I try to start work with pgAdmin 4, and when I use a query like this:
select *
from users
I get normal results like this:
and when I use a query like this:
select *
from users
where login='admin'
I get nothing.
I've tried to use 'like' and no changes.
I've tried to use 'admin' w/o quotes and no changes.
What's my problem here?
I am going to run a very simple query using python script. To make sure my script is working I am going to create a very simple .sql file with a simple query which does not depend on any other table.
something like: select currentDate
or something similar
You don't need a from clause in BigQuery. So something like this:
select 1 as x
or:
select current_date as curdate
I would suggest that you give the column a name so you can verify that you can access the column in your code.
I got an assignment to perform SQL injection on a fake website that was built for that purpose.
I wanted to know how to inject an SQL query into a URL.
For example, http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id
I have this URL, and I want to inject a UNION query into it. How do I do that?
Thanks.
Let's assume that your web query will be translated to
SELECT * FROM users WHERE username = 'my_id';
Now, the trick is to replace 'my_id' by the malicious code. I assume that the purpose of the UNION query is to return all the users instead of just one. The result should be:
SELECT * FROM users WHERE username = 'my_id' UNION SELECT * FROM users; -- ';
Maybe the original query has a field list instead of *. Then you will have to duplicate this list in the second query.
Now instead of my_id, you must enter
my_id' UNION SELECT * FROM users; --
Note that we terminate our entry with a -- introducing a comment. The query mechanism will terminate the query by appending a final single quote (and maybe a semicolon). Now they will be turned into a comment.
The next question is, how do we escape this correctly for the URL. Using the online tool Code Beautify, HTML Escape/Unescape, we get:
my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
This gives the full URL:
http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
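Added example (not part of the original answer): the query string from the URL above is decoded the way a web framework would decode it, then run against an in-memory SQLite database, once through string concatenation and once through a bound parameter. The table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Query string exactly as it appears in the answer's final URL.
QUERY_STRING = "username=my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--"


def make_db():
    """Build a throwaway database; schema and rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, nickname TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("my_id", "me"), ("alice", "al"), ("bob", "bobby")],
    )
    return db


def decode_username(query_string):
    """Percent-decode the parameter, as the server does before using it."""
    return parse_qs(query_string)["username"][0]


def lookup_concatenated(db, username):
    """Vulnerable form: the value is pasted into the SQL text, so the quote
    in it closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    value = decode_username(QUERY_STRING)
    print("decoded value :", value)
    print("concatenated  :", lookup_concatenated(db, value))
    print("parameterized :", lookup_parameterized(db, value))
```

With concatenation the decoded value returns every row in the table; with the bound parameter it is compared as a literal username and matches nothing.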
I tried several "Like" syntaxes on one request (I'm using VB.NET and an MS-ACCESS 2010 database), and none of them could get any other result than throwing an exception. Why? I don't have any idea about that.
I did this workaround: Instead of
SELECT dbFieldDisplayName FROM dbTableName WHERE dbFieldSearchName Like 'A*'
(I also tried with 'A%' instead of 'A*')
I used:
SELECT dbFieldDisplayName
FROM dbTableName
WHERE dbFieldSearchName >='A' AND dbFieldSearchName <'AZZZ'
Does anybody know why my Like statement always triggers an exception? Any better workaround?
Thanks in advance.
If you need the rows with col values starting with A, you should use like with %
SELECT dbFieldDisplayName FROM dbTableName WHERE dbFieldSearchName Like 'A%'
(in SQL, * means all columns, not all characters)
Finally, what strange behaviour of my MS-ACCESS...
I uninstalled all my Office components (including MS-ACCESS), and installed them all again, and now the 'Like' statement works fine, with a % as a wildcard.
The request:
SELECT dbFieldDisplayName FROM dbTableName WHERE dbFieldSearchName Like 'A%'
now works fine, as it was supposed to.
I have a user table with one attribute, habits, that has values like shopping, sports etc. Now when I log in to my application I get the username from the FORM tag and this is used in JavaScript for further use. I need a query that displays all the user table contents where habits=shopping but it shouldn't display the details of the currently logged in user. The query I used for this is,
select * from user where habits='shopping' except select * from user where username='niranjan';
But this line is generating an error stating that the EXCEPT identifier is not a valid input at this point.
Please correct my error or provide alternative code for my issue.
select * from user where habits='shopping' and username!='niranjan';
No need for except here. Just add a condition to your where clause:
And username <> 'niranjan'
The problem may be that user is a reserved word for SQL Server. I would suggest that you rename the table to users to get around this problem.
In the meantime, you can use square braces for the query:
select * from [user] where habits = 'shopping'
except
select * from [user] where username = 'niranjan';
However, it is bad form to use reserved words for table and column names.
I am trying to search through a table and, if the description contains a keyword, to have the "MIMSfield" row update.
See screenshot:
Some direction would be awesome, not overly familiar with Access. Assuming this can be done with a VB module.
For example: If the description contains "Airlines" make the MIMSfield = A113
You don't need to use VBA.
In Access go to the Create tab, click the Query Design button, close the window with tables that appears, switch to SQL View, write an SQL command like the one below (use your variables) and press Run(!)
UPDATE TableName SET MIMSfield = 'WhatEver' WHERE description LIKE '*KeyWord*';
You can make the query with outer parameters like this:
UPDATE TableName SET MIMSfield = [WhatEver] WHERE description LIKE '*' + [KeyWord] + '*';
You will be prompted to provide the parameters while running the query.
First of all you have to make a table of codes for MIMSField with keywords, i.e. A113 for Airlines, A104 for car etc., then use a VBA module.