USER INPUT SQL for name - sql

SELECT PNAME,POSITION FROM PLAYER
WHERE Pname = 'Andrew Laken';
So basically I'm using SQL Developer and I'm trying to get a user input box to display to enter the name of the basketball player. I have done this sort of thing in MySQL and MS Access but for the life of me can't get it to work in SQL Developer. Any idea how? Also, one thing I don't know how to do on any software that uses SQL is error handling: if the data is correct display "successful", if not an error, etc. If anyone could add that into the solution for this problem that would be very helpful :D

Bind variables are indicated by a colon as the first character, like this:
SELECT (...) -- your "SELECT" clause here
FROM (...)
WHERE Pname = :pname
Each interface (like SQL Developer) has its own method for passing in parameters. In SQL Developer in particular, if you enter this query in the Query Builder and try to execute it, a window will pop up asking you for the value you want to enter for :pname.
Error handling: There is no "developer" handling of errors in straight SQL in Oracle; if you want to handle specific (non-system) errors you will have to write your own procedures/functions/packages.
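Putting the two halves of the answer together (a prompt for the name, then "successful"/error output), here is an added example that is not from the original answer. It assumes the PLAYER table from the question and is written for SQL Developer's script runner (F5); the name arrives through the same &amp;-style substitution variable the other answer uses, and the error handling lives in a PL/SQL block because plain SQL has none:

```sql
-- Added example: prompt once for the name, then report success or a specific error.
-- SET SERVEROUTPUT ON is needed so DBMS_OUTPUT lines appear in the Script Output pane.
SET SERVEROUTPUT ON
DECLARE
    -- SQL Developer pops up an input box for enter_name when the block is run.
    -- NOTE: &enter_name is textual substitution, so a name containing an
    -- apostrophe breaks the statement; application code should use a real
    -- bind variable (:pname) instead, which is never spliced into the SQL text.
    v_name     PLAYER.PNAME%TYPE    := '&enter_name';
    v_position PLAYER.POSITION%TYPE;
BEGIN
    SELECT POSITION
      INTO v_position
      FROM PLAYER
     WHERE PNAME = v_name;          -- exactly one row expected
    DBMS_OUTPUT.PUT_LINE('Successful: ' || v_name || ' plays ' || v_position);
EXCEPTION
    WHEN NO_DATA_FOUND THEN         -- zero rows: the name is not in PLAYER
        DBMS_OUTPUT.PUT_LINE('Error: no player named ' || v_name);
    WHEN TOO_MANY_ROWS THEN         -- several rows: PNAME is not unique
        DBMS_OUTPUT.PUT_LINE('Error: more than one player named ' || v_name);
END;
/
```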

-- SQL Developer prompts for enter_name when this runs; the quotes are required because PNAME is a string column
SELECT PNAME,POSITION FROM PLAYER WHERE Pname = '&enter_name';

Cannot view the SQL portion of a query in ACCESS?

I am currently working on a project of replacing our old Access database queries, but on one of them I am not able to view the actual SQL View.
Does anyone know a way to force the view or to export it somehow?
Error causing problem:
The SQL statement could not be executed because it contains ambiguous outer joins.
Note that I can view the Design View without issue but when I right click on the tab and select SQL View is when I get the error.
I did attempt what #LeeMac mentioned below but same error occurs:
EDIT:
This question is not like Ambiguous Outer Joins?
The OP on that question can actually see and edit their SQL.
My issue is that I cannot see or edit the SQL as the SQL View won't open.
Try executing the following VBA code from the Immediate Window (accessible using Ctrl+G) in the VBA IDE (open the IDE using Alt+F11):
?CurrentDb.QueryDefs("YourQuery").SQL
Replace YourQuery with the name of your query.
This should print the SQL code which comprises your query - you can then analyse the SQL to determine the cause of the error.
It's odd this error would arise when merely viewing the SQL content of the query definition.
It makes me think that the query is perhaps referencing a crosstab subquery which is actually the cause of the error, but which needs to be evaluated in order for MS Access to determine the columns available when viewing the design of the query in question.
Try this:
Hit Ctrl+G, and from the Immediate Window type in this:
SaveAsText acQuery, "Name of query", "c:\test\mysql.txt"
Access ordinarily doesn't allow you to save invalid queries, so it's strange you somehow got into this situation in the first place.
If you can copy the query, you can easily get to the SQL by changing the query to a passthrough query, either through the GUI or through VBA:
Dim q As DAO.QueryDef
Set q = CurrentDb.QueryDefs!Query1   ' the query whose SQL View will not open
q.Connect = "ODBC;"                  ' a connect string turns it into a pass-through query, which Access does not validate
Debug.Print q.SQL                    ' the SQL text is now readable in the Immediate Window
Passthrough queries are not validated, so you can freely read and write anything you want as SQL in it.
Note that this is irreversible when done through VBA. You can only change it back to a normal query once you made the SQL valid again. If you do it through the GUI, you can just not save it, though.
I had this problem and the issue was that I had a subquery that calculated fields but did not actually have a table in it. For example, it would calculate the first and last day of last month, which is 2 calculated fields; then it was the first query in a series of queries that were built off it, and the last one wouldn't resolve SQL as the original poster indicated. It also gave the ambiguous join message as well as "query needs input table" (which was that first subquery). I put a table with 1 record in it but didn't use the record and it worked.... so it just needs a table in it.

How to receive SQL syntax error using SQL injection?

I'm doing some webpentesting exercises and there is this one task saying that I need to make a new account with this name and this password by using SQL injection. On the web page there is a text input username and another text input 'password'. I can enter whatever characters I want inside the username text-input but inside the password text input I need to type a specific injection.
I know I need to inject an insert query but the thing is I don't know the table name. In order to insert a new user I need to know the table name, so I'm wondering how I can make the web page show me an error with the table name revealed.
The error showing should be like:
Unexpected end of command in statement [SELECT * FROM (tablename) WHERE...]
I tried to enter with just one character (maybe >1 chars are required) inside the password field to make the error show or even delete the parameter text input password. But it just won't show the SQL syntax error.
So the question is: How can I make use of the exploit to make the web page view the SQL syntax error with table name revealed?
And why doesn't injection work on username field but it does on password field?
The first thing is to understand the difference between "application" errors (for example, "the user doesn't exist") and execution errors, in which the application itself fails, like the "Unexpected end of command" you mention. The first case is not usually a problem from the security point of view (unless the application is very badly programmed); the second one is what could allow hacking.
A well programmed web application should ideally only have application errors, but the more realistic approach is to cope with unexpected execution errors in a way that doesn't make it vulnerable. Also, the application should process any user input in a way that doesn't cause an execution error.
It seems that they are teaching you the most flagrant case that allows SQL injection: apps that don't do any processing of user input (so it's very easy to put text in an input field that causes an execution error), and that don't cope with execution errors (in this case, showing the internal execution message to the user).
A common mistake in web applications is constructing the SQL query with string concatenation, so the simplest way to make it fail is using the string delimiter (') in a field, causing the string value to end prematurely. In a sloppy web app it would cause an execution error that shows the full error message, usually including the table name.
From there you craft a SQL query in the input field that inserts the user in the table; you could find examples online (note that you need at least basic knowledge of SQL and PHP (or ASP, Java, etc.) in order to do SQL injection, since you need to know how the database access works in order to make it fail).
Finally, SQL injection could work in any input field that is not properly processed, but it depends on how the application is programmed. I suppose that both fields would work, but it will be easier to do that with the password field because it is probably the last one in the SQL query.

visual studio 2012 query builder

Can anybody tell me what does the error mean? Whenever I open the query builder it will prompt with an error indicating that SQL syntax errors were encountered.
https://msdn.microsoft.com/en-us/library/ms189012.aspx
I looked at the following page in MSDN but I don't understand what it means...
For instance, what do these bullet points from the MSDN article mean?
The SQL statement is incomplete or contains one or more syntax errors.
The SQL statement is valid but is not supported in the graphical panes (for example, a Union query).
The SQL statement is valid but contains syntax specific to the data connection you are using.
USER (which you've apparently decided is an appropriate table name) is a SQL Server reserved word.
The best solution is to rename your table, so you don't have to escape the table name every time you want to query it and to make it clear it's your user data (hey, there's a table name suggestion - userdata).
The other option is to escape the name by surrounding it with square brackets:
SELECT * FROM [user]
Note that it will get old fast having to do this with every query. Again, the best solution would be to rename the table to something that isn't a reserved word.

Select column of other row in parameterized statement

I am a beginner in SQL, and I was having some trouble with special characters like parentheses and asterisks in user generated data. So far, I have mostly been using a lot of ad hoc methods of getting rid of these characters and they work well enough. Based on what I have read, I think parameterized queries might be a more systematic way of getting around some of the problems that I have.
I have following query:
insert into midstep (street)(select street from addresses limit 10)
The column street in the table addresses has a lot of parentheses, asterisks etc. The code above works as expected. What I want to do is something like this:
prepare midstreet (text) AS insert into midstep (street)(select $1 from addresses limit 10);
execute midstreet ( street from addresses);
However, when I enter in that code I get the following error message:
ERROR: syntax error at or near "from"
SQL state: 42601
Character: 29
I have tried a bunch of variations on this code and read through the documentation on Prepare and Execute but always get error messages. Any help is appreciated!
EDIT: I forgot to mention, I am using PostgreSQL 9.3 and my OS is Ubuntu. Please ask if you need any more information to help!
You do not need a parameter in your case, as you get your values using a sub-query. As a matter of fact, you cannot know the needed values on the server side. Parameters like that are needed if and only if you have some values defined at the application level and you want to pass them to the database.
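The following added PostgreSQL example (not from either thread) makes the same point for both the PREPARE/EXECUTE question above and the injection answer earlier on this page: a set-to-set copy needs no parameter, while a value that comes from the application goes through a parameter, where a quote, parenthesis or asterisk is just data and can never end the string early. Tables addresses and midstep and their rows are constructed for the example; run it in psql.

```sql
-- Added example: constructed tables mirroring the question (temporary, so nothing persists)
CREATE TEMP TABLE addresses (street text);
CREATE TEMP TABLE midstep   (street text);
-- Constructed sample data containing the characters the question worries about
INSERT INTO addresses (street) VALUES
    ('12 Main St (rear)'),
    ('O''Neil Ave *'),        -- doubled quote only because this is a hand-typed literal
    ('3rd (West) Rd');

-- Case 1: values already live in the database, so a sub-query moves them as a set.
-- No parameter is involved and nothing is ever rebuilt as SQL text.
INSERT INTO midstep (street)
SELECT street FROM addresses LIMIT 10;

-- Case 2: the value is known only to the application (a typed-in street),
-- so it is passed as $1. The server receives it as data, not as SQL, which is
-- why a stray ' from user input cannot terminate the string or alter the query.
PREPARE add_street (text) AS
    INSERT INTO midstep (street) VALUES ($1);
EXECUTE add_street('Rue de l''Eglise (Sud) *');

PREPARE find_street (text) AS
    SELECT street FROM addresses WHERE street = $1;
EXECUTE find_street('O''Neil Ave *');   -- matches the row despite the quote and asterisk

-- Sanity check: four rows, special characters preserved verbatim
SELECT street FROM midstep ORDER BY street;

DEALLOCATE add_street;
DEALLOCATE find_street;
```

From application code the parameter value is sent raw (no doubling of quotes); the doubled quotes above exist only because psql is being typed into directly.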

Windows Login Names and their impact on SQL Server 2005

Does anyone know of the impact on SQL Server of adopting 'two part' user Windows Loginnames in the form "fred.bloggs" instead of "bloggsf"?
I have scoured the Microsoft Knowledgebase and can find nothing clear about one or the other: only that all examples shown by them are in the 'single word' format.
I have tried to use fred.bloggs (that is, fred dot bloggs) in some SQL statements and get error messages, so they obviously cannot be used in a straightforward form.
You need to wrap a login like this in brackets, like: [your.login]
There is no impact on the SQL Server engine and performance.
A user name is a user name, whether there is a . in the middle or not.
The only issue is that of how the name is interpreted - ensure you use [] when specifying a user name, otherwise SQL will interpret the part before the . as a schema name.
So, for CREATE LOGIN, you should do:
-- YOURDOMAIN is a placeholder; a Windows login needs the domain prefix and FROM WINDOWS,
-- and the brackets stop the dot from being parsed as schema.object
CREATE LOGIN [YOURDOMAIN\xxxxx.yyyyy] FROM WINDOWS;