MDX CA 2100 Security Issue - security

I have written MDX query and assigned it to Adomd Connection object. When i Run Code Analysis, it gives me CA2100 Review SQL queries for security vulnerabilities error we can't directly supply query to connection objects. It Says either we should embed it in Stored Procedure or use Parametrized query. But in my case, there are no parameters for this query. So kindly help, how can I remove this CA 2100 Security error. PFB the code. Thanks in advance.
conn.Open();
// Adomd Connection Object
var adomdCommand = new AdomdCommand()
{
Connection = conn,
CommandType = CommandType.Text,
CommandText = mdxQuery
};
//Execute command to return cell set..
CellSet csResult = adomdCommand.ExecuteCellSet();
conn.Close();

You can create stored procedure in SQL Server that performs execution of AS query. Assuming sp's are pre-compiled, that's secure. You should do the following:
Add your AS server as linked server to SQL Database server (via Server Objects in SSMS)
Create stored procedure. The general scheme is (sp body):
declare #tsqlquery varchar(1000)
declare #mdxquery varchar(2000)
set #tsqlquery = 'SELECT
"[DimA].[A].[A name].[MEMBER_CAPTION]" as dimensionName,
convert(float, "[Measures].[X]") AS measureValue
FROM OPENQUERY(<**YOUR LINKED SERVER**>,'
set #mdxquery = '''**YOUR MDX QUERY**' + '''' + ')'
EXEC(#tsqlquery + #mdxquery)
You can also create parametized store procedure that modifies MDX query text based on parameters. As long as you are using Stored Procedures, you are safe. For example, our report server queries only use SP's, not direct AS queries.
PS. If your AS server has role security defined, you should enable ImpersonateCurrentUser for the database, then your role will work.

Related

How to execute Snowflake Stored Procedure from Python?

I have created stored procedure in snowflake which is executed fine in snowflake UI and also from server by using snowsql. Now I want to execute procedure from python program, I tried to execute from python, here are the steps that I have followed:
establish the connection to snowflake ( successfully able to connect.)
cs = ctx.cursor()
Used appropriate role,warehouse,database and schema.
tried to execute procedure like this:
cs.execute("call test_proc('value1', 'value2')")
x = cs.fetchall()
print(x)
But getting an erorr:
snowflake.connector.errors.ProgrammingError: 002140 (42601): SQL
compilation error: Unknown function test_proc
Can you please help me to resolve this problem.
Thanks,
When connecting to Snowflake using Python connector you could define DATABASE/SCHEMA
conn = snowflake.connector.connect(
user=USER,
password=PASSWORD,
account=ACCOUNT,
warehouse=WAREHOUSE,
database=DATABASE,
schema=SCHEMA
);
Once you have it set up, you could call your stored procedure without using fully-qualified name:
cs.execute("call test_proc('value1', 'value2')");
Alternative way is:
Using the Database, Schema, and Warehouse
Specify the database and schema in which you want to create tables. Also specify the warehouse that will provide resources for executing DML statements and queries.
For example, to use the database testdb, schema testschema and warehouse tiny_warehouse (created earlier):
conn.cursor().execute("USE WAREHOUSE tiny_warehouse_mg")
conn.cursor().execute("USE DATABASE testdb_mg")
conn.cursor().execute("USE SCHEMA testdb_mg.testschema_mg")
Actually, I have to have command like this
cs.execute("call yourdbname.schemaname.test_proc('value1', 'value2')")
and It is working as expected.
Thanks

Selecting a schema to connect to when connecting over an ODBC connection in Excel's Power Query

So I have a fairly simple query (proof of concept) where I'm able to dynamically pull in data from a database depending on my Excel sheet inputs. For example:
let
Source = Odbc.Query("dsn=Dev 2", "select * #(lf)from job_id JI#(lf)where JI.job_ID = " & Text.From(GetNamedRange("SQLJobInstanceID")) & "#(lf)")
in
Source
Hurray, it works! However, when I was setting up the connection, I needed to log in. Part of the login includes the schema that I wanted to connect to. Username[Schema] is how it's done. Now that I've connected, I'd like to select a different schema to connect to - but I'm not sure how I can either modify the schema, or log out and log back in.
(Also curious if the connection is storing my credentials, which would be problematic, or if other people would need to log in with their credentials)
I believe I can also edit which ODBC connection I'm using by editing the "dsn=Dev 2" portion of the code (Again, will probably turn it into a named range drop down menu.... the challenge becomes dynamically figuring out what ODBC options each user has and pulling those through...)
Thank you

VBA to properly access multi user database

I have an Excel Add-In project that I'm working on which has multiple users accessing a database on the server. Currently all the code works and everything processes correctly as long as only one user is accessing the database at a time. I'm using DAO to access the database and passing an SQL string it to retrieve records using the following lines of code
Set db = OpenDatabase(g400DBPath, , True)
Set rs = db.OpenRecordset(sSQL, dbOpenSnapshot)
This creates an issue where if more than one person attempts to access the database at the same time, only the first person is able to access it. I tried changing the recordset line of code to the following
Set rs = db.OpenRecordset(sSQL, dbOpenSnapshot, , dbOptimistic)
but that gives me the following error: Run-time error '3001: Invalid Argument
How would I go about setting the access to the record set so that multiple users can run the report? The users are not updating any information in the database at all, everything is read only.
Your problem is: a snapshot-type recordset is always read-only. Specifying any edit lock options will throw a run-time error, since snapshot-type recordsets don't do locking.
I can't reproduce the behavior, but you can try the following:
Set db = OpenDatabase(g400DBPath, False, False) 'Read-only can lead to exclusive locks since more specific locks are stored in the DB
Set rs = db.OpenRecordset(sSQL, dbOpenSnapshot, dbReadOnly)
Alternatively, you could try using ADO and disconnected recordsets. DAO doesn't offer that functionality as far as I know.

U-SQL Query data source

I would like to write query to remote Azure SQL database.
I followed the tutorial via Query Data Source - Method 1
I was successful to run the query from tutorial:
#results1 =
SELECT *
FROM EXTERNAL MyAzureSQLDBDataSource EXECUTE #"SELECT ##SERVERNAME AS serverName, GETDATE() AS dayTime, DB_NAME() AS databaseName";
But...
I would like to update this query to following form:
DECLARE #queryA string = #"SELECT ##SERVERNAME AS serverName, GETDATE() AS dayTime, DB_NAME() AS databaseName";
#results2 =
SELECT *
FROM EXTERNAL MyAzureSQLDBDataSource EXECUTE #queryA;
I got an error
E_CSC_USER_SYNTAXERROR: syntax error. Expected one of: string-literal
Any idea why I cannot use query stored in string value?
In real query I need to dynamically create query based on parameters in where statement.
Thank you in advance
According to this article https://msdn.microsoft.com/en-us/library/azure/mt621291.aspx you can provide only a literal, not a variable:
EXECUTE csharp_string_literal
The string literal contains a query
expression in the language supported by the remote data source. E.g.,
if the data source is an Azure SQL Database, then the query string
would be T-SQL.

Coldfusion and SQL Server database security

I have an account on a coldfusion/SQL Server shared server hosting service and have been targeted by what I believe to be a SQL injection attack. I have a absolute path to a javascript file in nearly every field of every table. It seems the script hides majority of the text and features on every page it is on. I'm lucky enough to be able to restore the database to a reasonable point, but I need to prevent this from happening again. Is there anything else I can do besides <cfqueryparam></cfqueryparam> ?
The recommended solution is to review ALL your code and make sure that you don't build your sql statements via string concatenation. Instead, use parametrized queries and sanitize user input. That's recommended for any kind of database you use.
Take a look at this post.
EDIT - Providing C# Example as requested:
string sql = "insert into table_a (cola,colb,colc) values (#value_a,#value_v,#value_c)";
using(SqlConnection conn = new SqlConnection("ConnectionString"))
{
conn.Open();
SqlCommand command = new SqlCommand(sql,conn);
command.CommandType = Commandtype.Text;
command.Parameters.AddWithValue("#value_a",txtFieldAFromForm.Text);
command.Parameters.AddWithValue("#value_b",txtFieldBFromForm.Text);
command.Parameters.AddWithValue("#value_c",txtFieldCFromForm.Text);
command.ExecuteNonQuery();
}
Checkout <cfqueryparams> tag: http://www.adobe.com/livedocs/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=part_cfm.htm
This is how to clean up user-submitted input for SQL queries.

Resources