Why do variables need single quotes in `execute` SQL query? - sql

Given name = "Ben", this does not work:
DB.execute("SELECT id FROM departments WHERE name = #{name}")
but this does (added single quotes):
DB.execute("SELECT id FROM departments WHERE name = '#{name}'")
Why? Why doesn't Ruby call the variable in the first example? It's already a string. I don't see why that should make any difference. Isn't that equivalent to passing "'Ben'"? Wouldn't this be equivalent to passing "Ben"?

It's not a Ruby problem, but an SQL syntax issue.
WHERE name = tom
and
WHERE name = 'tom'
are two different things.
In the first case, it is treated as a schema object name (presumably a column name here), in the second case it is a String literal.
You run into the same issue whenever you use one programming language to create a program for another programming language (here Ruby -> SQL) by direct String manipulation.
The correct way is to use bind variables.
WHERE name = ?
That also deals with the problem of name containing special characters.
name = "Little Bobby Tables, see http://xkcd.com/327/"

Related

How to dynamically format BigQuery `dataset.schema.table name` with backticks

I need to work through how to take stored procedure functions from
region-us.INFORMATION_SCHEMA.ROUTINES
and modify the backticks that default to coming through around the project and place them around the dataset.schema.table()
The reason is more for uniform results across our system than a technical error need.
currently when I run this query
SELECT
replace(ddl, 'CREATE PROC', 'CREATE OR REPLACE PROC'),
FROM region-us.INFORMATION_SCHEMA.ROUTINES
where lower(routine_type) = 'procedure'
It will return the below:
`project-data-sandbox`.schema.MySP()
`project-data-sandbox`.schema.YourSP(MySP)
`project-data-sandbox`.inv.partnumber(orderid)
`project-data-sandbox`.inv_part.part_number(part_id)
I have tried the below query
SELECT
REGEXP_REPLACE(ddl, r"project-data-sandbox`.", "project-data-sandbox.") AS replaced_word
, REGEXP_REPLACE(ddl, r'`([a-zA-Z]+(-[a-zA-Z]+)+)`\.[a-zA-Z]+\.[a-zA-Z]+\(\)','Apples') tester
FROM region-us.INFORMATION_SCHEMA.ROUTINES
where lower(routine_type) = 'procedure'
I get part of what I want. However, the problem is our stored procedures can be named any sort of names and they could require objects to be passed to them.
I added the tester column to see if I could replace the project string with another word (or regex) but it isn't even replacing it with apples yet.
which I would want turned into this:
`project-data-sandbox.schema.MySP`()
`project-data-sandbox.schema.YourSP`(MySP)
`project-data-sandbox.inv.partnumber`(orderid)
`project-data-sandbox.inv_part.part_number`(part_id)
I'm working through Regexp_replace but I'm having difficulty figuring out how to get the backtick between the parenthesis and the last letter.
Thanks for any help!
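As an added illustration (not part of the original post, and in Python's `re` rather than BigQuery SQL), the rewrite the question asks for can be done with a single pattern that captures the backticked project id, the dataset and the routine name, and re-emits them inside one pair of backticks. Two things in the posted `tester` pattern limit what it can match: `[a-zA-Z]+` excludes the underscores and digits in names such as `inv_part.part_number`, and `\(\)` only matches routines with an empty parameter list. The sample DDL lines below are constructed from the ones listed in the question; the `rewrite_ddl` helper is hypothetical and just combines the backtick move with the `CREATE OR REPLACE` substitution the question's first query already does.

```python
import re

# Constructed sample of the signatures the ROUTINES query is described as returning.
SAMPLE_DDL = [
    "`project-data-sandbox`.schema.MySP()",
    "`project-data-sandbox`.schema.YourSP(MySP)",
    "`project-data-sandbox`.inv.partnumber(orderid)",
    "`project-data-sandbox`.inv_part.part_number(part_id)",
]

# group 1: anything between the backticks (project ids may contain hyphens)
# group 2: dataset name, group 3: routine name; both may contain underscores and digits
# the trailing \( anchors on the opening parenthesis, whatever the parameter list holds
PATTERN = re.compile(r'`([^`]+)`\.([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\(')


def move_backticks(ddl):
    """Turn `project`.dataset.routine( into `project.dataset.routine`( ."""
    return PATTERN.sub(r'`\1.\2.\3`(', ddl)


def rewrite_ddl(ddl):
    """Hypothetical helper: CREATE PROC -> CREATE OR REPLACE PROC, then move the backticks."""
    return move_backticks(ddl.replace('CREATE PROC', 'CREATE OR REPLACE PROC'))


if __name__ == '__main__':
    for line in SAMPLE_DDL:
        print(move_backticks(line))
    # Constructed full DDL line, as INFORMATION_SCHEMA.ROUTINES would return it.
    print(rewrite_ddl("CREATE PROCEDURE `project-data-sandbox`.inv.partnumber(orderid INT64) "
                      "BEGIN SELECT orderid; END"))
```

The substitution is idempotent: once the backticks enclose the dotted name, the pattern no longer matches, so running it over already-rewritten DDL changes nothing. BigQuery's `REGEXP_REPLACE` uses RE2, which accepts the same pattern and `\1`-style backreferences in the replacement string.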

Understanding OpenERP Domain Filter?

I would like to ask you if you could please explain the anatomy of the OpenERP domain filters. I have to use it in my project.
Please explain the description of the following domain filter.
['|',('order_id.user_id','=',user.id),('order_id.user_id','=',False)]
I want to know the exact meaning of ('order_id.user_id','=',user.id): what are order_id, user_id, and user.id? Are they referencing any table? If yes, then how am I supposed to know which one...
Basically I want to decipher the notation from the bottom up so that I can use it as per my requirement.
This one is pretty simple.
Consider the following fields (only the XML is given here; the Python you have to manage)
<field name="a"/>
<field name="b"/>
<field name="c"/>
Single Condition
Consider some simple conditions in programming
if a = 5 # where a is the variable and 5 is the value
In Open ERP domain filter it would be written this way
[('a','=',5)] # where a should be a field in the model and 5 will be the value
So the syntax we derive is
('field_name', 'operator', value)
Now let's try to apply another field in place of static value 5
[('a','=',b)] # where a and b should be the fields in the model
In the above you have to note that the first variable a is enclosed in single quotes whereas the value b is not. The variable to be compared will always be first and will be enclosed in single quotes, and the value will be just the field name. But if you want to compare variable a with the value 'b' you have to do the below
[('a','=','b')] # where only a is the field name and b is the value (field b's value will not be taken for comparison in this case)
Condition AND
In Programming
if a = 5 and b = 10
In Open ERP domain filter
[('a','=',5),('b','=',10)]
Note that if you don't specify any condition at the beginning, an AND condition will be applied. If you want to replace static values you can simply remove the 5 and give the field name (strictly without quotes)
[('a','=',c),('b','=',c)]
Condition OR
In Programming
if a = 5 or b = 10
In Open ERP domain filter
['|',('a','=',5),('b','=',10)]
Note that the , indicates that it's an AND condition. If you want to replace fields you can simply remove the 5 and give the field name (strictly without quotes)
Multiple Conditions
In Programming
if a = 5 or (b != 10 and c = 12)
In Open ERP domain filter
['|',('a','=',5),'&',('b','!=',10),('c','=',12)]
Also this post from Arya will be greatly helpful to you. Cheers!!
The '|' is an OR that gets applied to the next comparison. The (..., '=', False) gets converted into an IS NULL so the SQL for this would be
WHERE order_id.user_id = x OR order_id.user_id is NULL
The default is AND which is why you don't see ['&', ('field1', '=', 1), ('field2', '=', 2)] everywhere.
Note that another useful one is ('field1', '!=', False) which gets converted to WHERE field1 IS NOT NULL
There isn't a lot of great documentation for this and they get quite tricky with multiple operators as you have to work through the tuples in reverse consuming the operators. I find I use complex ones infrequently enough that I just turn on query logging in Postgres and use trial and error observing the generated queries until I get it right.
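To make the prefix notation concrete, here is an added example (my own code, not OpenERP's, and a deliberate simplification of its domain evaluator) that normalizes a domain, walks it right to left consuming operators with a stack, and emits a WHERE clause in which every value is a bind parameter. It covers the cases discussed above: the implicit AND between bare terms, explicit '|' and '&', '!' for negation, and `= False` / `!= False` becoming IS NULL / IS NOT NULL. Field names are allow-listed with a regex because identifiers cannot be bound; dotted paths such as order_id.user_id (which traverse a relation and need a join) are outside its scope. The table and rows are constructed for the demo.

```python
import re
import sqlite3

AND, OR, NOT = '&', '|', '!'
ARITY = {AND: 2, OR: 2, NOT: 1}
# Comparison operators we translate; anything else is rejected, never pasted into SQL.
SQL_OPS = {'=': '=', '!=': '<>', '<': '<', '<=': '<=', '>': '>', '>=': '>=',
           'like': 'LIKE', 'in': 'IN', 'not in': 'NOT IN'}
# Identifiers cannot be bound as parameters, so only plain column names are accepted.
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def normalize_domain(domain):
    """Make the implicit leading '&' operators explicit (pure prefix notation)."""
    result, expected = [], 1
    for token in domain:
        if expected == 0:               # more terms than the operators consume: a & b & c
            result.insert(0, AND)
            expected = 1
        if isinstance(token, (list, tuple)):
            expected -= 1
            token = tuple(token)
        elif token in ARITY:
            expected += ARITY[token] - 1
        else:
            raise ValueError('unknown operator %r' % (token,))
        result.append(token)
    if expected != 0:
        raise ValueError('malformed domain: %r' % (domain,))
    return result


def leaf_to_sql(leaf):
    """One (field, operator, value) triple -> (sql fragment, bound parameters)."""
    field, op, value = leaf
    if not IDENT.match(field):
        raise ValueError('bad field name %r' % (field,))
    if value is False and op == '=':
        return '%s IS NULL' % field, []
    if value is False and op == '!=':
        return '%s IS NOT NULL' % field, []
    if op not in SQL_OPS:
        raise ValueError('unsupported operator %r' % (op,))
    if op in ('in', 'not in'):
        values = list(value)
        if not values:                  # empty IN () is not valid SQL
            return ('0=1' if op == 'in' else '1=1'), []
        return '%s %s (%s)' % (field, SQL_OPS[op], ', '.join('?' * len(values))), values
    return '%s %s ?' % (field, SQL_OPS[op]), [value]


def domain_to_sql(domain):
    """Walk the normalized domain right-to-left; operators pop their operands off a stack."""
    stack = []
    for token in reversed(normalize_domain(domain)):
        if isinstance(token, tuple):
            stack.append(leaf_to_sql(token))
        elif token == NOT:
            sql, params = stack.pop()
            stack.append(('NOT (%s)' % sql, params))
        else:
            (lsql, lparams), (rsql, rparams) = stack.pop(), stack.pop()
            word = 'AND' if token == AND else 'OR'
            stack.append(('(%s %s %s)' % (lsql, word, rsql), lparams + rparams))
    assert len(stack) == 1
    return stack[0]


def search_ids(conn, table, domain):
    """SELECT id FROM <table> WHERE <domain>, with every value passed as a bind parameter."""
    if not IDENT.match(table):
        raise ValueError('bad table name %r' % (table,))
    where, params = domain_to_sql(domain)
    rows = conn.execute('SELECT id FROM %s WHERE %s ORDER BY id' % (table, where), params)
    return [r[0] for r in rows]


def demo():
    conn = sqlite3.connect(':memory:')   # constructed table and rows for the demo
    conn.execute('CREATE TABLE sale_order (id INTEGER PRIMARY KEY, user_id INTEGER, state TEXT)')
    conn.executemany('INSERT INTO sale_order VALUES (?, ?, ?)',
                     [(1, 7, 'draft'), (2, None, 'draft'), (3, 9, 'done'), (4, 7, 'done')])
    mine_or_unassigned = ['|', ('user_id', '=', 7), ('user_id', '=', False)]
    mine_and_done = [('user_id', '=', 7), ('state', '=', 'done')]
    return {
        'mine_or_unassigned': search_ids(conn, 'sale_order', mine_or_unassigned),
        'mine_and_done': search_ids(conn, 'sale_order', mine_and_done),
        'not_done': search_ids(conn, 'sale_order', ['!', ('state', '=', 'done')]),
    }


if __name__ == '__main__':
    print(domain_to_sql(['|', ('a', '=', 5), '&', ('b', '!=', 10), ('c', '=', 12)]))
    print(demo())
```

`domain_to_sql(['|', ('order_id_user', '=', 7), ('order_id_user', '=', False)])` yields `(order_id_user = ? OR order_id_user IS NULL)` with `[7]` as the parameter list, which is the shape of the query the answer above describes. Values only ever reach the database as parameters; the only strings that are spliced into the statement are identifiers that passed the allow-list.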

How to add text plus the text written from a Parameter type C in ABAP?

I am working in an ABAP program and I have a question.
For example in C#, when we have a String variable: string name; and we want this to be filled with some data from a textbox but also add some other text.
For example:
string name = "Hello: " + textBox1.text;
And I want to ask you how I can do this in ABAP. How to add text plus the text written from a Parameter type C?
CONCATENATE and the concatenate operator && will do it as answered by Jagger and vwegert. To do it with string expressions, you use the below where name is the screen field or whatever that has the name in it (it doesn't need to be a field-symbol):
greeting = |Hello: { <name> }|.
String expressions are extremely useful as they can be used to build up complex values without declaring extra variables - e.g. they can be passed directly as function module or method parameters without first assigning to a local variable.
You can either use the CONCATENATE keyword or -- in newer releases -- string expressions. Be sure to check the online documentation and sample programs available using the transaction ABAPDOCU, it will save you a ton of seemingly basic questions.
The equivalent operator is &&.
So in your case it would be:
name = 'Hello: ' && textBox1->text.

What does this JDBC snippet achieve?

String q = "SELECT attr FROM students WHERE foo = ? AND bar = ?";
PreparedStatement s = connection.prepareStatement(q);
s.setString(1, "a");
s.setString(2, "b");
ResultSet rs = s.executeQuery();
if(rs.next())
{
System.out.println("aba");
}
else
{
System.out.println("zab");
}
I'm not entirely sure, but my interpretation is that it performs a query to find "attr" from "students" where foo is something and bar is something. In case of successful results from the query it prints out aba, otherwise it will print out zab.
Correct me if I'm wrong. What are the s.setString(1,"a") calls for? What exactly does the question mark stand for?
You are mostly right. If there is at least one row in the students table with field foo='a' and bar='b', this prints out aba; if no such row exists, it prints out zab.
The question marks and the .setString(1,"a") statements are closely related. The ? denotes a parameter (placeholder, if that is more convenient to grasp) to the query, and the s.set<datatype>() methods 'fill these in'. The first parameter specifies the parameter to fill in, the second specifies the value.
Recommended reading: Using PreparedStatements
The question mark in the query represents the values to be added later on. They act as placeholders.
So you prepare the query once and then just set the values using, e.g.,
s.setString(1,"a");
This sets the first value (aka the first question mark) to a string value of a. There are respective functions for other types like, for example, setInt() or setLong().

Protecting against SQL injection in python

I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such function exist but couldn't find it.
Edit:
Here is my current code setting the char field name label:
def setLabel(self, userId, refId, label):
    self._db.cursor().execute("""
        UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", (label, userId, refId))
    self._db.commit()
From the documentation:
con.execute("insert into person(firstname) values (?)", ("Joe",))
This escapes "Joe", so what you want is
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs, http://docs.python.org/library/sqlite3.html, above "Never do this -- insecure".
Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized sql (I think "bind variables" may be the name used with Oracle specifically).
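The three threads above about the Ruby `execute` query, the JDBC `PreparedStatement` and the Python `UPDATE` all come down to the same point: a value spliced into the statement text is parsed as SQL, while a bound parameter is never parsed at all. The following is an added example (my own code, not from any of the answers, using Python's standard sqlite3 module so it runs offline) that puts the two Ruby queries from the first question and a bound-parameter version side by side. The `departments` rows and the payload strings are constructed; `'Ben'` and `'Tom'` come from the first thread, and the third name just contains an apostrophe.

```python
import sqlite3


def fresh_db():
    """In-memory SQLite database with three constructed rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO departments (name) VALUES (?)',
                     [('Ben',), ('Tom',), ("O'Brien",)])
    return conn


def find_unquoted(conn, name):
    """The first Ruby query: the value lands in the SQL text without quotes."""
    return conn.execute("SELECT id FROM departments WHERE name = %s" % name).fetchall()


def find_quoted(conn, name):
    """The second Ruby query: quoted, so 'Ben' works, but the value is still SQL text."""
    return conn.execute("SELECT id FROM departments WHERE name = '%s'" % name).fetchall()


def find_bound(conn, name):
    """Bind variable: the value is sent separately and never becomes part of the statement."""
    return conn.execute("SELECT id FROM departments WHERE name = ?", (name,)).fetchall()


def try_query(fn, conn, name):
    """Return the rows, or the exception class name if SQLite refused the statement."""
    try:
        return fn(conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__


def demo():
    conn = fresh_db()
    tautology = "' OR 1=1 --"    # constructed injection payload
    apostrophe = "O'Brien"       # a legitimate value that happens to contain a quote
    return {
        # WHERE name = Ben : SQLite looks for a column called Ben and fails
        'unquoted_ben': try_query(find_unquoted, conn, 'Ben'),
        # WHERE name = 'Ben' : works, as in the second Ruby query
        'quoted_ben': try_query(find_quoted, conn, 'Ben'),
        # WHERE name = '' OR 1=1 --' : the payload rewrites the query, every row comes back
        'quoted_tautology': try_query(find_quoted, conn, tautology),
        # WHERE name = 'O'Brien' : an ordinary value breaks the statement
        'quoted_apostrophe': try_query(find_quoted, conn, apostrophe),
        # With ? the same three inputs are compared literally against the column
        'bound_ben': try_query(find_bound, conn, 'Ben'),
        'bound_tautology': try_query(find_bound, conn, tautology),
        'bound_apostrophe': try_query(find_bound, conn, apostrophe),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-18s %r' % (key, value))
```

With the bound version the tautology payload simply matches no department, and the apostrophe needs no escaping at all. Note that Python's sqlite3 module runs one statement per `execute()` call, so a stacked payload such as Bobby Tables' `DROP TABLE` fails on the driver rather than being stopped by the application; other drivers and databases do execute stacked statements, so that is not a defence to rely on.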