SQL Server 2000 - DVWA - including '-' character - sql

I am working with Damn Vulnerable Web App against a Microsoft SQL Server. My question is actually quite straightforward, but can be misinterpreted quite easily. Basically, this is my query:
+AND+1=convert(int,
(select+
top+1+
user+
from+
TBL-Users
)
)--
Now my question is simple. This is the query to extract data from the columns. How do I craft it so that it allows me to extract data from this column? Because apparently, it does not like that I am using the '-' character in this query (but that's the table name).
According to this error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
syntax near '-'.
How can I work around this, and get the data from the column assuming that the '-' character is in the table name?

In SQL-Server you can basically use most of the reserved words and special characters inside []:
select * from [TBL-Users]

Related

SQLSyntaxErrorException Using LTRIM to trim character 'x' in query

I am using the TRIM function to trim some characters in a query. I am using Hibernate; the following is my query.
from ABean s where s.cId in (select ca.id from CBean ca where LTRIM(ca.refNumber,'0') = LTRIM('$ref$','0') and ca.valid = 0)
$ref$ is replaced with the actual value in the query.
I am seeing different behaviour when I run with DB2 and when I run with a Mockito test (using an in-memory DB).
With DB2 this query works fine, but with the Mockito in-memory DB I am getting java.sql.SQLSyntaxErrorException. The error is something like this:
Syntax error: Encountered "," at line 1, column {column_number_in_actual_query}.
I am not able to make it work with the in-memory DB. Is there anything I am doing wrong?
Thanks.
In IBM DB2, in the SYSIBM schema, LTRIM takes a second argument of characters being trimmed like you have (see here). However, in the SYSFUN schema (and in most other SQL implementations) it only takes one argument and assumes you are trimming whitespace (see here).
Based on the error it looks like the interpreter wasn't expecting a comma, so it's probably trying to use the more standard version of the function and failing when it sees the second argument.
Based on the documentation for function references, you should be able to replace LTRIM with SYSIBM.LTRIM.

How would I fix these "ORA-00933: SQL command not properly ended" "ORA-00923: FROM keyword not found where expected" errors?

This Statement:
SELECT id, units, cost FROM inventory_list WHERE cost <= 20;
Gives me:
ORA-00923: FROM keyword not found where expected
While this statement:
SELECT * FROM items WHERE ilt_id = 'il010230126' OR ilt_id = 'il010230128';
Gives me:
ORA-00933: SQL command not properly ended
Not sure about this, and it may be version dependent (the link below is for Oracle 10g), but you can see on this site
https://docs.oracle.com/cd/B19306_01/em.102/b40103/app_oracle_reserved_words.htm
that cost is an Oracle reserved keyword, so it is not wise to use it as a column name.
If you have no control of the table, I think you may be able to surround it in double quotes, e.g. select "COST", to avoid Oracle picking it up as a reserved word.
By default Oracle creates fields in uppercase, so the field name will need to be in uppercase unless, when the table was created, it was forced into a different case by surrounding it in quotes.
Check that you don't have invisible characters in your file and that you're using the right encoding. I sometimes accidentally introduce them because I have a non-English keyboard map and accidentally hit the wrong key combination.
Just type again one of your SQL statements and test them.

Microsoft Query; use of SubString in Excel

I'm trying to filter results from a query I have created in Microsoft Query to pull data from a database into my Excel sheet. Specifically, I'm trying to filter out based on the nth character of a string.
I can easily filter out based on the first char:
SOPOrderReturnLine.ItemCode Like 'A25%'
But I have no idea how I could filter to show only entries where the 10th char = "A". I'm sure I have to use a Substring function, but it's not familiar to me and I'm struggling to get it to work.
Try to edit your sql query and enter the following statement:
select * from SOPOrderReturnLine where substring(SOPOrderReturnLine.ItemCode,10,1) = 'A';
The statement should work for a MySQL database as well as for an SQL Server in the background (I've tested it with a MySQL database).
Hope this helps.
In MSQuery (Jet under the covers, I think), the function is Mid.
SELECT * FROM tblLocation WHERE (Mid(LocationName,2,1)='e')
to find a lower case 'e' in the second location.
I assume when you say MS Query, you are running a query against a DBMS (SQL Server or some other via ODBC).
The use of substr, substring or mid should work, depending on which DBMS. That said, unless you're using MS Access, I think most DBMSs will support the underscore character as "any single character." It might even work in Access, but I don't know for sure. Therefore, I think in addition to the suggestions you've gotten, this will also work in most cases:
SOPOrderReturnLine.ItemCode Like '_________A%'
If you want to use substring, don't hold me to these, but I think:
Oracle / DB2 / SQLite - substr
Microsoft SQL Server / Sybase / MySQL - substring
MS Access - mid
PostgreSQL - substr or substring

SQL Left/Delimited Character

Pretty simple one today. I've got a column, let's call it title, with a bunch of project titles. What I need is to pull everything from the left of the ":" and do a left/right trim (I'm then going to be using that in a join later on but I just need a column with the new data for now). So here's an example of what the current column looks like:
And here's what I need it to look like after the query is run:
The problem is that while the # are 6 characters now, I can't guarantee they'll always be 6 characters. So if I was doing this in Excel I'd use the delimited feature or just write a left/len/search function. Wondering how to do the same in SQL. BTW, I'm using SQL Server Management Studio.
Thoughts?
Assuming that your number is always followed by a [space]:[space], then simply look for that first space, and use its location as the argument for a left-substring operation:
SELECT LEFT(Title, CHARINDEX(' ', Title, 0)) AS "New Title"
p.s. Just say you're using MS SQL Server. SSMS is just a management front-end for that database.
Check this post out. It does exactly what you are trying to do.
SQL Server replace, remove all after certain character

Incorrect syntax near '-'

I am trying to run a query in another server and need to specify it in the select statement, but the server name has got a '-' in it, like server-name.
This is producing the error in the title.
How can I fix it?
Use square brackets [] around the servername:
select *
from [server-name].[db-name].[schema-name].[table-name]
I came across an SQL query on some website, which was supposed to be correct, but I was getting the same error. It appears that some websites format text and swap the minus sign with some Office-like abomination.
Incorrect minus character: –
Correct one: -
I also came across this error when working with Spring Boot and an MSSQL DB. We may get this error when we have not defined the schema and the table name correctly.
I included the schema name below with square brackets in the model class and could overcome this issue.
@Table(name = "FIELDS_PARAM", schema = "[sample-schema]")
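
The bracket delimiting from the `[TBL-Users]` answer at the top of the page and from the four-part `[server-name]` answer above, seen from the side of application code that builds such queries: values can be bound as parameters, identifiers cannot, so each identifier part is delimited explicitly. This is an added example, not code from any of the posts; `quote_ident`, `quote_name` and `dash_lookalikes` are hypothetical helpers, the table contents are constructed, and SQLite (which also accepts `[...]` delimiters) stands in for SQL Server so the block runs offline.

```python
import sqlite3
import unicodedata

def quote_ident(part: str) -> str:
    """Delimit one identifier part as T-SQL QUOTENAME does: [...] with ] doubled."""
    if not part or len(part) > 128:  # sysname holds at most 128 characters
        raise ValueError("identifier part must be 1 to 128 characters")
    return "[" + part.replace("]", "]]") + "]"

def quote_name(*parts: str) -> str:
    """Quote a multi-part name (server, database, schema, object) part by part."""
    return ".".join(quote_ident(p) for p in parts)

def dash_lookalikes(sql: str) -> list:
    """Return (offset, Unicode name) for every dash that is not ASCII '-'."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(sql)
            if unicodedata.category(ch) == "Pd" and ch != "-"]

def demo() -> tuple:
    """Run the bare and the delimited table name against in-memory SQLite."""
    db = sqlite3.connect(":memory:")
    # Constructed sample data; SQLite is an assumption standing in for SQL Server.
    db.execute("CREATE TABLE [TBL-Users] ([user] TEXT)")
    db.execute("INSERT INTO [TBL-Users] VALUES (?)", ("alice",))  # value is bound
    try:
        db.execute("SELECT [user] FROM TBL-Users")
        bare = "ok"
    except sqlite3.OperationalError as exc:
        bare = str(exc)  # the parser stops at the '-' in the bare name
    row = db.execute("SELECT [user] FROM " + quote_name("TBL-Users")).fetchone()
    return bare, row[0]

if __name__ == "__main__":
    print(demo())
    print(quote_name("server-name", "db-name", "schema-name", "table-name"))
    # \u2013 is the en dash that copied queries sometimes carry instead of '-'
    print(dash_lookalikes("select * from TBL\u2013Users"))
```
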