sp_replwritetovarbin Heap Overflow Exploit Code In The Wild, Works By Using Our Good Friend SQL Injection
For those living under a rock, there is a new SQL Server exploit in the wild.
Dennis did an excellent write-up of it already, so I’ll refer you to his entry and save myself the time of writing what has already been written.
Unlike in SQL Server 2005, when developing SSIS packages in SQL Server 2008 BIDS you must have the SSIS service installed on your workstation. In SQL Server 2005 the actual SSIS service did not have to be installed on the workstation.
It doesn’t appear that you actually need to have the service running. I have stopped the SSIS service on my workstation and I am still able to run my SQL 2008 SSIS packages; however, I would recommend setting it to manual rather than disabled, just in case BIDS needs it running for some reason.
If you try to edit an existing package without the SSIS service installed, an error message is displayed saying that the service needs to be installed.
It’s the holidays again, and that means it’s time for a code freeze. Code freezes are handy for a few reasons.
- People like to take vacations this time of year for some reason. With a code freeze in place everyone can spend the holidays with family rather than with the servers.
- With everyone taking time off, if new code has a problem, finding the people who actually wrote it may be an issue.
- It boosts staff morale to not have to worry about pushing new features into production with a skeleton staff.
- It keeps the families of the staff happy to have them home around this time of year.
While freezing code doesn’t help make the company any money, it simply makes everyone happy, and isn’t that what this time of year is really all about?
One of the most popular ways to pass multiple pieces of data in a single parameter from one stored procedure to another, or from a client application to the database, is to use XML. This can be done in SQL Server 2000 by using the NTEXT (or TEXT) datatype, and in SQL Server 2005 using the XML datatype. (In SQL Server 2008 you can use table-valued input parameters instead.)
Chris Shaw posted a new SQL Quiz where he asks: “What are the largest challenges that you have faced in your career and how did you overcome those?”
I found this question rather tough to answer (as I have when I’ve been asked similar questions during interviews), but here goes.
1: Dealing with some of the developers that I’ve had to work with in the past.
Most of the people that I’ve worked with in the past have been great. But there are a few out there (who will remain nameless, since the IT field is a pretty small group) that were just a major pain. Never open to anyone’s ideas but their own. No project is important unless it is their project. Unfortunately, at the time this was the CEO’s favorite employee, since he was the one that had gotten the company that far. It didn’t matter that a new group of people had been brought in to help get the company to the next level.
As far as dealing with the problem, we eventually went to our boss and basically told her that someone needed to bring him back down to earth. There were other good ideas that deserved consideration and as the infrastructure team we should be listened to at least once in a while since we might know what we are doing.
2: Same company, a year later having to work with (and for) people that didn’t understand half the stuff coming out of my mouth.
After butting my head against statements like “a table and a worksheet mean the same thing” I took the easy way out. I just had to; I gave notice and left. It took me several months of biting my tongue and explaining myself over and over before I had finally had enough. I ended up moving on to another company, which ended up laying me off after 6-8 weeks because they ran out of money. But all in all it was a good choice.
(I’ll put up a third answer, but only because I’m cheating and stealing Brent’s second answer.)
3: Learning when to tell people “No”.
I love telling people yes. Sure, I can add that functionality. Stay late and get that done? No problem. Eventually people start taking advantage of you and planning on being able to take advantage of you. My wife (Kris) helped a lot in helping me fix this one (I still have a hard time telling her no, but that’s something else to work on) and I thank her for that.
Here is the sample code and slide decks which I’ll be using at the .NET User Group tomorrow night.
See you tomorrow.
Well, I’ve finally broken down and started using Twitter.
I decided to go all out.
I’ve got TweetDeck for my PCs, and TinyTwitter for my BlackBerry. I tried TwitterBerry but didn’t like it very much. TinyTwitter has much more functionality. I also signed up for BrightKite to track my location.
I would have to say that one of the coolest new features of SQL Server 2008 is the ability to pass a table as a single parameter to a stored procedure.
We have been able to do this in the past by using XML to pass more than one value in and then breaking it apart, but this is just such a simpler, easier, more elegant solution.
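To show the two approaches side by side (the XML parameter from the earlier post and the SQL Server 2008 table-valued parameter described here), the following is an added example, not code from the original posts. The dbo.Orders table, dbo.IntList type and both procedure names are assumptions made for the illustration.

```sql
-- Constructed sample table so the example runs on its own.
CREATE TABLE dbo.Orders (OrderId INT PRIMARY KEY, CustomerId INT NOT NULL);
INSERT INTO dbo.Orders (OrderId, CustomerId) VALUES (3, 100), (5, 101), (7, 102);
GO

-- SQL Server 2005 style: the caller packs the ids into one XML parameter
-- and the procedure shreds it back into rows with nodes()/value().
CREATE PROCEDURE dbo.usp_GetOrders_Xml
    @OrderIds XML
AS
BEGIN
    SET NOCOUNT ON;
    SELECT o.OrderId, o.CustomerId
    FROM dbo.Orders AS o
    JOIN @OrderIds.nodes('/ids/id') AS x(n)
        ON o.OrderId = x.n.value('.', 'int');
END;
GO

-- SQL Server 2008 style: a user-defined table type becomes the parameter type.
-- Table-valued parameters must be declared READONLY inside the procedure.
CREATE TYPE dbo.IntList AS TABLE (Id INT NOT NULL PRIMARY KEY);
GO

CREATE PROCEDURE dbo.usp_GetOrders_Tvp
    @OrderIds dbo.IntList READONLY
AS
BEGIN
    SET NOCOUNT ON;
    SELECT o.OrderId, o.CustomerId
    FROM dbo.Orders AS o
    JOIN @OrderIds AS i ON o.OrderId = i.Id;
END;
GO

-- Calling the XML version: the caller has to build (and the server parse) a document.
EXEC dbo.usp_GetOrders_Xml @OrderIds = N'<ids><id>3</id><id>7</id></ids>';

-- Calling the TVP version: the caller fills a typed table variable and passes it.
-- Both calls return the rows for OrderId 3 and 7.
DECLARE @ids dbo.IntList;
INSERT INTO @ids (Id) VALUES (3), (7);
EXEC dbo.usp_GetOrders_Tvp @OrderIds = @ids;
GO
```

Because the table type carries its own column definitions and constraints, the values arrive already typed and validated instead of as text that has to be parsed on the server.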
SQL Server 2005 introduced us to Instant File Initialization. This allows SQL Server to create files of any size without sitting there for minutes or hours (depending on the size of the files).
While this is great when creating your database or extending your database files, there is a cost to doing so: before each data page is written, SQL Server writes all zeros to the page. It also has the potential to be a security issue, as any data fragments left in the disk space the file now occupies are going to be included in the backup, and could then be read if the backup were lost.