R2 which appears to be a minor version. The odd thing is that the 'wrong thread' problem is usually a fairly easy thing to fix, so either it's more complex internally for some reason, or they have higher priorities. I don't suppose it will affect too many people, but not being able to pass a stream to a TVF is rather limiting - and a shame since several of the improvements made in 2008 were to lift the 8000 byte restriction on UDAs and UDTs.
Paul White
SQLPerformance.com
SQLkiwi blog
@SQL_Kiwi
January 27, 2010 at 8:46 pm
CirquedeSQLeil (1/27/2010)
I need a couple of volunteers if any are willing and have some spare time. I am wrapping up an article and would like somebody else to review it if possible.
If it covers a subject I'm familiar with, I'd be happy to take a look.
Paul White
SQLPerformance.com
SQLkiwi blog
@SQL_Kiwi
January 27, 2010 at 9:10 pm
Paul White (1/27/2010)
CirquedeSQLeil (1/27/2010)
I need a couple of volunteers if any are willing and have some spare time. I am wrapping up an article and would like somebody else to review it if possible.
If it covers a subject I'm familiar with, I'd be happy to take a look.
I think you would have no problem with the subject matter.
Thanks. I will get you the article shortly.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 27, 2010 at 9:14 pm
WayneS (1/27/2010)
CirquedeSQLeil (1/27/2010)
Jeff Moden (1/27/2010)
Alvin Ramard (1/27/2010)
Oh, before I forget Jason, we passed on to our local chapter membership the link to your blog about user group participation. That should be required reading for all SQL professionals and enthusiasts!!!
I'm probably still asleep and missed the link... what is it? It sounds quite interesting.
Link wasn't shared
Here it is:
Nice Jason. And thought-provoking.
Thanks and I think that sums it up for one intent of the article (thought provoking).
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
January 28, 2010 at 6:20 am
OK, so SQL injection question - I understand that using sp_executesql with parameters will nullify the impact of SQL injection commands, as the string is not directly executed. Gail has a great post on that which I have bookmarked.
If I have an SP with parameters, and take the input from a user and send it directly to that SP, does that do the same thing? Or is it specific to sp_executesql, which deals with the parameters in a different way?
Seems to me if I do...
CREATE PROCEDURE someSP @inputParam varchar(255)
AS
SELECT * FROM someTable WHERE col1=@inputParam
GO
EXEC someSP @inputParam -- assume @inputParam comes from user
... that I'm still just directly concatenating the user input into my SQL.
T/F?
---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table: What it is and how it replaces a loop
"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
January 28, 2010 at 6:30 am
jcrawf02 (1/28/2010)
OK, so SQL injection question - I understand that using sp_executesql with parameters will nullify the impact of SQL injection commands, as the string is not directly executed. Gail has a great post on that which I have bookmarked.
If I have an SP with parameters, and take the input from a user and send it directly to that SP, does that do the same thing? Or is it specific to sp_executesql, which deals with the parameters in a different way?
Seems to me if I do...
CREATE PROCEDURE someSP @inputParam varchar(255)
AS
SELECT * FROM someTable WHERE col1=@inputParam
GO
EXEC someSP @inputParam -- assume @inputParam comes from user
... that I'm still just directly concatenating the user input into my SQL.
T/F?
What, are you trying to hijack the Thread for technical stuff?
Yes, it's the same. It has to do with how the query is parsed. The procedure you show will be parsed as "col1=@inputParam". So even if the input is "col1;drop StudentTables", little Bobby isn't going to give you a bad day, but instead will have a weird last name.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
January 28, 2010 at 6:31 am
Yes, but you're not executing the user input. The user will not be able to append something like ';DROP DATABASE myDB
in the input; that will always be treated as a string.
It's a different subject if you're doing something like:
CREATE PROCEDURE sp_doStuff @param1 AS varchar(8000)
AS
BEGIN
DECLARE @sql nvarchar(8000)
-- @param1 is concatenated into the command text, so whatever the caller
-- supplies is parsed and executed as SQL, not treated as a value.
SET @sql = 'SELECT * FROM ' + @param1
EXEC(@sql)
END
-- Gianluca Sartori
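A hardened rewrite of the dynamic-SQL pattern above, added here as an example and not code from the thread. It assumes a table with a column col1 and that the caller wants to choose the table name; since an identifier cannot be bound as a parameter, the name is checked against the catalog and escaped with QUOTENAME, while the value part goes through sp_executesql as a real parameter, exactly as the parameterized procedure in the question does.

```sql
-- Hardened replacement for the concatenating sp_doStuff shown above.
-- @tableName: identifier chosen by the caller (cannot be parameterized,
--             so it is validated and quoted instead).
-- @col1Value: data value; bound as a parameter so it is never parsed as SQL.
CREATE PROCEDURE dbo.doStuff_safe
    @tableName sysname,
    @col1Value varchar(255)
AS
BEGIN
    SET NOCOUNT ON;

    -- Reject anything that is not an existing user table in the default schema.
    -- A value such as 'someTable; DROP DATABASE myDB' simply fails this lookup.
    IF OBJECT_ID(QUOTENAME(@tableName), N'U') IS NULL
    BEGIN
        RAISERROR(N'Unknown table name.', 16, 1);
        RETURN;
    END;

    -- QUOTENAME wraps the identifier in [ ] and doubles any ] inside it,
    -- so the name is always read as a single identifier token.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM ' + QUOTENAME(@tableName) + N' WHERE col1 = @v;';

    -- The value arrives as a typed parameter, the same way @inputParam does
    -- in the question's procedure; it is compared, never executed.
    EXEC sys.sp_executesql
        @sql,
        N'@v varchar(255)',
        @v = @col1Value;
END;
GO

-- Constructed calls (assumed table name): the first runs a plain comparison,
-- the second stops at the catalog check instead of executing a second statement.
EXEC dbo.doStuff_safe @tableName = N'someTable',
                      @col1Value = 'col1;drop StudentTables';
EXEC dbo.doStuff_safe @tableName = N'someTable; DROP DATABASE myDB',
                      @col1Value = 'x';
```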
January 28, 2010 at 6:32 am
F 😀
Paul White
SQLPerformance.com
SQLkiwi blog
@SQL_Kiwi