I'm currently using the Java Version of General SQL Parser for Oracle for some relatively complex Oracle SQL Queries.
As in my case I have no access to any Oracle DB but only have the SQL statements in a file I encounter some statements where the parser fails, one particular boils down to following.
select id from (
with foo as (
select bar from sometable
)
select *
from foo
)
The with clause can be parsed without problem, if not nested.
with foo as (
select bar from sometable
)
select *
from foo
So do I have a bug in the parser or in the statement?
Best,
Will
The SQL statement is valid, so I guess the parser just can't handle it.
To be sure, try running the SQL in SQL Plus.
This is a perfectly valid statement in Oracle (I just tried it).
But it might not be valid ANSI SQL and that might be the reason why the parser doesn't understand it.
Related
Trying to exploit SQL injection for my assignment. Is it possible to execute delete or drop query after order by in select query without using the semicolon in Postgresql?
This is my sample query:
Select *
from table
order by {sql injection payload}
Without using the semicolon in the payload, can we delete data or drop a table?
https://stackoverflow.com/a/6800585
Do we have similar to this Postgrsql?
I tried
Select * from (delete from table_name returning *) a
But getting sql error as 'syntax error at or near from'
Check this document it says we can bypass forbidden character by CHR()
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.
So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.
You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:
Select *
from table
order by {sql injection payload}
After your payload modifies this query:
Select *
from table
order by SomeFunctionThatDeletes()
Another type which works because you can select from a procedure in PostgreSQL:
Select *
from table
order by id
UNION
Select *
from SomeProcedureThatDeletes()
You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.
DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.
SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.
I have a large list of SQL commands such as
SELECT * FROM TEST_TABLE
INSERT .....
UPDATE .....
SELECT * FROM ....
etc. My goal is to parse this list into a set of results so that I can easily determine a good count of how many of these statements are SELECT statements, how many are UPDATES, etc.
so I would be looking at a result set such as
SELECT 2
INSERT 1
UPDATE 1
...
I figured I could do this with Regex, but I'm a bit lost other than simply looking at everything string and comparing against 'SELECT' as a prefix, but this can run into multiple issues. Is there any other way to format this using REGEX?
You can add the SQL statements to a table and run them through a SQL query. If the SQL text is in a column called SQL_TEXT, you can get the SQL command type using this:
upper(regexp_substr(trim(regexp_replace(SQL_TEXT, '\\s', ' ')),
'^([\\w\\-]+)')) as COMMAND_TYPE
You'll need to do some clean up to create a column that indicates the type of statement you have. The rest is just basic aggregation
with cte as
(select *, trim(lower(split_part(regexp_replace(col, '\\s', ' '),' ',1))) as statement
from t)
select statement, count(*) as freq
from cte
group by statement;
SQL is a language and needs a parser to turn it from text into a structure. Regular expressions can only do part of the work (such as lexing).
Regular Expression Vs. String Parsing
You will have to limit your ambition if you want to restrict yourself to using regular expressions.
Still you can get some distance if you so want. A quick search found this random example of tokenizing MySQL SQL statements using regex https://swanhart.livejournal.com/130191.html
I am trying a query similar to the below one on Informix, but I get a syntax error (-201: "A syntax error has occurred") every time.
with a_qry (locationnames) as (SELECT * FROM TABLE(LIST{'abc','xyz'}))
select locationnames from a_qry;
Can someone please help with this?
Informix 14.10 and later
Informix 14.10 (released in March 2019) added support for the WITH statement (Common Table Expressions).
Informix 12.10 and earlier
The documentation for the Informix SELECT statement in Informix 12.10 (which was the latest when this question was asked) does not include the WITH clause because the server does not support the WITH clause and common table expressions (CTEs) — a grievous omission, but nevertheless a fact of life.
For your specific example, you could use:
SELECT locationnames
FROM (SELECT * FROM TABLE(LIST{'abc','xyz'})(locationnames));
which would yield:
abc
xyz
though the sub-query isn't necessary here, of course (you could simply use SELECT * FROM TABLE(LIST{'abc','xyz'})(locationnames) to get the same result). In general, though, you'll have to write out each reference to a CTE in full, with the consequential risk that the optimizer doesn't spot the commonality and therefore doesn't optimize as well as it might if it could.
You can try to use a temp table (which doesn't require special permission).
select * from (your query)
into temp myTmpTable;
select * from MyTmpTable;
We have an application which indexes data using user-written SQL statements. We place those statements within parenthesis so we can limit that query to a certain criteria. For example:
select * from (select F_Name from table_1)q where ID > 25
Though we have discovered that this format does not function using a Sybase database. Reporting a syntax error around the parenthesis. I've tried playing around on a test instance but haven't been able to find a way to achieve this result. I'm not directly involved in the development and my SQL knowledge is limited. I'm assuming the 'q' is to give the subresult an alias for the application to use.
Does Sybase have a specific syntax? If so, how could this query be adapted for it?
Thanks in advance.
Sybase ASE is case sensitive w.r.t. all identifiers and the query shall work:
as per #HannoBinder query :
select id from ... is not the same as select ID from... so make sure of the case.
Also make sure that the column ID is returned by the Q query in order to be used in where clause .
If the table and column names are in Upper case the following query shall work:
select * from (select F_NAME, ID from TABLE_1) Q where ID > 25
I need a common select statement that returns a fixed value / row without the need of tables, which has to work with both Oracle & Sql Server.
eg for Oracle I know I can use:
select 'O' AS INDICATOR from DUAL;
But this won't work on Sql Server.
Can this be done with the same SQL on both Oracle & SQL Server?
AFAIK, you'll need different queries, unless you can find a table that exists both on the SQL Server and on the Oracle Server.
Oracle uses the DUAL table for dummy queries, while the syntax to just select a constant on SQL server is a bit simpler:
select 'O' as Indicator
will return a one-row recordset.
P.S. If you intend to write just standard SQL and have it work on both SQL Server and Oracle, note that there are lots and lots of differences, even if you do not use database-side code (stored procedures and functions).
Off the top of my head, some things that are different:
Case statement syntax
NVL vs IsNull
Null sorting behaviour
Data conversion functions
String manipulation functions
etc, etc.
You can't select data in Oracle without from statement. So you need to have a table in Oracle (common practice is to use standard table - Dual). The best solution if you really need to run same query on both database servers is to create Dual table with only one row in MS SQL. But really it's better to use different queries for different servers (maybe via some abstraction layer).
Use a common table expression (CTE) e.g.
WITH D (INDICATOR)
AS
(
SELECT *
FROM (
VALUES ('O')
) T (c1)
)
SELECT INDICATOR
FROM D;
Or more simply in line:
SELECT *
FROM (
VALUES ('O')
) D (INDICATOR)
You can create the DUAL table in SQL Server:
CREATE TABLE DUAL (DUMMY NVARCHAR(1) NOT NULL);
INSERT INTO DUAL VALUES ('X');
and then use the same query as in Oracle:
select 'O' AS INDICATOR from DUAL;