I am trying to check more than one conditions to redirect the flow on an exclusive gateway using kiefunctions JavaScript in jbpm. I am using the below syntax but I think I might be using the wrong syntax
return Kiefunctions.isTrue(customer.isValid) && customer.status == “retired” || customer.status == “employed”;
Can someone suggest me the correct syntax please
Probably KieFunctions is not written correctly (case-sensitive)
Try this and share the result:
return KieFunctions.isTrue(customer.isValid) && (KieFunctions.equalsTo(customer.status, "retired") || KieFunctions.equalsTo(customer.status, "employed"));
Related
I have a PostgreSQL RPC that aims to select filtered rows of a view.
This RPC requires some parameters (name_article, catg_article, color_article, etc).
Most of these parameters are int[]/bigint[] because I want the user to be able to request "all blue articles or all red articles, etc" but I want the user to be able to post empty parameters as well, and that the request considers he doesn't care about which color or category so it will return all possibilities.
The problem is that from what I saw after many topics on Internet, the ANY () or IN () can't be empty, which I'd like to allow it otherwise my filters system would have to manage all possibilities and I really don't want to cry.
This is what I've readen on Internet to try ( param is null or in()/any() ) but it doesn't work, not returning any article (the first where is fine, also don't pay attention to the cast thing, it's just that catg_and_type is json so I have to say id_catgarticle from this json is a bigint so it works fine) :
SELECT *
FROM dev.get_all_articles
WHERE get_all_articles.lib_article ILIKE '%' || $1 || '%'
AND ($2 is null or CAST(get_all_articles.catg_et_type->>'id_catgarticle' AS BIGINT) = any ($2));
Do you have any idea how I could allow empty arrays that will be processed with IN/ANY commands ?
Thanks a lot.
Problem solved, as mentionned into my answer to #LaurenceIsla's answer to the topic.
When having to send an array parameter into a PostgREST API endpoint, the syntax is like this : /rpc/endpoint?param={1,2,3}. So in order to make the request understand an empty param in URL (endpoint?param={}), I had to say, in the WHERE clause this : OR $2 = '{}'. That's all. Kind of tricky syntax when you don't know it.
In my Golang (1.15) application I use sqlx package to work with the PostgreSQL database (PostgreSQL 12.5).
When I try to execute SQL statement with arguments PostgreSQL database it raises an error:
ERROR: could not determine data type of parameter $1 (SQLSTATE 42P18):
PgError null
According to the official documentation, this error means that an INDETERMINATE DATATYPE was passed.
The organizationId has value. It's not null/nil or empty. Also, its data type is a simple built-in data type *string.
Code snippet with Query method:
rows, err := cr.db.Query(`
select
channels.channel_id::text,
channels.channel_name::text
from
channels
left join organizations on
channels.organization_id = organizations.organization_id
where
organizations.tree_organization_id like concat( '%', '\', $1, '%' );`, *organizationId)
if err != nil {
fmt.Println(err)
}
I also tried to use NamedQuery but it also raise error:
ERROR: syntax error at or near ":" (SQLSTATE 42601): PgError null
Code snippet with NamedQuery method:
args := map[string]interface{}{"organization_id": *organizationId}
rows, err := cr.db.NamedQuery(`
select
channels.channel_id::text,
channels.channel_name::text
from
channels
left join organizations on
channels.organization_id = organizations.organization_id
where
organizations.tree_organization_id like concat( '%', '\', :organization_id, '%' );`, args)
if err != nil {
fmt.Println(err)
}
In all likelihood, the arguments is not passed correctly to my request. Can someone explain how to fix this strange behavior?
P.S. I must say right away that I do not want to form an sql query through concatenation, or through the fmt.Sprintf method. It's not safe.
Well, I found the solution of this problem.
I found the discussion in github repository of the sqlx package.
In the first option, we can make concatenation of our search string outside of the query. This should still be safe from injection attacks.
The second choice to try this: concat( '%', '\', $1::text, '%' ). As Bjarni Ragnarsson said in the comment, PostgreSQL cannot deduce the type of $1.
i'm facing issue in xpath-I need do a check two attribute values, if the condition satisfies need to do hard code my own value. Below is my xml.
I need to check the condition like inside subroot- if ItemType=Table1 and ItemCondition=Chair1 then i have to give a hard coded value 'Proceed'( this hard coded value i will map to target side of datamapper).
<Root>
<SubRoot>
<ItemType>Table1</ItemType>
<ItemCondition>Chair1</ItemCondition>
<ItemValue>
.......
</ItemValue>
</SubRoot>
<SubRoot>
<ItemType>Table2</ItemType>
<ItemCondition>chair2</ItemCondition>
<ItemValue>
.......
</ItemValue>
</SubRoot>
....Will have multiple subroot
</Root>
I have tried to define rules as below, but it is throwing error
Type: String
Context:/Root
Xpath: substring("Proceed", 1 div boolean(/SubRoot[ItemType="Table1" and ItemCondition="Chair1"]))
But it is throwing error like
net.sf.saxon.trans.XPathException: Arithmetic operator is not defined for arguments of types (xs:integer, xs:boolean)
Is there any other shortcut way to perform this.Could you please help me, i have given lot more effort. Not able to resolve it. Thanks in advance.
I am not sure where you are applying this but the XPath expression you are looking for is:
fn:contains(/Root/SubRoot[2]/ItemCondition, "chair") and fn:contains(/Root/SubRoot[2]/ItemType, "Table")
So here is an example returning "Proceed" or "Stop" as appropriate:
if (fn:contains(/Root/SubRoot[1]/ItemCondition, "Chair") and fn:contains(/Root/SubRoot[2]/ItemType, "Table")) then 'Proceed' else 'Stop'
To implement the above condition , i was initially tired to do in xpath, gave me lot of error. I have implemented by simple if else condition in script part of data mapper
if ( (input.ItemType == 'Table') and (input.ItemCondition == 'chair')) {
output.Item = 'Proceed'}
else {
output.Item = 'Stop '};
Make sure about your precedence. Example, Here in the xml structure( or converted POJO) ItemType has to be checked first then followed with ItemCondition.
&& not seems to be working for me, change to 'and' operator
If you were first time trying to implement the logic. It may help you.
I have this site with the following parameters:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc
I use the values of each of the parameters as a value in a SQL query.
I am trying to test my application and ultimately hack my own application for learning purposes.
I'm trying to inject this statement:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc' or 1=1 --
But It fails, and MySQL says this:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource,
boolean given in /home/dir/public_html/pagination.php on line 132
Is my application completely free from SQL injection, or is it still possible?
EDIT: Is it possible for me to find a valid sql injection statement to input into one of the parameters of the URL?
The application secured from sql injection never produces invalid queries.
So obviously you still have some issues.
Well-written application for any input produces valid and expected output.
That's completely vulnerable, and the fact that you can cause a syntax error proves it.
There is no function to escape column names or order by directions. Those functions do not exist because it is bad style to expose the DB logic directly in the URL, because it makes the URLs dependent on changes to your database logic.
I'd suggest something like an array mapping the "order" parameter values to column names:
$order_cols = array(
'time' => 'comment_time',
'popular' => 'comment_score',
... and so on ...
);
if (!isset($order_cols[$_GET['order'])) {
$_GET['order'] = 'time';
}
$order = $order_cols[$_GET['order']];
Restrict "sc" manually:
if ($_GET['sc'] == 'asc' || $_GET['sc'] == 'desc') {
$order .= ' ' . $_GET['sc'];
} else {
$order .= ' desc';
}
Then you're guaranteed safe to append that to the query, and the URL is not tied to the DB implementation.
I'm not 100% certain, but I'd say it still seems vulnerable to me -- the fact that it's accepting the single-quote (') as a delimiter and then generating an error off the subsequent injected code says to me that it's passing things it shouldn't on to MySQL.
Any data that could possibly be taken from somewhere other than your application itself should go through mysql_real_escape_string() first. This way the whole ' or 1=1 part gets passed as a value to MySQL... unless you're passing "sc" straight through for the sort order, such as
$sql = "SELECT * FROM foo WHERE page='{$_REQUEST['page']}' ORDER BY data {$_REQUEST['sc']}";
... which you also shouldn't be doing. Try something along these lines:
$page = mysql_real_escape_string($_REQUEST['page']);
if ($_REQUEST['sc'] == "desc")
$sortorder = "DESC";
else
$sortorder = "ASC";
$sql = "SELECT * FROM foo WHERE page='{$page}' ORDER BY data {$sortorder}";
I still couldn't say it's TOTALLY injection-proof, but it's definitely more robust.
I am assuming that your generated query does something like
select <some number of fields>
from <some table>
where sc=desc
order by comment_time
Now, if I were to attack the order by statement instead of the WHERE, I might be able to get some results... Imagine I added the following
comment_time; select top 5 * from sysobjects
the query being returned to your front end would be the top 5 rows from sysobjects, rather than the query you try to generated (depending a lot on the front end)...
It really depends on how PHP validates those arguments. If MySQL is giving you a warning, it means that a hacker already passes through your first line of defence, which is your PHP script.
Use if(!preg_match('/^regex_pattern$/', $your_input)) to filter all your inputs before passing them to MySQL.
I am using Lucene with Alfresco. Here is my query:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111 && (#\{com.company.customised.content.model\}skill:or))
I have to search documents which are having property skill of value "or". The above query is not giving any results (I am getting failed to parse query).
If I use the query up until testNo (ignoring skill), I am getting proper results:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111))
Can you please help me?
Thanks
Unfortunately, "or" is a reserved keyword in Lucene. Therefore, Lucene fails to properly interpret your query, because Lucene thinks you are referring to the OR boolean operator. You may want to try wrapping the or in double quotes:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111 && (#\{com.company.customised.content.model\}skill:"or"))
I am not familiar with Alfresco, so you may not be able to do this.
Yes , or is reserved keyword in lucene but if you are trying to query by property which is of type number then you can give your value directly else if of type d:text or string so that you have to gave your value in double quote " " .
( TYPE:"{com.company.customised.content.model}test" && (#{com.company.customised.content.model}testNo:111 && (#{com.company.customised.content.model}skill:"or"))