Search code examples
sql-serversql-function

How can you create a table (or other object) that always returns the value passed to its WHERE-clause, like a mirror

There is a legacy application that uses a table to translate job names to filenames. This legacy application queries it as follows:

SELECT filename FROM aJobTable WHERE jobname = 'myJobName'

But in reality those jobnames always match the filenames (e.g. 'myJobName.job' is the jobname but also the filename) That makes this table appear unnecessary. But unfortunately, we cannot change the code of this program, and the program just needs to select it from a table.

That's actually a bit annoying. Because we do need to keep this database in sync. If a jobname is not in the table, then it cannot be used. So, as our only way out, right now we have some vbscripts to synchronize this table, adding records for each possible filename. As a result, the table just 2 columns with identical values. -- We want to get rid of this.

So, we have been dreaming about some hack that queries the data with the jobname, but just always returns the jobname again, like a copy/mirror query. Then we don't actually have to populate a table at all.

"Exploits"

The following can be configured in this legacy application. My hunch is that these may open the door for some tricks/hacks.

  • use of either MS Access or SQL Server (we prefer sql server)
  • The name of the table (e.g. aJobTable)
  • The name of the filename column (e.g. filename)
  • The name of the jobname column (e.g. jobname)

Here is what I came up with:

If I create a table-valued function mirror(a) then I get pretty close to what I want. Then I could use it like

SELECT filename FROM mirror('MyJobName.job')

But that's just not good enough, it would be if I could force it to be like

SELECT filename FROM mirror WHERE param1 = 'MyJobName.job'

Unfortunately, I don't think it's possible to call functions like that.

So, I was wondering if perhaps somebody else knows how to get it working.

So my question is: "How can you create a table (or other object) that always returns the value passed to its WHERE-clause, like a mirror."

Solution

  • It's kinda hard to answer not knowing the code that the application use, but if we assume it only takes strings and concatenate them without any tests whatsoever, I would assume code like this: (translated to c#)

    var sql = "SELECT "+ field +" FROM "+ table +" WHERE "+ conditionColumn +" = '"+ searchValue +"'";

    As this is an open door for SQL injection, and given the fact that SQL Server allows you two ways of creating an alias - value as alias and alias = value, you can take advantage of that and try to generate an SQL statement like this:

    SELECT field /* FROM table WHERE conditionColumn */ = 'searchValue'

    So field should be "field /* ",
    and conditionColumn should be "conditionColumn */"

    table name doesn't matter, you could leave an empty string for it.