What are sql function possible positions in sql statement? [closed] - sql

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
I am looking for all the possible positions in a SQL statement where a SQL function can be called. This is my first time using SQL functions, and in my code I need to detect whether users' input contains a SQL function; if so, the input is not valid.
By position in a SQL statement I mean the SELECT clause or another clause like FROM, WHERE...
I am using SQL Server
So are there any suggestions for detecting SQL functions in a SQL statement, or for all the possible positions for a function in a statement?

SQL functions are allowed in any place in a SELECT where a column is allowed, i.e. anywhere in the SELECT list, in WHERE, JOIN, GROUP BY, HAVING, ORDER BY.
You'll need a SQL parser to know for sure if it's a function...

If I understood your question, you are asking how and where to check about SQL code entered by the user.
Where:
I think you might need to check it in the user interface: check the textbox or files or whatever the input stream of the user is. This shall not be done in the SQL server, AFAIK.
How:
Usually you can use parameters in your SQL statements so that any value passed by the user is passed by a parameter, and if it contains SQL code, it will not be executed.
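The parameter approach from the answer above, as an added example that is not part of the original answers. It uses Python's sqlite3 with an in-memory SQLite database as a stand-in for SQL Server; the table, sample rows, input strings and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        # The last row is ordinary data that merely looks like a function call.
        [("widget",), ("gadget",), ("upper(name)",)],
    )
    return conn


def search_concatenated(conn, user_input):
    # Weak form: the input becomes part of the SQL text, so any operator or
    # function call inside it is parsed and evaluated by the engine.
    sql = "SELECT name FROM products WHERE name = '" + user_input + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, user_input):
    # Hardened form: the SQL text is fixed and the input is bound as a value,
    # so it is only ever compared as a string, whatever it contains.
    sql = "SELECT name FROM products WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the string literal and calls a function.
    crafted = "' OR length(name) > 0 --"
    for value in ("widget", "upper(name)", crafted):
        print(repr(value))
        print("  concatenated: ", search_concatenated(conn, value))
        print("  parameterized:", search_parameterized(conn, value))
```

The row named upper(name) is legitimate data, so a filter that rejects anything resembling a function would refuse valid input, while binding handles it without any detection step.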

Related

Is there a valid statement that doesn’t return a recordset? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
In the question Difference between a statement and a query in SQL, the accepted answer says:
A statement is any text that the database engine recognizes as a valid command.
and
A query is a statement that returns a recordset (possibly empty).
For example, I know that update and insert can return a recordset when they use a returning clause, so I guess they return an empty returnset in the other case. Also, according to the postgres documentation, the update command returns a “command tag”. But I don’t understand if the tag is attached to an empty recordset or if it’s really all that is returned.
My question is: Considering this list of SQL commands, how do I know which ones do not return a resultset (not even an empty one) and what are they returning instead exactly?
The generally accepted version is that:
Queries are SELECT statements which may or may not return rows but do not make any changes to the database.
Statements are instructions which, when executed and successful, will make changes in the database (after commit).

Wrong Number of Arguments Used With Function in Query Expression [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 7 years ago.
I have an SQL in Access 2010 that was written by someone else that gives a Wrong Number of Arguments error when I try and run it. It's supposed to filter a report from a search page.
SELECT Activity.[ProjNo], Activity.[Code], Activity.[Type], Activity.[ProjNoStatus],
Activity.[Preliminary], Activity.[Planner], Activity.[Designer],
Activity.[Officer], Activity.[Manager], Activity.[Staff], Activity.[Analyst],
Activity.[Manager], Activity.[DeptHead], Activity.[ContractNumber],
Activity.[InfoOfficer],Activity.[ProjNoDesigner]
FROM Activity
WHERE Activity.ProjNo=Index.ProjNo AND (((IIf([Forms]![SearchForm]![txtCode]="",
"*",[Activity].[Code]=[Forms]![SearchForm]![txtCode]))<>False)
AND ((IIf([Forms]![SearchForm]![txtType]="","*",[Activity].[ Type]="",
"*", [Activity].[Type]=[Forms]![SearchForm]![txtType]))<>False) AND
((IIf([Forms]![SearchForm]![txtProjNoStatus]="","*",
[Activity].[ProjNoStatus]<=[Forms]![SearchForm]![txtProjNoStatus]))<>False));
I'm not very experienced with SQL and, like I said, I didn't write this code (the person who did has long since retired) so any help would be great.
That query defines just one data source (table or query):
FROM Activity
But then the WHERE clause appears to reference another data source named Index:
WHERE Activity.ProjNo=Index.ProjNo
Since Index is not included in the FROM clause, Access will object when you try to use it in the WHERE clause.
However, I'm not sure that is the cause of the first error Access complains about. It may help to show us the full text of that error message.

SQL LIKE doesn't find obvious matches [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I'm writing the following SQL query:
SELECT *
FROM OS
WHERE OS.VERSION LIKE '%1%';
In my table there are rows with char 1 in it. However, it returns an empty result.
I changed the LIKE clause a little bit to different values, but it still doesn't work.
What can I do to fix that?
Try double-quotes and * for wildcards. You are using Oracle syntax instead of Access syntax.
LIKE operation can't be used with columns of integer type. I assume that OS.Version is of integer type?
Edit1:
If you are referring to MS Access then you have to do the LIKE with stars (*) instead of %.

Overcoming the reserved word "IN" in sql server [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Just for reference I am using SQL Azure.
I noticed when I am trying to select data from a table based on a license plate and the state of that plate I get no results back if the state is "IN". I realize the word "IN" is reserved in SQL Server; however, I am containing that within quotes in my query. I am currently in the testing phase and have only one record in the table, which has a license plate 287YGB and state IN.
If I write my query as follows I get nothing back.
SELECT MakeModel, CitizenID, VehicleID FROM tblVehicles WHERE tblVehicles.Lisence = '287YGB' AND tblVehicles.PlateState = 'IN'
If I write my query this way I get back my result. But this is not good enough.
SELECT MakeModel, CitizenID, VehicleID FROM tblVehicles WHERE tblVehicles.Lisence = '287YGB'
And finally, if I write my query this way I get the only row in the table.
SELECT MakeModel, CitizenID, VehicleID FROM tblVehicles
From these tests I can see that the last where parameter is causing the problem. I am assuming it is due to the fact that the word "IN" is reserved. Is there a way around this?
Reserved words usually only cause problems if you're using them as field names, and in that case you need to wrap them with brackets ("[]") to eliminate the problem. I will almost guarantee you that your PlateState has some garbage in it, so you need to either trim it first (LTRIM(RTRIM(PlateState)) = 'IN') or use Like '%IN%' instead, and this will return the results you expect.
Try this:
SELECT MakeModel, CitizenID, VehicleID FROM tblVehicles WHERE tblVehicles.Lisence = '287YGB' AND LTRIM(RTRIM(tblVehicles.PlateState)) = 'IN'

SQL Server 2008 - DECLARE function [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
What does the "s" do at the end of line 8 of this query:
http://www.sqlfiddle.com/#!3/f8816/20/0
I can't find it anywhere and the statement won't work without it.
Thanks!
The s is an alias for the result set which allows it to be referenced within the query.
The readability of a SELECT statement can be improved by giving a table an alias, also known as a correlation name or range variable. A table alias can be assigned either with or without the AS keyword:
table_name AS table alias
table_name table_alias
Using table aliases
The s is a table alias. It gives a name to a table or subquery used in the from clause.
SQL Server requires that all subqueries use aliases. Not all databases do.
I strongly encourage you to use them. They often make queries much more readable.
The data set getting created in the FROM is given the name 's' (similar to putting "AS s") so you can reference it otherwise in the code. Any data set being created in a FROM requires a name to be given to it, hence why it only works with the 's'.