Defensive Database Programming - Red Gate Software

More documents

Recommendations

Info

Chapter 2: Code Vulnerabilities due to SQL Server MisconceptionsConsider, for example, the query shown in Listing 2-1. At first glance, it seemsstraightforward enough: we check that a provided expression is a valid date and, if so,CAST it to a specific date format; in many client-side languages this approach wouldalways work.-- this is example syntax only. The code will not run-- as the EmailMesssages table does not existSELECT Subject ,BodyFROM dbo.EmailMessagesWHERE ISDATE(VarcharColumn) = 1AND CAST(VarcharColumn AS DATETIME) = '20090707';Listing 2-1: A potentially unsafe query.This query might work for some data, but it can blow up at any time, and the reason issimple: the conditions in the WHERE clause can evaluate in any order, and the order canchange from one execution of the query to the next. If the CAST is evaluated before theISDATE validity check, and if the string is not a valid date, than the query will fail.I would like to demonstrate how brittle this sort of code can be, and how little it maytake to break such code. I will provide a script in which a query originally succeeds, butfails after I have added an index. Usually, such problems occur intermittently, but thisexample has been devised in such a way that it behaves consistently on differentservers, running different versions of SQL Server (though, even having done this,there is no guarantee that it will run in your environment exactly like it does in mine).Listing 2-2 shows how to create a helper table, Numbers, with over a millioninteger numbers.Helper tablesHelper tables such as Numbers are probably familiar to most SQL programmersand have a variety of uses. If you don't already have one, it's worth creating the onein Listing 2-2, and keeping it around for future use.58
Chapter 2: Code Vulnerabilities due to SQL Server MisconceptionsIt also creates a Messages table and populates it with test data (if you already have atable with this name, from running examples in Chapter 1, you will need to drop it). Tomake sure that the example consistently executes in the same way on different servers, Ihad to populate the table with a large number of wide rows; this is why we need to insertone million rows, and that every row has a CHAR(200) column. As a result, the code maytake some time to complete. Note also that only one row out of one million has a validdate in the MessageDateAsVarcharColumn column.-- helper tableCREATE TABLE dbo.Numbers(n INT NOT NULLPRIMARY KEY) ;GODECLARE @i INT ;SET @i = 1 ;INSERT INTO dbo.Numbers( n )SELECT 1 ;WHILE @i < 1000000BEGIN;INSERT INTO dbo.Numbers( n )SELECT n + @iFROM dbo.Numbers ;SET @i = @i * 2 ;END ;GOCREATE TABLE dbo.Messages(MessageID INT NOT NULLPRIMARY KEY ,-- in real life the following two columns-- would have foreign key constraints;59
Page 5 and 6:
Chapter 2: Code Vulnerabilities due
Page 7 and 8: Enforcing Data Integrity in the App
Page 9 and 10: About the AuthorAlex Kuznetsov has
Page 11 and 12: IntroductionResilient T-SQL code is
Page 13 and 14: IntroductionCh. 02: Code Vulnerabil
Page 15 and 16: IntroductionSpecific examples demon
Page 17: IntroductionWhat this book does not
Page 21 and 22: Chapter 1: Basic Defensive Database
Page 57: Chapter 2: Code Vulnerabilitiesdue
Page 61 and 62: Chapter 2: Code Vulnerabilities due
Page 75: Chapter 2: Code Vulnerabilities due
Page 78 and 79: Chapter 3: Surviving Changes to Dat
Page 104 and 105: 104
Page 106: Chapter 4: When Upgrading Breaks Co
Page 109 and 110:
Chapter 4: When Upgrading Breaks Co
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 130 and 131:
Page 132 and 133:
Chapter 5: Reusing T-SQL CodeThe Da
Page 134 and 135:
Chapter 5: Reusing T-SQL CodeIt is
Page 136 and 137:
Chapter 5: Reusing T-SQL CodeAverag
Page 138 and 139:
Chapter 5: Reusing T-SQL CodeBEGINS
Page 140 and 141:
Chapter 5: Reusing T-SQL CodeWe als
Page 142 and 143:
Chapter 5: Reusing T-SQL CodeLet's
Page 144 and 145:
Chapter 5: Reusing T-SQL CodeStateC
Page 146 and 147:
Chapter 5: Reusing T-SQL CodeStateC
Page 148 and 149:
Chapter 5: Reusing T-SQL CodeBEGIN
Page 150 and 151:
Chapter 5: Reusing T-SQL CodeSELECT
Page 152 and 153:
Chapter 5: Reusing T-SQL CodeReusin
Page 154 and 155:
Chapter 5: Reusing T-SQL CodeIt is
Page 156 and 157:
Chapter 5: Reusing T-SQL CodeINSERT
Page 158 and 159:
Chapter 5: Reusing T-SQL CodeListin
Page 160 and 161:
Chapter 5: Reusing T-SQL CodeUnique
Page 162 and 163:
162
Page 164 and 165:
Chapter 6: Common Problems with Dat
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Chapter 7: Advanced Use ofConstrain
Page 211 and 212:
Chapter 7: Advanced Use of Constrai
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Chapter 8: Defensive ErrorHandlingT
Page 257 and 258:
Chapter 8: Defensive Error Handling
Page 259 and 260:
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
show all

Defensive Database Programming - Red Gate Software

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?