SQLSyntaxErrorException Using LTRIM to trim character 'x' in query - sql

I using TRIM function to trim some characters in query, I using hibernate following is my query.
from ABean s where s.cId in (select ca.id from CBean ca where LTRIM(ca.refNumber,'0') = LTRIM('$ref$','0') and ca.valid = 0)
$ref$ is replace with actual value in query.
I am seeing a different behaviour when I am running with DB2 and When I am running with Mockito test (Using In memory DB).
With DB2 this query is working fine but with Mockito in memory db I am getting java.sql.SQLSyntaxErrorException, Error is something like this.
Syntax error: Encountered "," at line 1, column {column_number_in_actual_query}.
I am not able to make it working with in memory db, Is there anything wrong I am doing?
Thanks.

in IBM DB2, in the SYSIMB schema, LTRIM takes a second argument of characters being trimmed like you have (see here). However, in the SYSFUN schema (and in most other SQL implementations) it only takes one argument and assumes you are trimming whitespace (see here).
Based on the error it looks like the interpreter wasn't expecting a comma, so it's probably trying to use the more standard version of the function and failing when it sees the second argument.
based on the documentation for function references you should be able to replace LTRIM with SYSIBM.LTRIM

Related

AS400 - Token "!" not valid

I'm running a SQL query using RUNSQL into a CL program. This query is a basic SELECT statement and uses the exclamation mark to concatenate strings.
For years until yesterday, it worked fine. Now, out of nowhere, I've got a SQL0104 message displaying Token '!' not valid every time I run the program.
If I run the query manually using STRSQL, it works.
Did this occur to someone ?
Best regards.
DB2's operator for string concatenation is actually the double pipe ||.
The documentation says:
Use the concatenation operator (||) to join two values of an expression into a single string. In some non-English, single-byte character sets, the || can display as !! (exclamation marks) or other special characters.
So your issue may be caused by a change in the character set of your client. Just use the standard operator, and your code will work regardless.

regexp_like that mirrors contains near

I'm trying to speed up a query that uses Contains Near with one that uses regexp_like. The initial Contains Near query takes about 45 minutes to run. Clob Column holds large "documents" and is domain indexed.
Initial query:
SELECT column1
FROM TEST
WHERE CONTAINS(column1,'{NEAR(quick,fox, lazy), 3, FALSE}')>0;
Proposed query:
SELECT column1
FROM TEST
WHERE REGEXP_LIKE(column1, '(\b(quick|fox|lazy)(?:\W+\w+){1,6}?\W(quick|fox|lazy)(?:\W+\w+){1,}?\W(quick|fox|lazy)\b)','i')
I got the original regexp syntax from here:
https://www.regular-expressions.info/near.html.
Problem:
I get the regexp code to work in html https://www.regextester.com, but when I put it in Oracle it doesn't find anything. What is wrong with my syntax? I can't figure it out. Does Oracle handle REGEXP differently?
Alex, you were exactly right. I don't see how to select your answer as correct though.
My problem was apparently that I was using regexp parameters that Oracle doesn't recognize. So, whereas it worked on https://www.regextester.com, it failed to work in Oracle because most of what I used isn't recognized as usable with regexp in Oracle. I really think Oracle should expand their regexp codes it recognized. This was really frustrating.

Adding a quote character in a Delphi String

I am writing a SQL program in Delphi 7 and came across a problem.
If you add an SQL command you have to use ' to indicate it is a Variable or String, but I want to build up my SQL statement because it is coming from different If statements and thus have to build it up. Therefore, I wanted to know if anyone knows a trick to add a ' into a string.
Don't make the same mistake like many before you and lookup parametrized queries or else you will be open for SQL injection attacks. If you need to include string constants in your query then use 2 single quotes ('') or the QuotedStr() function from the SysUtils unit.
Try two quotes to represent one i.e. ''

what is the difference between SUBSTRING and SUBSTR functions (SQL)?

before I used :
entityManagerFactory.createQuery("select p FROM Pays p where SUBSTRING(p.libeleClient, 0,1)
but when I use this query :
entityManagerFactory.createQuery("select p FROM Pays p where SUBSTR(p.libeleClient, 0,1)
I get an exception :(
who to remplace SUBSTRING by SUBSTR ?
SUBSTR is the function from Oracle
SUBSTRING is the function from MySql
depends on DB which u r using
EDIT:
try to edit your java code like below
String query = "select p FROM Pays p where SUBSTRING(p.libeleClient, 0,1)";
// from Connection Object (connection)
DatabaseMetaData meta = connection.getMetaData();
//If the DB is Oracle
if(meta.getDatabaseProductName()).contains("Oracle")) {
entityManagerFactory.createQuery(query.replace("SUBSTRING", "SUBSTR"));
}// If the DB not Oracle , any Other like MySql
else {
entityManagerFactory.createQuery(query);
}
substring is the sql operation defined in the sql standard ISE:IEC 9075:1992.
substr is an old syntax used by oracle. This wrong syntax is completely inconsistent with sql usage of real english words, never abbreviations.
Oracle still does not support the standard syntax.
Did anyone wrote a hack in oracle to support the standard syntax ?
You don't say what exception you get, but I 'm guessing it's a syntax error. The correct syntax for Oracle's SUBSTR() is ...
where SUBSTR(p.libeleClient, 0,1) = 'X'
...(or whatever). That is the first occurence of a single character must equal; some specified value. SUBSTR() is not a boolean function.
Whereas SUBSTRING() is not an oracle function at all. Either you've borrowed the syntax from some other database, or you're using a bespoke function without realising it.
"I tried your suggestion but it does not work"
Do you get an error? Or do you mean it doesn't return any records? Because I have given a perfectly valid usage, as defined in the documentation. But you haven't given any examples of your data, so it's almost impossible for me to provide a solution which will return rows from your database.

Can you explain this SQL injection?

The website i worked was recently attempted to be hacked by the following SQL injection script
boys' and 3=8 union
select 1,
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9
from `information_schema`.`tables`
where table_schema=0x62646B3032 limit 44,1 -- And '8'='8
This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?
Anyone can explain this?
Penuel
They're using a select from the Information Schema views in mysql server :
http://dev.mysql.com/doc/refman/5.0/en/information-schema.html
They use some clever hacks to rout out simple sql injection prevention techniques.
According to this the MySQL concat()
Returns the string that results from
concatenating the arguments. May have
one or more arguments. If all
arguments are nonbinary strings, the
result is a nonbinary string. If the
arguments include any binary strings,
the result is a binary string. A
numeric argument is converted to its
equivalent binary string form
So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.
Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.
The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.
This injection returned the mysql table name.
Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.