I got this exception - "no viable alternative at input '?'", i feel it is because of "+" query statement.
private static final String CQL_BEAN = "cql:bean:cassandraCluster";
String updataQuery = "UPDATE user_preference SET preference = preference + ? WHERE user_id = ? AND tenant_id = ? IF EXISTS";
.to(CQL_BEAN + "/" + cassandraProperties.getKeyspaceName() + "?cql=" + this.updataQuery + "&prepareStatements=false")
Update: it could be because you are using prepareStatement=false - it looks like that in this case it won't substitute placeholders... Although I'm not expert in this integration.
....
What do you want to achieve with this syntax? Update only records that were inserted previously?
Usually LWTs are used only in very limited number of situations as they require coordination between nodes in the cluster, and seriously degrade performance. More details on LWTs you can find in documentation.
Related
I am new to Azure services. In my project
there is a function to search text words or multiple text words. For example, if I search "best phase", the search should return data that are related "best" and "phase" in my data.
Sample example code below. Note: searchParameters is used to sort and order my data by their date
string searchText = "best phase";
string[] temp = searchText.Contains(" ") ? searchText.Split(' ') : new string[] { searchText};
var documentSearch = _indexClient.Documents.Search("\"" + searchText + "\"^2, \"|" + searchText + "|\", +" + searchText + ", +" + string.Join(", +", temp) , searchParameters);
The current implementation consumes too much time at around 15-20 sec or more. So I need to do searches faster. Any idea how to make it faster :-)
You can use Azure Search as explained here.
You can also use Full-Text Search of SQL Azure as explained here.
To decide which one to use, please read the difference between them on this article.
Hope this helps.
In SQL injection, why should you use 0 or 1=1, isn't this automatically evaluated as 1 in boolean operation? I don't understand why we should write it that way. Can someone explain?
Thanks in advance
Because it makes the condition always true.
For example, if someone's SQL code is:
string query = "SELECT * FROM Users WHERE Password = '" + somePassword + "'";
(Username clause omitted for brevity.)
Then you can enter something like this as the password:
' OR 1 = 1;--
Which would make the resulting query:
SELECT * FROM Users WHERE Password = '' OR 1 = 1;--'
The semicolon ends the statement, and -- denotes a comment so everything thereafter is ignored. So it simplifies to:
SELECT * FROM Users WHERE Password = '' OR 1 = 1
This will match all records in the table. Always. Because 1 = 1 is always true. Depending on how the application handles this response, you may be logged in. Perhaps even as the first user in the table, which is likely to be the admin user.
For SQL-injectable code, it's basically a universal password. (Provided you guess a correct username, which isn't difficult.)
Edit: I just noticed the 0 part of your question as well. This would be used when you expect the injected value to be looking for a number rather than a string. For example, consider a similar SQL statement:
string query = "SELECT * FROM Users WHERE Id = " + someID;
The leading 0 in the injected value prevents a syntax error. So the resulting query would be:
SELECT * FROM Users WHERE Id = 0 OR 1 = 1
Same concept as above. This will match all records every time.
Here is a brief explanation for this:-
select title, text from news where id=$id
In the example above the variable $id contains user-supplied data, while the remainder is the SQL static part supplied by the programmer; making the SQL statement dynamic.
Because the way it was constructed, the user can supply crafted input trying to make the original SQL statement execute further actions of the user's choice. The example below illustrates the user-supplied data β10 or 1=1β, changing the logic of the SQL statement, modifying the WHERE clause adding a condition βor 1=1β.
select title, text from news where id=10 or 1=1
so the query will still get executed
For my website, i need to do a search mechanism, in which some of the entry field would be: Country, City, Between Dates (with or without year field), Keywords, etc etc.
My problem is, the user must decide what they wanna search for. For example, if they want to introduce just date, or date and city, or city and keyword.. etc. I dont really know how to do that, i mean, i know how to search for one thing at a time, but i'm not sure how can do this all-in-one.
a) Would i need like something like this: (if-else, if-else) and than write the code for each combination, or there is an easier way to do that?
b )Bytheway, my search mechanism is done the folowing way (i'v never done a search mechanism before, so i dont know if it is the best aproach, would apreciate some comments here also and suggestions):
class book{
String a
String b
...
Date z
String allAttributesTogether() {
a + b + c + ... + z
}
}
then in my controller, i do a double for statment and cross-match the introduced words for the search and the result of allAttributesTogether().
Thanks in advanced, VA
Check out the filter pane plugin.
When you say "search", comes to my mind search engines. But I think you are asking about querying the database, right?
If you are talking about search mechanisms, search engines are a great tool. You can take a look at Lucene, Compass, and ElasticSearch (ES) to name a few. Compass and ES are based on lucene, but are much higher in the abstraction level (easier to use).
I have been using ElasticSearch with great satisfaction.
If you are talking about querying the database, then you can just build a HQL query dynamically. The method bellow should be in a Controller, as it uses the params attribute. It is not tested ok?
List allAttributesTogether() {
def query = " select book from Book book "
def queryParams = [:]
def needsAnd = false
if(params.a || params.b || params.z ){
query += " where "
}
if(params.a){
query += " book.a = :a "
queryParams['a'] = params.a
needsAnd = true
}
if(params.b){
if(needsAnd) query += " and "
query += " book.b = :b "
queryParams['b'] = params.b
needsAnd = true
}
if(params.a){
if(needsAnd) query += " and "
query += " book.z = :z "
queryParams['z'] = params.z
}
return Book.executeQuery(query, queryParams)
}
There is also the alternative of using Criteria builder. You can also use "if" to add clauses to your Criteria clauses.
I am struggling to get a subsonic select query to work, I am writing a paging method and tried the following
Select ns = new Select(maincolumns.ToArray());
ns.PageSize = 10; ** Error Here **
ns.PageIndex = 1; ** And Error Here **
ns.Where("IsLive").IsEqualTo(true);
ns.And("Title").Like("%" + SearchTerm + "%");
ns.OrderAsc("RentalExVat");
return ns.ExecuteDataSet().Tables[0];
Now it doesn't recognise ns.PageSize Or ns.PageIndex, the rest of the query works fine?? I see I need to use the new 'Query' tool to be able to use these two, but I can't figure out the Query syntax??
any syntax help appreciated
SubSonic's query syntax is 'fluent', so in your code sample, the Where clause is not be applied to your query. This snippet may work better:
Select ns = new Select(maincolumns.ToArray());
ns = ns.Where("IsLive").IsEqualTo(true)
.And("Title").Like("%" + SearchTerm + "%")
.OrderAsc("RentalExVat")
.Paged(1, 10); // paging is set here
return ns.ExecuteDataSet().Tables[0];
Also, make sure your 'SearchTerm' has been SQL escaped (or use an alternate calling pattern) or you are vulnerable to SQL injection.
I asked the following question on the subsonic forum, but only seemed to get one response, so I thought I'd post up here as well to see if anyone could shed some more light on the problem...
I wish to create the following SQL statement through SubSonic using the Select tool (or Query tool) .. it uses a custom function called "SPLIT()":
SELECT * FROM VwPropertyList
WHERE VwPropertyList.idCreatedBy = 123
AND VwPropertyList.idCounty = 45
AND 29 IN (SELECT Item FROM SPLIT(DistrictGroupList, ','))
(the last part of this SQL uses the SPLIT function)
My subsonic equivalent looks like the following...
Dim mySelect As New SubSonic.Select
mySelect.From(VwPropertyList.Schema)
mySelect.Where(VwPropertyList.Columns.IdCreatedBy).IsEqualTo(123)
mySelect.And(VwPropertyList.Columns.IdCounty).IsEqualTo(45)
mySelect.And(29).In(New SubSonic.Select("Item").From("SPLIT("
&
VwPropertyList.Columns.DistrictGroupList
& ", ',')"))
This doesn't work though due to the last part .. how can I add "AND 29 IN (SELECT Item FROM SPLIT(DistrictGroupList, ','))" into my Subsonic.Select ?
The response I got from the subsonic forum suggested I do away with Subsonic.Select and replace with hard-coded InlineQuery() statements .. like:
Dim SQL as String = "Select " &
VwPropertyList.Columns.Item SQL = SQL
& " From " &
VwPropertyList.Schema.TableName SQL =
SQL & " Where " &
VwPropertyList.Columns.IdCreatedBy & "
= #CreatedBy " SQL = SQL & " And " & VwPropertyList.Columns.IdCounty & " =
#County " SQL = SQL & " And
#DistrictGroup IN (Select Item From
SPLIT(DistrictGroupList,',')"
Items =
SubSonic.InlineQuery().ExecuteTypedList(Of
MyItem)(SQL, 123,45,29)
I would prefer to use SubSonic.Select if possible though so that I can avail of the paging functionality etc.
Any ideas?
You could do John's suggestion or you could write the SQL using our InlineQuery - which allows you to write raw SQL and pass in params:
var qry=new InlineQuery("SELECT * FROM table WHERE column=#param",value)
You could try to use the original query object (pre 2.1) like so (untested, from memory):
Query q = new Query(VwPropertyList.Schema.TableName);
q.WHERE("29 IN (SELECT Item FROM SPLIT(DistrictGroupList, ','))");
// pass q.ExecuteReader() to the Load() method of your view.
I would suggest that you use the original Query object as you are looking to get paging. Inline Query does not have any methods that allow paging.
If you absolutely wanted to use Subsonic.Select you could mesh the two ideas and run an Inline Query to get the list of values and then use a Regular Subsonic.Select and pass the retrieved values to the select case but then you would be making two trips to the db.
On a side note I prefer reading Subsonic.Select statements written using the fluent interface that it is namely
SubSonic.Select.AllColumnsFrom()
.Where(VwPropertyList.Columns.IdCreatedBy).IsEqualTo(123)
.And(VwPropertyList.Columns.IdCounty).IsEqualTo(45)
.ExecuteAsCollection();
thanks for the responses.
I ended up doing InlineQuery and just re-wrote the paging code that's normally produced by Subsonic.Select ... not the best solution but it seems to work.
It would be good if I could have done something like this though:
Dim s As New SubSonic.Select
s.From(VwPropertyList.Schema)
sWhere(VwPropertyList.Columns.IdCreatedBy).IsEqualTo(123)
sAnd(VwPropertyList.Columns.IdCounty).IsEqualTo(45)
s.And(29).In(New
InlineQuery("(SELECT Item FROM
SPLIT(DistrictGroupList, ','))"))