I have a SQL query which is: client.query("SELECT * FROM my_table WHERE my_varchar='userInput'").
userInput = req.body.userInput, which reads from an input box in a jade file.
No matter what I try with different '' or "" around the variables, I either get that it generates an error for every input, or every input seems correct although that input does not exist in the table.
Any help would be appreciated!
The normal answer is don't do that! Inserting raw user input is a great way to get hacked. Do you actually have an input value?
Instead:
console.log("User Input is "+ userInput); // or add debug lib and debug("User Input....
client.query("SELECT * FROM my_table WHERE my_varchar = $1", [userInput]);
Also validate your query in psql from a command prompt
I have been trying to update some columns of a database table using cx_Oracle in Python. I created a list named check_to_process which is the result of another SQL query. I am creating log_msg in the program based on success or failure and want to update the same in the table only for records in the check_to_process list. When I update the table without using the bind variable <MESSAGE = %s>, it works fine. But when I try to use a bind variable to update the columns it gives me an error:
cursor.executemany("UPDATE apps.SLCAP_CITI_PAYMENT_BATCH SET MESSAGE = %s, "
TypeError: an integer is required (got type str)
Below is the code, I am using:
import os
import cx_Oracle

connection = cx_Oracle.connect(user=os.environ['ORA_DB_USR'], password=os.environ['ORA_DB_PWD'], dsn=os.environ['ORA_DSN'])
cursor = connection.cursor()
check_to_process = ['ACHRMUS-20-OCT-2021 00:12:57', 'ACHRMUS-12-OCT-2021 16:12:01']
placeholders = ','.join(":x%d" % i for i,_ in enumerate(check_to_process))  # built here but never used below
log_msg = 'Success'
# This is the statement that raises the TypeError: %s is Python string formatting, not an
# Oracle bind placeholder, and log_msg is passed as executemany()'s third positional argument,
# which is not a bind value.
cursor.executemany("UPDATE apps.SLCAP_CITI_PAYMENT_BATCH SET MESSAGE = %s, "
                   "PAYMENT_FILE_CREATED_FLAG='N' "
                   "WHERE PAYMENT_BATCH_NAME = :1",
                   [(i,) for i in check_to_process], log_msg, arraydmlrowcounts=True)
Many thanks for suggestions and insights!
Your code has an odd mix of string substitution (the %s) and bind variable placeholders (the :1). And odd code that creates bind variable placeholders that aren't used. Passing log_msg the way you do isn't going to work, since executemany() syntax doesn't support string substitution.
You probably want to use some kind of IN list, as shown in the cx_Oracle documentation Binding Multiple Values to a SQL WHERE IN Clause. Various solutions are shown there, depending on the number of values and frequency that the statement will be re-executed.
Use only bind variables. You should be able to use execute() instead of executemany(). Effectively you would do:
cursor.execute("""UPDATE apps.SLCAP_CITI_PAYMENT_BATCH
SET MESSAGE = :1
WHERE PAYMENT_BATCH_NAME IN (something goes here - see the doc)""",
bind_values)
The bottom line is: read the documentation and review examples like batch_errors.py. If you still have problems, refine your question, correct it, and add more detail.
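The single execute() with a generated IN list that the answer points to, as an added example that is not part of the original post. It uses the standard-library sqlite3 module as a stand-in for cx_Oracle (the `:name` placeholders bound from a dict are the same style cx_Oracle accepts), with constructed rows standing in for apps.SLCAP_CITI_PAYMENT_BATCH; both the message and every batch name are bind values, so no SQL text is built from data.

```python
import sqlite3

# Constructed rows standing in for apps.SLCAP_CITI_PAYMENT_BATCH (this example's data).
BATCHES = [
    ("ACHRMUS-20-OCT-2021 00:12:57", None, "Y"),
    ("ACHRMUS-12-OCT-2021 16:12:01", None, "Y"),
    ("ACHRMUS-01-OCT-2021 09:00:00", None, "Y"),
]


def make_db():
    """In-memory SQLite table used here instead of the Oracle table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SLCAP_CITI_PAYMENT_BATCH ("
                 "PAYMENT_BATCH_NAME TEXT, MESSAGE TEXT, PAYMENT_FILE_CREATED_FLAG TEXT)")
    conn.executemany("INSERT INTO SLCAP_CITI_PAYMENT_BATCH VALUES (?, ?, ?)", BATCHES)
    return conn


def update_batches(conn, check_to_process, log_msg):
    """One execute() with a generated IN list; every value, including log_msg, is a bind.
    Only the placeholder *names* (:b0, :b1, ...) go into the SQL text, never the values.
    Oracle caps an IN list at 1000 expressions, so very long lists need the other
    approaches in the linked documentation."""
    if not check_to_process:
        return 0
    in_list = ", ".join(f":b{i}" for i in range(len(check_to_process)))
    sql = (f"UPDATE SLCAP_CITI_PAYMENT_BATCH "
           f"SET MESSAGE = :msg, PAYMENT_FILE_CREATED_FLAG = 'N' "
           f"WHERE PAYMENT_BATCH_NAME IN ({in_list})")
    binds = {"msg": log_msg}
    binds.update({f"b{i}": name for i, name in enumerate(check_to_process)})
    cur = conn.execute(sql, binds)
    conn.commit()
    return cur.rowcount


def messages(conn):
    """Current MESSAGE per batch name, for checking the result."""
    return dict(conn.execute("SELECT PAYMENT_BATCH_NAME, MESSAGE FROM SLCAP_CITI_PAYMENT_BATCH"))
```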
I am creating a basic chat application in flutter. It involves a Text Field where the user can enter any text and click on the send button.
The application works fine for any string you enter in the text box except for a string containing quotes. I get a database exception when trying to add that string to the SQL database as the quotes are not escaped.
Doing replaceAll("'", "\'").replaceAll('"', "\'") on a string works as I'm using double quotes in SQL queries, but all the double quotes are now single quotes.
Thanks for the help.
Does the database support bind parameters? If not, does the package you are using to talk to the database have a string escape function?
Those will work better than doing it manually, especially since there can be very unsafe stuff in the user input beyond quotes. If you are manually putting together a query string and sending it to the DB it will be open to SQL attacks.
For your immediate question, you are replacing with single quotes in both places. Assuming you can escape quotes by prefixing with a slash it should look like .replaceAll('"', '\\"').
Please look for a more secure way to sanitize user input.
The best and safest way to run SQL queries in Dart is to use bind parameters.
For example, if you are using sqflite you'll need to pass parameters in a List in this way, using ? as the wildcard in the query:
INSERT
int id2 = await txn.rawInsert(
'INSERT INTO Test(name, value, num) VALUES(?, ?, ?)',
['another name', 12345678, 3.1416]);
UPDATE
int count = await database.rawUpdate(
'UPDATE Test SET name = ?, value = ? WHERE name = ?',
['updated name', '9876', 'some name']);
DELETE
count = await database
.rawDelete('DELETE FROM Test WHERE name = ?', ['another name']);
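An added example, not taken from any of the posts above, that shows in one place what the first thread (the node-postgres query with userInput pasted into the SQL text) and this Flutter thread (quotes in the message text) run into, and why the bind-parameter answers fix it. It uses the standard-library sqlite3 module and a constructed table as stand-ins for the databases in the questions; the mechanism is the same with pg's $1 or sqflite's ?.

```python
import sqlite3

# Constructed sample rows standing in for my_table / the chat messages table.
ROWS = [("alice",), ("O'Brien",), ('say "hi"',)]


def make_db():
    """In-memory SQLite table with one varchar column, built here for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (my_varchar TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?)", ROWS)
    return conn


def lookup_concatenated(conn, user_input):
    """The pattern from the questions: the value is pasted into the SQL text.
    Any quote character in the input changes the statement itself, which is
    what shows up as 'every input generates an error' / a database exception."""
    sql = "SELECT my_varchar FROM my_table WHERE my_varchar='" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, user_input):
    """Bind parameter: the driver sends the value separately from the SQL text,
    so quotes (or anything else) in the input are data, never syntax."""
    sql = "SELECT my_varchar FROM my_table WHERE my_varchar = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def compare(user_input):
    """Run both versions; the concatenated version's failure is returned as text."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, user_input)
    except sqlite3.OperationalError as exc:
        concatenated = f"error: {exc}"
    bound = lookup_bound(conn, user_input)
    conn.close()
    return concatenated, bound
```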
I have a field named field, and I would like to see if it is null, but I get an error in the query. My code is this:
let
Condition= Excel.CurrentWorkbook(){[Name="test_table"]}[Content],
field= Condition{0}[fieldColumn],
query1="select * from students",
if field <> null then query1=query1 & " where id = '"& field &"',
exec= Oracle.Database("TESTING",[Query=query1])
in
exec
but I get an error in the condition. Can you identify the mistake?
I got Expression.SyntaxError: Token Identifier expected.
You need to assign the if line to a variable. Each M line needs to start with an assignment:
let
Condition= Excel.CurrentWorkbook(){[Name="test_table"]}[Content],
field= Condition{0}[fieldColumn],
query1="select * from students",
query2 = if field <> null then query1 & " some stuff" else " some other stuff",
exec= Oracle.Database("TESTING",[Query=query2])
in
exec
In query2 you can build the select statement. I simplified it, because you also have conflicts with the double quotes.
I think you're looking for:
if Not IsNull(field) then ....
Some data types you may have to check using IsEmpty() or 'field is Not Nothing' too, depending on the data type and what you are using.
To troubleshoot, it's best to try to set a breakpoint and locate where the error is happening and watch the variable to prevent against that specific value.
To meet this requirement, I would build a fresh Query using the PQ UI to select the students table/view from Oracle, and then use the UI to Filter the [id] column on any value.
Then in the advanced editor I would edit the generated FilteredRows line using code from your Condition + field steps, e.g.
FilteredRows = Table.SelectRows(TESTING_students, each [id] = Excel.CurrentWorkbook(){[Name="test_table"]}{0}[fieldColumn])
This is a minor change from a generated script, rather than trying to write the whole thing from scratch.
I got help with this code since I am learning how to use params, and I want it to be downcased before it starts searching. I have already taken care of the downcase on the address when the user submits it.
Where do I put the downcase in the params?
@ads_item_plus_today = @ads_item_plus_today.where(category_id: params[:category_id]) if params[:category_id]
@ads_item_plus_today = @ads_item_plus_today.where("address LIKE ?", "%#{params[:address]}%") if params[:address] && params[:address] != ''
You can either downcase it in-place:
if params[:address].present?
params[:address].downcase!
@ads_item_plus_today = @ads_item_plus_today.where("address LIKE ?", "%#{params[:address]}%")
end
...which will modify the value in params[:address] or you can make a copy that's downcased:
if params[:address].present?
address = params[:address].downcase
@ads_item_plus_today = @ads_item_plus_today.where("address LIKE ?", "%#{address}%")
end
...which doesn't change params[:address].
However, you don't necessarily have to do this at all, depending on your database. In many configurations LIKE comparisons in MySQL are case-insensitive (you can check with SHOW COLLATION, or set it on a per-query basis with COLLATE). In PostgreSQL you can use ILIKE instead of LIKE to make it case-insensitive.
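An added example, not from the question or the answer, of the same search written with the downcased value kept as a bound parameter. It uses the standard-library sqlite3 module and a constructed table as stand-ins for the Rails model, lower-cases the column as well (the portable equivalent of ILIKE), and adds the check a practitioner would want here: the `%` and `_` a user types are LIKE wildcards even when bound, so the example escapes them.

```python
import sqlite3

# Constructed ads rows standing in for the ads_item_plus_today relation.
ADS = [(1, "12 Main Street"), (2, "5 MAIN ST"), (3, "7 Oak_Lane"), (4, "99 Oak Road")]


def make_db():
    """In-memory SQLite table built here for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER, address TEXT)")
    conn.executemany("INSERT INTO ads VALUES (?, ?)", ADS)
    return conn


def like_pattern(user_text):
    """Escape LIKE metacharacters so '%' and '_' typed by the user match literally,
    then wrap in wildcards and lower-case, as the Rails code does with downcase.
    The backslash is declared as the escape character in the query's ESCAPE clause."""
    escaped = (user_text.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
    return "%" + escaped.lower() + "%"


def search_address(conn, user_text):
    """Case-insensitive substring search with a bound pattern; returns matching ids.
    LOWER() on the column does what ILIKE does in PostgreSQL; SQLite's LIKE is
    already case-insensitive for ASCII, so here it only keeps the query portable."""
    if not user_text:  # mirrors `if params[:address] && params[:address] != ''`
        return [row[0] for row in conn.execute("SELECT id FROM ads ORDER BY id")]
    sql = "SELECT id FROM ads WHERE LOWER(address) LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (like_pattern(user_text),))]
```

Without the escaping, a search for "oak_" would also match "99 Oak Road", because the underscore matches any single character.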
I have a big problem that I don't understand.
I have this query in T-SQL:
SET @sSQL = 'SELECT *
INTO '+@sTableValeursDefaut+'
FROM OPENQUERY(LINKSVR_LOCAL , '' SET FMTONLY OFF
EXEC [AIGP].[dbo].[rp_WEB_ValeursDefaut_Get]
'''''+'sds'+''''',
'+ISNULL(CONVERT(VARCHAR, @fkIDProjet), 'NULL+')+',
'+'123'+''')'
EXEC(@sSQL)
This works perfectly. But when I change the '123' to CONVERT(VARCHAR, @fkIDCfgFormulaire) and the 'sds' to @sNoUsager, the query doesn't work!
SET @sSQL = 'SELECT *
INTO '+@sTableValeursDefaut+'
FROM OPENQUERY(LINKSVR_LOCAL , '' SET FMTONLY OFF
EXEC [AIGP].[dbo].[rp_WEB_ValeursDefaut_Get]
'''''+@sNoUsager+''''',
'+ISNULL(CONVERT(VARCHAR, @fkIDProjet), 'NULL+')+',
'+CONVERT(VARCHAR, @fkIDCfgFormulaire)+''')'
EXEC(@sSQL)
What am I doing wrong?
Without more information it's difficult to tell. Could be anything from the datatypes of the variables to the value of the variables you are passing...
We could do with some test data please.
It may also be that you have a '+' character in your literal. I haven't tested it, but 'NULL+' should probably read 'NULL'.
Or it could be because in your CONVERT(VARCHAR, @fkIDProjet) you don't give a length to your varchar; try something like CONVERT(VARCHAR(5), @fkIDProjet) instead.