folks!
I am fairly new to programming and I am trying to write an SQL statement that references two separate tables, Organisation and User. I have been searching for answers, but I am unable to find any that work.
The intention of this statement is to update the status of the user only if the following 2 conditions are satisfied:
The user's email, password, and activation code match the database
The organisation the user is tied to is activated/approved
UPDATE User AS u
SET u.isActivated =
CASE
WHEN (
SELECT o.isApproved
FROM Organisation AS o
WHERE o.organisationId = (
SELECT u.organisationID
FROM User AS u
WHERE u.email = " + email +"))
= 'true' THEN 'true'
ELSE 'false'
WHERE u.email = " + email + "
AND u.password = " + password + "
AND u.activationCode = " + activationCode + ";
Use FROM in the UPDATE statement to connect the tables:
UPDATE User AS u
SET u.isActivated = (o.isApproved = TRUE) -- will be TRUE or FALSE
FROM
Organisation AS o
WHERE
u.organisationID = o.organisationId
AND u.email = " + email + "
AND u.password = " + password + "
AND u.activationCode = " + activationCode + ";
Off-topic, but really important: this piece of SQL smells like an opportunity for SQL injection; you're creating a string that will be executed as SQL. I really hope you have your security under control and use a secure method to put variables in your SQL.
I have a SQL query where I have to pass a string in my WHERE; my string can have a single quote in the name of the program, which breaks the string and creates an error in my request.
Yes, I would just like to skip the code, but the actual logic has been done so that we are able to modify the code, so I can't just trust that.
Here is the query in my ASP.NET MVC 5 project:
IQueryable<ListeProgrammesCol> query = db.Database.SqlQuery<ListeProgrammesCol>(
"SELECT id AS offreID, nomProgramme AS nom, codeProgramme AS code, dateAjout, dateLastUpdate, gestionEnLigne " +
"FROM tbl_offreCol " +
"WHERE FK_etablissement = " + instId +" AND offreType = 3 AND archive = 0 AND codeProgramme = '" + code + "' AND nomProgramme = '" + progNom + "' " +
"ORDER BY nomProgramme").AsQueryable();
And here is the query if you want to test it in SQL Server Management Studio:
SELECT
id AS offreID, nomProgramme AS nom, codeProgramme AS code,
dateAjout, dateLastUpdate, gestionEnLigne
FROM
tbl_offreCol
WHERE
FK_etablissement = 923000
AND offreType = 3
AND archive = 0
AND codeProgramme = '351.A0'
AND nomProgramme = 'RAC en Techniques d'éducation spécialisée'
ORDER BY
nomProgramme
This is the problem: d'éducation
//////UPDATE
I decided to use LINQ to make my request, so I no longer need to use quotes. Here is the query:
var query = (from oc in db.tbl_offreCol
where oc.FK_etablissement == instId
&& oc.offreType == 3
&& oc.archive == 0
&& oc.codeProgramme == code
&& oc.nomProgramme == progNom
select new ListeProgrammesCol
{
offreID = oc.id,
nom = oc.nomProgramme,
code = oc.codeProgramme,
dateAjout = oc.dateAjout,
dateLastUpdate = oc.dateLastUpdate,
gestionEnLigne = oc.gestionEnLigne
}).OrderBy(x => x.nom).AsQueryable();
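The two posts above share one root cause: a value from the application is pasted into the SQL text. The first answer's warning (an email/password spliced into an UPDATE) and the apostrophe problem in "d'éducation" are the same defect seen from two sides: a legitimate quote breaks the statement, and a crafted quote rewrites it. The following Python/sqlite3 script is an added example, not code from either post; the schema, the rows and the `? ` placeholder style are constructed for illustration (SQL Server and MySQL drivers use the same idea with their own placeholder syntax).

```python
import sqlite3

# Constructed in-memory schema mirroring the two posts above: an Organisation
# table, a User table tied to it, and a programme table whose name contains an
# apostrophe. None of this is the original posters' data.
SCHEMA = """
CREATE TABLE Organisation (organisationId INTEGER PRIMARY KEY, isApproved INTEGER NOT NULL);
CREATE TABLE User (
    email          TEXT PRIMARY KEY,
    password       TEXT NOT NULL,
    activationCode TEXT NOT NULL,
    organisationID INTEGER NOT NULL REFERENCES Organisation(organisationId),
    isActivated    INTEGER NOT NULL DEFAULT 0);
CREATE TABLE tbl_offreCol (id INTEGER PRIMARY KEY, nomProgramme TEXT, codeProgramme TEXT);
INSERT INTO Organisation VALUES (1, 1);
INSERT INTO User VALUES ('alice@example.org', 's3cret', 'ABC123', 1, 0);
INSERT INTO tbl_offreCol VALUES (7, 'RAC en Techniques d''éducation spécialisée', '351.A0');
"""

# Activation copied from the organisation, written as a correlated subquery so it
# runs on any SQLite version; the answer's UPDATE ... FROM form needs SQLite 3.33+.
ACTIVATE_SQL = (
    "UPDATE User SET isActivated = (SELECT o.isApproved FROM Organisation o "
    "WHERE o.organisationId = User.organisationID) "
)


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def activate_user_concat(conn, email, password, activation_code):
    """String concatenation, as in the first post: the values become SQL text."""
    sql = (ACTIVATE_SQL
           + "WHERE email = '" + email + "' AND password = '" + password + "' "
           + "AND activationCode = '" + activation_code + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount            # number of users activated


def activate_user_param(conn, email, password, activation_code):
    """Bound parameters: the driver passes the values separately from the SQL."""
    sql = ACTIVATE_SQL + "WHERE email = ? AND password = ? AND activationCode = ?"
    cur = conn.execute(sql, (email, password, activation_code))
    conn.commit()
    return cur.rowcount


def is_activated(conn, email):
    return conn.execute("SELECT isActivated FROM User WHERE email = ?", (email,)).fetchone()[0]


def find_programme_concat(conn, name):
    """The second post's pattern: an apostrophe in `name` ends the literal early."""
    sql = "SELECT id FROM tbl_offreCol WHERE nomProgramme = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_programme_param(conn, name):
    sql = "SELECT id FROM tbl_offreCol WHERE nomProgramme = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_query_fails(conn, name):
    """True when the concatenated lookup cannot even be parsed."""
    try:
        find_programme_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = connect()
    # A crafted email closes the literal and comments out the password check.
    evil_email = "alice@example.org' --"
    print("param, wrong password:", activate_user_param(conn, evil_email, "x", "x"))   # 0
    print("concat, wrong password:", activate_user_concat(conn, evil_email, "x", "x")) # 1
    print("activated after injection:", is_activated(conn, "alice@example.org"))      # 1
    name = "RAC en Techniques d'éducation spécialisée"
    print("concat with apostrophe fails:", concat_query_fails(conn, name))            # True
    print("param with apostrophe:", find_programme_param(conn, name))                 # [7]
```

Note that the "fix" of escaping apostrophes by hand would have made the second query parse but would not have helped the first: `activate_user_concat` accepts `alice@example.org' --` and activates the account without a valid password, because the `--` comments out the rest of the WHERE clause. Binding the values is what removes both problems, and it is exactly what the LINQ rewrite above does under the hood.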
I am trying to run the following query in IntelliJ:
@Query(value = "" +
"SELECT offer FROM OfferEntity offer " +
" JOIN offer.placeOwnership AS owner " +
" JOIN owner.place AS place " +
"WHERE " +
" place.id = :placeId AND " +
" offer.dayFrom = :offerDate AND " +
" offer.repeating = false")
As I do so, I get asked to provide the parameters placeId and offerDate. My problem is I have no idea about the latter.
I have no idea how I can run this query.
I also tried to run it manually inside the console like this:
SELECT offer FROM OfferEntity offer
JOIN offer.placeOwnership AS owner
JOIN owner.place AS place
WHERE
place.id = 1L AND
offer.dayFrom = java.time.LocalDate.parse("2018-10-08") AND
offer.repeating = false
but that gives me a syntax error.
I'm writing an inventory system in Unity 5.4 using SQLite and I can't figure out the syntax or find a good example anywhere. Ideas?
public void GetInventory(string _user, string _container) {
ExecuteSQL("SELECT User (Name), Modifier (ModName), Property (PropName) " +
"FROM User " +
"[INNER] JOIN Ownership " +
"[INNER] JOIN Container " +
"[INNER] JOIN Inventory " +
"[INNER] JOIN Item " +
"[INNER] JOIN Property " +
"[INNER] JOIN Modifier " +
"ON User (UserID) = Ownership (UserID) " +
"AND Ownership (ContainerID) = Container (ContainerID) " +
"AND Container (ContainerID) = Inventory (ContainerID) " +
"AND Inventory (ItemID) = Item (ItemID) " +
"AND Item (PropertyID) = Property (PropertyID) " +
"AND Item (ModifierID) = Modifier (ModifierID) " +
"WHERE User (Name) = '" + _user + "' AND Container (ContainerName) = '" + _container + "'", false);
}
I've tested the function with simpler commands and it works fine. And I've tested the function in a DB manager.
I'm not familiar with this flavor of the SQLite syntax and I can't find a good example anywhere. Can anyone point out where this is going wrong?
The error I'm getting is "No such function: User"
Your query syntax is off. This is how you should write this query:
SELECT t1.name,
t7.ModName,
t6.PropName
FROM User t1
INNER JOIN Ownership t2
ON t1.UserID = t2.UserID
INNER JOIN Container t3
ON t2.ContainerID = t3.ContainerID
INNER JOIN Inventory t4
ON t3.ContainerID = t4.ContainerID
INNER JOIN Item t5
ON t4.ItemID = t5.ItemID
INNER JOIN Property t6
ON t5.PropertyID = t6.PropertyID
INNER JOIN Modifier t7
ON t5.ModifierID = t7.ModifierID
WHERE t1.Name = '" + _user + "' AND
t3.ContainerName = '" + _container + "'"
I've never worked with SQLite in .NET, but that doesn't matter because your syntax doesn't follow anything I know. By the way, your immediate error was probably caused by this:
SELECT User (Name)
SQLite thinks you are trying to call a function named User. Other major problems included putting all the ON clauses together after the joins. The ON clause needs to appear after each join.
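The corrected join chain, run end to end against SQLite with the two user-supplied values bound as parameters rather than spliced into the string as in the original `GetInventory`. This is an added Python/sqlite3 example, not code from the question or the answer; the table layout follows the column names in the post, but the rows are constructed here. It also reproduces the "no such function: User" error so the cause is visible.

```python
import sqlite3

# Constructed schema and rows for the inventory example above; the post names
# the tables and columns but shows no data, so these rows are invented.
SCHEMA = """
CREATE TABLE User      (UserID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE Container (ContainerID INTEGER PRIMARY KEY, ContainerName TEXT NOT NULL);
CREATE TABLE Ownership (UserID INTEGER REFERENCES User(UserID),
                        ContainerID INTEGER REFERENCES Container(ContainerID));
CREATE TABLE Property  (PropertyID INTEGER PRIMARY KEY, PropName TEXT NOT NULL);
CREATE TABLE Modifier  (ModifierID INTEGER PRIMARY KEY, ModName TEXT NOT NULL);
CREATE TABLE Item      (ItemID INTEGER PRIMARY KEY,
                        PropertyID INTEGER REFERENCES Property(PropertyID),
                        ModifierID INTEGER REFERENCES Modifier(ModifierID));
CREATE TABLE Inventory (ContainerID INTEGER REFERENCES Container(ContainerID),
                        ItemID INTEGER REFERENCES Item(ItemID));
INSERT INTO User      VALUES (1, 'Ann'), (2, 'Bob');
INSERT INTO Container VALUES (10, 'Backpack'), (11, 'Crate');
INSERT INTO Ownership VALUES (1, 10), (2, 11);
INSERT INTO Property  VALUES (100, 'Sharp'), (101, 'Sturdy');
INSERT INTO Modifier  VALUES (200, 'Fire'), (201, 'Ice');
INSERT INTO Item      VALUES (1000, 100, 200), (1001, 101, 201), (1002, 100, 201);
INSERT INTO Inventory VALUES (10, 1000), (10, 1001), (11, 1002);
"""

# The join chain from the answer: one ON clause directly after each JOIN, and
# the user/container names bound with '?' instead of concatenated.
INVENTORY_SQL = """
SELECT t1.Name, t7.ModName, t6.PropName
FROM User t1
INNER JOIN Ownership t2 ON t1.UserID      = t2.UserID
INNER JOIN Container t3 ON t2.ContainerID = t3.ContainerID
INNER JOIN Inventory t4 ON t3.ContainerID = t4.ContainerID
INNER JOIN Item      t5 ON t4.ItemID      = t5.ItemID
INNER JOIN Property  t6 ON t5.PropertyID  = t6.PropertyID
INNER JOIN Modifier  t7 ON t5.ModifierID  = t7.ModifierID
WHERE t1.Name = ? AND t3.ContainerName = ?
ORDER BY t5.ItemID
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_inventory(conn, user, container):
    """Rows of (Name, ModName, PropName) for one user's one container."""
    return conn.execute(INVENTORY_SQL, (user, container)).fetchall()


def function_call_error(conn):
    """Reproduce the post's error: SQLite parses `User (Name)` as a function call."""
    try:
        conn.execute("SELECT User (Name) FROM User")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    conn = connect()
    print(get_inventory(conn, "Ann", "Backpack"))   # [('Ann', 'Fire', 'Sharp'), ('Ann', 'Ice', 'Sturdy')]
    print(get_inventory(conn, "Ann' OR '1'='1", "Backpack"))  # [] -- bound text is data, not SQL
    print(function_call_error(conn))                # no such function: User
```

Because the names are bound, a player name such as `Ann' OR '1'='1` simply matches no user; with the original string concatenation it would have dropped the ownership restriction and listed every container.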
When my query executes within my VB application I am receiving the following error:
ORA-00942: table or view does not exist
All table names in my query are spelt correctly, and do in fact exist.
If I dump the query from my VB.net app and then run the query manually in Oracle SQL Plus it executes just fine.
In both cases I am logged in with the exact same credentials and have selected the same database. For my connection within visual basic I am using OleDb.
From within my visual basic application I also ran a query to dump all tables which the user has access to using
select table_name from all_tables
And the table names which I am querying show up.
Any idea what would be causing this?
SELECT
RSS.STEP_STATUS_DATE,
RSS.VALUE_RECORDED
FROM
ITR,
REPORT R,
INSTRUCTION I,
INSTRUCTION_STEP INS,
REPORT_STEP RS,
REPORT_STEP_STATUS RSS
WHERE
ITR.ITR_NO = '1' AND
I.INSTRUCTION_ID = '12345' AND
INS.STEP_NO = '2' AND
R.INSTRUCTION_ID = I.INSTRUCTION_ID AND
RS.REPORT_ID = R.REPORT_ID AND
RS.INSTRUCTION_STEP_ID = INS.INSTRUCTION_STEP_ID AND
RSS.REPORT_STEP_ID = RS.REPORT_STEP_ID AND
RSS.MEASUREMENT_NAME = 'ESN'
My visual basic code is as follows:
strQuery = "SELECT RSS.STEP_STATUS_DATE, " +
" RSS.VALUE_RECORDED " +
"FROM ITR, " +
" REPORT R, " +
" INSTRUCTION I, " +
" INSTRUCTION_STEP INS, " +
" REPORT_STEP RS, " +
" REPORT_STEP_STATUS RSS " +
"WHERE ITR.ITR_NO = '%01' AND " +
" I.INSTRUCTION_ID = '%02' AND " +
" INS.STEP_NO = '%03' AND " +
" R.INSTRUCTION_ID = I.INSTRUCTION_ID AND " +
" RS.REPORT_ID = R.REPORT_ID AND " +
" RS.INSTRUCTION_STEP_ID = INS.INSTRUCTION_STEP_ID AND " +
" RSS.REPORT_STEP_ID = RS.REPORT_STEP_ID AND " +
" RSS.MEASUREMENT_NAME = '%04'"
I'm looking at this portion (and others like it):
RSS.MEASUREMENT_NAME = '%04'
I expect you meant to do this:
RSS.MEASUREMENT_NAME LIKE '%04'
While I'm here, almost no one uses the "A,B" join syntax any more. It's extremely outdated, and can lead to errors where join conditions are applied to the wrong tables, such that the query doesn't return any results... in other words, it might even be causing the problem you have right now.
Hi, I have the following query:
String hql = "UPDATE Raumreservierung as rr " +
"set VON = :begin " +
"where VON = :Von " +
"and Raum_ID IN (SELECT r.ID FROM Raum r " +
"inner join r.Panel as pl with pl.ID = " + clientId + "";
IQuery query = CurrentSession.CreateQuery(hql);
query.SetParameter("begin", DateTime.Now);
query.SetParameter("Von", v.Von);
int result = query.ExecuteUpdate();
The query does an update on "VON". That works fine, but the rest of the query is not working, and I did not get any error.
With the rest of the query I mean the following part of it:
"and Raum_ID IN (SELECT r.ID FROM Raum r " +
"inner join r.Panel as pl with pl.ID = " + clientId + "";
Because the update on the column "VON" should only happen when, for example, "clientId" is "AT2".
But that part is not working, because the update also happens for other clientIds.
You forgot to close your parentheses.
(Also, you should use a parameter for clientId too)