How to make dynamic query in anypoint studio? - anypoint-studio

If id is present in flowVars, I will fetch the user from the database by id. If not present, I will fetch all users. I tried to use this expression, but with no success:
select * from user #[flowVars.userId != null ? 'where id = ' + flowVars.userId : '']
The error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''where id = 1'' at line 1 (com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException).
I think it creates single quote in query.

Insert into info Values (#[payload.Cname], #[payload.orderid], #[payload.customerid], #[payload.allergies])
You can write a dynamic query like this.
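
Added example, not part of the original thread, and written in Python with sqlite3 rather than Mule. The error message in the question shows the whole `where id = 1` fragment arriving as one quoted string; the code reproduces that failure, then builds the optional filter from fixed SQL text with only the id bound as a parameter. Table contents and function names are constructed for illustration.

```python
import sqlite3

def make_user_db():
    # Constructed sample rows standing in for the question's `user` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def fragment_as_parameter_fails(conn):
    # A bind parameter can carry a value, never SQL text, so passing a
    # whole WHERE clause through one is rejected by the SQL parser.
    try:
        conn.execute("SELECT * FROM user ?", ("where id = 1",))
    except sqlite3.OperationalError:
        return True
    return False

def find_users(conn, user_id=None):
    # Only fixed, program-owned SQL text is selected at runtime. The id is
    # always bound, so its content cannot change the statement's structure.
    sql = "SELECT id, name FROM user"
    params = ()
    if user_id is not None:
        sql += " WHERE id = ?"
        params = (user_id,)
    return conn.execute(sql + " ORDER BY id", params).fetchall()

if __name__ == "__main__":
    db = make_user_db()
    print(fragment_as_parameter_fails(db))
    print(find_users(db))              # no id: every user
    print(find_users(db, 1))           # id present: one user
    print(find_users(db, "1 OR 1=1"))  # treated as a value, matches nothing
```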

Related

Problem with Stored Procedures in PHPmyAdmin

Attempting to perform operations with a random integer in SQL.
The following code works perfectly as intended when run as pure SQL, but triggers a syntax error when attempting to save it into a stored procedure.
SET @sample_count = (SELECT count(*)
FROM cinder_sample);
SELECT @sample_count;
SET @random_ID = (SELECT FLOOR(RAND()*@sample_count));
SELECT @random_ID;
Any ideas as to what could be going wrong?
The exact error triggered is:
"The following query has failed: "CREATE DEFINER=root@localhost PROCEDURE play_random_sp() NOT DETERMINISTIC CONTAINS SQL SQL SECURITY DEFINER DELIMITER // SET @sample_count = (SELECT count(*) FROM cinder_sample)// SELECT @sample_count// SET @random_ID = (SELECT FLOOR(RAND()*@sample_count))// SELECT @random_ID"
MySQL said: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '// SET @sample_count = (SELECT count(*) FROM cinder_sample)// SELECT' at line 1"

MariaDB gives me an error that says 'WHERE '1'='1'' in a ctf

I'm going through the beginner HackerOne CTFs and I'm trying to crack the Micro-CMS v2. There is a login page that is vulnerable to an SQL injection. The query goes like this:
'SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')
In the username field I input ' UNION SELECT '123' AS password WHERE '1'='1 but then it returns this error:
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE '1'='1'' at line 1")
I tried commenting it out with --' or using WHERE 1=1' instead, but nothing seemed to work.
Maybe try to put UNION' or 1=1; -- in the username field.
So the query would become like this:
SELECT password FROM admins WHERE username='UNION' or 1=1; --
The result of this query would output all values in the password field.
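
Added example, not part of the thread: the query construction quoted in the question next to a parameterized version, in Python with sqlite3 standing in for MariaDB. Table contents and function names are constructed; the check at the bottom passes the two username strings quoted in the posts above through the parameterized lookup, where they are compared as plain data.

```python
import sqlite3

def make_admin_db():
    # Constructed stand-in for the challenge's admins table. The stored value
    # is a placeholder; a real application stores a password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admins VALUES (?, ?)",
                 ("admin", "constructed-sample-value"))
    return conn

def lookup_vulnerable(conn, username):
    # Same construction as the line in the question: the form value is pasted
    # into the SQL text, so a quote inside it ends the string literal early.
    sql = ("SELECT password FROM admins WHERE username='%s'"
           % username.replace('%', '%%'))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_parameterized(conn, username):
    # The statement text is constant; the driver sends the value separately,
    # so quotes and keywords in it are just characters to compare.
    row = conn.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

def apostrophe_breaks_vulnerable(conn):
    # Even an ordinary name with an apostrophe makes the pasted query invalid.
    try:
        lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_admin_db()
    print(apostrophe_breaks_vulnerable(db))
    for name in ["admin", "O'Brien",
                 "' UNION SELECT '123' AS password WHERE '1'='1",
                 "UNION' or 1=1; --"]:
        print(repr(name), "->", lookup_parameterized(db, name))
```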

update error and rollback transaction

I have 3 tables: ticket_addresses, tickets, ['2014nosec add']. I want to update the ticket_addresses table, but unfortunately I have run this query and it updated the entire table, setting the column ta_address_2 to '.'.
My doubt is that my query is wrong, because the FROM table ['2014nosec add'] is different from the table being updated and does not have the ta-address-2 column; it should give me an error because the FROM table is not in the list.
Is there any way to roll back the update query, as I have not run it in a transaction? I am using SQL Server Management Studio.
update
ticket_addresses set ta_address_2 = '.'
FROM ['2014nosec add'] inner join tickets ------> I think this is wrong here.. it should be ticket_addresses table(right)
on ['2014nosec add'].[PCN] = tickets.t_reference
where ta_address_2 = ''
and ta_address_1 <> ' ' and t_camera_ticket = '-1'
and
convert (datetime,t_date_time_issued,101) between convert(datetime,'2014/04/15',101) and convert (datetime,'2014/06/06',101)
By default, SQL Server uses "Autocommit" mode for transaction management, so you can't roll back this query because it is already committed.
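
Added example, not part of the thread: a guarded update that runs inside an explicit transaction and rolls back when more rows are touched than expected. It uses Python with sqlite3 in autocommit mode as a stand-in for SQL Server; the `ta_id` column, the sample rows and the function names are constructed.

```python
import sqlite3

def make_ticket_db():
    # isolation_level=None gives autocommit behaviour: each statement is
    # permanent at once unless an explicit BEGIN is issued first.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE ticket_addresses "
                 "(ta_id INTEGER PRIMARY KEY, ta_address_2 TEXT)")
    conn.executemany("INSERT INTO ticket_addresses VALUES (?, ?)",
                     [(1, ""), (2, ""), (3, ""), (4, "Flat 2")])
    return conn

def guarded_update(conn, expected_max_rows):
    # Explicit transaction: nothing is permanent until COMMIT, so the
    # affected-row count can be checked while ROLLBACK is still possible.
    conn.execute("BEGIN")
    cur = conn.execute(
        "UPDATE ticket_addresses SET ta_address_2 = '.' WHERE ta_address_2 = ''")
    affected = cur.rowcount
    if affected > expected_max_rows:
        conn.execute("ROLLBACK")
        return ("rolled back", affected)
    conn.execute("COMMIT")
    return ("committed", affected)

def count_dots(conn):
    # Number of rows whose ta_address_2 currently holds '.'.
    return conn.execute(
        "SELECT COUNT(*) FROM ticket_addresses WHERE ta_address_2 = '.'"
    ).fetchone()[0]

if __name__ == "__main__":
    db = make_ticket_db()
    print(guarded_update(db, 1), count_dots(db))  # too many rows: undone
    print(guarded_update(db, 5), count_dots(db))  # within the limit: kept
```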

Handling Dates from Oracle to SQL Server 2005 using OPENQUERY

I have linked SQL Server 2005 to an Oracle Server, and am using OpenQuery() to pass data from Oracle to SQL Server.
So, for instance, the following query works fine:
SELECT *
FROM OPENQUERY(ORACLE_LINK, 'SELECT FIELD1
FROM ORACLE.TABLE1');
Everything works, unless I ask for a field which is a date/time in the Oracle database. For instance, say that TABLE1 has ten fields, one of which is a timestamp. If I ask for all nine fields except for the timestamp, it works. If I ask:
SELECT *
FROM OPENQUERY(ORACLE_LINK, 'SELECT *
FROM ORACLE.TABLE1');
I get the following error:
OLE DB provider "MSDAORA" for linked server "ORACLE_LINK" returned message "Oracle error occurred, but error message could not be retrieved from Oracle.".
OLE DB provider "MSDAORA" for linked server "ORACLE_LINK" returned message "Data type is not supported.".
I also get the same error if I ask for only the timestamp field.
What is the best way of handling this error? Thanks.
I do it with this function (partial code):
select @StringOut = '{ts ''''' + convert(varchar(20), @DateIn, 20) + ''''' }';
RETURN @StringOut
and this goes into the query:
and procedure_date_dt = ' + dbo.TimestampString(@date) + '
and event_type = ''''Time Notation''''
and it works when I run it.

OPENQUERY update on linked server

I want to execute the following statement through from a linked server (openquery):
UPDATE SAP_PLANT
SET (OWNER, OWNER_COUNTRY) = (SELECT import.AFNAME, import.COUNTRY
FROM SAP_IMPORT_CUSTOMERS import, SAP_PLANT plant
WHERE plant.SAP_FL = import.SAP_NO
AND import.role ='OWNER')
I've tried to form it into the following syntax, without success :(
update openquery(‘my_linked_server, ‘select column_1, column_2 from table_schema.table_name where pk = pk_value’)
set column_1 = ‘my_value1′, column_2 = ‘my_value2′
I hope for you this is no problem?
I guess this is not really a query you want to open, rather an SQL statement you want to execute. So instead of openquery, you should use execute. See example G here: http://msdn.microsoft.com/en-us/library/ms188332.aspx
So your script should look like
execute ('your sql command here') at my_linked_server
Are you getting a syntax error? Your server parameter in the update openquery is missing a trailing quote. Change `my_linked_server` to `my_linked_server'`.