Say I have an InfluxDB query where the user supplies a measurement. In this case the user supplies the value "foo". Then I would construct the query:
SELECT * from "foo"
WHERE time > "2022-06-21T18:27:16.041Z"
What's the best way to prevent injection attacks here? I know InfluxDB supports bind parameters, but apparently that feature only works for the WHERE clause, so it wouldn't help me.
I was thinking of trying this:
const query = `
SELECT "value" FROM "${Influx.escape.measurement(key)}"
WHERE time > "2022-06-21T18:27:16.041Z"
`
...but based on my testing that function doesn't escape quotation marks, only spaces.
I'm using InfluxDB 1.x in Node.js via the influx npm package.
Before sending the value to the query try filtering chars like single and double quotes
Looking into docs, articles I can see that every subquery is in brackets, like:
select * from (select "value" from "measurement") <where_caluse>
So filtering for brackets beetwen "FROM" and "WHERE" should be enough.
Based on:
#1 https://www.influxdata.com/blog/tldr-influxdb-tech-tips-january-26-2017/
#2 https://docs.influxdata.com/influxdb/v1.7/query_language/data_exploration/#subqueries
Related
in snowflake it searches data with case sensitiveness while in sql server it used to search with case insensitiveness i changed database level collation with below command
ALTER DATABASE IF EXISTS powerdb SET COLLATION = 'en-ci'
but it did not help is there any other way to achive case insensitiveness
There's a number of ways really.
one of them is using ILIKE for your string comparison: https://docs.snowflake.net/manuals/sql-reference/functions/ilike.html
another one is setting up collation at column level:
https://docs.snowflake.net/manuals/sql-reference/collation.html
- but please note that not all of the string functions are supported on collated columns
also you can use COLLATION functions (also described in the link below) or set it on database level with account-level parameter of DEFAULT_DDL_COLLATION = 'en-ci'
everything depends on what you want to achieve really...
I am trying to run the following query in Snowflake:
SELECT * FROM chapters
WHERE
title NOT LIKE ANY ('Summary%', 'Appendix%')
but it errors out. I know Snowflake support LIKE ANY query syntax. But I am not sure why my query is not working.
It does seem like that syntax with NOT should work, and I'm not quite sure why it doesn't, but this works.
SELECT * FROM chapters
WHERE
NOT (title LIKE ANY ('Summary%', 'Appendix%'))
Extra parens are optional, but seems more clear to me when it's "worded" this way.
The query execution looks like this when we see the profile for the below query.
select cc_name from "SNOWFLAKE_SAMPLE_DATA"."TPCDS_SF100TCL"."CALL_CENTER"
where not(cc_name like any ('North%', 'Califor%'))
I am new to SQL stuff in blueprism, I am able to configure SQL object and execute simple queries, but I am facing trouble while trying to run multiline complex SQL queries.
when I was trying to execute the below query in blueprism, getting some error message, saying "Incorrect Syntax near Database2"
"select top 10 * from [Database1].[dbo].[Table1]
join [Database1].[dbo].[Table2] on [Database1].[dbo].[Table2].Fieldname1=[Database1].[dbo].[Table1].Fieldname2
join [Database2].[dbo].[Table1] on [Database2].[dbo].[Table1].Fieldname1=[Database1].[dbo].[Table2].Fieldname2"
Can somebody please help me, what was the wrong in the above query...
I found the answer myself, there should not be any additional white space characters in the query, entire query should be in continuous line. The beauty of blueprism is, it can execute any level of complex queries without any constraints, but need to modify the syntax accordingly. always we should mention the filename and table names in the following format - [databasename].[dbo].[tablename].[fieldname]
I am writing a shell script which involves BigQuery commands to query an existing table and save the results to a destination table.
However, since my script will be run periodically, I have a parameter for the date for which the query should run.
For example, my script looks like this:
DATE_FORMATTED=$(date +%Y%m%d)
bq query --destination_table=Desttables.abc_$DATE_FORMATTED "select hits_eventInfo_eventLabel from TABLE_DATE_RANGE([mydata.table_],TIMESTAMP($DATE_FORMATTED),TIMESTAMP($DATE_FORMATTED)) where customDimensions_index = 4"
I get the following error:
Error in query string: Error processing job 'pro-cn:bqjob_r5437894379_1': FROM clause with table wildcards matches no table
How else can I pass the variable $DATE_FORMATTED to the TABLE_DATE_RANGE function from BigQuery in order to help execute my query?
Use double quotes "" + single quote ''. For example, in your case:
TIMESTAMP("'$DATE_FORMATTED'")
OR
select "'$variable'" as dummy from your_table
You are probably missing the single quotes around the $DATE_FORMATTED value inside the TIMESTAMP functions. Without the quotes it's going to be defaulting to the EPOCH time.
Try with:
TIMESTAMP('$DATE_FORMATTED'),TIMESTAMP('$DATE_FORMATTED')
I'm using MS SQL 2008 and I have a status field that comes like this:
"REF CNF PCNF REL"
I need to get all the orders with status CNF without returning PCNF.
I could do it using spaces before and after WHERE STATUS LIKE '% CNF %', but if CNF is the first or last status it wouldn't work.
One solution that worked was:
WHERE
PATINDEX('CNF %',STATUS)=0 AND
PATINDEX('% CNF %',STATUS)=0 AND
PATINDEX('% CNF',STATUS)=0
But that is just horrible.
Thanks,
As said by Marc B., you should normalize your table to avoid storing more than one value in a single field.
If you don't have the credentials to do that, or if you want to keep your model as it is, you can try to add spaces before and after your string:
WHERE ' '+STATUS+' ' LIKE '% CNF %'
This way you don't have to worry about CNF being first or last item in your list.
I don't know if it's the most elegant/effective solution, but it works.
Why not simply
WHERE STATUS LIKE '% CNF%' OR STATUS LIKE 'CNF%'
?
The wildcard % matches any character(s), also none.
Using SQL 2008's own internal functions, the best I can think of is getting it down to just two conditions like:
where STATUS like 'CNF%' or STATUS like '%[^P]CNF%'
But if you were willing to install a .Net add-on, you could use regular expressions like so:
where 1 = dbo.RegExpLike(STATUS, '(CNF| CNF)')