Select column of other row in parameterized statement - sql

I am a beginner in SQL, and I was having some trouble with special characters like parentheses and asterisks in user-generated data. So far, I have mostly been using a lot of ad hoc methods of getting rid of these characters and they work well enough. Based on what I have read, I think parameterized queries might be a more systematic way of getting around some of the problems that I have.
I have following query:
insert into midstep (street)(select street from addresses limit 10)
The column street in the table addresses has a lot of parentheses, asterisks etc. The code above works as expected. What I want to do is something like this:
prepare midstreet (text) AS insert into midstep (street)(select $1 from addresses limit 10);
execute midstreet ( street from addresses);
However, when I enter in that code I get the following error message:
ERROR: syntax error at or near "from"
SQL state: 42601
Character: 29
I have tried a bunch of variations on this code and read through the documentation on Prepare and Execute but always get error messages. Any help is appreciated!
EDIT: I forgot to mention, I am using PostgreSQL 9.3 and my OS is Ubuntu. Please ask if you need any more information to help!

You do not need a parameter in your case, as you get your values using a sub-query. As a matter of fact, you cannot know the needed values on the server side. Parameters like that are needed if and only if you have some values defined at the application level and you want to pass them to the database.
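To make the answer's point concrete, here is an added example that is not code from the question or the answer. It uses Python's standard-library sqlite3 module instead of PostgreSQL, but the behaviour is the same for every driver: a bound parameter is always a value and is never parsed as a column name. The table and column names are the question's; the three street rows are constructed and deliberately contain the characters the question worries about. Binding the word 'street' as a parameter inserts that literal word, the plain subquery copies the real values with no escaping at all, and a parameter is the right tool only for values the application decides, such as a filter pattern or a row limit.

```python
import sqlite3

# Added example, not code from the question or the answer. It uses the
# standard-library sqlite3 module instead of PostgreSQL, but the point is
# the same for every driver: a bound parameter is always a value and is
# never parsed as a column name. Table and column names are the question's;
# the street rows are constructed and deliberately contain the characters
# the question worries about.
SAMPLE_STREETS = ["Main St (rear)", "5th Ave *north*", "O'Connor Rd"]


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (street TEXT)")
    conn.execute("CREATE TABLE midstep (street TEXT)")
    conn.executemany("INSERT INTO addresses (street) VALUES (?)",
                     [(s,) for s in SAMPLE_STREETS])
    return conn


def midstep_rows(conn):
    return [r[0] for r in conn.execute("SELECT street FROM midstep ORDER BY rowid")]


def copy_with_bound_column_name(conn):
    """What EXECUTE midstreet('street') would do if it parsed: the parameter
    is bound as the string 'street', so every inserted row holds that word."""
    conn.execute("DELETE FROM midstep")
    conn.execute("INSERT INTO midstep (street) SELECT ? FROM addresses LIMIT 10",
                 ("street",))
    return midstep_rows(conn)


def copy_with_subquery(conn):
    """The query that already works: the column reference is SQL text and
    the values never pass through a string, so nothing needs escaping."""
    conn.execute("DELETE FROM midstep")
    conn.execute("INSERT INTO midstep (street) SELECT street FROM addresses LIMIT 10")
    return midstep_rows(conn)


def copy_with_real_parameters(conn, pattern, limit):
    """Where a parameter belongs: values the application decides, here a
    LIKE pattern and a row limit."""
    conn.execute("DELETE FROM midstep")
    conn.execute(
        "INSERT INTO midstep (street) "
        "SELECT street FROM addresses WHERE street LIKE ? LIMIT ?",
        (pattern, limit),
    )
    return midstep_rows(conn)
```

Run `copy_with_bound_column_name(setup())` and you get three copies of the word "street"; `copy_with_subquery(setup())` returns the three real addresses, parentheses, asterisk and apostrophe intact.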


Problems using cubeSQL trying to add data to table

I just got cubeSQL admin and SQLite Manager, and am new at this, trying to create a database for a mobile app to get video info and URLs from to stream. I set up a database and connected it to the manager, but cannot get it to accept the script that I am using. This is what I am putting in to get it to add data to a table.
INSERT INTO Sabbath School
(number 1, hello, great,,,
This is the error I get:
Here are screenshots of what I am working with. The first one is the database:
The next one is the table configuration
The final one is what the table looks like.
Any help would be most appreciated as to what I am doing wrong here. I really don't know what I am doing and am trying to learn how to use SQL.
This looks like a "quoted identifier" issue. Since the table name has a space in it, you will need to surround the table name in double quotes. The query parser believes your table name is "Sabbath" and is expecting the VALUES keyword next, or an opening parenthesis ( to start your (column list). Since it sees "School" next, you get the syntax error. My preference is to avoid spaces in table names so you don't need to quote them all the time.

Why do i keep getting a parameter error in my sql update?

I have been trying to use SQL with PyQt4 to update an Access database with information a user has input into my program. I don't want to update all of the records, just a specific record and a specific number of columns (5 out of the 10 columns). However, I keep getting an error that reads:
"pyodbc.Error: ('07002', '[07002] [Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 6. (-3010) (SQLExecDirectW)')"
I can't seem to resolve it.
Here is my code:
SelectDatabase.execute('UPDATE Order_Table SET DateDue=(dateDueString), TimeDue=(timeDueString), PaymentType=(paymentExp), Paid=(paidExp), Customer_ID=(customerExp) WHERE OrderLine_ID=(orderlineExp)')
The values inside the brackets are variables that I have created and I am trying to call upon them. I have proofread them multiple times, including spell-checking them, and I can't find a problem in that regard.
If anyone has any ideas or needs more information please let me know.
I have managed to figure out the problem. I was trying to use a variable within my SQL which, once I had formatted it differently, worked straight away. This is what I changed it to:
SelectDatabase.execute('UPDATE Order_Table SET DateDue=?, TimeDue=?, PaymentType=?, Paid=?, Customer_ID=? WHERE OrderLine_ID=?', dateDueString,timeDueString,paymentExp,paidExp,customerExp,orderlineExp)
This way, by changing the values to unknowns inside the SQL statement and referencing them in order after it, the string values of the variables were found and the correct columns were edited.
Thank-you for trying to help.
Well, I guess you need to create your stored procedure in SQL first with all parameters and then simply call it.
Exec dbo.mYParameter 'timeDueString','paymentExp','paidExp','customerExp','orderlineExp'

Syntax error in INSERT INTO statement

I am trying to insert some information in an MS Access database.
In my database I have the following columns and types:
log_order - Autonumber (I need this to keep the order where inserted in the db),
userID - Text,
time - Text,
date_ - text,
message - Text.
My query:
command.CommandText = "INSERT INTO logs(userID, time, date_, message) VALUES ('"+verifiedUser+"', '"+msg_time+"', '"+msg_date+"', '"+msg+"')";
OleDbDataReader reader = command.ExecuteReader();
The error that I get:
System.Data.OleDb.OleDbException: 'Syntax error in INSERT INTO statement.'
I tried several posts but no post helped me. I believe there might be a problem with the autonumber column (log_order). From what I remember, I don't have to include it in the query.
PS: I know I have to pass the values as parameters.
Thank you in advance
Probably one of your variables (msg?) contains an apostrophe.
The way you've written your SQL is a massive security risk. Please immediately look up "parameterized queries" and never, ever, ever write SQL like this again (where you use string concatenation to tack the values into the query). Your code has a proliferation of issues and using parameterized queries will solve all of them; they aren't difficult to write.
It seems your data in some of the variables passed in INSERT may be causing this error. Try debugging the value in command.CommandText before executing it.
If any of the variables have a single quote they must be escaped...
Ref: How do I escape a single quote in SQL Server?
Also brush up on SQL Injection Ref: SQL Injection
I totally agree with all that has been said, but to answer your question directly, I am pretty sure you will need to put square brackets around your field names. OleDb tends not to like special characters and could well be having a problem for example with date_ ; sending [date_] instead should get round the issue.
It will not like time either. Same solution.
Addendum on SQL Injection
As an aside, calling Access through OleDb is in fact relatively protected from SQL Injection. This is because any attempt to execute multiple instructions in one command fails. (You get an incorrectly formatted string error.) So whilst you could argue that what you are doing is safe, it is not for other DB providers. The sooner you get into good habits, the less likely you will be to introduce a vulnerability in a case where it could be dangerous. If it seems like you are getting a stream of abuse, it is just because everyone here wants to keep the net safe.
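The two failure modes discussed in the answers above (an apostrophe in the data breaking the statement, and data that rewrites the statement) side by side with the parameterized fix, as an added example that is not code from the question or any answer. It uses Python's standard-library sqlite3 module rather than Access through OleDb; the table and column names are the question's, with [time], [date_] and [message] bracket-quoted as the last answer suggests (SQLite accepts [...] identifier quoting for Access compatibility). Both inputs are constructed. This is the same `?`-placeholder style the pyodbc question above ended up with.

```python
import sqlite3

# Added example, not code from the question or any answer: the INSERT from
# the question built two ways. It uses the standard-library sqlite3 module
# instead of Access/OleDb; the table and column names are the question's.
# [time], [date_] and [message] are bracket-quoted as the later answer
# suggests; SQLite accepts [...] identifier quoting for Access compatibility.


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (log_order INTEGER PRIMARY KEY AUTOINCREMENT, "
        "userID TEXT, [time] TEXT, [date_] TEXT, [message] TEXT)"
    )
    return conn


def insert_concatenated(conn, user, msg_time, msg_date, msg):
    """Mirrors the original C# line: values spliced into the SQL text."""
    sql = ("INSERT INTO logs(userID, [time], [date_], [message]) VALUES ('"
           + user + "', '" + msg_time + "', '" + msg_date + "', '" + msg + "')")
    conn.execute(sql)


def insert_parameterized(conn, user, msg_time, msg_date, msg):
    """The fix: placeholders in the SQL, values passed separately."""
    sql = "INSERT INTO logs(userID, [time], [date_], [message]) VALUES (?, ?, ?, ?)"
    conn.execute(sql, (user, msg_time, msg_date, msg))


def stored_messages(conn):
    return [r[0] for r in conn.execute("SELECT [message] FROM logs ORDER BY log_order")]


def demo_apostrophe():
    """Constructed input with an apostrophe: a syntax error for the
    concatenated form (the error the question reports), plain data for the
    bound form. Returns (concatenated_succeeded, stored messages)."""
    conn = setup()
    msg = "it's broken"
    try:
        insert_concatenated(conn, "alice", "10:00", "2024-01-01", msg)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False
    insert_parameterized(conn, "alice", "10:00", "2024-01-01", msg)
    return concat_ok, stored_messages(conn)


def demo_injection():
    """Constructed payload that closes the quote and splices in a subquery.
    With concatenation it copies another user's message into the new row;
    with binding the payload is stored verbatim as one string."""
    conn = setup()
    insert_parameterized(conn, "alice", "10:00", "2024-01-01", "secret note")
    payload = "' || (SELECT [message] FROM logs WHERE userID = 'alice') || '"
    insert_concatenated(conn, "mallory", "11:00", "2024-01-01", payload)
    insert_parameterized(conn, "mallory", "11:00", "2024-01-01", payload)
    return stored_messages(conn)
```

Note that the injection payload here is a single statement, so it would not be stopped by a driver that merely refuses to run two statements in one command; the concatenated insert reads another row's data through a scalar subquery, while the parameterized insert stores the payload as an inert string.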

SQL query syntax error using INSERT INTO

So, I know my code for the database connection and reader is functional, because it has worked for me many times before, however, something about this SQL query:
gives this error message:
when this data is inputted:
This is the database table that I am trying to add the data to:
The issue is that you are using "password" as a column name and that's a reserved word in Jet SQL. Either change the name or escape it in SQL code. You do the latter by wrapping it in square brackets [].
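The two identifier problems in this thread (a table name containing a space, from the cubeSQL question, and a column named with a reserved word, from this one), plus the safe pattern for an identifier chosen at run time, as an added example that is not from any post here. It uses Python's standard-library sqlite3 module, which accepts both standard "..." quoting and the Access-style [...] quoting the answers recommend. "password" is reserved in Jet but not in SQLite, so the column is called [order], which is reserved in SQLite, to reproduce the failure; the table name "Sabbath School" is the one from the earlier question, and the rows are constructed.

```python
import sqlite3

# Added example, not code from any post in this thread: identifier quoting.
# The table name "Sabbath School" is from the cubeSQL question. The column
# [order] stands in for a reserved word: in Access/Jet the reserved word was
# "password"; "order" is reserved in SQLite, so the failure reproduces here.
# SQLite accepts both standard "..." and Access-style [...] quoting.

ALLOWED_COLUMNS = {"number", "title", "order"}


def try_exec(conn, sql, params=()):
    """Run one statement; return None on success or the error text."""
    try:
        conn.execute(sql, params)
        return None
    except sqlite3.OperationalError as e:
        return str(e)


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Sabbath School" (number INTEGER, title TEXT, [order] INTEGER)')
    return conn


def unquoted_space_fails(conn):
    # The parser reads the table as "Sabbath" and chokes on "School".
    return try_exec(conn, "INSERT INTO Sabbath School (number, title) VALUES (?, ?)", (1, "hello"))


def unquoted_reserved_fails(conn):
    # A reserved word used bare as a column name is a syntax error.
    return try_exec(conn, 'INSERT INTO "Sabbath School" (number, title, order) VALUES (?, ?, ?)',
                    (1, "hello", 1))


def quoted_insert(conn):
    # Bracket-quoted (Access style); "Sabbath School" and "order" work too.
    return try_exec(conn, 'INSERT INTO [Sabbath School] (number, title, [order]) VALUES (?, ?, ?)',
                    (1, "hello", 1))


def quote_ident(name):
    """Standard SQL identifier quoting: double quotes, inner quotes doubled.
    Only call this on names that passed an allowlist; quoting alone is not
    a substitute for validating an application-supplied identifier."""
    return '"' + name.replace('"', '""') + '"'


def update_column(conn, column, value, number):
    """Column names cannot be bound as parameters, so validate the name
    against an allowlist, quote it, and bind only the values."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = 'UPDATE "Sabbath School" SET %s = ? WHERE number = ?' % quote_ident(column)
    conn.execute(sql, (value, number))
    row = conn.execute('SELECT %s FROM "Sabbath School" WHERE number = ?' % quote_ident(column),
                       (number,)).fetchone()
    return row[0]


def demo_update(column, value):
    """Insert the sample row, then update one allowlisted column.
    Returns the stored value, or None if the column name was rejected."""
    conn = setup()
    quoted_insert(conn)
    try:
        return update_column(conn, column, value, 1)
    except ValueError:
        return None
```

`unquoted_space_fails` and `unquoted_reserved_fails` each return an error message, `quoted_insert` returns None (success), and `demo_update('title" = 1, "order', "x")` returns None because the name never reaches the SQL text.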

Error while Querying : The value of a host variable in the EXECUTE or OPEN statement is too large for its corresponding use

On trying to use a SELECT query statement, the input variable has 8 characters, just as expected.
I don't know why this error comes for a SELECT query, because a SELECT query will query and, if it's available, it will return; else it will return blank rows.
Hibernate is used. Even in the mapping it's correctly mapped as 8 only.
This is what I found in the log file:
Cause = The value of a host variable in the EXECUTE or OPEN statement is too large for its corresponding use.
Has anybody come across this error before? Please suggest some solutions or reasons why this error occurs.
One possibility... This issue can come up even in a SELECT statement. When the parameter passed into the query is larger than its datatype's size, this error will pop up.
Datatype - CHAR(12)
Search Param: "123456789012345"