Im looking for a sql command that select all objects and grants permissions, something like below, but to select and grant at the same time, and not to spin out another sql to be executed
select 'grant alter any table on ' + name + ' to USER1' + CHAR(10) + 'go' from sysobjects where type = 'U' or type = 'V' or type = 'P'
UPDATE
Here is the syntax I have to create a proc - I don't have experience on it HELP
I have to have a proc that selects all tables and grants permissions to users
create or replace procedure
grant_permissions #table varchar (30) = "sys%"
as
select 'grant alter any table on ' + name + ' to user1' + CHAR(10) + 'go' from sysobjects where type = 'U' or type = 'V' or type = 'P'
go
select 'grant alter any table on ' + name + ' to user2' + CHAR(10) + 'go' from sysobjects where type = 'U' or type = 'V' or type = 'P'
go
Related
Do you have any ideas how value which was writeback from SF to database could be returned from data base again to Spotfire input field.
(No just any value, what is mechanism stay behind it?)
If I need to make changes in this record ?
We writeback to DB with IronPython scripting assigning document properties.
Piece of code....
sqlIns = "INSERT INTO SCHEMA.TABLE_NAME (FIELD, WELL, WELLBORE, WELLTYPE) \n\
VALUES \n\
('" + Document.Properties["IFIELD"] + "', \n\
'" + Document.Properties["IWell"] + "', \n\
'" + Document.Properties["IWellBore"] + "', \n\
'" + Document.Properties["IWellType"] + "')"
print sqlIns
dbsettings = DatabaseDataSourceSettings( "System.Data.OracleClient","Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server)(PORT=****))(CONNECT_DATA=(SERVICE_NAME=****)));User Id=;Password=",sqlIns)
ds = DatabaseDataSource(dbsettings)
newDataTable = Document.Data.Tables.Add("temp",ds)
Document.Data.Tables.Remove(newDataTable)
The problem is that before updating into the database the record, this record needs somehow modify. I insert the data through input or drop-down field in the text area, then press the Submit button to insert it into the database. It recorded there and appeared in the table which I add on the same page in SF.
My thoughts that it should be workflow like: highlight record you want to change (it happened in a table connected to SF)
-> once you choose the record, it appears in the input screen (input screen - text area where you enter all these values for the first time or another input screen only for data modification)
-> make required changes
-> re-write/update data to DB (with replacement initial record.)
The python script just sends an sql command. That command can be changed to do an update instead of an insert.
Post an example of code that you are using for the insert and people can assist on how to change to an update statement.
You'll need to have a primary key or other identifier for the update statement.
If you "wrote back to a database" to read the data into a input Field or table you'd have to query the database (a normal query to pull data into spotfire)
During a Value-Change inside a browse, my string value suddenly changes, specifically the string(9) will change to string(0).
sample:
in my combo-box, i used a list-item-pair with following code:
cb-name:LIST-ITEM-PAIRS = ?.
cb-name:DELIMITER = '?'.
FOR EACH employee WHERE employee.date-resigned = ? NO-LOCK BY employee.employee-no.
cb-name:ADD-LAST(TRIM(STRING(employee.employee-no, '99999999') + " - " + employee.last-name + ", " + employee.first-name + " " + SUBSTRING(employee.middle-name,1,1)) + ".",employee.employee-no).
END.
cb-name:SCREEN-VALUE = cb-name:ENTRY(1).
in the value-changed of browse:
ASSIGN cb-name:SCREEN-VALUE =
STRING(TRIM(STRING(employee.employee-no, '99999999') + " - " + employee.last-name + ", " + employee.first-name + " " + SUBSTRING(employee.middle-name,1,1)) + "." ,
STRING(employee.employee-no, '99999999')).
if the employee no has a string value of 9, progress will change it to 0.. producing an error message that has an invalid value..
ex: from 819001 /*correct*/ to 810001 /*incorrect*/
if there is no string(9), it will display like:818002
if i message the STRING(employee.employee-no, '99999999')), it will display the correct string value
Version doesn't matter in this case, apparently. I just simulated it in 10.2B08 using a temp-table with the named tables. The problem is when you're assigning the screen-value to the combo you're trying to convert the whole string (employee-no + names + separators) into format 99999999.
Since your combo is list-item-pairs
('Whatever I want it to display','the real value',
'and so on display' , 'and so forth value')
your solution is to assign the screen value just to the real value, disregard the label. In other words, as simple as changing your value-changed code to
ASSIGN cb-name:SCREEN-VALUE = STRING(employee.employee-no, '99999999') .
It worked for me. Let me know if you are still having trouble with it.
I'm trying to solve an issue I have when I'm trying to use OLE DB for reading Excel files.
I found that the problem is because there is a hash mark (#) in the sheet name.
Unfortunately, I can't rename the sheet.
So after some tries, I've succeeded to read a full sheet by adding quotation marks ('):
Before
Select * from [" + sheetName + "$];
After (working)
Select * from ['" + sheetName + "$'];
But then I got stuck when trying to read a range from the sheet with the OLE DB feature:
Select * from [" + sheetName + "$" + fromCell + ":" + toCell + "];
When I try to send this command, it's seems like the # is replaced by . and then it cannot find the sheet.
I've tried many combination and escape codes and didn't find any solution. How can I access this file?
Your final output should look like this
'MySheet$A1:B2'
So your select should be
var SheetName = "MySheet";
var fromCell = "A1";
var toCell = "B2";
var sql = "Select * from ['" + SheetName + "$" + fromCell + ":" + toCell + "']";
Console.WriteLine(sql);
// Output
// Select * from ['MySheet$A1:B2']
Also consider parametrising your sql for better readability and also preventing sql code injection. You can find a guide for how to do it at OleDbCommand.Parameters.
I have a stored procedure that is generating a string that it will call EXECUTE() on. The string contains an UPDATE statement. However, the columns and values that it is executing are not known beforehand. These are coming into the stored procedure through an XML string. I then use XML queries to get the data out and into a temporary table.
This is not sanitizing the data.
DECLARE #TBL_FLD TABLE (
TBL VARCHAR(MAX),
COL VARCHAR(MAX),
VAL VARCHAR(MAX)
);
-- Fill #TBL_FLD via xml parsing (omitted for brevity)
DECLARE TBL_CURSOR CURSOR FOR
SELECT distinct (TBL) FROM #TBL_FLD;
OPEN TBL_CURSOR;
WHILE 1 = 1
BEGIN
FETCH NEXT FROM TBL_CURSOR INTO #TABLE_NAME
IF ( ##FETCH_STATUS <> 0 )
BREAK
SET #SETTING_STR = '';
SELECT #SETTING_STR = STUFF( ( SELECT ', ' + COL + ' = ''' + VAL + '''' FROM #TBL_FLD WHERE TBL = #TABLE_NAME FOR XML PATH('') ), 1, 2, '');
SET #SQL_QUERY += 'UPDATE ' + #TABLE_NAME + ' SET ' + #SETTING_STR + ' WHERE KEY = ' + CONVERT(VARCHAR(MAX), #KEY_VAL) + '; ';
END
CLOSE TBL_CURSOR
DEALLOCATE TBL_CURSOR
EXECUTE (#SQL_QUERY);
I trust the COL field of #TBL_FLD, but the VAL will have come from a user. Which leaves a massive security hole since I am just concatenating the data together. There has to be a better way.
Since there are an unknown number of columns, I can't easily create parameters for the statement so that the data is cleaned up. If worst comes to worst, I can do it, (see the answer to Dynamically Create Update SQL In Stored Procedure) but it will be uglier than I would like.
Is there a function, or method, to sanitize the data, before I blindly add it to the statement? Or is there a better way to do what I'm trying to do?
I think that just doubling single quotes with a REPLACE on VAL would fix any issues since an attacker would not be able to exit the "string scope" to execute arbitrary code :
SELECT #SETTING_STR = STUFF( ( SELECT ', ' + COL + ' = ''' + REPLACE(VAL, '''', '''''') + '''' FROM #TBL_FLD WHERE TBL = #TABLE_NAME FOR XML PATH('') ), 1, 2, '');
I don't remember a built-in T-SQL function that does the same thing
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Parameterizing a SQL IN clause?
Hi All,
I am writing a SQL command for my project. I have to pass one string parameter to cursor.
But at that parameter I have to concatenate many strings, like this:
DECLARE #strParam VARCHAR(MAX)
SET #strParam = 'string1' + ',' + 'string2' + ',' ... etc
Then I want to use like this:
SELECT * FROM tblResult WHERE Field1 IN (#strParam)
instead of the following statement:
SELECT * FROM tblResult WHERE Field1 IN ('string1' + ',' + 'string2' + ',' ... etc)
So I need to get the format as like we set above.
How can I do that?
Best Regards,
Reds
This will split the csv into a table.
CREATE FUNCTION GetIDs(
#ids_csv nvarchar(255))
RETURNS #table_ids TABLE
(
ID INT,
PRIMARY KEY(ID)
) AS
BEGIN
DECLARE #app_id varchar(10)
DECLARE #pos int
SET #ids_csv = LTRIM(RTRIM(#ids_csv))+ ','
SET #pos = CHARINDEX(',', #ids_csv, 1)
IF REPLACE(#ids_csv, ',', '') <> ''
BEGIN
WHILE #pos > 0
BEGIN
SET #app_id = LTRIM(RTRIM(LEFT(#ids_csv, #pos - 1)))
INSERT INTO #table_ids(ID) VALUES(#app_id)
SET #ids_csv = RIGHT(#ids_csv, LEN(#ids_csv) - #pos)
SET #pos = CHARINDEX(',', #ids_csv, 1)
END
END
RETURN
END
Then, you can do this:
SELECT * FROM tblResult WHERE Field1 IN (SELECT * FROM GetIDs(#strParam))