MATCH (n:#{name})-[r]->(m:#{name}) RETURN n.name as sn,r.name as rn,m.name as tn
It seems like #{} is not working here, I use ${} instead and it worked
print error sql
MATCH (n:$1)-[r]->(m:$2) RETURN n.name as sn,r.name as rn,m.name as tn
parameter is right, so how to use #{} in cypher?
neo4j jdbc version 4.0.5
mybatis version 3.5.9
Related
I need make a query for a postgresdb without identify accents (á, í,ö, etc).
I'm already use Knex.js as query builder, and postgresql have a unaccent extension that works fine in sql querys directly to db, but in my code i use knex and unaccent function throws error in querys.
Can anyone help me, ¿is possible make querys with knex.js that use unaccent function of postgresql?
My solution is to process the string before submitting the query using the following code:
const normalize = (str) => str.normalize('NFD').replace(/[\u0300-\u036f]/g, '');
console.log(normalize('Ấ Á Ắ Ạ Ê')) -> 'A A A A A'.
Or if you use postgresql version 13 or later it already supports that functionality.
select normalize('hồ, phố, ầ', NFC) → 'ho, pho, a' -- NFC (the default), NFD, NFKC, or NFKD.
Document: https://www.postgresql.org/docs/13/functions-string.html
I have recently installed SphinxSearch 3.1.1 on Ubuntu 18 and am currently creating a snippet of code using PHP 7.2. I am having trouble making bindParam work.
Here is my code:
$mytest = "hello";
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH('\"#title :mytest \"/1')");
$query->bindParam(':mytest', $mytest, PDO::PARAM_STR);
$query->execute();
When I try to execute it, result is empty.
However, when I try to directly put $mytest inside the statement, I get the expected result
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH('\"#title". $mytest ."\"/1')");
Does this mean, sphinx does not support bindParam within the MATCH() function? Or am I missing something else here.
Note from http://php.net/manual/en/pdo.prepare.php
Parameter markers can represent a complete data literal only. Neither part of literal, nor keyword, nor identifier, nor whatever arbitrary query part can be bound using parameters.
ie you trying to bind inside a string literal. In the practical sense PHP (or the mysql server) wll add the ' around the value to make the statement.
... In effect would end up with sphinxql query of:
SELECT *, weight() FROM test WHERE MATCH('"#title 'hellow' "/1')
which is clearly wrong!
Instead bind the whole string literal.
$query = $conn->prepare("SELECT *, weight() FROM test WHERE MATCH(:mytest)");
$query->bindParam(':mytest', '"#title '.$mytest.'"/1', PDO::PARAM_STR);
Although that looks like an invalid Sphinx 'extended syntax' query, The #field qualifer, should be outside the quorum,
$query->bindParam(':mytest', '#title "'.$mytest.'"/1', PDO::PARAM_STR);
I'm using squeel gem in my project, and I have code something like this :
def self.search(query)
return self.scoped if query.blank?
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
end
My questions is this code vulnerable to SQL injection? And how do I fix it? I tried to do sanitize(query) but it just adds extra set of quotes and the SQL statement doesn't get generated appropriately
UPDATED:
Squeel will automatically escape strings, so your query is fine and won't open you up to injection. See question about sql injection - Squeel - Github
OLD (INCORRECT) ANSWER:
This is the active record version
Someone correct me if i'm wrong, but since you are passing in #{query} as a STRING and not an argument, then you are opening yourself up to injection. See the docs for passing in arguments
Using arguments will escape the 'query' STRING
Your query using arguments:
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%"+?+"%"], query)}
I recently updated my Hibernate Search to 5.0.0.Alpha4, which uses Lucene 4.8.1.
I still use the same codes to create my search query as before (I used Lucene 3.3 before updating, it was a really old version:)). But I noticed a problem, that the new version just ignores my operator and uses the default operator all the time, however the codes worked fine in the older version:
For Example: Now I set "AND" as default Operator. I just typed "java or php" in the search field. And I made a breakpoint at the line of queryParser.parse(searchString). It tells me that my searchString is now "java or php", which is correct. But the created searchQuery after queryParser.parse() is:
+(title:java) +(title:php)
Which means that Lucene deals my searchString as "AND" LOGIC!
I don't know if it is a bug of newer Lucene or just i did something wrong.
Here are the codes:
StandardAnalyzer analyzer = new StandardAnalyzer(
Version.LUCENE_47);
MultiFieldQueryParser queryParser = new MultiFieldQueryParser(
Version.LUCENE_47,
mySearchFields,
analyzer);
queryParser.setAllowLeadingWildcard(true);
queryParser.setDefaultOperator(myDefaultOperator);
queryParser.setAutoGeneratePhraseQueries(true);
Query searchQuery = queryParser.parse(searchString);
FullTextQuery jpaQuery = getFullTextEntityManager()
.createFullTextQuery(searchQuery, entities);
jpaQuery.setMaxResults(ORACLE_MAXIMUM_ELEMENTS_IN_EXPRESSION);
Boolean Operators must be in CAPS. That is: java OR php is correct, java or php is not.
To explain exactly what is going on, without or being in caps, it's treated as another term. With AND being the default operator, this makes it:
java AND or AND php
or, something like
+(title:java) +(title:or) +(title:php)
However, or is a standard stop word, and so it will be eliminated during analysis of the query, and you are left with simply:
+(title:java) +(title:php)
I'm working on a PHP MSSQL project that is using the sqlsrv driver.
What's the best way to stop SQL injection attacks? I need something like mysql_real_escape_string() but for sqlsrv driver.
If you use it like this, quoting is automatic:
$sql = "exec usp_cis_upd
#key = ?,
#value = ?";
$params = array(
$key,
trim($_POST["value"]));
$stmt = sqlsrv_query($dbh, $sql, $params);
The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string(), which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string()) when you execute the statement or open the cursor or whatever.
Failing that, look at the output of mysql_real_escape_string(); it might be appropriate for MS SQL Server too. It depends on how it does the escaping (and what escaping it does).