error while using the EXCEPT identifier in sql query - sql

i have a user table with one attribute as habits that has valus like shopping,sports etc. Now when i log in to my application i get the username from the FORM tag and this is used in javascript for further use. I need a query that displays all the user table contents where habits=shopping but it shouldnt display the details of the currently logged in user. The query i used for this is,
select * from user where habits='shopping' except select * from user where username='niranjan';
But this line is generating an error stating that the EXCEPT identifier is not a valid input at this point.
pls correct my error or provide an alternative code for my issue.

select * from user where habits='shopping' and username!='niranjan';

No need for except here. Just add a condition to your where caluse:
And username <> 'niranjan'

The problem may be that user is a reserved word for SQL Server. I would suggest that you rename the table to users to get around this problem.
In the meantime, you can use square braces for the query:
select * from [user] where habits = 'shopping'
except
select * from [user] where username = 'niranjan';
However, it is bad form to use reserved words for table and column names.

Related

BigQuery and Data Studio - Extracting the value of #DS_USER_EMAIL in a query

So in the BigQuery console you can see the queries that have been run by your users. Data Studio supplies a parameter called #DS_USER_EMAIL that contains the email of the user that made the query.
We need that email for billing reasons: We need to bill/notify people based on their usage.
An example query of this, logged in BQ:
select #DS_USER_EMAIL as user_email from test_table;
So I can only see the variable, not the resolved value. Was hoping the logged query would be actual query run like so:
select 'test#test.com' as user_email from test_table;
Any way around this? If not, what are our options for getting the email?
From my understanding, #DS_USER_EMAIL can be used to create dynamic reports, so certain users get access to specific data (Ref)
If you are looking for a way to check total bytes processed based on the user e-mail you can try using the INFORMATION_SCHEMA tables and JOBS_BY_ORGANIZATION (Documentation Link)
An example:
SELECT
job_id,
creation_time,
user_email,
total_bytes_billed
FROM `region-us`.INFORMATION_SCHEMA.JOBS_BY_ORGANIZATION
WHERE state == "DONE"

Inject SQL query into http URL

I got an assignment to make SQL injection to a fake website that was built for that purpose.
I wanted to know how to inject SQL query into an URL.
for example, http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id
i have this URL, and i want to inject UNION query to it, how do I do that?
Thanks.
Let's assume that your web query will be translated to
SELECT * FROM users WHERE username = 'my_id';
Now, the trick is to replace 'my_id' by the malicious code. I assume that the purpose of the UNION query is to return all the users instead of just one. The result should be:
SELECT * FROM users WHERE username = 'my_id' UNION SELECT * FROM users; -- ';
Maybe the original query has a field list instead of *. Then you will have to duplicate this list in the second query.
Now instead of my_id, you must enter
my_id' UNION SELECT * FROM users; --
Note that we terminate our entry with a -- introducing a comment. The query mechanism will terminate the query by appending a final single quote (and maybe a semicolon). Now they will be turned into a comment.
The next question is, how do we escape this correctly for the URL. Using the online tool Code Beautify, HTML Escape/Unescape, we get:
my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
This gives the full URL:
http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--

table with "." in its name

I was trying to use sqlFetch. The fetch works perfectly when I change the name of my table to have underlines instead of periods. So if I use the command
sqlFetch(conn, "HelloWorld_40")
It works fine. Unfortunately, my friends are all using the real name of the table
sqlFetch(conn, "HelloWorld.40")
But then it crashes and it tells me that
Error in sqlColumns(conn, "HelloWorld.40") :
'HelloWorld.40': table not found on channel
I'm guessing the period "." is illegal name for a table. But I don't want my friends to change it because it's a lot of people who would be affected. Is there a way I can call the table, or do I have to secretly go to their database, change the name while I use it and then change it back to a period (risking that I will forget, someone will read, blah blah).
Thanks.
put the table name in square brackets:
[HelloWorld.40]
It is a problem with sqlFetch which parse table name. Unfortunately it did not handle table quotes, so it's search for table 40 in schema HelloWorld. You need to directly call sqlQuery (with quoted table name, brackets for MS SQL Server):
sqlQuery(dbhandle, "SELECT * FROM [HelloWorld.40]")
Side note: you should specify which database you are using.
The best delimiter is double quotes -- that should work in most underlying databases:
"HelloWorld.40"
In MySQL, you can also use back ticks (`):
`HelloWorld.40`
In SQL Server, Access, and I think Sybase, you can also use square braces:
[HelloWorld.40]

Dash in a field name in access database table

Im having problems retrieving a field from my ms-access database.
The table name is TEST and one of the field's name is HD-TEST
When i do:
SELECT * from TEST where TEST.HD-TEST='H' and i execute the query, ms-access shows me a dialog expecting the parameter HD.
Do you know what could be the reason?
Thanks a lot.
Kind Regards.
Josema.
Try to add brackets to the begin and the end of the column name (not tested, but works in SQL Server):
SELECT * from TEST where TEST.[HD-TEST]='H'

How to Append String at the end of a Given a Column in SQL Server?

I have a project I am working on. based off a backup SQl Server database from a production server. They have over 16,000 user email addresses, and I want to corrupt them so the system (which has automatic emailers) will not send any emails to valid addresses.
But I still want the users, and I want them in a way that I can reverse what I do (which is why I dont want to delete them).
The SQL I am trying is:
UPDATE Contact SET
EmailAddress = EmailAddress + '.x'
But it isnt working, what am I doing wrong?
Error Message is as follows:
---------------------------
Microsoft SQL Server Management Studio Express
---------------------------
SQL Execution Error.
Executed SQL statement: UPDATE Contact SET EmailAddress = EmailAddress + '.x'
Error Source: .Net SqlClient Data Provider
Error Message: String or binary data would be truncated. The statement has been terminated.
---------------------------
OK Help
---------------------------
The issue is that EmailAddress +".x" results in some of your data being to long for the given field. You could do:
select * from Contact where len(EmailAddress +".x") > LENFIELD
Replace LENFIELD with the length of the column defined on the table. If you just want to mung the data why not just set all the fields to a single email address? Or modify the rows that are causing the error to occur to be shorter.
Can you be more specific about any errors that you get? I've just knocked up an example and it works fine.
Edit - EmailAddress fields you're trying to update are already close to the full size for the field, to make sure the edit applies to all the required record, you need to change add 2 to the column size for that field
BTW Sql to convert it back again
update Contact
set EmailAddress = SUBSTRING(EmailAddress , 0 , len(EmailAddress ) - 1)
where SUBSTRING(EmailAddress , len(EmailAddress ) - 1, 2) = '.x'
Are these fully-qualified email addresses, with #domain.name ? In that case, you could use UPDATE... SELECT REPLACE to change the # to, say, *.
It looks to me like appending the extra text will make one or more of the email addresses longer than the field size. Rather than appending why don't you replace the last character with a different one?
First result on Google searching for the error message says:
"String or binary data would be truncated" MS Sql error
This problem occurs when you trying to insert to field a string that exceeds fields length. The only solution I could find was to set a bigger field length.
Ref: http://www.dotnetjunkies.com/WebLog/skiff/archive/2005/01/31/49336.aspx
try:
UPDATE Contact SET
EmailAddress = EmailAddress || '.x';
the || is the string (varchar) concatanation operator in SQL.
HINT: Error messages would help if asking more questions.