Cannot insert text with single quotes in Yii

I have got a Yii 1.0 project and I am trying to insert a form data using its model. Is there any configuration I need to do to escape quotes in my query?

This may help you. I also faced this earlier; it was due to the query breaking, so I used the param method to pass variables:
Model::model()->update(array('status' => 1), 'username=:username', array(':username' => $model->username));

Related

Mule: how to send Array parameter to DB Update

I have a PG table with a field of type char(10)[].
I need to update a record in the table with values from a Mule flow.
So, I did something like this:
flowVars.test=['aaa', 'bbb', 'ccc'];
Then, I'm trying to submit an update statement like this:
update tab1 set fld1=#[flowVars.test]
it's failing with the error:
Cannot cast an instance of java.util.ArrayList to type Types.ARRAY
My understanding is that SQL array should be used in this scenario but I can't figure out how to get an instance of such an array in a flow and how to work with it in MEL.
Can someone please advise?
Thank you,
There are many sources that suggest using Connection#createArrayOf(), but I don't know how to use it in the Database connector.
However, for this purpose I went with this solution:
Convert the ArrayList to a String. It should be formed as: {value1, value2, ...}
Change the Database Query Type from Parameterized to Dynamic
Update the SQL query to become: update tab1 set fld1 = '#[flowVars.test]'. The additional single quotes are required for this query type.
Finally, by using the following configuration I can update field of type character(10)[]:
<expression-transformer expression="#[flowVars.test = ['aaa', 'bbb', 'ccc'].toString().replace('[', '{').replace(']', '}')]" doc:name="Expression"/>
<db:update config-ref="Postgre_Database_Configuration" doc:name="Database">
<db:dynamic-query><![CDATA[update tab1 set fld1 = '#[flowVars.test]']]></db:dynamic-query>
</db:update>
OK, I've found an answer in the MuleSoft docs.
Starting from version 3.6, the DB connector supports custom types and allows defining mappings between SQL arrays and structures and custom user classes.
It's documented here.

Issue while checking data before loading in sql data loader

I am using the following code excerpt while loading data in Oracle DB using sql loader:
"tran_code POSITION(238:239)," +
"frm_acct POSITION(247:265) \"TO_NUMBER(:frm_acct)\" NULLIF :frm_acct='*******************'," +
"to_acct POSITION(269:287)," +
It is giving an error on NULLIF. I guess the issue is clear: I want to insert NULL when the data contains only asterisks, otherwise convert to a number and insert.
Thanks in advance.
You can try something like this -
"decode(:YOUR_COL,'***************',NULL,TO_NUMBER(:YOUR_COL))"
However, I suggest a better option in these scenarios is an "external table".
Here's a link for your reference:
http://docs.oracle.com/cd/B19306_01/server.102/b14215/et_concepts.htm

Fitnesse and dbFit: how to escape colons in SQL queries

I've a problem with escaping colons and dashes in SQL queries when I use dbFit with Fitnesse.
Such a statement doesn't work:
!|Query|select to_char(my_birthday,'YYYY-MM-DD HH24:MI:SI') from family|
I need to replace colons and dashes with some other acceptable characters, e.g.
!|Query|select to_char(my_birthday,'YYYY_MM_DD HH24_MI_SI') from family|
Do you know how to solve it properly without using the second approach?
Cheers,
foxrafi
I think this is what you need. From http://dbfit.github.io/dbfit/docs/reference.html
Avoiding parameter mapping
If you want to prevent DbFit from mapping parameters to bind variables
(eg to execute a stored procedure definition that contains the #
symbol in Sql Server), disable bind symbols option before running the
query.
|set option|bind symbols|false|
|execute| insert into users (name, username) values ('#hey','uuu')|
|query|select * from users|
|name|username|
|#hey|uuu|
Remember to re-enable the option after the query is executed. You can
use the same trick with the Execute command.
In addition to Mike's answer, you can also solve this by using bind parameters. This is useful if you have to use bind parameters at other places in the same query.
!|DatabaseEnvironment|ORACLE|
|Connect|${HOSTNAME}|${USERNAME}|${PASSWORD}|
!|Query|!-select current_timestamp ts from dual-!|
|ts?|
|>>my_birthday_ts|
|set parameter|my_birthday_ts| <<my_birthday_ts|
#Set bind parameter :MI to string ':MI'
|set parameter|MI|:MI|
# and do it in the same way with :SS.
|set parameter|SS|:SS|
!|Query|!-select to_char(:my_birthday_ts, 'YYYY-MM-DD HH24'|| :MI || :SS) bds from dual-!|
|bds?|
|>>birthday_string|
Note that you have to use !- -! around your query, otherwise FitNesse will expand the concatenation operator to table cells. The main drawback of this manner is that you cannot use ordinary FitNesse variables (${varname}) in the query.
!|DatabaseEnvironment|ORACLE|
|Connect|${HOSTNAME}|${USERNAME}|${PASSWORD}|
!|Query|!-select current_timestamp ts from dual-!|
|ts?|
|>>my_birthday_ts|
!|Query|!-select to_char(:my_birthday_ts, 'YYYY-MM-DD HH24:'||'MI:'||'SS') bds from dual-!|
|bds?|
|>>birthday_string|

typo3 sql injection protection

Is there any SQL injection protection in the TYPO3 framework?
Or do I have to take care of building a query myself?
I found prepare_SELECTqueryArray, but there is no example of how it should look.
My TYPO3 version is 4.7, and this prepare_SELECTqueryArray I found on a site with TYPO3 v6.1.
Prepared statements are available at least in TYPO3 4.5, as you can see here: [1] and [2].
A prepared query could look like this:
$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id', '', '', '', array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();
or
$preparedQuery = $this->link->prepare_SELECTquery('fieldblob,fieldblub', $table, 'id=:id');
$preparedQuery->bindValues(array(':id' => 1));
$preparedQuery->execute();
$result = $preparedQuery->fetch();
[1] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/class.t3lib_db.php
[2] https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_4-5/t3lib/db/class.t3lib_db_preparedstatement.php
In many places values are quoted automatically. Within the prepare_* functions, all parameters are quoted by default.
If you use exec_* queries, you need to escape values in the WHERE part on your own. Use $GLOBALS['TYPO3_DB']->fullQuoteStr($value, $tablename) for that.
Be aware that you can create SQL injections with TypoScript too. If you use the CONTENT object you can insert GET/POST data into the WHERE clause. Use intval or select.markers for creating SQL-injection-safe queries.
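The three ways of getting a request value into a WHERE clause that this answer describes for TYPO3 4.x, side by side (the same bind-parameter idea the Yii answer at the top of the page relies on). This is an added example, not code from the answer or from TYPO3; the table tx_demo_item, its columns and the request parameter names are assumptions.

```php
<?php
// Added example (not from the answer above or from TYPO3 itself).
// Table tx_demo_item and the request parameters title/pid are assumed.

/**
 * Vulnerable: the value is spliced into the SQL text. A single quote in
 * $title terminates the string literal and the remainder is parsed as SQL.
 */
function findItemsUnsafe($title)
{
    $where = "title = '" . $title . "' AND deleted = 0";
    return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid, title', 'tx_demo_item', $where);
}

/**
 * Hardened with manual quoting, as needed for every exec_* call:
 * fullQuoteStr() escapes the value and adds the surrounding quotes itself;
 * intval() reduces numeric input to a plain integer before it meets the SQL.
 */
function findItemsSafe($title, $pid)
{
    $db = $GLOBALS['TYPO3_DB'];
    $where = 'title = ' . $db->fullQuoteStr($title, 'tx_demo_item')
        . ' AND pid = ' . intval($pid)
        . ' AND deleted = 0';
    return $db->exec_SELECTgetRows('uid, title', 'tx_demo_item', $where);
}

/**
 * Hardened with a prepared statement: the value is bound, never becomes part
 * of the SQL text, and so needs no quoting in the WHERE clause at all.
 */
function findItemsPrepared($title)
{
    $stmt = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
        'uid, title', 'tx_demo_item', 'title = :title AND deleted = 0'
    );
    $stmt->bindValues(array(':title' => $title));
    $stmt->execute();
    $rows = array();
    while ($row = $stmt->fetch()) {
        $rows[] = $row;
    }
    $stmt->free();
    return $rows;
}

// A title such as O'Brien taken from the request works with the two hardened
// variants and is stored/compared as data, not interpreted as SQL.
$title = t3lib_div::_GP('title');
$rows  = findItemsSafe($title, t3lib_div::_GP('pid'));
```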

Yii framework - picking up field value from other model

I have been struggling with this. I have two models and am showing data in CGridView with one model; this model contains some IDs whose values are in a different table.
So, I have added
'value'=> 'TblAreaoflaw::model()->FindByPk($data->typeoflaw)->areaoflaw'
which is giving this error
"Trying to get property of non-object"
It might be because some records don't exist in TblAreaoflaw. Can't we check this line through isset?
When I put a static value, it works well, like
'value'=> 'TblAreaoflaw::model()->FindByPk(5)->areaoflaw',
Could anyone please help
thanks a lot
The error you get is because this expression TblAreaoflaw::model()->FindByPk($data->typeoflaw) is returning null. This means that you are effectively trying to get null->areaoflaw which won't work (this is what the error message "Trying to get property of non-object" clarifies).
My best guess is that $data->typeoflaw returns a non-existing primary key for the TblAreaoflaw model.
Make sure :
TblAreaoflaw is actually a model; I doubt it's Areaoflaw
You have a database-specified primary key, which is the id (5) you are passing
Try:
'value'=> '(TblAreaoflaw::model()->FindByPk($data->typeoflaw)->areaoflaw) ?: "default or null value"'
Obviously substitute the null string with whatever you want. You may need to adjust the condition to use !empty() or similar, but see how it goes. (And if you do that or aren't using PHP 5.3, use the full ternary expression.)