I have a SQLITE3 database with two tables, main and activities. I am trying to insert a row into the main table just to check it works, using the sql command on terminal I am able to insert, but not through swift. The database is connected and allows me to read from the database using swift but not write to it.
let insertStatementString = "INSERT INTO main (DATE) VALUES (?);"
func insert() {
var insertStatement: OpaquePointer?
//1
if sqlite3_prepare_v2(mySQLDB,insertStatementString, -1, &insertStatement, nil) == SQLITE_OK {
let date: NSString = "14071999"
sqlite3_bind_text(insertStatement,1,date.utf8String, -1, nil)
if sqlite3_step(insertStatement) == SQLITE_DONE {
print("\nSuccessfully inserted row")
} else
{ print("\nCould not insert a row")
}
}
else
{ print("\nInsert statement not prepared")
}
sqlite3_finalize(insertStatement)
}
When the program reaches 'if sqlite3_step(insertStatement) == SQLITE_DONE' it then skips to 'Could not insert row'.
Can anyone see why this is going wrong?
If your insert failed, you should print the error message, sqlite3_errmsg, which will tell you precisely what went wrong.
FWIW, your code worked for me, so it’s probably something not included in your question, for example how you opened the database and/or how the table was defined. Possible problems include:
inserting into a read-only database (e.g., opened database in the bundle which is read-only, explicitly opened with sqlite3_open_v2 in read-only mode, etc.);
your bind statement failed (you really should check for success there, too);
having a unique key on this column and already having this value somewhere; or
having other required (NOT NULL) columns that were not supplied.
Regardless, logging the error message will remove any ambiguity.
E.g.
func insert() {
var insertStatement: OpaquePointer?
guard sqlite3_prepare_v2(mySQLDB, insertStatementString, -1, &insertStatement, nil) == SQLITE_OK else {
printError(with: "INSERT statement not prepared")
return
}
defer { sqlite3_finalize(insertStatement) }
let date = "14071999"
guard sqlite3_bind_text(insertStatement, 1, date.cString(using: .utf8), -1, SQLITE_TRANSIENT) == SQLITE_OK else {
printError(with: "Bind for INSERT failed")
return
}
guard sqlite3_step(insertStatement) == SQLITE_DONE else {
printError(with: "Could not insert a row")
return
}
print("Successfully inserted row")
}
func printError(with message: String) {
let errmsg = sqlite3_errmsg(mySQLDB).flatMap { String(cString: $0) } ?? "Unknown error"
print(message, errmsg)
}
Where
internal let SQLITE_TRANSIENT = unsafeBitCast(-1, to: sqlite3_destructor_type.self)
While I structured this with guard statements, even if you stay with your if pattern, make sure you only sqlite3_finalize if the prepare statement succeeded. There’s no point in finalizing if the prepare failed.
It’s also prudent to use SQLITE_TRANSIENT for bound parameters.
Related
Let’s say you have a basic API (GET/POST/PATCH/DELETE) backed by an SQL database.
The PATCH call should only update the fields in the JSON payload that the user sends, without touching any of the other fields.
Imagine the table (let's call it sample) has id, string_a and string_b columns, and the struct which corresponds to it looks like:
type Sample struct {
ID int `json:"id"`
StringA string `json:"stringA"`
StringB string `json:"stringB"`
}
Let's say the user passes in { "stringA": "patched value" } as payload. The json will be unmarshalled to something that looks like:
&Sample{
ID: 0,
StringA: "patched value",
StringB: "",
}
For a project using database/sql, you’d write the query to patch the row something like:
// `id` is from the URL params
query := `UPDATE sample SET string_a=$1, string_b=$2 WHERE id=$3`
row := db.QueryRow(query, sample.StringA, sample.StringB, id)
...
That query would update the string_a column as expected, but it’d also update the string_b column to "", which is undesired behavior in this case. In essence, I’ve just created a PUT instead of a PATCH.
My immediate thought was - OK, that’s fine, let’s use strings.Builder to build out the query and only add a SET statement for those that have a non-nil/empty value.
However, in that case, if a user wanted to make string_a empty, how would they accomplish that?
Eg. the user makes a PATCH call with { "stringA": "" } as payload. That would get unmarshalled to something like:
&Sample{
ID: 0,
StringA: "",
StringB: "",
}
The “query builder” I was theorizing about would look at that and say “ok, those are all nil/empty values, don’t add them to the query” and no columns would be updated, which again, is undesired behavior.
I’m not sure how to write my API and the SQL queries it runs in a way that satisfies both cases. Any thoughts?
I think reasonable solution for smaller queries is to build UPDATE query and list of bound parameters dynamically while processing payload with logic that recognizes what was updated and what was left empty.
From my own experience this is clear and readable (if repetitive you can always iterate over struct members that share same logic or employ reflection and look at struct tags hints, etc.). Every (my) attempt to write universal solution for this ended up as very convoluted overkill supporting all sorts of corner-cases and behavioral differences between endpoints.
func patchSample(s Sample) {
var query strings.Builder
params := make([]interface{}, 0, 2)
// TODO Check if patch makes sense (e.g. id is non-zero, at least one patched value provided, etc.
query.WriteString("UPDATE sample SET")
if s.StringA != "" {
query.WriteString(" stringA = ?")
params = append(params, s.StringA)
}
if s.StringB != "" {
query.WriteString(" stringB = ?")
params = append(params, s.StringB)
}
query.WriteString(" WHERE id = ?")
params = append(params, s.ID)
fmt.Println(query.String(), params)
//_, err := db.Exec(query.String(), params...)
}
func main() {
patchSample(Sample{1, "Foo", ""})
patchSample(Sample{2, "", "Bar"})
patchSample(Sample{3, "Foo", "Bar"})
}
EDIT: In case "" is valid value for patching then it needs to be distinguishable from the default empty value. One way how to solve that for string is to use pointer which will default to nil if value is not present in payload:
type Sample struct {
ID int `json:"id"`
StringA *string `json:"stringA"`
StringB *string `json:"stringB"`
}
and then modify condition(s) to check if field was sent like this:
if s.StringA != nil {
query.WriteString(" stringA = ?")
params = append(params, *s.StringA)
}
See full example in playground: https://go.dev/play/p/RI7OsNEYrk6
For what it's worth, I solved the issue by:
Converting the request payload to a generic map[string]interface{}.
Implementing a query builder that loops through the map's keys to create a query.
Part of the reason I went this route is it fit all my requirements, and I didn't particularly like having *strings or *ints laying around.
Here is what the query builder looks like:
func patchQueryBuilder(id string, patch map[string]interface{}) (string, []interface{}, error) {
var query strings.Builder
params := make([]interface{}, 0)
query.WriteString("UPDATE some_table SET")
for k, v := range patch {
switch k {
case "someString":
if someString, ok := v.(string); ok {
query.WriteString(fmt.Sprintf(" some_string=$%d,", len(params)+1))
params = append(params, someString)
} else {
return "", []interface{}{}, fmt.Errorf("could not process some_string")
}
case "someBool":
if someBool, ok := v.(bool); ok {
query.WriteString(fmt.Sprintf(" some_bool=$%d,", len(params)+1))
params = append(params, someBool)
} else {
return "", []interface{}{}, fmt.Errorf("could not process some_bool")
}
}
}
if len(params) > 0 {
// Remove trailing comma to avoid syntax errors
queryString := fmt.Sprintf("%s WHERE id=$%d RETURNING *", strings.TrimSuffix(query.String(), ","), len(params)+1)
params = append(params, id)
return queryString, params, nil
} else {
return "", []interface{}{}, nil
}
}
Note that I'm using PostgreSQL, so I needed to provide numbered parameters to the query, eg $1, which is what params is used for. It's also returned from the function so that it can be used as follows:
// Build the patch query based on the payload
query, params, err := patchQueryBuilder(id, patch)
if err != nil {
return nil, err
}
// Use the query/params and get output
row := tx.QueryRowContext(ctx, query, params...)
I am new to Go and am trying to check a password against a username in a postgresql database.
I can't get dollar substitution to occur and would rather not resort to concatenating strings.
I am currently using squirrel but also tried it without and didn't have much luck.
I have the following code:
package datalayer
import (
"database/sql"
"encoding/json"
"fmt"
"net/http"
sq "github.com/Masterminds/squirrel"
_ "github.com/jackc/pgx/v4/stdlib"
"golang.org/x/crypto/bcrypt"
"github.com/gin-gonic/gin"
)
var (
// for the database
db *sql.DB
)
func InitDB(sqlDriver string, dataSource string) error {
var err error
// Connect to the postgres db (sqlDriver is literal string "pgx")
db, err = sql.Open(sqlDriver, dataSource)
if err != nil {
panic(err)
}
return db.Ping()
}
// Create a struct that models the structure of a user, both in the request body, and in the DB
type Credentials struct {
Password string `json:"password", db:"password"`
Username string `json:"username", db:"username"`
}
func Signin(c *gin.Context) {
// Parse and decode the request body into a new `Credentials` instance
creds := &Credentials{}
err := json.NewDecoder(c.Request.Body).Decode(creds)
if err != nil {
// If there is something wrong with the request body, return a 400 status
c.Writer.WriteHeader(http.StatusBadRequest)
return
}
query := sq.
Select("password").
From("users").
Where("username = $1", creds.Username).
PlaceholderFormat(sq.Dollar)
// The line below doesn't substitute the $ sign, it shows this: SELECT password FROM users WHERE username = $1 [rgfdgfd] <nil>
fmt.Println(sq.
Select("password").
From("users").
Where("username = $1", creds.Username).
PlaceholderFormat(sq.Dollar).ToSql())
rows, sqlerr := query.RunWith(db).Query()
if sqlerr != nil {
panic(fmt.Sprintf("QueryRow failed: %v", sqlerr))
}
if err != nil {
// If there is an issue with the database, return a 500 error
c.Writer.WriteHeader(http.StatusInternalServerError)
return
}
// We create another instance of `Credentials` to store the credentials we get from the database
storedCreds := &Credentials{}
// Store the obtained password in `storedCreds`
err = rows.Scan(&storedCreds.Password)
if err != nil {
// If an entry with the username does not exist, send an "Unauthorized"(401) status
if err == sql.ErrNoRows {
c.Writer.WriteHeader(http.StatusUnauthorized)
return
}
// If the error is of any other type, send a 500 status
c.Writer.WriteHeader(http.StatusInternalServerError)
return
}
// Compare the stored hashed password, with the hashed version of the password that was received
if err = bcrypt.CompareHashAndPassword([]byte(storedCreds.Password), []byte(creds.Password)); err != nil {
// If the two passwords don't match, return a 401 status
c.Writer.WriteHeader(http.StatusUnauthorized)
}
fmt.Printf("We made it !")
// If we reach this point, that means the users password was correct, and that they are authorized
// The default 200 status is sent
}
I see the following when I check pgAdmin, which shows the dollar sign not being substituted:
The substitution of the placeholders is done by the postgres server, it SHOULD NOT be the job of the Go code, or squirrel, to do the substitution.
When you are executing a query that takes parameters, a rough outline of what the database driver has to do is something like the following:
Using the query string, with placeholders untouched, a parse request is sent to the postgres server to create a prepared statement.
Using the parameter values and the identifier of the newly-created statement, a bind request is sent to make the statement ready for execution by creating a portal. A portal (similar to, but not the same as, a cursor) represents a ready-to-execute or already-partially-executed statement, with any missing parameter values filled in.
Using the portal's identifier an execute request is sent to the server which then executes the portal's query.
Note that the above steps are just a rough outline, in reality there are more request-response cycles involved between the db client and server.
And as far as pgAdmin is concerned I believe what it is displaying to you is the prepared statement as created by the parse request, although I can't tell for sure as I am not familiar with it.
In theory, a helper library like squirrel, or a driver library like pgx, could implement the substitution of parameters themselves and then send a simple query to the server. In general, however, given the possibility of SQL injections, it is better to leave it to the authority of the postgres server, in my opinion.
The PlaceholderFormat's job is to simply translate the placeholder to the specified format. For example you could write your SQL using the MySQL format (?,?,...) and then invoke the PlaceholderFormat(sql.Dollar) method to translate that into the PostgreSQL format ($1,$2,...).
I'm facing a strange issue where in my insert query using sqlite_exec API says successful return value, but when I check in sqlite table I dont see that entry, Below is my code
Insert query : INSERT INTO table_name VALUES (0,1584633967816,1584634000,'dasdasda','1584634000','28641','dasdas','dsadas','dsadsa','/rewrwe','rwerewr','rewrewr','0',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)
sqlite_exec code block:
sqliteError = sqlite3_exec(pSqlHandle, oSqlQuery.str().c_str(), NULL, NULL, NULL);
if (sqliteError == SQLITE_OK)
{
LOG(DbgLogger, LOG_LEVEL_DEBUG, "Query %s successful\n",
oSqlQuery.str().c_str());
if (pSqlHandle) {
sqliteError = sqlite3_close(pSqlHandle);
if (sqliteError != SQLITE_OK) {
sqlRet = SQL_API_FAILURE;
}
else {
pSqlHandle = NULL;
}
}
sqlRet = SQL_API_SUCCESS;
if (m_useLockFile) {
//write done, release write lock
sqlRet = releaseWriteLock();
/* reset write lock file name */
bWriteLckAvailable = false;
}
break;
}
I can see print "LOG(DbgLogger, LOG_LEVEL_DEBUG, "Query %s successful\n",)"
But when I do a select from command line on the I dont see any entry as such
eg: select * from table_name where column_name=1584633967816;
Anyone faced similar issue ?
I changed this login script to PDO. Now it passes the username but get's stuck fetchAll line. I need help please. thanks
<?php
session_start();
include_once"includes/config.php";
if (isset($_POST['admin_login'])) {
$admin_user = trim($_POST['admin_user']);
$admin_pw = trim($_POST['admin_pw']);
if ($admin_user == NULL OR $admin_pw == NULL) {
$final_report.="Please complete all the fields below..";
} else {
$check_user_data = $db->prepare("SELECT * FROM `admin`
WHERE `admin_user`='$admin_user'");
$check_user_data->execute();
if ($check_user_data->fetchColumn() == 0) {
$final_report.="This admin username does not exist..";
} else {
$get_user_data = $check_user_data->fetchAll($check_user_data);
if ($get_user_data['admin_pw'] == $admin_pw) {
$start_idsess = $_SESSION['admin_user'] = "".$get_user_data['admin_user']."";
$start_passsess = $_SESSION['admin_pw'] = "".$get_user_data['admin_pw']."";
$final_report.="You are about to be logged in, please wait a few moments...";
header('Location: admin.php');
}
}
}
}
?>
Not checking return value prepare() or execute() for false. You need to check for SQL errors and handle them, stopping the code instead of continuing on blithely.
Not using query parameters in the prepared statement, still interpolating $_POST content into the query unsafely. You're missing the benefit of switching to PDO, and leaving yourself vulnerable to SQL injection attack.
You're storing passwords in plaintext, which is unsafe. See You're Probably Storing Passwords Incorrectly.
Do you really need to SELECT * if you only use the admin_pw column? Hint: no.
PDOStatement::fetchAll() returns an array of arrays, not just one array for a row. Read the examples in the documentation for fetchAll().
How do you preset fields so that (unless a specific value is entered from the form itself) they STAY null? For another project, I will later have to pull information from this table depending on what options people choose, so if I could do a cfif against nulls I think it'd be a lot easier than the blanks that are currently generated if I don't insert any new values.
Does anyone know where/how to do this? I'm using Microsoft's SQL Server Management Studio to edit what the individual columns, and all I can find are the command codes using INSERT, SELECT, etc., rather than having a list that I edit. Or is that the only way to make my default setting be "null"?
Thanks for the help
If a field is set to be a nullable field (that is, it allows NULL), when adding a row, it will be NULL unless otherwise specified.
You don't need to do anything special for this.
If your INSERT and UPDATE statements simply omit the field, it will not be updated, though you can specifically specify NULL for such a field if wanted.
You could use a helper function to handle parameter setup. This is a simplified version of a function I use...
private static object ProcessParameter(object input)
{
if (input == null)
return input;
switch (input.GetType().ToString().ToLower())
{
case "system.string":
if (input == null || input.ToString() == "") { return DBNull.Value; }
return input;
case "system.int32":
case "system.double":
if (input.ToString() == "0" && IsNullable(input)) { return DBNull.Value; }
return input;
case "system.datetime":
if (System.Convert.ToDateTime(input) == DateTime.MinValue || System.Convert.ToDateTime(input) == default(DateTime)) { return DBNull.Value; }
return input;
default:
return input;
}
}