I'm working on a query editor in which user enters a SQL query and in code behind I pass this query to a SqlCommand and execute it and display result to the user.
But there is one problem: how can I access all the databases in SQL Server which the user created? How can I set initial catalog= to access all databases in SQL Server, so that user enters any query, then it will be execute against all those databases.
For example:
use db_compiler
select * from std
use student
select * from student
So I'm going to say this - what you are requesting to do is a fundamentally BAD idea. SQL Injection is a concern among many, many other things.
However, if you want a list of the databases to set initial catalog, check out the answer to this question:
SQL Server query to find all current database names
you don't require to set initial catalog in order to be able to access to other databases.
Ability to access other database is determine by the permission of the login. If the login is able has the permission to access to other database, you can you use the 3 part naming convention to access it.
Example, even if the initial catalgo is DB1, it will be to access the TABLE3 in DB2
SELECT *
FROM [DB2].[SCHEMA].[TABLE3]
For example instead of
use db_compiler
select * from std
you can
select *
from db_compiler.dbo.std
Related
What's the difference between connecting to a server as opposed to connecting to a database?
The context of the question is that I'm in charge of developing a proof of concept where a user can select one of our servers, a database within that server, a table within that database, and a column within that table. I am using Visual C# and ASP.NET. I believe I can get the servers from the connection strings in the web.config, but I'm not quite sure how.
If it helps at all (I do like examples), you can assume SQL servers.
(Answer to original question)
There is a hierarchy:
Server: A piece of physical (or virtual) hardware that runs an OS and applications. You will address it via IP address or DNS name, in can host multiple Database Servers
Database Server (aka Instance): A piece of software that runs that can host multiple Databases. when you use a connection string it is in the format "ServerName\InstanceName"
Database: A data structure that can host multiple Data Tables
Data Table: A data structure that can host multiple Columns and Rows
Column: The smallest division of information seperation, holds information about a specific topic
Row: Holds a single set of columns.
(Answer to updated question)
It is different per SQL provider, but using Microsleft SQL server you just connect to the server (don't provide a default instance in the connection string) and do the following:
select * from sys.databases
Once you have your database, connect to that database and do the following to get the tables
select * from sys.tables where type = 'U'
to get the columns you do
select * from sys.Columns
however to get the name of the table the column is in you need to match Object_id to Object_id on sys.tables
select t.name as TableName, c.Name as ColumnName
from sys.tables t
inner join sys.columns c on t.object_id = c.object_id
where t.Type = 'U'
You can achieve your goal. Initially, you would connect to database master on the server and query the databases on that server.
SELECT * FROM sys.databases
Then, you would initiate a new connection to the selected database and query that database's information schema, to get a list of tables.
SELECT * FROM INFORMATION_SCHEMA.TABLES
Repeat for selecting a column.
SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'foo'
If by server you mean database server, you would connect to the server to gain access to the database hosted on that server.
I want to check if a database is working as a "Publisher" to other databases.
To do this I was planing on checking if the database "distribution" exists on that instance.
after reading this I thought I could just do
new Sqlcommand("SELECT name FROM master.dbo.sysdatabases WHERE name = #name")
and solve my problem...but I dont have that table in my database...:s
is there another way to solve my problem?
If you want to know if a database is a publisher then looking for a distributor is the wrong check. A database can have a remote distributor, in which case you'll get a false negative. Or the distributor may exist but the database may not be a publisher, in which case you get a false positive. Not to mention that the distribution DB may have any name, so looking for a database named distribution is also wrong.
The proper way to do it is to sue the built in replication helper procedures:
exec sp_helppublication will return information about all publications in a database. IF the database is not a publisher, it won't return anything (yoru cue to action).
exec sp_helpdistributor will return information about the distributor of a publisher
exec sp_helpdistributiondb will return information about a distribution database
In addition, the simple facts whether the DB is a publisher, subscriber or distributor can be discovered in sys.databases:
is_published Database is a publication database in a
transactional or snapshot replication topology.
is_merge_published Database is a publication database in a merge replication topology.
is_subscribed Database is a subscription database in a
replication topology.
is_distributor Database is the distribution
database for a replication topology.
Assuming you have sufficient permissions to view database metadata you can use
SELECT CASE
WHEN DB_ID('distribution') IS NULL THEN 0
ELSE 1
END AS distributionExists
select *
from sys.databases
where name = #name
Very close. It looks like that is SQL Server 2000 catalog view. What you are looking for is querying sys.databases.
I am using SQL Server Express 2005.
I have a single database myDB
I have created a Login L-1 with user U-1 on databas myDB.
To connect to database myDB I found 3 ways:
-1(a)-after creating L-1 Login with default database = myDB , I have to create a user U-1 , and when I connected to SQL server , then it connected.
I used this query:
create login L-1 with password='passL1' , default_database = myDB
use myDB
create user U-1 for login L-1
Means, creating a user inside a login , gives the user connect permission implicitly. Am I right ?
-1(b)-I didn't create any user U-1, but executed this :
use myDB
sp_grantdbaccess L-1
this also made me connect , the reason being that, sql added a user named L-1 implicitly in the myDB database. Am I right?
-1(c)-this time also, I didn't create any user U-1,but I executed this:
sp_changedbowner L-1
this also made me connect , the reason being that, sql added a user named L-1 implicitly in the myDB database. Am I right?
Now, I want to give the user U-1 created in 1(a) the following permissions:
Create Logins L-2,L-3
Create Users U2,U3 which can also connect to database myDB.
How do I do this?
Yes - calling sp_grantdbaccess or sp_changedbowner will just implicitly do what you would normally do with CREATE USER - no difference.
Calling CREATE USER explicitly is just clearer, more obvious what you're doing etc.
Also: don't use sp_grantdbaccess anymore - because:
This feature will be removed in a
future version of Microsoft SQL
Server. Avoid using this feature in
new development work, and plan to
modify applications that currently use
this feature. Use CREATE USER instead.
Source: Technet on sp_Grantdbaccess
And don't use sp_changedbowner either - same reason:
This feature will be removed in a
future version of Microsoft SQL
Server. Avoid using this feature in
new development work, and plan to
modify applications that currently use
this feature. Use ALTER AUTHORIZATION
instead.
Source: Technet on sp_changedbower
How would I programmatically go about limiting the access of a database in SQL Server 2000 to the database owner for that database? Example... if I right-click "Properties" on the "Northwind" database in Enterprise Manager, the Owner is listed as sa. How would I limit access for this database to just the sa login?
You could set the database to RESTRICTED_USER availability.
ALTER DATABASE MyDatabase SET RESTRICTED_USER
-- OR --
ALTER DATABASE MyDatabase SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE
http://msdn.microsoft.com/en-us/library/ms190249.aspx
http://msdn.microsoft.com/en-us/library/aa275464(SQL.80).aspx
Some thoughts:
You can neither deny not restrict the sa login at all, anywhere in a SQL Server Instance
Do not use "sa" day to day
It makes more sense to limit to the members of the db_owner database role, per database (SET RESTRICTED_USER above)
The database owner id is fairly random: sa only owns this because sa created it, or ownership was changed to sa
Other than that, what is the reasoning behind your request?
Is it possible to enforce read only permissions using the System.Data.SqlClient code accessing a Sql Server database?
I want to allow trusted users to write their own SELECT statements, in a web site.
NO Im not trolling here! Obvious solutions are to create a readonly user in the database, and use those credentials in the connection string, and surely only an idiot accepts a SQL statement in a webpage. This is a user deployment issue, I don't trust someone else to set that up correctly and don't want to write code to check that the readonly connection string is readonly.
One solution would be to parse the SQL and verify that it is a readonly command, or to do something similar. What I want to do is to do something like;
SqlConnection conn = new SqlConnection(myConnectionString, Flags.Readonly)
update
Given a connection string with SA priviledges, "create user blah with password=xxx" "use my-db" "create login blah" "grant select on mytable to blah". Then make a new connection string.
Create a new login in SQL Server and only give that login the permissions you want on the tables. Then in the connection string have the application use that login. You mention this as an obvious solution in your post but I don't see why you wouldn't want to do it this way.
You could use a transaction and always rollback? (but make sure the executed sql doesn't commit)
No, there is no built-in facility for ensuring that end-user actions don't have side effects. While it may be simple in your scenario, a general-purpose implementation of this would be incredibly complex, if not impossible. What if the select statement uses a UDF that has side effects?
create another database, possibly restore the nightly backup, so it a day old. only allow the users to access this database. Then users can't slow down production with their awful queries or really hurt anything if your security fails and an change is made.