A guy I know at college is claiming he can change his grades by gaining access to the database through an SQL inject, and can also gain access to all admin account privileges and records. The portal is accessed through outlook account and he did a pentest to prove it is vulnerable, ive attached the results. I am new to coding so not sure whether to believe it, is it really possible? from what I believed, the only systems vulnerable to this would be the worst ones, configured by somebody who has never used the database software before, which is extremely unlikely for this college. Are the pentest results real and should be concerned? Is it worth reporting to warn the college?

In some cases, one want to feed or populate some PostgreSQL database tables using data fetched from the web, e.g. through a RESTful API (serving JSON features). I've recently discovered foreign data wrappers and I'm not yet 100% used to them, but they seem to be a very interesting option to replace some custom Python scripts that retrieve data from the web, process it and use a Python data wrapper (i.e. psycopg2 , or others) to populate some of my PostgreSQL database tables with that data. After some research, I've successfully used the ogr_fdw (see also here ) for fetching data from an OGC API features endpoint as well as the http extension for retrieving JSON data from a standard public API. Both those APIs are public, so they don't need any type of authentication. I'm now naturally wondering if it's possible to build a view or populate a PostgreSQL table using a foreign data wrapper which retrieves data from a *private* RESTful API, i.e. which has an authentication procedure? If yes, what kind of extension should I use and how? I couldn't find a tutorial or any detailed information at the moment. The authentications I want to succeed with are the web based ones, i.e.: HTTP Basic Auth , API keys or OAuth2 .

I am calling a web service from a SQLCLR TVF in SQL Server 2008 R2. On the IIS server this service has open permissions. When tested using GET or POST requests on a browser the web service works as expected. However, when the function calls the service, it returns: > The request failed with HTTP status 401: Unauthorized. In the typical anecdotal way, when I run the TVF on my machine to access the service on my machine, it works. (proof that code is correct) This error occurs when using a SQL Server on the network accessing another ISS server on the network. Both servers are in the same domain. How to determine the missing permissions that prevent this TVF from working?

Database version: Oracle 11gR2 We want to use DYNAMIC_REGISTRATION_LISTENER parameter with off option. Our listener.ora file like this: LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) ) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1) (SID_NAME = oracle) ) ) ADR_BASE_LISTENER = /u01/app/oracle DYNAMIC_REGISTRATION_LISTENER = OFF But when we use this parameter, our web service request cannot connect to the database. SQL> SELECT dbms_xdb.gethttpport FROM dual; GETHTTPPORT ----------- 3010 **Without this parameter:** Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production Start Date 07-FEB-2021 03:21:59 Uptime 0 days 0 hr. 2 min. 51 sec Trace Level off Security ON: Local OS Authentication SNMP OFF Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora Listener Log File /u01/app/oracle/diag/tnslsnr/localhost/listener/alert/log.xml Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=3010))(Presentation=HTTP)(Session=RAW)) **With this parameter:** Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521))) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Linux: Version 11.2.0.4.0 - Production Start Date 07-FEB-2021 03:21:59 Uptime 0 days 0 hr. 2 min. 51 sec Trace Level off Security ON: Local OS Authentication SNMP OFF Listener Parameter File /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora Listener Log File /u01/app/oracle/diag/tnslsnr/localhost/listener/alert/log.xml Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521))) We need to use this parameter. Web services also need to be connected. How is that possible? I could not find any clear solution. Best regards,

I am using PostgreSQL in my Web API project. I have created Web APIs using .net core. Now I have a situation, where I want to process the inserted or updated data and store the processed data in some other table. I was thinking to create a trigger for the table that will invoke the REST API created in .net core along with the data and in .net core, I can easily process the data and will insert it into the table I want. The API will be **OneWay web service - i.e. fire and forget.** But I was wondering, whether it is a good idea to invoke web service from the database? If it is, then how could I invoke a OneWay Web service from Postgres trigger? Another approach I found was to use LISTEN/NOTIFY. For this approach, https://shashangka.com/2020/05/17/listen-postgresql-in-asp-net-core/ article seems fine. I was wondering, which of the approach will be better for my use case and why?

> Don't naturalize surrogate keys. As soon as you display the value of a surrogate key to your end users, or worse yet allow them to work with the value (perhaps to search), you have effectively given the key business meaning. This in effect naturalizes the key and thereby negates some of the advantages of surrogate keys. > > http://www.agiledata.org/essays/keys.html > Don’t “naturalize” surrogate keys. As soon as you display the value of a surrogate key to your end users, or worse yet allow users to work with the value (perhaps via search), you have effectively given the key business meaning. The exposed key in our database could then be considered a natural key in someone else’s. > > https://begriffs.com/posts/2018-01-01-sql-keys-in-depth.html And yet, every web framework/ORM I am familiar with (e.g. Ruby on Rails) exposes the surrogate key in the URL which is natural key that users share, send, save, bookmark, etc. In light this of this recommendation, what are the best practices for handling web URLs?

I need to retrieve a data set daily from a hosted Web service. I can retrieve the XML "column names" in an SSIS package. But I need to retrieve all the data in the data set in csv format or bring directly into SQL Server. (Rows and columns, header data and dataset). Is this feasible on SSIS? Or is there a better approach? Any input or advice is greatly appreciated.

I have done some light research into this topic and I would like to know what are all the pro's and con's or enabling/registering this particular .dll within SQL Server? Back information - we are integrating with a third party application (not my decision, unfortunately) which requires this .dll for some of it others .dlls. What I need the CLR Function for is to be able to write SQL Queries in SSMS and have that data sent to the third party application's API which then would in turn do the correct data load/changes (inserts and deletes to/from this application has to be done via its API). *EDIT - maybe I shouldve included this detail* When trying to register my c# class I obviously got the error "system.web not registered blah blah blah" which has then in turn prompted my research on this topic. *end edit* So, my conundrum is that to be able to register my C# class/.dll, I have to register all the dependent .dll's, however based on my research I know that this particular one can be quite problematic. So seeing in how I am not terribly familiar with the pitfalls outside of my google research, I was wondering if one of you fine people could help me understand how to make the best decision in regards to this. Also, what else can I add to this post so that being able to give insight is easier? I wasnt too sure the C# code was relevant? I understand this might be a bit broad, but I was hoping that its specific enough to not get flagged? To be more specific to whats occurring here (per Solomon's request) 1. The 3rd party app uses an "API" (used loosely because I am told it is not a great API) to send data back and forth. You'll notice it calls an Importer function which only takes a data table or an excel file which it converts. I have no other option as the the company told me that inserts and deletes via normal XML is terribly slow and has unexpected behavior. 2. The .DLL that references System.Web is referenced within my C# class, which is required to be able to send it data in the first place. 3. In regards to: *Why would you not be able to use the methods I mentioned? They already exist in SQL Server's CLR host. This is for a web service, right* I am not sure I know enough about API's in general to answer this. I very would could and just lack the knowledge and experience to do so. It also might be due to the fact I have limitations on how I can interact with this particular API and I am not sure how those limitations apply to these methods. (I will investigate further and see if I can answer this question myself). Though the more I think about it, I could create a "middle man" class which SQL Server can call, which then would call another class, which would have all the correct references and that might get me past my current situation. I still, however, I am interested in the specific feedback so that I can learn from this. here is my c# class: using Perfion.Api; -- this .DLL references System.Web. using Perfion.Api.Import; using System; using System.Data; using System.Data.SqlClient; using System.IO; using System.Linq; using System.Text; using System.Text.RegularExpressions; using System.Threading.Tasks; namespace PerfInsert { public static class PerfionInsert { public static bool CreateCommand(string tblString, string featureName, string connectionString, string perfionConnectionString, string logFile) { StringBuilder logInfo = new StringBuilder(); try { var wList = new Regex(@"[^0-9a-z\.\[\]_]#", RegexOptions.IgnoreCase); if (wList.IsMatch(tblString)) { logInfo.AppendLine($"{DateTime.UtcNow} - Regex Validation Failed for Table Name!"); return false; } using (SqlConnection connection = new SqlConnection(connectionString)) { var qryString = "SELECT * FROM " + tblString; using (SqlCommand command = new SqlCommand(qryString, connection)) { connection.Open(); using (var dataReader = command.ExecuteReader()) using (var dataTable = new DataTable()) { dataTable.Load(dataReader); PerfionApi api = new PerfionApi(perfionConnectionString); Importer importer = new Importer(api.Connection); importer.Status += (sender, e) => { logInfo.AppendLine($"{DateTime.UtcNow} - {e.Title}"); }; importer.LoadData(dataTable); importer.ImportToDatabase(featureName); } } } return true; } catch (Exception ex) { logInfo.AppendLine($"{DateTime.UtcNow} - {ex.ToString()}"); } finally { File.AppendAllText(logFile, logInfo.ToString()); } return false; } } }

We have a web page on internet that calls a web service located on our intranet. The web service talks to Database A to get some data. Database A has a DBLink to Database B. This link is used to select data from Database B, but it is not used by the service anyway. However, my boss requested that I remove DBLink and use an alternative because DBLink might be vulnerable. What do you think of that? And what should I do to avoid that vulnerability?

I have a Web forms asp.net site running with a database on a VM (VM1). I also have a MVC 5 Web app that has its own membership database on another VM (VM2). I want to retrieve customer information from VM1 to create a login on VM2. My thoughts were I could create a backup database(or mirror) for VM1 to run member queries on that to retrieve information. Is this plausible? What methods would you recommend? One method that I think I am able to obtain, would be creating a webservice on VM1, but it just seems the VM2 would be constantly using this webservice and I really want to obtain the best performance possible. Any help is much appreciated.

I am new at SQL Server web Service and not too knowledgeable in setting up a secure web environment... From what I've read until now regarding SQL Web Service, I would need to: 1. create a stored procedure, 2. create an endpoint 3. create a web service 4. call the stored procedure from the web... Sounds easy enough although for Steps 3 and 4, I don't have a clue how to do for now... but my question is in the architecture before I start testing. From my understanding, the SQL web service resides on the SQL Server? If this is the case, it means that the DMZ would have direct access to our internal network? that's a nono as far as I know... In an architecture where I would want an SQL Server within a closed off network, and an application/business tier within a DMZ and web servers in another DMZ... How would I be able to get some information that is needed from the SQL Server in the closed off network while keeping it secure? hence the reason why I started investigating the possibility of using the SQL Server Web Service... In my mind, each web server in DMZ1 will have their DB in the DMZ which will contain minimal non sensitive info to run the website, but retrieving general accumulated information (such as points, sales or historic info, etc.) **that can be generated from different web sites and different sources** cannot be transferred to the Website DBs due to their size and need the data to be in real-time. I was thinking of having a DMZ2 which contains the SQL Server Web Service (as an SQL Web Service Layer) which would retrieve data from the SQL server within our network. Is it possible? Is it a good idea? If not, How would you go about it? Thank you for your help.

I'm making my final year project. Which is a website. Things I can't do: 1. Store the browsing history of users between their login and logout session on the site. Or 2. Store the search keywords. But I dont know how to do it. Is there any query or functions that I can use??? I'm using xampp server. I'm really stuck in this phase and don't know how to do it. One of my friend told me it's IMPOSSIBLE. Does anyone have a possible solution rather than just IMPOSSIBLE. Please help.

I have used SQL Server trusted connections for years. It works well when the client app is a domain user. Imagine this three server config: - dbserver - webserver - domain controller I now have a situation of a web app that can no longer run on as a domain user (long story). This is a problem because this app stores its db connection string in the registry. If I use SQL auth, the SQL password is in clear. Is it possible to ? IOW: Is it possible to add webserver\localuser to SQL server as a trusted user, or can SQL server only trust domain users?

I have written some CLR table-valued functions that invoke a web service and I would like to audit their use. Does anyone know of any way this can be achieved in the CLR code itself? I would be nice to keep the auditing code together with the CLR code rather than having to write an explicit INSERT statement every time they are used.

EXEC @hResult = sp_OAMethod @objectID, 'send', null, @requestBody IF @hResult 0 BEGIN EXEC sp_OAGetErrorInfo @objectID, @source OUT, @desc OUT SELECT hResult = convert(varbinary(4), @hResult), source = @source, description = @desc, FailPoint = 'Send failed', MedthodName = @methodName goto destroy When I Call a web service Through Sp IN SQl Server In Above Mention I'm getting error as Shown In The Pics

I need to return partial result (as simple select) from a Stored procedure before it is finished. Is it possible to do that? If yes, how to do that? If not, any workaround? EDIT: I have several parts of the procedure. In the first part I calculate several string. I use them later in the procedure to make addtional operations. The problem is that string is needed by the caller as soon as possible. So I need to calculate that string and pass it back (somehow, from a select for example) and then continue to work. The caller gets its valuable string much more quickly. **Caller** is a Web Service.