OrientDB - SQL command to pass array value as parameter in OrientDB function - sql

I have a simple sql query in orientdb function like this:
select *
from TestExecutionPlanReport
where executionPlan IN :executionPlans
It accepts "executionPlans" as parameter where an array value should be passed.
When I tried just one value like "#59:71", it works and returns the wanted output. BUT when I tried to pass in an array value like "[#59:71,#59:214]", it is not working. It returns an empty response. It works when I query "select * from SomeClass where field IN [#59:71,#59:214]" (not in an OrientDB function).

I had the same issue when trying to run an SQL query from Scala code. I solved it by passing a set as the parameter instead of a list or an array.

If I got your question right, you are trying to execute the query you've mentioned in an OrientDB server-side function (probably written in JavaScript) which takes executionPlan as a parameter.
I also noticed this happening if you use parameterized queries. A parameterized query is something like the following:
// parameterized form: the array is handed to db.query() as a bind value, not spliced into the text
var query = "select * from TestExecutionPlanReport where executionPlan IN ?";
return db.query(query, executionPlans);
However, when I used string concatenation to build the query, it works. I'm referring to the following
// concatenated form: the array is rendered into the SQL text itself
var query = "select * from TestExecutionPlanReport where executionPlan IN " + executionPlans;
return db.query(query);
If you are using string concatenation I think the issue is with how you pass the parameter. Rather than passing "[#59:71,#59:214]", try passing [#59:71,#59:214] to your function and see if it works.
Usually when you use string concatenation to build queries, you can use the print() function to print the concatenated query on the OrientDB console. However, concatenation based queries could be exploited to do SQL injections, hence discouraged.
I cannot explain why this doesn't work for parameterized queries. I'll do more research on this. Perhaps it's a bug. I'm using OrientDB 2.0.3.
Hope this helps.

Related

Is this parameterized query open to SQL injection?

Someone looking at my code said that the SQL query below (SELECT * FROM...) was obviously open to attack. I have researched this and it seems I'm doing this correctly by using a parameterized query, but clearly I'm missing something.
app.get("/api/v1/:userId", async (req, res) => {
  try {
    // $1 is a bind parameter: req.params.userId travels separately from the SQL text
    const teammate = await db.query("SELECT * FROM teammates WHERE uid = $1", [
      req.params.userId,
    ]);
    res.json(teammate.rows);
  } catch (err) {
    res.status(500).json({ error: "query failed" });
  }
});
This query is not open to SQL injection, because it uses a parameterized query. The data is not substituted for the parameter ($1), but sent separately in a “bind” message, so no matter what the data contain, it is not interpreted as part of the SQL statement.
Moreover, it looks like the argument is an integer, and SQL injection can only happen with string arguments.
Someone at that company may have assumed that the $1 was going to be used for string interpolation, instead of a SQL query parameter.
They might not be aware that PostgreSQL uses the dollar-sign sigil for a query parameter placeholder. Other databases like MySQL use ? for a placeholder, and Oracle uses a : sigil in front of a named parameter.
You wrote the code correctly. See a similar example for node.js and PostgreSQL here: https://node-postgres.com/features/queries The section on "Parameterized query" specifically shows that style of code as the defense against SQL injection.
You might be better off not getting that job, in retrospect.

Pandas read_sql Challenging syntax for postgres query

I am querying a postgres db using python/pandas with sqlalchemy. I have an sql query that looks like this:
SELECT table_name
FROM fixed_602fcccd0f189c2434611b14.information_schema."tables" t
WHERE table_type='BASE TABLE'
and table_schema='di_602fccd10f189c2434611be9'
and (
table_name like 'general_journal%'
or table_name like 'output_journal_line%'
or table_name like 'output_journal_tx%'
or table_name like 'flats%'
)
I've tested it in dBeaver and it works perfectly. I am now trying to pass the same query through pandas read_sql as follows:
# build the fully qualified FROM target, e.g. <pg_db>.information_schema."tables"
from_string = pg_db + '.information_schema."tables"'
print(from_string)
# queries.id_tables holds the query text with {} slots for the FROM target and the schema id
pg_query = queries.id_tables.format(from_string, di_id)
The idea is that I construct the query with the variables 'pg_db' (string) and 'di_id' (string) as I make a series of queries. The problem is that the query returns an empty array when done this way. No error is thrown.
I suspected the challenge was the "tables" attribute, e.g. that pandas strips off the " when it interprets the query, but that doesn't actually seem to matter. Any thoughts on how to make this work with pandas?
UPDATE:
I have tried parameterized and met with the same problem. It seems to boil down to the FROM parameter gets passed in with double quotes. I have tried to strip these but it looks like pandas appends them anyways. In principle double quotes should be fine according to postgres docs but that doesn't seem to be the case even when doing the query in dBeaver. If I pass in the query via pandas as it is written at the top of this post, no problem. The challenge is when I try to use variables for the FROM and table_schema parameters, I get syntax errors.
It turns out that the problem disappeared when I removed the parentheses I put around the 'or' statements. I think the message is to pay attention to how you construct the query, e.g. form and join all the strings and variables before passing them to pandas.
That said I have used parentheses with much more complex queries in pandas and they were not a problem.
I would first suggest that you use a parameterized query for input, but in some cases it's just easier to use the built-in function repr():
s = "SQL sometimes likes \"here\" and %s \"now\" problems"
print(repr(s))
gives
'SQL sometimes likes "here" and %s "now" problems'

HANA Bind JS Array as Parameter Value to WHERE IN(...) Clause

I'm using the #sap/hana-client npm module in a NodeJS project to connect to a HANA database and run queries.
I have a list of IDs that I want to include in a WHERE ID IN(...) SQL clause via parameterized queries, but cannot seem to figure out the syntax to do it.
Here's what I imagine it would look like (but this does not work, fails at the parameter binding stage)
const ids = [1,2,3,4];
const params = [ids];
const sql = "SELECT * FROM T WHERE ID IN (?)";
// this fails with => code: -20007, message: 'Can not bind parameter(0).', sqlState: 'HY000'
conn.query(sql, params, (err, result) => {
// process query results or errors
});
I know that in Postgres I can do this by using the UNNEST(...) array function, but the same does not seem to work in HANA.
That's a well-known difficulty with HANA.
ARRAY-like types are not natively supported in the client software.
Your (special) case of this, namely turning an array into a list of parameters for an IN clause requires some additional efforts.
See e.g. Errors with declared array/table variable values in SAP HanaDB SQL
The bottom line is that Postgres handles this special case specifically by replacing the single IN-clause parameter ? with a whole list of delimited values.
HANA does (sadly) not do something like that.
Instead, you have to know in advance how many elements (at most) the IN-list will have, so that you can prepare a statement with a parameter ? for each of those elements.
Alternatively, you can use SQLScript and the UNNEST construct that I've shown in the linked question, or you can create a temporary table, fill it with the IN-list elements and use it in the IN-clause (or join it).
Either way, it's rather cumbersome to manually do this, and I'd probably look for a framework that does that sort of stuff.
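The two answers above (the OrientDB one, which warns that concatenating the array into the query text is injectable, and the HANA one, which says to bind one ? per list element) describe the same technique. The following is an added example, not code from either post or from the OrientDB or SAP HANA projects: it shows the concatenated variant being subverted and a hardened builder that expands a single IN (?) or IN [?] slot into one placeholder per element, returning the SQL and the bind values separately. The placeholder syntax, the RID_PATTERN regex for OrientDB record ids, and the NULL padding for fixed-size prepared statements are assumptions of this example; no database driver is used, so the returned {sql, params} pair is what you would hand to db.query / conn.query.

```javascript
// Added example, not code from the original posts. Builds an IN-list from a
// JavaScript array without splicing the values into the SQL text.

// Assumption: OrientDB record ids look like "#<cluster>:<position>".
const RID_PATTERN = /^#\d+:\d+$/;

// Vulnerable variant (the concatenation the OrientDB answer describes).
// Whatever the caller passes becomes part of the SQL statement.
function buildInUnsafe(values) {
  return (
    "select * from TestExecutionPlanReport where executionPlan IN [" +
    values.join(",") +
    "]"
  );
}

// Hardened variant: expand the single "IN (?)" (or "IN [?]") of a template
// into one "?" per element and return the values separately as bind
// parameters. maxSlots (optional) pads with NULL so a statement prepared
// with a fixed number of placeholders can be reused; NULL inside an IN-list
// never matches a row. Do not use the padding with NOT IN: a NULL there
// makes NOT IN return no rows at all.
function buildIn(template, values, maxSlots) {
  if (!Array.isArray(values) || values.length === 0) {
    throw new Error("IN-list must be a non-empty array");
  }
  const slot = /IN ([(\[])\?([)\]])/;
  const hits = template.match(new RegExp(slot.source, "g"));
  if (!hits || hits.length !== 1) {
    throw new Error('template must contain exactly one "IN (?)" or "IN [?]"');
  }
  if (maxSlots !== undefined && values.length > maxSlots) {
    throw new Error(`IN-list has ${values.length} elements, max is ${maxSlots}`);
  }
  const slots = maxSlots === undefined ? values.length : maxSlots;
  const params = values.slice();
  while (params.length < slots) params.push(null);
  const placeholders = new Array(slots).fill("?").join(", ");
  const m = template.match(slot);
  return {
    sql: template.replace(slot, `IN ${m[1]}${placeholders}${m[2]}`),
    params,
  };
}

// OrientDB-flavoured wrapper: reject anything that is not a record id before
// it goes anywhere near the query, then bind as above.
function buildRidIn(template, rids) {
  for (const rid of rids) {
    if (typeof rid !== "string" || !RID_PATTERN.test(rid)) {
      throw new Error(`not a record id: ${String(rid)}`);
    }
  }
  return buildIn(template, rids);
}

// Usage: the {sql, params} pair is what conn.query(sql, params, cb) expects.
const hana = buildIn("SELECT * FROM T WHERE ID IN (?)", [1, 2, 3, 4]);
console.log(hana.sql, hana.params);
const orient = buildRidIn(
  "select * from TestExecutionPlanReport where executionPlan IN [?]",
  ["#59:71", "#59:214"]
);
console.log(orient.sql, orient.params);
console.log("unsafe:", buildInUnsafe(["#59:71] or 1=1 --"]));
```

Whether a given driver accepts IN (?, ?, ?) with positional binds is something to confirm per driver; the HANA answer above states that preparing a fixed number of placeholders is what HANA supports, and the OrientDB answer reports that a single bound array did not work in 2.0.3.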

How can I pass 'A0101', 'A0201' like an array of strings

I want to pass 'A0101', 'A0201' like this as a parameter in a SQL Server query using an IN clause, but from C# to a stored procedure.
If the "IN" clause is just being used to filter, you can use Linq without passing it into the stored procedure (it will still be evaluated on server with deferred execution).
var results = (from item in context.SPCall
               where new[] { "A0101", "A0201" }.Contains(item.Property)
               select item).ToList();

How to write LINQ to generate SQL with CONTAINS keyword

I am using EF to connect with Oracle database and writing a linq query like this
var keyword = this.Keywords.ToLower();
var filteredItems = from item in active_items
                    where item.Name.Contains(keyword)
                    select item;
The generated SQL from linq makes use of Like and keyword wrapped in %% signs.
e.g. WHERE "EXTENT1"."NAME" LIKE '%keyword%'
Which seems OK but I need the sql to make use "Contains" keyword and need the SQL to be like
e.g. WHERE CONTAINS(NAME,'keyword') > 0
How do I achieve this?
First option:
use devart library: http://blog.devart.com/using-oracle-full-text-search-in-entity-framework.html
Second option:
make a stored procedure in Oracle that receives your keyword and searches for it, and map the procedure into your model (if you are using model-first)
Third option:
in the linq mapping use a function like INSTR. See http://docs.oracle.com/cd/E11882_01/win.112/e18754/canonical_map.htm#ODPNT7777