Chris Fulstow » sql server

Installing ASP.NET Membership, Roles and Profiles support in SQL Server

Chris Fulstow — Wed, 03 Feb 2010 23:32:19 +0000

Here are few quick tips if you’re using the ASP.NET Application Services with SQL Server, like Membership, Roles, Profiles, Personalization or Web Events. These built-in “building-block” services have SQL provider implementations in .NET that let you use a SQL Server 2000 or 2005 database as their data store. These are the framework classes that implement the SQL Server providers:

SqlMembershipProvider – managing user credentials and authentication
SqlRoleProvider – handling role-based authorisation
SqlProfileProvider – storing and retrieving information about individual users
SqlPersonalizationProvider – saving state of web parts
SqlWebEventProvider – capturing and logging web event data

ASP.NET SQL Server Registration Tool

Adding support for these providers to your database is easy, just run the ASP.NET SQL Server Registration tool from the command-line (aspnet_regsql.exe) to launch the ASP.NET SQL Server Setup Wizard. This will guide you through the process with a simple GUI:

cd C:\Windows\Microsoft.NET\Framework\v2.0.50727 aspnet_regsql.exe

By default, the wizard installs all five services : Membership, Roles, Profiles, Personalization and Web Events. However, if you need support for only some, say just Membership and Roles, then aspnet_regsql can be run from the command-line with specific options, for example:

 aspnet_regsql -S MySqlServer -E -A mr -d MyAspDatabase

This installs the Membership and Roles services (-A mr) on server MySqlServer in database MyAspDatabase using current Windows credentials for authentication. To see a full list of command-line options and switches, run the registration tool with the help flag:

 aspnet_regsql.exe /?

There’s also an option to generate just SQL scripts without executing them, and another to remove services from the database that aren’t used or needed anymore. (You can also manage SQL cache dependencies and session state using this tool.)

For more info about ASP.NET SQL providers:

SQL Server 2008 will have IntelliSense

Chris Fulstow — Fri, 30 Nov 2007 02:59:36 +0000

With so many exciting new features in Visual Studio 2008 to explore, I haven’t had much time to look at the preview releases of SQL Server 2008 (aka Katmai). The last I heard, there wouldn’t be that many new goodies for developers, mainly features for DBAs and BI analysts with a few performance optimisations thrown in.

The last upgrade, SQL Server 2000 to 2005, was a huge leap forward for developers and added significant advances like CLR integration, SQL Server Management Objects (SMO), Integration Services (SSIS) and a native XML data type; as well as T-SQL enhancements like Common Table Expressions (CTEs), structured error handling with try/catch, pivot, apply, top(n) and row_number.

I was surprised to see how much new stuff is packed into the latest SQL Server 2008 CTP release, even, finally, IntelliSense for Management Studio, which was much anticipated but conspicuously absent from SQL 2005:

Also notice the new collapsible code regions, just like you get in Visual Studio. Editing T-SQL has never been such fun! Although, you have to feel a bit sorry for RedGate, whose SQL Prompt plug-in has been filling the auto-completion gap for the last few years.

Finding orphaned stored procedures and user-defined functions in SQL Server

Chris Fulstow — Thu, 22 Nov 2007 02:49:14 +0000

I’m currently working on a group of ASP.NET 2.0 websites deployed across about thirty countries. The local flagship site runs on an upgraded version of the original code, and I’m now in the process of bringing all the other sites onto the new improved version.

Over time, new features have been introduced to the site, and old ones removed. Consequently the SQL Server database now contains many redundant tables that aren’t used. So, before cascading out the current schema to the other countries, it’s time for a clean up.

I managed to identify about 60 tables that aren’t used by the application and can safely can be dropped or archived. However, I’m now left with hundreds of stored procedures (SPs) and user-defined functions (UDFs) that were associated with these tables, which can also be removed.

The problem was how to find these orphaned objects. My first approach was a small .NET console application which uses SQL Server Management Objects (SMO). It loops through all SPs and UDFs and finds any that have no dependencies.


public List FindOrphans()
{
   Server server = new Server(".");
   Database db = server.Databases["MyDatabase"];
   List orphans = new List();

   // get list of SPs
   UrnCollection urns = new UrnCollection();
   foreach (StoredProcedure sp in db.StoredProcedures)
   {
      // exclude these objects
      if (sp.IsSystemObject) continue;
      if (sp.Name.StartsWith("aspnet_")) continue;
      urns.Add(sp.Urn);
   }

   // get dependencies
   DependencyWalker dw = new DependencyWalker(server);
   DependencyTree tree = dw.DiscoverDependencies(urns, true);

   // find all objects without any dependencies
   DependencyTreeNode node = tree.FirstChild;
   do {
      if (!node.HasChildNodes)
      {
         string name = new Urn(node.Urn).GetAttribute("Name");
         orphans.Add(name);
      }
      node = node.NextSibling;
   } while (node != null);

   return orphans;
}

This works fine, and helped satisfy my current obsession with SMO. But it’s a bit awkward, and not easily portable or modifiable, to have this pure database operation wrapped up in an executable. So I looked into doing the same thing with just a TSQL query.

-- Find all SPs and UDFs have no dependencies
select
    object_name(obj.[object_id]) as [orphaned_object_name],
    obj.type_desc as [object_type],
    'DROP ' +
    case obj.type_desc
        when 'SQL_STORED_PROCEDURE' then 'PROCEDURE'
        else 'FUNCTION'
    end
    + ' [' + object_name(obj.[object_id]) + ']'
from
    sys.objects obj
    left join (select distinct [object_id] from sys.sql_dependencies) dep
        on obj.object_id = dep.object_id
where
    type_desc in
        ('SQL_STORED_PROCEDURE','SQL_SCALAR_FUNCTION','SQL_TABLE_VALUED_FUNCTION')
    and object_name(obj.[object_id]) not like 'aspnet_%'
    and dep.object_id is null
order by
    obj.type_desc, object_name(obj.[object_id])

The query works by checking for dependencies in the catalog view sys.sql_dependencies. This, I think, is a neater solution. I also included an auto-generated column that writes the SQL drop the SP or UDF, which I copied and executed.

Now, if only I could find a quick way to check for dependencies between my application’s data access layer and the database…

Convert table to CSV string in SQL Server

Chris Fulstow — Wed, 22 Aug 2007 03:20:45 +0000

There doesn’t seem to be a native function in SQL Server to collapse a table of row values into a comma-separated string, for example:

Animal
Llama
Manatee
Pygmy Marmoset
Okapi

Result CSV: “Llama, Manatee, Pygmy Marmoset, Okapi”

In mySQL there’s a built-in aggregate function called group_concat, but no equivalent in SQL Server unless you build your own .NET function, like in this TechNet article Invoking CLR User-Defined Aggregate Functions. That’s quite a chunk of coding and is restricted to SQL Server 2005 or later, so here’s a handy SQL snippet that does a similar job without the fuss.

select Name from Animal

declare @csv varchar(max)
select @csv = coalesce(@csv + ‘, ‘, ”) + Name from Animal
select @csv

If you use the code regularly then consider creating a scalar user-defined function (UDF) that returns the CSV string as varchar.

.NET Coding Guidelines – SQL Injection

Chris Fulstow — Fri, 03 Aug 2007 00:05:13 +0000

In the first of my guidelines for deadbeat developers, I asked why you’re too lazy to comment your code. This time, I’d like to investigate why you build software that’s catastrophically insecure.

Part 2 – Protect against SQL injection in .NET

This code will look familiar because it’s the sort of sloppy mistake you make all the time.

string productId = Request.QueryString["ProductId"];
string sql = "delete Products where Id=" + productId;
SqlCommand cmd = new SqlCommand(sql);
cmd.ExecuteNonQuery();

Your feeble imagination doesn’t stretch far enough to consider what happens when a mischievous user sets productId to, say, “1 OR 1=1″. You merrily build the query, complete with unverified user input, and execute it against the database.

delete Products where Id=1 OR 1=1

Oh dear, where did all your products go?

A vigilant SQL Server DBA can thwart your stupidity at the database by restricting your access. By assigning your login to the db_denydatareader and db_denydatawriter roles, you can thankfully be prevented from running any SELECT, DELETE, INSERT or UPDATE queries whatsoever.

Since you can’t be trusted, the DBA should give you permissions to execute only the stored-procedures and UDFs you need. This is the principle of least privilege.

Parameterised stored-procedures are usually safe from SQL injection because they validate the type and size of the inputs. These inputs are evaluated as values only, and not executed as part of the SQL statement. But there is one exception. When you build SQL dynamically inside the stored-procedure.

sp_executesql ’select * from Products where Id in ‘ + @List

This line is from a real stored-procedure I saw last week, @List is a varchar parameter containing something like “(1,2,3)”. And, of course, the values for @List came from unverified user input. If you absolutely have to use dynamic SQL then at least clean the inputs and remove or escape anything that could be potentially dangerous.

Read more about SQL injection: