The setup consists of Hibernate 3. I am trying to execute the raw query as it is. The setup works fine for other simple queries, db inserts & updates.
The query in issue is:
org.hibernate.hql.ast.QuerySyntaxException: unexpected token: ( near line 1, column 29 [
SELECT keyMain, value FROM (select distinct K.[key] as keyMain,
( SELECT value FROM com.trans.dto.Resources as L WHERE L.[key] = K.[key]
and L.lang_code = 'A11' ) as value from com.trans.dto.Resources as K )
as test order by keyMain ]
Resources is the table & has its mapping set up in hibernate.cfg.xml
I was under the impression "KEY" is the name of one of the columns, which cannot be changed. How do I escape keywords?
If it's not 1, then is it the multiple selects in the sub query?
Please advise. Any suggestion is of great help.
From here:
You can force Hibernate to quote an identifier in the generated SQL
by enclosing the table or column name in backticks in the mapping document.
Hibernate will use the correct quotation style for the SQL Dialect.
This is usually double quotes, but the SQL Server uses brackets and MySQL uses backticks.
So, try to escape your field with double quotes or with square brackets ('[key]').
I have an API that performs some query on a table that the caller specifies. The table name is placed in the query via string replace, and so is a risk for SQL injection.
Example:
tableName = req.body.tableName;
sql = "SELECT * FROM <<TABLE_NAME>>;";
sql = sql.replace("<<TABLE_NAME>>", tableName);
I'm required to keep this query dynamic, as we don't want to redeploy this code every time we add a new table. In other words, I can't just maintain a list of valid table names.
So for the purposes of keeping this safe from sql injection, is it sufficient to do a regex validation on the table name? We can be certain the table name will always be of the format schema.table_name where table_name will be only a-z, 0-9, -, _
Is there any sql injection that could slip past this table name regex?
^myschema\.[a-zA-Z0-9-_]+$
Since minus is not a valid character in a table name, you could change your regex to just:
^myschema\.\w+$
\w is equivalent to [a-zA-Z0-9_]
There is no risk of injection.
Most databases allow special characters, even spaces and minuses, in table names if special syntax is used, eg
MySQL: `my stupid table-name!`
Postgres: "my stupid table-name!"
SQL Server: [my stupid table-name!]
It is poor practice to allow non-standard characters in names in the first place, and it would be fine to deny such names in your situation.
The minus sign cannot be used as an identifier in SQL. In the case of table names, I don't think it will lead to SQL injection attacks, but if you allow minus signs in column names, subtraction can be injected.
In the case of MySQL, the following SQL statement will return all users, not just 'tom'. This is because of the implicit type conversion that occurs when subtracting from a string.
SELECT * FROM users WHERE myschema.user-0 = 'tom'
The workaround is to exclude the minus sign or quote the identifier. The following will not result in a SQL injection attack.
SELECT * FROM users WHERE `myschema`.`user-0` = 'tom'
The above is the way to write it for MySQL; the way to write it for standard SQL is as follows:
SELECT * FROM users WHERE "myschema"."user-0" = 'tom'
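As an added example (not code from either answer above): a small Python program that applies the `^myschema\.\w+$` check from the first answer, then quotes each identifier part with standard double quotes as the second answer recommends, and runs the result against a constructed in-memory SQLite database. The schema name `myschema`, the table `users` and the list of hostile inputs are assumptions made for illustration; SQLite is used because it runs offline, so the MySQL implicit string-to-number conversion described above is not reproduced here, only the validation and quoting.

```python
import re
import sqlite3

# The pattern from the first answer. re.ASCII keeps \w at [A-Za-z0-9_]; without it
# Python's \w also matches non-ASCII letters, unlike the regex in the question.
TABLE_RE = re.compile(r"^myschema\.\w+$", re.ASCII)


def validate_table_name(name):
    """Return name unchanged if it is schema.table with a \\w+ table part, else raise.

    fullmatch() is used rather than match(): with match(), $ would accept a
    trailing newline ("myschema.users\\n"), which the generated SQL would then carry.
    """
    if not TABLE_RE.fullmatch(name):
        raise ValueError(f"invalid table name: {name!r}")
    return name


def quote_identifier(ident):
    """Standard SQL identifier quoting: wrap in double quotes, double any embedded quote."""
    return '"' + ident.replace('"', '""') + '"'


def build_select(table_name):
    """Validate first, then quote schema and table separately so the dot stays unquoted."""
    schema, table = validate_table_name(table_name).split(".", 1)
    return f"SELECT * FROM {quote_identifier(schema)}.{quote_identifier(table)}"


def is_rejected(table_name):
    """True when validate_table_name() refuses the input, i.e. no SQL is ever built."""
    try:
        validate_table_name(table_name)
    except ValueError:
        return True
    return False


def run_against_sqlite(table_name):
    """Execute the generated query against a constructed in-memory database.

    SQLite has no schemas, so an attached in-memory database named myschema
    stands in for the schema prefix (an assumption for this example).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS myschema")
    conn.execute("CREATE TABLE myschema.users (name TEXT)")
    conn.executemany("INSERT INTO myschema.users VALUES (?)", [("tom",), ("ann",)])
    return sorted(conn.execute(build_select(table_name)).fetchall())


# Constructed hostile inputs; every one fails validation before any SQL is assembled.
INJECTION_ATTEMPTS = [
    "myschema.users; DROP TABLE myschema.users; --",
    'myschema.users" UNION SELECT name FROM sqlite_master --',
    "myschema.users-0",      # hyphen: unquoted it would parse as subtraction
    "myschema.users.other",  # second dot
    "otherschema.users",     # wrong schema
    "myschema.us\u00e9rs",   # non-ASCII letter, rejected because of re.ASCII
    "myschema.users\n",      # trailing newline, rejected because of fullmatch()
]

if __name__ == "__main__":
    print(build_select("myschema.users"))
    print(run_against_sqlite("myschema.users"))
    print(all(is_rejected(a) for a in INJECTION_ATTEMPTS))
```

Validation and quoting are deliberately kept as two separate steps: the regex decides whether the name is acceptable at all, and the quoting makes the generated SQL robust even if the allow-list is later loosened to admit characters such as the hyphen.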
I'm facing the following issue when I try to retrieve data from an Oracle database by trimming the whitespace. I'm using Oracle 12c.
Let's say the name column has some whitespaces like 'Test '.
Table name - PGM_DETAIL
ID NAME
1 Test
When I try to fetch the data using the following query, it's not fetching it.
SELECT * FROM PGM_DETAIL WHERE TRIM(NAME) = TRIM('Test');
Could anyone please suggest what the problem in my SQL statement is?
Thanks in advance...
Oracle comparisons are case-sensitive by default.
So try:
WHERE UPPER(TRIM(NAME)) = TRIM('TEST');
try
SELECT * FROM PGM_DETAIL WHERE TRIM(NAME) = TRIM('Test');
I do have a piece of SQL code that gave me some problems. The pivot operation results in a table with a column named 'INITIAL' which has the single quotes in the name. But the values in that column are integers, or NULLs. I managed to access the numbers in SQL Developer by enclosing the column name with double quotes: "'INITIAL'". When copying the code to PowerBI, it is not accepted. It returns a
Expression.SyntaxError: Token Comma expected
at the location of the first use of the single quote.
Any idea how to fix this for powerBI?
PIVOT (
SUM(conversion)
FOR PHASE
IN ('INITIAL')
))
SELECT REQUEST, SUM("'INITIAL'")
FROM Pivoted
WHERE "'INITIAL'" IS NOT NULL
GROUP BY REQUEST
That nearly did the trick. I misread your post and used this:
SUM(""'02_INITIAL'"")
And that works in PowerBI!
So in SQL Developer I need to use SUM("'INITIAL'")
Best is of course to avoid quotes in column names, but since my Pivot is based on string values, I get them for free.
Many thanks for your suggestion that put me on the right track!
To escape a character you need to use a double quotation mark (""). Please try this:
PIVOT (
SUM(conversion)
FOR PHASE
IN ('INITIAL')
))
SELECT REQUEST, SUM(""'INITIAL'"")
FROM Pivoted
WHERE "'INITIAL'" IS NOT NULL
GROUP BY REQUEST
I have a table called project-users and want to write a SQL query like SELECT * FROM project-users. I get this error: ERROR: syntax error at or near "-".
I cannot change the table name at this point.
According to http://www.postgresql.org/docs/9.0/static/sql-syntax-lexical.html, you should use double quotes.
In your case, for PostgreSQL the query should be:
SELECT * FROM "project-users";
It is good practice to avoid the use of characters that need escaping or that contain spaces in identifiers.
I have a database which is storing temperature values, so my database's column names are 100, 150, 200.
Now the problem is when I try to fetch values under column name 100 it shows an error.
My query looks like
Select 100 from user where name='me';
Then
rs.getString("100"); this line gives errors
Can anyone please suggest how to retrieve values under these types of column names?
The standard SQL way to escape column names is to enclose them within double quotes.
SELECT "100" from user where name='me';
This is supported in most DBMSs - Oracle, PostgreSQL, MySQL, MSSQL and SQLite.
Apart from that, there are database-specific ways to escape column names:
SQL Server - Square brackets []
SELECT [100] from user where name='me';
MySQL - Backticks ``
SELECT `100` from user where name='me';
Note:
Double quotes act as escaping for reserved words in MSSQL when
QUOTED_IDENTIFIER is ON.
Double quotes act as escaping for reserved words in MySQL if it is in ANSI
mode.
So for MSSQL, do first:
SET QUOTED_IDENTIFIER ON;
If your query uses any keyword or numerical column name, then use [] for MS-SQL and `` for MySQL.
MS-SQL:
Select [100] from user where name='me';
My-SQL:
Select `100` from user where name='me';
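An added example, not posted by anyone in the threads above, tying together the three identifier problems discussed: the hyphenated table `project-users` from the PostgreSQL question, the all-digit temperature columns 100/150/200 from the last question, and the pivot column whose name is literally 'INITIAL' with its single quotes from the PowerBI question. It uses Python's sqlite3 module (an assumption; the questions were about PostgreSQL, Oracle and a JDBC client) because SQLite accepts all three quoting styles named in the last answer, standard "x", SQL Server [x] and MySQL `x`, for compatibility. The table contents are constructed.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database whose identifiers all need quoting.

    The table is project-users (hyphen), the temperature columns are named
    100/150/200 (digits only) and the last column is named 'INITIAL' including
    its single quotes, as a PIVOT over string values produces. The row is made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE "project-users" ('
        'name TEXT, "100" REAL, "150" REAL, "200" REAL, "\'INITIAL\'" INTEGER)'
    )
    conn.execute('INSERT INTO "project-users" VALUES (?, ?, ?, ?, ?)',
                 ("me", 21.5, 22.0, 23.5, 7))
    return conn


def unquoted_numeric_column(conn):
    """What the question tried: SELECT 100 yields the constant 100, not the column."""
    return conn.execute('SELECT 100 FROM "project-users" WHERE name = ?', ("me",)).fetchone()[0]


QUOTE_STYLES = {
    "standard": '"100"',   # ANSI SQL: Oracle, PostgreSQL, SQLite, MSSQL with QUOTED_IDENTIFIER ON
    "sqlserver": "[100]",  # SQL Server style, also accepted by SQLite
    "mysql": "`100`",      # MySQL style, also accepted by SQLite
}


def quoted_numeric_column(conn, style):
    """Same query with the column name quoted; SQLite resolves all three to the column."""
    return conn.execute(
        f'SELECT {QUOTE_STYLES[style]} FROM "project-users" WHERE name = ?', ("me",)
    ).fetchone()[0]


def initial_column(conn):
    """Column whose name contains single quotes.

    "'INITIAL'" (double-quoted) is the identifier; the bare 'INITIAL' is a string
    literal, so WHERE 'INITIAL' IS NOT NULL would be true for every row.
    """
    total = conn.execute(
        'SELECT SUM("\'INITIAL\'") FROM "project-users" WHERE "\'INITIAL\'" IS NOT NULL'
    ).fetchone()[0]
    literal = conn.execute('SELECT \'INITIAL\' FROM "project-users"').fetchone()[0]
    return total, literal


def hyphenated_table_unquoted(conn):
    """SELECT * FROM project-users without quotes is a syntax error in SQLite too."""
    try:
        conn.execute("SELECT * FROM project-users")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = setup_db()
    print(unquoted_numeric_column(db), quoted_numeric_column(db, "standard"))
    print(initial_column(db))
    print(hyphenated_table_unquoted(db))
```

Two caveats carried over from the answers above: in MySQL, double quotes delimit strings unless ANSI_QUOTES is enabled, so only the backtick form is portable there; in SQL Server, the double-quoted form depends on QUOTED_IDENTIFIER being ON, while brackets always work.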