I have an authorization table. There's a Username, Login and Password I want. Also I have P1_item, I want to assign this variable Username, when I write a log in log everything works and when the APP_USER. does not work
CREATE TABLE test
(
name varcahar2(10),
login varcahar2(10),
pass NUMBER(10)
);
INSERT INTO test
VALUES ('Andrii', 'log', 111);
select name from test where login = '&APP_USER.'
select name from test where login = 'log'
Don't use &APP_USER. as this is a substitution string - instead, bind the variable directly using :APP_USER, e.g.
select name from test where login = :APP_USER
There is no value "APP_USER" in the login column...
you can use V function (more details), but it is not recommended in SQL:
select name from test where login = V('APP_USER');
or you can bind the variable:
select name from test where login = :APP_USER;
Related
Suppose you have the following SQL Query to create a table called notes and store data in it :
CREATE TABLE notes (
id INTEGER PRIMARY KEY,
username TEXT,
token TEXT,
text TEXT
);
INSERT INTO notes (username, token, text) VALUES ('alice', 'token-a', 'Reminder: buy milk');
INSERT INTO notes (username, token, text) VALUES ('alice', 'token-a', 'I like Bob');
INSERT INTO notes (username, token, text) VALUES ('bob', 'token-b', 'TODO: write tests');
Now to attempt SQL injection to get all alice's notes without knowing her token where the query to get the data is given as :
'''SELECT text
FROM notes
WHERE token = '%s'
''' % token
What should be the text send in the variable token so as to perform SQL injection and get all alice's notes.
Try Something like this-
';SELECT text
FROM notes
WHERE username = 'alice
SQL Injection can be implemented by concatenating the SQL statement with the input parameters. For example, the following statement is vulnerable to SQL Injection:
String statement = "SELECT ID FROM USERS WHERE USERNAME = '" + inputUsername + "' AND PASSWORD = '" + hashedPassword + "'";
An attacker would enter a username like this:
' OR 1=1 Limit 1; --
Thus, the executed statement will be:
SELECT ID FROM USERS WHERE USERNAME = '' OR 1=1 Limit 1; --' AND PASSWORD = 'Blob'
Hence, the password part is commented, and the database engine would return any arbitrary result which will be acceptable by the application.
I found this nice explanation on the free preview of "Introduction to Cybersecurity for Software Developers" course.
https://www.udemy.com/course/cybersecurity-for-developers-1/
It also explains how to prevent SQL Injection.
I have a transaction table in which there is a column trans_mode which stores transaction mode for the transactions. Transaction mode contains one of the following values.
trans_mode
web
app
APP
APP
wEb
and there are are many more possibilities as trans_mode is varchar column.
I want to write a simple select statement like
select count(trans_mode) from tab where trans_mode='web';
or
select count(trans_mode) from tab where trans_mode='Web';
Now, I do not want to use any condition like upper(trans_mode)='WEB' or lower(trans_mode)='web' or any regular expression, and output required is the count of web transactions ignoring the case.
I think we can achieve the same using "column format" when defining trans_mode column or by using some other method. However not sure. Please suggest.
You can't do that with a "column format", but you can change your current sessions' NLS behaviour:
ALTER SESSION SET nls_comp = Linguistic;
ALTER SESSION SET nls_sort = binary_CI;
select *
from tab
where trans_mode = 'app';
results in:
TRANS_MODE
----------
app
APP
APP
Online example: https://dbfiddle.uk/?rdbms=oracle_11.2&fiddle=a0196bf8031e5c612b9a9f6a2de870e4
If you need the comparison to honor language specific comparison rules (e.g. ß and SS should be treated the same in German), you can do that as well:
insert into tab values ('große');
insert into tab values ('GROSSE');
ALTER SESSION SET nls_comp = Linguistic;
ALTER SESSION SET nls_sort = XGerman_CI;
select *
from tab
where trans_mode = 'große'
returns:
TRANS_MODE
----------
große
GROSSE
Starting with Oracle 12.2 you can also use the collate option:
select *
from tab
where trans_mode = 'app' collate binary_ci
Use COLLATE:
select count(trans_mode) from tab where trans_mode='Web' COLLATE SQL_Latin1_General_CP1_CI_AS
Will return web and wEb
In Oracle 12.2 you can use collate binary_ci at column level.
CREATE TABLE transactions (
id NUMBER,
trans_mode VARCHAR2(4 CHAR) COLLATE BINARY_CI,
CONSTRAINT t1_pk PRIMARY KEY (id)
);
insert into transactions values(1,'web');
insert into transactions values(2,'app');
insert into transactions values(1,'Web');
insert into transactions values(1,'weB');
commit;
select count(0) from transactions where trans_mode = 'web' ;
Reference link:
https://oracle-base.com/articles/12c/column-level-collation-and-case-insensitive-database-12cr2#column-level
I want to set a variable in Sql Server that is selecting date from a view the query I am using is
declare #var varchar(20)
set #var = (SELECT Current_Period_SID FROM dbo.VW_Current_Period_SID_USNT)
just wondering is there a way to set variable in a view something like
CREATE VIEW mp_test AS
declare #var varchar(20)
set #var = (SELECT Current_Period_SID FROM dbo.VW_Current_Period_SID_USNT)
GO
Doing this gives Error
No. You can't do that in a view. I'm not even sure what the point of the above view would be since it doesn't return any value. Even if you could, you wouldn't want to. A variable like this can only store one varchar(20) value. Without an "order by" and top statement you would either get an error or a non-deterministic value unless your table happens to only have a single record.
You can easily fake a variable in your view using CTE. You can test-run it in your version of SQL Server.
CREATE VIEW vwImportant_Users AS
WITH params AS (
SELECT
varType='%Admin%',
varMinStatus=1)
SELECT status, name
FROM sys.sysusers, params
WHERE status > varMinStatus OR name LIKE varType
SELECT * FROM vwImportant_Users
yielding output:
status name
12 dbo
0 db_accessadmin
0 db_securityadmin
0 db_ddladmin
also via JOIN
WITH params AS ( SELECT varType='%Admin%', varMinStatus=1)
SELECT status, name
FROM sys.sysusers INNER JOIN params ON 1=1
WHERE status > varMinStatus OR name LIKE varType
also via CROSS APPLY
WITH params AS ( SELECT varType='%Admin%', varMinStatus=1)
SELECT status, name
FROM sys.sysusers CROSS APPLY params
WHERE status > varMinStatus OR name LIKE varType
I'm developing an application using Ruby on Rails and NuoDB and I'm trying to CALL procedures from the database. I'm testing it using the Rails console but I'm only getting a "TRUE" response when I call it using the following command.
ActiveRecord::Base.connection.execute("CALL SHOW_FEEDBACKS_PRC( 'form_name' )")
My stored procedure is this:
CREATE PROCEDURE database_name.show_feedbacks_prc (IN P_IN_form string)
returns tmp_feedbacks (txt1 string, rating integer, comment string, created_at timestamp, updated_at timestamp)
language sql
security invoker
as
insert into tmp_feedbacks
select txt1, rating, comment, created_at, updated_at
from database_name.feedbacks
where form = p_in_form;
END_PROCEDURE
It's a simple query that returns only a list of "feedbacks" which are under a specific "form".
The procedure works when I use NuoDB's console and it returns a table that displays the requested data but when I call it using Rail's console it would only return a "true" response when I execute the SQL command.
Is it possible to get a response as an array of requested data and how do I do this?
I'm trying to execute procedures inside the database instead of making loops inside the rails controllers.
So I totally forgot about this but I solved this issue a while back and here's a sample of what I did:
SAMPLE_PROCEDURE:
CREATE PROCEDURE sample_procedure ( IN input_1 INTEGER )
RETURNS return_msg ( col_1 STRING , col_2 INTEGER ) AS
VAR value_string STRING;
VAR value_integer INTEGER;
value_string = input_1;
value_integer = input_1+10;
INSERT INTO return_msg VALUES ( value_string , value_integer);
RETURN;
END_PROCEDURE
And here is how I call it:
ActiveRecord::Base.connection.execute("call sample_procedure(1)")
Rails would return the following:
[{"col_1"=>"1", "col_2"=>11}]
I hope this helps.
I have the following SQL:
INSERT INTO Invite VALUES (NULL,?,(SELECT id FROM User WHERE name = ?),?);
However this doesnt seem to work.
Can anyone tell me what i am doing wrong?
Update
The following php code gives me erro code 1136:
$sql = 'INSERT INTO Invite SELECT NULL, ?, id, ? FROM User WHERE username = ?';
$variables = array($team_id,$_SESSION['User']['id'],$username);
$result = $this->db->prepTemplate($sql, 'iis', $variables);
INSERT INTO Invite
SELECT NULL, ?, id, ?
FROM User
WHERE name = ?