SQL injection tips/warnings
SQL injection tips/warnings: T-SQL injection warnings or tips found on the Microsoft Web site or elsewhere online that are specific to Microsoft SQL Server, or PL/SQL injection warnings or tips found on the Oracle Web site or elsewhere online that are specific to Oracle Database, or SQL injection warnings or tips found on the MySQL Web site or elsewhere online that are specific to MySQL, or SQL injection warnings or tips related to other database management systems (PostgreSQL, IBM DB2, etc.).
Solution
One of the Transact-SQL warnings, as per Microsoft, is "Null value is eliminated by an aggregate or other SET operation".
And one more is "case when (coalesce(a.status,ae.status) = 'A') and (IsNull(ae.excuse, 'U') = 'U') and (IsNull(ae.code, 'DRC') = 'DRC') then
sum(DATEDIFF(minute,pm.startTime,pm.endTime)-coalesce(pm.lunchTime,0)-coalesce(a.presentMinutes,0)) else 0 end as DRCMinutes"
TIPS-1: Make sure that SUM, AVG, MAX, MIN, STDEV, STDEVP, VAR, VARP never see a NULL value, one way or another. You have catered for this for two of the three terms, but not the DATEDIFF expression. Apparently at least one of pm.startTime and pm.endTime permits NULL. Or write the command "SET ANSI_WARNINGS OFF", which will disable the warning.
TIPS-2: When truncation occurs in any conversion to or from binary or varbinary data, no warning or error is issued, regardless of SET options.
TIPS-3: ANSI_WARNINGS is not honored when passing parameters in a stored procedure, user-defined function, or when declaring and setting variables in a batch statement. For example, if a variable is defined as char(3), and then set to a value larger than three characters, the data is truncated to the defined size and the INSERT or UPDATE statement succeeds.
PL/SQL TIPS-1: When you compose a SQL statement programmatically, the code usually needs, or at least benefits from the use of, variables for intermediate results. Be sure to declare these as constant, assigning the values in the declarations.
TIPS-2: Allow data mining of the database by clients only via a PL/SQL API.
TIPS-3: When a SQL statement represented by a PL/SQL text expression is executed using one of PL/SQL's APIs for dynamic SQL, then the expression must be safe SQL statement text. Safe SQL statement text is a concatenation of static text and safe dynamic text.
TIPS-4: There is never a good reason to use DBMS_Utility.Exec_DDL_Statement() in new code.
TIPS-5: Use compile-time-fixed SQL statement text unless you cannot.
TIPS-6: Understand how to define the term SQL injection as the execution of a SQL statement with an unintended SQL syntax template.
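The "safe SQL statement text" rule from PL/SQL TIPS-1 and TIPS-3, shown as an added example that is not part of the original answer: a dynamic-SQL procedure that splices caller input into the statement, beside a hardened form that keeps the text constant, binds the value and validates the identifier with DBMS_ASSERT. The procedure names, the table name passed in and the status column are assumed for illustration.

```plsql
-- Added example, not from the original answer. Procedure names, the
-- caller-supplied table name and the STATUS column are assumed.

-- Unsafe form: caller-supplied text is spliced straight into the statement,
-- so the caller can change the SQL syntax template, which is exactly the
-- definition of SQL injection given in TIPS-6.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
IS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM ' || p_table
        || ' WHERE status = ''' || p_status || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_rows_unsafe;
/

-- Safe form: the statement text is a CONSTANT assigned in the declaration
-- (TIPS-1) and consists only of static text plus safe dynamic text (TIPS-3).
-- The value travels as a bind placeholder, so it is always data and never
-- syntax; the identifier, which cannot be bound, is validated before it is
-- concatenated.
CREATE OR REPLACE PROCEDURE count_rows_safe (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
IS
  -- SIMPLE_SQL_NAME raises ORA-44003 unless p_table is a plain identifier
  -- or a properly double-quoted one, so the returned text is safe to splice.
  l_table CONSTANT VARCHAR2(128)  := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
  l_sql   CONSTANT VARCHAR2(4000) :=
      'SELECT COUNT(*) FROM ' || l_table || ' WHERE status = :status';
BEGIN
  -- :status is bound, not concatenated, so quotes in p_status are inert.
  EXECUTE IMMEDIATE l_sql INTO p_count USING p_status;
END count_rows_safe;
/
```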
