Here is the query that I am using. Let's assume that the URL which was used to access this page is http://www.domain.com/default.aspx?id=3
<query name="SimpleQuery" rowElementName="Table" runif="showpage">
<sql>
<![CDATA[
select * from Table where ID = #QueryStringID
]]>
</sql>
<queryparam paramname="#QueryStringID" paramtype="request" requestparamname="id" sqlDataType="int" defvalue="0" validationpattern="" />
</query>
So this should translate this query: select * from Table where ID = 3, but it is not getting the querystring parameter properly.
According to the AspDotNetStorefront documentation (http://manual.aspdotnetstorefront.com/p-157-xml-packages.aspx), the paramtype request can be used to access querystring variables, but I cannot figure out how.
Any help would be greatly appreciated :)
That looks right. Your query, however, might not be executing due to your runif attribute (runif="showpage").
Exert from the link you referenced:
"The runif attribute can be used to run the query under only certain circumstances. The value should be either a querystring/form/cookie param or an appconfig param. If the specified querystring/form/cookie param or an appconfig param doesn't exist or is an empty the query will not be executed. This could be used for a page where the query should not be run until the page is submitted with a form field."
Related
I have SQL Select statement with optional filter that i would like to exposed as an API . I used the dynamic SQL Query to get the parameters to filter with like this :
<query id="selectprofile" useConfig="default">
<sql>SELECT BADLOGINS,EMAIL,FRAMED_ROUTE,FULLNAME FROM USERS :filterQuery </sql>
<result outputType="json">{
"accounts":
{ "account" :
[{
"BADLOGINS":"$BADLOGINS",
"EMAIL":"$EMAIL",
"FRAMED_ROUTE":"$FRAMED_ROUTE",
"FULLNAME":"$FULLNAME"
}]
}
}</result>
<param name="filterQuery" sqlType="QUERY_STRING"/>
</query>
but it didn't work for me and it give me an error
DS Code: INCOMPATIBLE_PARAMETERS_ERROR\nNested
Exception:-\njavax.xml.stream.XMLStreamException: DS Fault Message:
Error in 'Query.extractParams', cannot find query param with
name:filterQuery\nDS Code:
i invoked the API like this with get method :
localhost:8290/services/MYSQLDataService/selectprofile?FULLNAME="AHMED"
NB : I followed this documentation https://apim.docs.wso2.com/en/latest/reference/synapse-properties/data-services/sample-queries/#defining-a-dynamic-sql-query
The resource path should only contain the resource name if you need to use a query param. In your case, the resource element should be as follows,
<resource method="GET" path="selectprofile">
<call-query href="selectprofile">
<with-param name="filterQuery" query-param="filterQuery"/>
</call-query>
</resource>
According to the above example, when invoking the data service you will need to pass a query parameter named filterQuery. This parameter should contain the complete query you need to use(It seems you have missed the WHERE clause).
localhost:8290/services/MYSQLDataService/selectprofile?filterQuery=WHERE FULLNAME="AHMED"
For more information check Exposing Data as a REST Resource
I have a PG table with a field of type char(10)[].
I need to update a record in the table with values from a Mule flow.
So, i did something like this:
flowVars.test=['aaa', 'bbb',ccc'];
Then, I'm trying to submit an update statement like this:
update tab1 set fld1=#[flowVars.test]
it's failing with the error:
Cannot cast an instance of java.util.ArrayList to type Types.ARRAY
My understanding is that SQL array should be used in this scenario but I can't figure out how to get an instance of such an array in a flow and how to work with it in MEL.
Can someone please advise?
Thank you,
There are many sources that suggest to use the Connection#createArrayOf(). But I don't know how to use it in the Database connector.
However, for this purpose I will do this solution:
Convert the ArrayList to a String. It should be formed as: {value1, value2, ...}
Change the Database Query Type from Parameterized into Dynamic
Update the SQL Query become: update tab1 set fld1 = '#[flowVars.test]'. The additional single quote is required for this query type.
Finally, by using the following configuration I can update field of type character(10)[]:
<expression-transformer expression="#[flowVars.test = ['aaa', 'bbb', 'ccc'].toString().replace('[', '{').replace(']', '}')]" doc:name="Expression"/>
<db:update config-ref="Postgre_Database_Configuration" doc:name="Database">
<db:dynamic-query><![CDATA[update tab1 set fld1 = '#[flowVars.test]']]></db:dynamic-query>
</db:update>
Ok, I've found an answer in MuleSoft doc.
Starting from version 3.6 DB connector supports custom types and allows defining mapping between SQL arrays and structures and custom user classes.
It's documented here .
Using Postman, I am forming a GET request query to my P21 database middleware to retrieve items with a specific value in a UserDefinedField.
I am able to query things on the top level of the item data, such as ItemID and ItemDesc like so:
http://[server]:[port]/api/inventory/parts?$query=ItemDesc eq 'CONTROL VALVE'
However, the values I would like to use in my query string are nested inside the UserDefinedFeilds element. I am specifically looking for items with:
http://[server]:[port]/api/inventory/parts?$query=UserDefinedFeilds/OnEbay eq 'Y'
But this is not the correct way to form this query string. Can anyone please explain how to specify a nested element inside a query string like this? Thanks.
In this situation, using P21 API, it is unnecessary to specify the parent field 'UserDefinedFields'. The actual ID of the column I was looking for was actually 'on_ebay', so I was able to query this user defined field simply:
http://[server]:[port]/api/inventory/parts?$query=on_ebay eq 'Y'
I have this site with the following parameters:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc
I use the values of each of the parameters as a value in a SQL query.
I am trying to test my application and ultimately hack my own application for learning purposes.
I'm trying to inject this statement:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc' or 1=1 --
But It fails, and MySQL says this:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource,
boolean given in /home/dir/public_html/pagination.php on line 132
Is my application completely free from SQL injection, or is it still possible?
EDIT: Is it possible for me to find a valid sql injection statement to input into one of the parameters of the URL?
The application secured from sql injection never produces invalid queries.
So obviously you still have some issues.
Well-written application for any input produces valid and expected output.
That's completely vulnerable, and the fact that you can cause a syntax error proves it.
There is no function to escape column names or order by directions. Those functions do not exist because it is bad style to expose the DB logic directly in the URL, because it makes the URLs dependent on changes to your database logic.
I'd suggest something like an array mapping the "order" parameter values to column names:
$order_cols = array(
'time' => 'comment_time',
'popular' => 'comment_score',
... and so on ...
);
if (!isset($order_cols[$_GET['order'])) {
$_GET['order'] = 'time';
}
$order = $order_cols[$_GET['order']];
Restrict "sc" manually:
if ($_GET['sc'] == 'asc' || $_GET['sc'] == 'desc') {
$order .= ' ' . $_GET['sc'];
} else {
$order .= ' desc';
}
Then you're guaranteed safe to append that to the query, and the URL is not tied to the DB implementation.
I'm not 100% certain, but I'd say it still seems vulnerable to me -- the fact that it's accepting the single-quote (') as a delimiter and then generating an error off the subsequent injected code says to me that it's passing things it shouldn't on to MySQL.
Any data that could possibly be taken from somewhere other than your application itself should go through mysql_real_escape_string() first. This way the whole ' or 1=1 part gets passed as a value to MySQL... unless you're passing "sc" straight through for the sort order, such as
$sql = "SELECT * FROM foo WHERE page='{$_REQUEST['page']}' ORDER BY data {$_REQUEST['sc']}";
... which you also shouldn't be doing. Try something along these lines:
$page = mysql_real_escape_string($_REQUEST['page']);
if ($_REQUEST['sc'] == "desc")
$sortorder = "DESC";
else
$sortorder = "ASC";
$sql = "SELECT * FROM foo WHERE page='{$page}' ORDER BY data {$sortorder}";
I still couldn't say it's TOTALLY injection-proof, but it's definitely more robust.
I am assuming that your generated query does something like
select <some number of fields>
from <some table>
where sc=desc
order by comment_time
Now, if I were to attack the order by statement instead of the WHERE, I might be able to get some results... Imagine I added the following
comment_time; select top 5 * from sysobjects
the query being returned to your front end would be the top 5 rows from sysobjects, rather than the query you try to generated (depending a lot on the front end)...
It really depends on how PHP validates those arguments. If MySQL is giving you a warning, it means that a hacker already passes through your first line of defence, which is your PHP script.
Use if(!preg_match('/^regex_pattern$/', $your_input)) to filter all your inputs before passing them to MySQL.
I authenticate users through Radius, and I have the option to assign Radius attributes through SQL statements, but I can't for the life of me find any documentation on this. Anyone know the proper syntax?
Okay, I figured it out, and for anyone else who ends up having this problem:
Under the Authorization tab, in the Response List:
When adding an attribute from an SQL query, the first selected variable from the query is the attribute and the second is the value.
ex.
SELECT 'attribute', value FROM table WHERE username ='$u'
For a more specific example:
SELECT 'Ascend-Data-Rate', hsbrate.rate FROM hsbrate, customer WHERE customer.id = hsbrate.id AND username='$u'
This statement will basically pass the following:
Ascend-Data-Rate=1024000
(assuming 1024000 is the rate value stored in the database)
NOTE: $u is an understood variable in Clearbox Radius that denotes the current-active user being authenticated.
kylex, try these links and see if they help. Specifically the first one
http://www.xperiencetech.com/forum/topic.asp?TOPIC_ID=97
http://www.xperiencetech.com/forum/topic.asp?TOPIC_ID=62