I have problem a piece of shipping software. I have one query to pull up order info(ie name address, order number), one to pull up the items. Then I have one to find the rates based on weight and zone. I cannot log in to that last query. Every time I hit that query I get a log in failed.
My question is why is that query failing?
Here is the method I am calling my query with:
private void pscost(int billedweight)
{
RateBLL r = new RateBLL();
AmazonProShipDataSet1.uspsDataTable u = r.USPSrate(billedweight);
foreach (AmazonProShipDataSet1.uspsRow row in u)
{...
}
}
Here is the BLL:
[System.ComponentModel.DataObjectMethodAttribute
(System.ComponentModel.DataObjectMethodType.Select, false)]
public AmazonProShipDataSet1.uspsDataTable USPSrate(int weight)
{
return USPS.USPS(weight);
}
The table I am query was add after the first two table where and they are in the same SQL Server express db. The error message is Log In failed could not authenticate. From Untrusted domain.
log in failed has nothing to do with your query executing. You need to ensure that the login you are actually using is valid. If you're getting that message, then your client is able to see the database and is trying to connect, but it can't authenticate. You need to check your underlying permissions.
Without being able to see your code, it makes it difficult to debug -- and most of it's guessing. I would assume, there is something happening with the actual connection between the first and second query. Are you changing databases, authentications, permissions?
Related
Some background, I have a database that holds Organizations and that table has a field that tells me a database name. That database name is used to look up OrgUnits which exist on another database. I need to look this up because there are many databases involved and it changes based on the Organization.
I have tried running this query a couple of different ways and every time it is not making it to SQL and executing correctly. I can't even really find similar errors searching online so it is confusing because I know others have run into this before.
Here are a couple different attempts with the same result. I have also tried changing my DB context.
var orgUnits = _context.Organizations.FromSqlInterpolated($"SELECT * FROM [{orgForDBName.DbCatalog}].dbo.OrgUnits WHERE OrgId = {devices.OrgId}").ToList();
var orgUnits = _context.Organizations.FromSqlRaw("SELECT * FROM [{0}].dbo.OrgUnits WHERE OrgId = {1}", orgForDBName.DbCatalog, devices.OrgId).ToList();
I have put together this test string and it looks like good SQL which executes fine when I run it in SQL Management Studio:
string test = $"SELECT * FROM [{devices.Organizations.DbCatalog}].dbo.OrgUnits WHERE OrgId = {devices.OrgId}";
Why would the SQL query run fine with my "test" string, but I cannot execute it with the FromSql methods? I keep getting this error:
SqlException: Invalid object name '#p0.dbo.OrgUnits'.
I am writing this post because I have encountered something truly weird with an SQL statement I am trying to make.
Context:
I am developing an app which uses JPA in the backend to persist / retrieve objects to/from a postgres database.
Problem:
During some tests I have noticed that when a particular user adds entries in the database and later I try to fetch them by his facebook id, the result is an empty list, even though the entries are there in the database. Doing a select statement on the database returns no rows. This does not happen with other users.
I have noticed that the mentioned user's facebook id is slightly longer then others. I do not know if and how this affects this situation.
Interesting part:
When during debugging I created an entry not programmatically, but manually with a SQL INSERT statement directly on the database (marked red on the 1st screenshot), I could fetch the data by facebook id both in my app and with a select statement.
Do you have any ideas what is going on here?
Please check the screenshots:
result of select * from table:
result of select * from table where user_facebook_id = 10215905779020408 :
Please help,
Thanks
I'm doing some webpentesting exercises and there is this one task saying that I need to make a new account with this name and this password by using SQL injection. On the web page there is a text input username and another text input 'password'. I can enter whatever characters I want inside the username text-input but inside the password text input I need to type a specific injection.
I know I need to inject insert query but the thing is I don't know the table name. In order to insert a new user I need to know the table name so I'm wondering how can I make the web showing me an error with tablename revealed.
The error showing should be like:
Unexpected end of command in statement [SELECT * FROM (tablename) WHERE...]
I tried to enter with just one character (maybe >1 chars are required) inside the password field to make the error show or even delete the parameter text input password. But it just won't show the SQL syntax error.
So the question is: How can I make use of the exploit to make the web page view the SQL syntax error with table name revealed?
And why doesn't injection work on username field but it does on password field?
The first thing is understand the difference between "application" errors (for example, "the user doesn't exist") and execution errors, in which the application fails itself, like the "Unexpected end of command" you mention. The first case is not usually a problem from the security point of view (unless the application is very badly programmed), the second one is what could allow hacking.
A well programmed web application should ideally only have application errors, but the more realistic approach is cope with unexpected execution errors in way that don't make it vulnerable. Also, application should process any user input in a way that don't cause an execution error.
It seems that they are teaching you the most flagrant case that allows SQL injection, apps than don't do any processing to user input (so it's very easy put text in an input field that cause an execution error), and that don't cope with execution errors (in this case, showing the internal execution message to the user).
A common mistake in web applications is constructing the SQL query with string concatenation, so the simplest way of make it fail is using the string delimiter (') in a field, causing the string value to end prematurely. In an sloppy web app it would cause an execution error that shows the full error message, usually including the table name.
From there you craft a SQL query in the input field that insert the user in the table, you could find examples online (note that you need at least basic knowledge on SQL and PHP (or ASP, Java, etc.), in order to do SQL injection, since you need to know how the database access works in order to make it fail).
Finally, SQL injection could work in any input field that is not properly processed, but it depends on how the application is programmed. I suppose that both fields would work but it will be easy do that with the password field because probably is the last one in the SQL query.
I have having an issue with a SQL execution where I am getting an error message
-2147217843 Login Failed for user.
I am able to successfully open the connection to the database and execute select count(*) queries.
I am getting this error when I include fields.
In a separate application that uses the same fields I am able to retrieve the same data so seems to rule out column permissions.
The query coming back with no error is:-
SELECT tbl_PersonalDetails.SystemID
FROM tbl_PersonalDetails
WHERE tbl_PersonalDetails.Title IS NOT NULL
And tbl_PersonalDetails.HospitalNumber IS NOT NULL
AND tbl_PersonalDetails.SiteID = 1
The query coming back with the error is:-
SELECT DISTINCT tbl_PersonalDetails.Title,tbl_PersonalDetails.HospitalNumber
FROM tbl_PersonalDetails
WHERE tbl_PersonalDetails.SiteID = 1
ORDER BY tbl_PersonalDetails.Title,tbl_PersonalDetails.HospitalNumber ASC
This is not specific to these particular queries, in the first query where we are just doing a count I always get a count back with no issue, when I try to request fields such as in the second I always get the Login Error.
Your problem isn't in the SQL queries you've posted. They would either all fail or all succeed based on the information given.
Your problem is your calling/client code. Sounds like you're using Classic ASP ("recordset....adodb connection").
Double check that your ASP code is using the proper connection strings.
To prove this, run any of these queries in SQL Server Management Studio. Connect using the credentials that your connection string contains.
I'm part of a team writing an ERP using , Seam, and Jboss, and on one of my pages, I keep getting an SQL error: 8152 whenever I try to input something. SQL error:8152, for those of you who don't know, is when you try to input a value over the maximum limit of the column.
I've double checked my entity and the database, and their maximum value limits are the same (50 nvarchars). In addition, I'm pretty sure that we're not using audit tables. I then put System.out.println(""); all over the place, and found that the error was happening in between these two println(s):
System.out.println("Flushing");
entityManager.flush();
System.out.println("Flushing complete");
Which is part of a method that process all changes to the table. But I'm pretty new to programming and not sure what's going on.
Any help would be appreciated, thanks in advance, Jeff.
P.s. Code on request, but I didn't post it because there is a lot of it all over the place.
I would verify the SQL that is being executed when the flush() is performed. That way you can see the length of your data and verify that it is too big as shown by the DB error.
If you are using Hibernate, you can output SQL to the console. You don't say what your DB is, but if it's SQL Server you can use the profiler to see what SQL is being executed.