SQL server select query with parenthesis - sql

I created a table in SQL Server called user, but when I try to query the table it only works with this approach (with parentheses):
Select * from [user]
When I try:
select * from user
it doesn't seem to work: 'Incorrect syntax near the keyword 'user''.
Why do I need to add those parentheses? I know I need to add parentheses if there is a space in a name, like the column name "first name".
Why is it not working?

You can write a SELECT statement without square brackets for database tables and columns. When you use square brackets, you explicitly tell the SQL Server engine to select data from the table user:
Select * from [user]
But when you write select * from user, the SQL engine thinks not of the table user but of the reserved keyword user. The correct query to see the database user name looks like this:
select user

Related

import data from table named "document" in odbc database with powerbi

I'm connected to a database that contains a table named "document", this term is also an sql term at the same time so when I query it, it doesn't recognize it.
I usually just add quotation marks to query it in DBeaver, and that works well.
select * from "document"
But when I want to write my query in PowerBi to import this table, it doesn't work with the quotation marks.
I also tried it in this format:
select * from public.document
I also tried not writing any SQL query and just selecting the table when I connect to the ODBC database, but at the moment of update, the process starts and doesn't stop.
If the table really has double quotes in its name, one of these should work:
Using backtick
select * from `"document"`
Using double quote as escape:
select * from ""document""

SQL injection payload after order by in SQL query

Trying to exploit SQL injection for my assignment. Is it possible to execute a delete or drop query after order by in a select query without using the semicolon in PostgreSQL?
This is my sample query:
Select *
from table
order by {sql injection payload}
Without using the semicolon in the payload, can we delete data or drop a table?
https://stackoverflow.com/a/6800585
Do we have something similar to this in PostgreSQL?
I tried
Select * from (delete from table_name returning *) a
But I am getting an SQL error: 'syntax error at or near from'
Check this document; it says we can bypass forbidden characters with CHR()
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.
So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.
You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:
Select *
from table
order by {sql injection payload}
After your payload modifies this query:
Select *
from table
order by SomeFunctionThatDeletes()
Another type which works because you can select from a procedure in PostgreSQL:
Select *
from table
order by id
UNION
Select *
from SomeProcedureThatDeletes()
You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.
DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.
SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.
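The answer above concerns a value placed after ORDER BY, where a bind parameter cannot stand in for a column name. The following is an added example, not code from the original posts, showing the usual defence: the sort column and direction are looked up in an allow-list and only the vetted fragment is concatenated. The table, column names and sort keys are constructed, and sqlite3 is used as a stand-in so the example runs offline; the same pattern applies to PostgreSQL.

```python
import sqlite3

# Hypothetical allow-list: API sort keys -> real column names (constructed schema).
SORT_COLUMNS = {"id": "id", "name": "name", "created": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_key, direction="asc"):
    """Return an ORDER BY clause built only from allow-listed fragments."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        # Anything not in the allow-list (function calls, expressions,
        # unknown columns, non-string input) is refused, never passed through.
        raise ValueError("unsupported sort: %r %r" % (sort_key, direction))
    # Delimit the identifier so a reserved word used as a column name still parses.
    return 'ORDER BY "%s" %s' % (column, order)


def list_items(conn, owner, sort_key, direction="asc"):
    """Values go through bind parameters; only the vetted clause is concatenated."""
    sql = "SELECT id, name FROM items WHERE owner = ? " + build_order_by(sort_key, direction)
    return conn.execute(sql, (owner,)).fetchall()


def demo_connection():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, created_at TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", [
        (1, "pear", "2024-01-03", "alice"),
        (2, "apple", "2024-01-02", "alice"),
        (3, "fig", "2024-01-01", "bob"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_items(conn, "alice", "name"))
    try:
        list_items(conn, "alice", "SomeFunctionThatDeletes()")
    except ValueError as exc:
        print("rejected:", exc)
```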

Error show when update using phpmyadmin

When I update a column using phpmyadmin in database with following query
UPDATE members
SET `refered` = (SELECT COUNT (*)
FROM `user_details`
WHERE `user_details.sponser`=`members.username`
)
It shows an error message like this:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '*) FROM `user_details` WHERE `user_details.sponser`=`members.username`)' at line 1
What may be the reason?
Error is in
COUNT (*)
-----^
Remove the space between COUNT and (*).
Try the below query
UPDATE members SET refered = (SELECT COUNT(*) FROM user_details
WHERE user_details.sponser=members.username)
Does the SELECT query return any result? If so, what is the result? It looks like your whole query is inside single quotes; they should be removed. For example:
UPDATE members
SET refered = (SELECT COUNT(*)
FROM user_details
WHERE user_details.sponser=members.username
)
-- There are no single quotes in the query above. Please remove them from yours.
Part of your problem, or maybe the whole problem, is the WHERE clause. You've used backticks for the table name, which is correct (or, at least, it's optional in this case; it's needed if your database name or table name has a MySQL reserved name or is otherwise ambiguous). The problem, though, is that the dot separating the database from the table needs to be outside the backticks. So your WHERE clause should look like this instead:
WHERE `user_details`.`sponser`=`members`.`username`

select subset of column in IBM DB2

I am not able to perform a select query on a subset of columns of a database in IBM DB2.
select * from user
This works. But
select username from user
doesn't work. Here's the screenshot.
username is a reserved word. The "proper" solution would probably be to have a column name that isn't a reserved word, such as user_name. If changing the column name isn't an option, you could use double-quotes (") to escape it:
SELECT "username" FROM user

Selecting a column with period in the column name SQL Server

I am linked to a Proficy Historian that allows periods in the column names. Because the data is stored in a non DBMS format I can not use openquery to get the data because there is no set schema to the tables. So I must use four part name syntax to get the data. This example works:
SELECT * FROM iHist...[SELECT * FROM ihTrend]
but this fails with Incorrect syntax near '.'.
SELECT * FROM iHist...[SELECT [SERVER.pid_astatus[07][0].F_CV.Value] FROM ihTrend]
where SERVER.pid_astatus[07][0].F_CV.Value is the name of the column
This fails as well with Incorrect syntax near the keyword 'from'.
SELECT * FROM
iHist...[SELECT [SERVER.pid_astatus[[07]][[0]].F_CV.Value] from ihTrend]
Any ideas on how I can make SQL Server see this as a column?
EDIT:
Martin's suggestion of using right brackets to escape the brackets works only on the outside of the SQL call:
SELECT [SERVER.pid_astatus[07]][0]].F_CV.Value] FROM iHist...[SELECT * FROM ihTrend]
However, it does not work inside (Incorrect syntax near the keyword 'from'):
SELECT * FROM iHist...[SELECT [SERVER.pid_astatus[07]][0]].F_CV.Value] FROM ihTrend]
EDIT
SELECT * FROM iHist...[SELECT [SERVER.pid_astatus[07]][0]].F_CV.Value]] FROM ihTrend]
I had to escape the column escape :)
You only need to escape these ]
[pid_astatus[07]][0]].F_CV.Value]
This works for me
CREATE TABLE #t(
[pid_astatus[07]][0]].F_CV.Value] int
)
SELECT [pid_astatus[07]][0]].F_CV.Value]
FROM #t
(Edited to reflect new knowledge, if you like this vote for Martin Smith's answer instead!)
Escape the ] by doubling them:
SELECT * FROM
iHist...[SELECT [SERVER.pid_astatus[07]][0]].F_CV.Value] from ihTrend]
Based on your comment, try:
SELECT [SERVER.pid_astatus[07]][0]].F_CV.Value] FROM iHist...ihTrend
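The bracket escaping worked out in the thread above can be checked mechanically. The following is an added example, not code from the original posts: quote_bracket applies the same rule as T-SQL's QUOTENAME with its default delimiter (wrap in [ ] and double every ]), and read_bracketed shows where a delimited identifier ends under that rule. The helper names are hypothetical; the column name and queries are the ones quoted in the question.

```python
def quote_bracket(name):
    """Delimit a name with [ ] and double each ] inside it."""
    return "[" + name.replace("]", "]]") + "]"


def read_bracketed(text):
    """Read one [delimited identifier] from the start of text.

    Returns (identifier, rest). A lone ] closes the identifier;
    a doubled ]] stands for one literal ] inside it.
    """
    if not text.startswith("["):
        raise ValueError("expected '['")
    out = []
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "]":
            if text[i + 1:i + 2] == "]":
                out.append("]")      # escaped bracket, keep scanning
                i += 2
                continue
            return "".join(out), text[i + 1:]
        out.append(ch)
        i += 1
    raise ValueError("unterminated identifier")


# Column name and pass-through query text taken from the question.
COLUMN = "SERVER.pid_astatus[07][0].F_CV.Value"
INNER = "SELECT [" + COLUMN + "] FROM ihTrend"

if __name__ == "__main__":
    # Outer use: the column name quoted once.
    print(quote_bracket(COLUMN))
    # Pass-through use: the whole inner text quoted once, so the ] that
    # closes the inner column name is doubled as well.
    print(quote_bracket(INNER))
    # First failing attempt: the identifier ends at the first lone ].
    print(read_bracketed("[" + INNER + "]"))
    # Second failing attempt: inner ] doubled, but not the one after Value,
    # so the identifier closes there and " FROM ihTrend]" is left over.
    print(read_bracketed("[SELECT " + quote_bracket(COLUMN) + " FROM ihTrend]"))
```

Building delimited names with a quoting function like this, rather than by hand, is also what keeps a ] inside a dynamic identifier from terminating it early.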