I select data from an Oracle SQL database using XMLELEMENTs. These data get passed to an application that will convert it into JSON and then sends it to a REST API.
Currently, I have the same issue as here, and the solution should be to add <?xml-multiple?> as a tag.
How can I select it from the database?
SELECT XMLEMENT("Body",
XMLELEMENT("User",
XMLELEMENT("Name", UserName),
XMLELEMENT("Adress", Adress)))
FROM USERS;
Let's say I want to mark that there could be multiple users with xml-multiple.
How do I need to change my query?
How about using the XMLPI function. It allows you to add processing instructions to the XML.
SELECT XMLEMENT("Body",
XMLPI("xml-multiple"),
XMLELEMENT("User",
XMLELEMENT("Name", UserName),
XMLELEMENT("Adress", Adress)))
FROM USERS;
Related
So in the BigQuery console you can see the queries that have been run by your users. Data Studio supplies a parameter called #DS_USER_EMAIL that contains the email of the user that made the query.
We need that email for billing reasons: We need to bill/notify people based on their usage.
An example query of this, logged in BQ:
select #DS_USER_EMAIL as user_email from test_table;
So I can only see the variable, not the resolved value. Was hoping the logged query would be actual query run like so:
select 'test#test.com' as user_email from test_table;
Any way around this? If not, what are our options for getting the email?
From my understanding, #DS_USER_EMAIL can be used to create dynamic reports, so certain users get access to specific data (Ref)
If you are looking for a way to check total bytes processed based on the user e-mail you can try using the INFORMATION_SCHEMA tables and JOBS_BY_ORGANIZATION (Documentation Link)
An example:
SELECT
job_id,
creation_time,
user_email,
total_bytes_billed
FROM `region-us`.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATION
WHERE state == "DONE"
I would like to convert the following postgres query to graphql for hasura. How can I do it?
Select CONCAT(cast( "vendorId" as text),split_part("customerUserName",'+', 2)) as id,"vendorId","customerUserName" from "VendorCustomertList"
You can create a Postgres VIEW and track that via Hasura. From there you have all the same capabilities as a table: changing GraphQL field names, relationships, permissions, etc.
http://localhost:9695/console/data/sql is where you can write custom SQL and have it be tracked as a migration.
I got an assignment to make SQL injection to a fake website that was built for that purpose.
I wanted to know how to inject SQL query into an URL.
for example, http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id
i have this URL, and i want to inject UNION query to it, how do I do that?
Thanks.
Let's assume that your web query will be translated to
SELECT * FROM users WHERE username = 'my_id';
Now, the trick is to replace 'my_id' by the malicious code. I assume that the purpose of the UNION query is to return all the users instead of just one. The result should be:
SELECT * FROM users WHERE username = 'my_id' UNION SELECT * FROM users; -- ';
Maybe the original query has a field list instead of *. Then you will have to duplicate this list in the second query.
Now instead of my_id, you must enter
my_id' UNION SELECT * FROM users; --
Note that we terminate our entry with a -- introducing a comment. The query mechanism will terminate the query by appending a final single quote (and maybe a semicolon). Now they will be turned into a comment.
The next question is, how do we escape this correctly for the URL. Using the online tool Code Beautify, HTML Escape/Unescape, we get:
my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
This gives the full URL:
http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
have a series of databases on the same server which i am wishing to query. I am using the same code to query the database and would like the results to appear in a single list.
I am using 'USE' to specify which database to query, followed by creating some temporary tables to group my data, before using a final SELECT statement to bring together all the data from the database.
I am then using UNION, followed by a second USE command for the next database and so on.
SQL Server is showing a syntax error on the word 'UNION' but does not give any assistance as to the source of the problem.
Is it possible that I am missing a character. At present I am not using ( or ) anywhere.
The USE statement just redirects your session to connect to a different database on the same instance, you don't actually need to switch from database to database in this matter (there are a few rare exceptions tho).
Use the 3 part notation to join your result sets. You can do this while being connected to any database.
SELECT
SomeColumn = T.SomeColumn
FROM
FirstDatabase.Schema.TableName AS T
UNION ALL
SELECT
SomeColumn = T.SomeColumn
FROM
SecondDatabase.Schema.YetAnotherTable AS T
The engine will automatically check for your login's users on each database and validate your permissions on the underlying tables or views.
UNION adds result sets together, you can't issue another operation (like USE) other than SELECT between UNION.
You should use the database names before the table name:
SELECT valueFromBase1
FROM `database1`.`table1`
WHERE ...
UNION
SELECT valueFromBase2
FROM `database2`.`table2`
WHERE ...
I use Spring + Hibernate.
In one part I have native sql like:
SELECT *
FROM (...) sel
WHERE %s
%s i receive from UI. It looks like "id = ?1 AND name = ?2..." + list of params.
It is generated by query builder;
And now i have a case when UI can send something like:
CLAUSE: id = 'id; TRUNCATE TABLE schema.foo;'
How to check that clause is not a query?
Where can i find some libraries?
I would take an other direction : rather than trying to detect if a query is malicious, make sure that the query cannot do anything malicous, with grants at database level :
if you have a public table, with users generating queries for this table, create a database user that can only SELECT on this sole table, and use a specific jdbc connection, that connect to the database using the former read-only user, to run these 'unsafe' queries.