I am exploring oracle 12c for storing json data in a json aware clob column named METADATA. My existing data in that column looks something like this:
{
"com.xyz.abc.key": {
"key_a": "value_a",
"key_b": ["value_b_1", "value_b_2", "value_c_2"]
}
}
The problem is that if I were to construct a query using JSON_VALUE
JSON_VALUE(METADATA ,'$.com.xyz.abc.key.key_a')
then I rightly get null as result as oracle will interpret a different json path. I tried escaping characters but that also doesn't work.
I went through oracle's whitepaper on this topic but it doesn't cover this case.
I need help in correctly constructing my SQL/JSON query in this case.
Edit
Solution : '$."com.xyz.abc.key".key_a' is the correct way for doing this.
Related
Updated question:
I am working with scenario where the source oracle schema do not have a field say "Date of Birth" saved in encrypted format but when using select statement I want output to be in encrypted format. I do not know the version of the oracle to find the appropriate function in the documentations.
I have worked with MySQL and I am familiar with "password()" function. I am looking for similar function for Oracle in SQL not PL/SQL as I cannot use that in the application I am using it should be one line query to fetch the results. I tried using DBMS_CRYPTO as per the documentation https://docs.oracle.com/cd/B19306_01/appdev.102/b14258/d_crypto.htm#i1004271 but I am getting error fetching data on my application could be possible that DB version may not be supporting DBMS_CRYPTO.
Any other suggestion on which function can be used to display non-encrypted field in encrypted format when using select on Oracle(thin) query?
I'm trying to access the columns stored inside this CLOB of JSON. However, because it is not version 12C of Oracle I cannot use dot notation to reference the column names like "table.column"
I am really struggling. I have tried to use dbms_lob.substr to extract it but i just end up getting the full CLOB.
My screenshot attached is displayed when running the following :
SELECT
*
FROM TRANSFORM_OB_BB_SIT_OWNER.BUCKETS
WHERE bucket_name ='LatestApplicationVersions'
However, I want to be able to access 'PersonalCountryOfNationality' where it is = 'United Kingdom' enter image description here
If you want to work with JSON with a version older than 12c, I recommend using the PLJSON package, here is a link:
https://github.com/pljson/pljson/tree/develop
You can find exemples here:
https://github.com/pljson/pljson/tree/develop/examples
Hellow I'm searching how to create query like this with knex
SELECT product.price/100 AS priceInDollars
and getting error 'price/100 not found'
related question divide the value of a column by another column
Knex seems to wrap the columns in quotes, so such operations cannot be supported using Knex query builder, as the database would interpret that as literals.
knex.column('title', 'author', 'year').select().from('books')
Outputs:
select `title`, `author`, `year` from `books`
However, knex also provides a way to fire raw SQL statements, so you would be able to execute this query.
knex.raw('SELECT product.price/100 AS priceInDollars').then(function(resp) { ... });
Further reading: Knex Raw Queries
This can be done using knex.raw query partially for the columns.
You have two possible solutions:
Raw SQL:
You have possibility to use knex.raw to use full raw SQL query as you would execute it against database (as other answers already indicated). However, if you are using tools like knex, usually this is something you want to avoid (especially when you are using query builder to build more complicated queries and relationships - I assume that this is why you are using knex in the first place).
You can use knex.raw partially for specific column instead.
Lets consider following query:
SELECT id, product.price/100 AS priceInDollars, created_at WHERE id='someUUID';
You can execute this with knex in a following format:
knex
.select([
'id',
knex.raw('products.price::numeric/100 as priceInDollars'),
'created_at'
])
.from('products')
.where({ id: 'someUUID' });
My assumption in the answer is that postgresql is used (hence numeric), but if you want to extract float after the division, you will need to do a casting (in dependency of what kind of types database support)
When querying a table with an CLOB field (CONTENT_VALUE) I get the same results for the following statements:
WHERE CONTENT_VALUE LIKE 'Name'
and
WHERE CONTENT_VALUE LIKE '%reallyweird Name'
Both queries return rows where the field's content is 'Name'. This behavior is quite odd to me. Is the LIKE operator meant to behave differently in CLOB and VARCHAR fields?
I'm running the queries on a Oracle Database 10g Enterprise Edition Release 10.2.0.4.0.
Well - this is a bug (Bug 10305573 on support.oracle.com). You can use regexp_like as a workaround.
The website i worked was recently attempted to be hacked by the following SQL injection script
boys' and 3=8 union
select 1,
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9
from `information_schema`.`tables`
where table_schema=0x62646B3032 limit 44,1 -- And '8'='8
This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?
Anyone can explain this?
Penuel
They're using a select from the Information Schema views in mysql server :
http://dev.mysql.com/doc/refman/5.0/en/information-schema.html
They use some clever hacks to rout out simple sql injection prevention techniques.
According to this the MySQL concat()
Returns the string that results from
concatenating the arguments. May have
one or more arguments. If all
arguments are nonbinary strings, the
result is a nonbinary string. If the
arguments include any binary strings,
the result is a binary string. A
numeric argument is converted to its
equivalent binary string form
So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.
Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.
The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.
This injection returned the mysql table name.
Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.