I got a problem with this code:
string sql = "select distinct ruoli.c_tip_usr"
+ " from vneczx_ute_app_trn ruoli"
+ " join vnecyd_ent_prf ind"
+ " on ruoli.c_ent = ind.c_ent"
+ " where ruoli.c_app = :appCode"
+ " and ruoli.c_ute_mat = :matricola"
+ " and ind.t_des_ent = :indirizzo";
var ruoli = session.CreateSQLQuery(sql)
.SetString("appCode", Config.Configurator.Istance.ApplicationCode)
.SetString("matricola", user.Matricola)
.SetString("indirizzo", indirizzoCasella)
.List<string>();
This code is correctly executed, the query logged is correct, and the parameter passed correctly evaluated... but it doesn't return any result at all.
Copying the query from the debug console and executing it directly in an Oracle client application (SQL Developer), it gets 2 results (the results I expect to be right).
I found out that the problem is in the last parameter indirizzo, and should depend on the fact that it contains a special char # (indirizzo is an email address).
So I ended up using this solution:
string sql = "select distinct ruoli.c_tip_usr"
+ " from vneczx_ute_app_trn ruoli"
+ " join vnecyd_ent_prf ind"
+ " on ruoli.c_ent = ind.c_ent"
+ " where ruoli.c_app = :appCode"
+ " and ruoli.c_ute_mat = :matricola"
+ " and ind.t_des_ent = '" + indirizzoCasella + "'";
var ruoli = session.CreateSQLQuery(sql)
.SetString("appCode", Config.Configurator.Istance.ApplicationCode)
.SetString("matricola", user.Matricola)
.List<string>();
But it gives me thrills! Aren't the parameters in a query supposed to handle specifically this situation, and thus handle themselves situations with special char, and so on?
Why here a string concatenation works better that a parametric query?
Isn't there a way to force the NHibernate engine to escape some special char?
Update:
I found out how to solve this particular issue: usign the trim command on the field who raise the problem, the problem disappears.
So last line of my sql string now is:
+ " and trim(ind.t_des_ent) = :indirizzo";
I can't understand why it solves the problem thought. Not the field, nor the variable contains empty chars and copying th query on SQL Developer works in both way.
So we have some luck soving the problem, but we have no idea why now it works?
Any thoughts?
even I was facing the same issue, but your hint using TRIM for column saved my day. Since I was looking for a long time, but not able to figure it out.
Along with that, I was able solve my issue by doing the below changes as well:
We were using CHAR datatype some of the columns which used in the query where clause. This was causing the issue to fetch the data from NHibernate. We changed the data type of that column from CHAR to VARCHAR2 and even updated the data with actual size and removed the TRIM from Where clause, the TRICK WORKED!!!! :)
So, any one face this kind of issue, first check whether you are having any column with CHAR and then change to VARCHAR2.
But one more thing you have to remember is: if you are running your application from ASP.Net Development Server, close it and re-run your application. Since if the opening Asp.Net Development Server and if you make any changes to datatype that will NOT be refreshed in your oracle connection. So, better you close the ASP.Net Development server and then re run the application.
Hope my points will help somebody in future!!
Regards,
Sree Harshavardhana
You are not using parameters in a SQL query if you want SQL parameters use a SQL stored proc
Related
I am a bit stumped with what happens here. I'm working on a challenge for an online programming course and the solution involves adding a second where statement to the sql query.
when I do this, however, python gives me a typeerror, saying "TypeError: 'NoneType' object is not subscriptable".
I'm pretty sure this is because the fetchone()[1] at the end requires a list or tuple to retrieve the ID. what I don't understand is why adding the second bit of the WHERE clause would change the type of the result.
I have checked the statement itself and it works when testing it on the database, and the first link_id statement in the code below works fine, it returns an int object but the second gives an error. It should return a similar int object.
link_id = self.cursor.execute(self.sql_select + " WHERE " + self.field + "=?", (value,)).fetchone()[1]
print("link_id type:", type(link_id))
link_id = self.cursor.execute(self.sql_select + " WHERE " + self.field + "=? AND albums.artist=?", (value, self.artist_id)).fetchone()[1]
print("link_id type:", type(link_id))
it was because self.artist_id was None. it reset when running this block of code again.
im reading book is about " SQL-injection " so i defaced a title
"Incorrectly Handled Query Assembly" what does this mean? and can you give me a example code ? Thanks.
I think you might have understood SQL injection. Incorrectly Handled Query Assembly seems to mean incorrect construction of query string.
Think of a simple scenario where you have written a query to list the whole details of the (logged in) user. Let us
String part1="SELECT * FROM TRANSACTIONS WHERE TAG=' ";
part2=" ' AND ID=' ";
part3=" ';";
//Constructing query with user inputted tag and user ID
String query=part1+ user_entered_tag + part2 + user_id + part3;
//This is an unsafe construction of query.
If the user enters tag like this:
Abc' OR '2'='2' OR '1'='1
The query will become like this:
SELECT * FROM TRANSACTIONS WHERE TAG='Abc' OR '2'='2' OR '1'='1' AND ID='544678';
If the query is then executed, all the transactions will be fetched.
Thus unauthorized person will have access to data. This happens because a loophole is left in the construction of query. The developer should avoid such injection by adding type checking or using built-in features like prepared statements .
I am working with the Rally/Excel plug-in and setting up queries/filters for our various delivery teams. One of the teams is named "Agency / L&C". The & is causing me all sorts of problems that I cannot seem to get past. The current filter is:
((Release.Name = "2013 November") AND (Project.Name = "Agency / L&C"))
When I execute the query I get this error:
Query failed due to errors:
Could not parse: Cannot parse expression "((Release.Name = "2013 November") AND (Project.Name = "Agency / L" as a query
I have tried several things, ' before and after, '' before and after, %, " and \ and nothing seems to be making it register the & as text.
Thanks for the help
This is an educated guess but I would think the problem arises from the ampersand not being escaped before the request is made to the to the API. You might try changing it to "%26" (the HTML code for "&") and see what you get.
i'm trying to execute following line of code with my servelet in netbeans:
ResultSet rs = stmnt.executeQuery("select * from ZEE.WORDCOUNT where WORD =" + searchTxt);
where searchTxt is String variable.
but it says "Column 'zeeshan' is either not in any table in the FROM list or appears within a join specification and is outside the scope of the join . . . . ".
it really works fine, if i provide the hardcoded value instead of variable, as:
ResultSet rs = stmnt.executeQuery("select * from ZEE.WORDCOUNT where WORD= 'zeeshan'");
i'm not getting, what i'm missing?
You are missing the single quotes around the sql string you are constructing. So this should work:
ResultSet rs = stmnt.executeQuery("select * from ZEE.WORDCOUNT where WORD ='" + searchTxt+"'");
Please note that constructing SQL statements in this way is really dangerous, because it opens your application up for SQL injection attacks. Use bind parameters instead.
This will also allow better caching of parsed statements on many rdbms's.
the old query works, the new on doesnt. the android logcat gives me error as:
Failure 1: no such column abcname. abcname is the value of a editview that im trying to get from a popup in android.
i know that the first query will insert those values in the fields, as they are given in single inverted commas. the same query, i typed in the adb shell, works. so i copied the query, and just removed the data corresponding to the field names, and inserted the variable names. on trying to run, i get the above said error.
OLD QUERY:
MapsActivity.myDB.execSQL("INSERT INTO "
+MapsActivity.TableName
+ " (name, user_comment, latitude, longitude) "
+ " VALUES ('tagName','tagComment','tagLatitude','tagLongitude');");
NEW QUERY:
MapsActivity.myDB.execSQL("INSERT INTO "
+MapsActivity.TableName
+ " (name, user_comment, latitude, longitude) "
+ " VALUES ("+tagName +",'tagComment','tagLatitude','tagLongitude');");
what is the problem?
If tagName has, e.g., the value "abc", your query will expand to ... VALUE (abc,'tagComment',.... It's missing the single quotes.
Building SQL like this give bad karma. Use SQLite's parameter-binding mechanism instead.
I recommend creating a simple active record db implementation. here is a great tutorial for a simple sqlite active record for android. This adds some extra time up front but saves you time while you develop.
wrap your double quotes with single quotes?
...('"+tagName +"',....