Sophisticated JPQL String Query - sql

I am trying to execute a pretty-sophisticated query on a string field in the database. I am not very experienced at JPQL, so I thought I would try to get some help.
I have a field in the database called FILE_PATH. Within the FILE_PATH field, there will be values such as:
'C:\temp\files\filename.txt'
'file:\\\C:\testing\testfolder\innerfolder\filename2.txt'
I need to be able to do a search from a user-given query on the file name only. So, instead of simply doing a SELECT Table FROM Table AS t WHERE t.filePath LIKE '%:query%', things will have to get a bit more complicated to accomodate for just the filename portion of the path. The file path and file name are dynamic data, so I can't just hard-code a prefix string in there. This has me pretty confused, but I know there are some string expressions in JPQL that might be able to handle this requirement.
Basically, I just need to return all rows that match the given query on whatever comes after the last '\' in the FILE_PATH field. Is this possible?
Thanks for the help.
EDIT: Database that is being used is SQL Server.

Probably the best solution is to add a separate column that contains just the file name. If you can't, then this might work (depending on the database you use):
drop table test;
create table test(name varchar(255));
insert into test values('C:\temp\name2\filename.txt');
insert into test values('file:\\\C:\\innerfolder\filename2.txt');
select * from test
where substring(name, locate('\', name, -1)) like '%name2%'
This is pure SQL, but as far as I understand all the functions are supported within JPQL: http://www.datanucleus.org/products/accessplatform/jpa/jpql_functions.html
One problem is the locate(,,-1). It means 'start from the end of the string'. It works for the H2 database, but not MySQL and Apache Derby. It might work for Oracle, SQL Server (I didn't test it). For some databases may need to replace '\' with '\\' (MySQL, PostgreSQL; not sure if Hibernate does that for you).

Final WHERE Clause:
LOWER(SUBSTRING(fs.filePath, LENGTH(fs.filePath) - (LOCATE('\\', REVERSE(fs.filePath)) - 2), (LOCATE('\\', REVERSE(fs.filePath)) - 1))) LIKE '%:query%'
NOTE: For performance, you might want to save the location of the slash.
Thanks to Thomas Mueller for the assistance.

Related

table with "." in its name

I was trying to use sqlFetch. The fetch works perfectly when I change the name of my table to have underlines instead of periods. So if I use the command
sqlFetch(conn, "HelloWorld_40")
It works fine. Unfortunately, my friends are all using the real name of the table
sqlFetch(conn, "HelloWorld.40")
But then it crashes and it tells me that
Error in sqlColumns(conn, "HelloWorld.40") :
'HelloWorld.40': table not found on channel
I'm guessing the period "." is illegal name for a table. But I don't want my friends to change it because it's a lot of people who would be affected. Is there a way I can call the table, or do I have to secretly go to their database, change the name while I use it and then change it back to a period (risking that I will forget, someone will read, blah blah).
Thanks.
put the table name in square brackets:
[HelloWorld.40]
It is a problem with sqlFetch which parse table name. Unfortunately it did not handle table quotes, so it's search for table 40 in schema HelloWorld. You need to directly call sqlQuery (with quoted table name, brackets for MS SQL Server):
sqlQuery(dbhandle, "SELECT * FROM [HelloWorld.40]")
Side note: you should specify which database you are using.
The best delimiter is double quotes -- that should work in most underlying databases:
"HelloWorld.40"
In MySQL, you can also use back ticks (`):
`HelloWorld.40`
In SQL Server, Access, and I think Sybase, you can also use square braces:
[HelloWorld.40]

Data pattern SQL

This I am sure is a fairly simple question. Clients are entering data into a column that looks like this 600/4768/4. I need to be able to remove the / once the data has been entered. How would I do this?
It is usually entered in this format as it is being referenced from another source in this pattern.
You could do it either in program before data is submitted, or in sql. Exactly how depends on what you're programming with, an what database you're using.
in MySql you can do this: replace('00/4768/4', '/', ''); Most any rdbms will have a similar function.
http://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_replace
I usually find it's easier to do this kind of thing in the program than in sql though.
Using SQL SERVER you can try REPLACE (Transact-SQL)
Replaces all occurrences of a specified string value with another
string value.
Usage:
SELECT REPLACE('abcdefghicde','cde','xxx');
You can use REPLACE function in your SQL query:
replace( string1, string_to_replace, [ replacement_string ] )
select REPLACE('600/4768/4','/','')
While user enters the data take it and then replace the "/" and then store in the table
While inserting client data in to column you can use the REPLACE function, I believe, you are using SQLServer. Below is the example how you can use replace.
REPLACE('600/4768/4','/','');
USe REPLACE if you want to update in SQL
like
REPLACE(<column_Name>,'/',' ')
whole query will look like
Update <table_name>
set <column_Name> = REPLACE(<column_Name>,'/','')
hope this helps

sql or trick to search through whole database

is there a way to actually query the database in a such a way to search for a particular value in every table across the whole database ?
Something like a file search in Eclipse, it searches accross the whole worspace and project ?
Sorry about that .. its MS SQL 2005
SQL Workbench/J has a built in tool and command to do that.
It's JDBC based and should also work with SQL Server.
You will need to use the LIKE operator, and search through each field separately. i.e.
SELECT * FROM <table name>
WHERE (<field name1> LIKE '%<search value>%') OR
(<field name2> LIKE '%<search value>%') OR
... etc.
This isn't a quick way though.
I think the best way would be to
1) programatically generate the query and run it
2) use a GUI tool for the SQL server you are using which provides this functionality.
In mysql you can use union operator like
(SELECT * from table A where name = 'abc') UNION (SELECT * from
table B where middlename = 'pqr')
and so on
use full text search for efficency
http://dev.mysql.com/doc/refman/5.0/en/fulltext-search.html
Well, your best bet is to write a procedure to do this. But to give you some pointers you can use the INFORMATION_SCHEMA.Tables to get a list of all the tables in a given database and INFORMATION_SCHEMA.Columns to get a list of all columns. These tables also give you the datatype of columns. So you will need a few loops on these tables to do the magic.
It should be mentioned most RDBMSs nowadays support these schemas.
In phpmyadmin, go to your database, reach the search tab.
Here you will be able to select all of your tables and search through your entire db in one time.

Can you explain this SQL injection?

The website i worked was recently attempted to be hacked by the following SQL injection script
boys' and 3=8 union
select 1,
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9
from `information_schema`.`tables`
where table_schema=0x62646B3032 limit 44,1 -- And '8'='8
This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?
Anyone can explain this?
Penuel
They're using a select from the Information Schema views in mysql server :
http://dev.mysql.com/doc/refman/5.0/en/information-schema.html
They use some clever hacks to rout out simple sql injection prevention techniques.
According to this the MySQL concat()
Returns the string that results from
concatenating the arguments. May have
one or more arguments. If all
arguments are nonbinary strings, the
result is a nonbinary string. If the
arguments include any binary strings,
the result is a binary string. A
numeric argument is converted to its
equivalent binary string form
So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.
Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.
The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.
This injection returned the mysql table name.
Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.

Parameterise table name in .NET/SQL?

As the topic suggests I wish to be able to pass table names as parameters using .NET (doesn't matter which language really) and SQL Server.
I know how to do this for values, e.g. command.Parameters.AddWithValue("whatever", whatever) using #whatever in the query to denote the parameter. The thing is I am in a situation where I wish to be able to do this with other parts of the query such as column and table names.
This is not an ideal situation but it's one I have to use, it's not really prone to SQL injection as only someone using the code can set these table names and not the end-user. It is messy however.
So, is what I am asking possible?
EDIT: To make the point about SQL injection clear, the table names are only passed in by source code, depending on the situation. It is the developer who specifies this. The developer will have access to the database layer anyway, so the reason I am asking is not so much for security but just to make the code cleaner.
You cannot directly parameterize the table name. You can do it indirectly via sp_ExecuteSQL, but you might just as well build the (parameterized) TSQL in C# (concatenating the table-name but not the other values) and send it down as a command. You get the same security model (i.e. you need explicit SELECT etc, and assuming it isn't signed etc).
Also - be sure to white-list the table name.
I don't think I've ever seen this capability in any SQL dialect I've seen, but it's not an area of expertise.
I would suggest restricting the characters to A-Z, a-z, 0-9, '.', '_' and ' ' - and then use whatever the appropriate bracketing is for the database (e.g. [] for SQL Server, I believe) to wrap round the whole thing. Then just place it directly in the SQL.
It's not entirely clear what you meant about it not being a SQL injection risk - do you mean the names will be in source code and only in source code? If so, I agree that makes things better. You may not even need to do the bracketing automatically, if you trust your developers not to be cretins (deliberately or not).
You can pass the table name as a parameter like any other parameter. the key is you have to build a dynamic sql statement, which then you should consider if it's easier to build it in your app tier or in the procs.
create procedure myProc
#tableName nvarchar(50)
as
sp_executesql N'select * from ' + #tablename
fyi this code sample is from memory have a look at BOL for the proper syntax of sp_executesql.
Also this is highly sucesptible to SQL injection as you indicated is not an issue for you but anyone reading this should be very wary of accepting input from a user to generate their queries like this.
SQL query parameters can only take the place of a literal value. You cannot use a parameter for a table name, column name, list of values, or other SQL syntax. That's standard SQL behavior across all brands of database.
The only way to make the table name dynamic is to interpolate a variable into your SQL query before you prepare that string as a statement.
BTW, you're fooling yourself if you think this isn't a risk for SQL injection. If you interpolate the table name into the query dynamically, you need to use delimited identifiers around the table name, just as you would use quotes around a string literal that is interpolated from a variable.
The idea that it is not prone to SQL injection is misguided. It may be less prone to SQL injection from front end users, but it is still very much prone to SQL injection. Most attacks on databases come from inside the company being attacked, not from end users.
Employees may have grudges, they may be dishonest, they may be disgruntled, or they may just be not so bright and think that it's ok to bypass security to do whatever it is that THEY think should be done to the database.
Please see this post answer by user Vimvq1987:
MySqlParameter as TableName
Essentially you first check the table name against the schema, in which the table name is used in a parameterized fashion. Then if all is ok, the table name is legit.
Paraphrased basic idea is:
SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'databasename'
AND table_name = #table;
cmd.Parameters.AddWithValue("#table",TableName);
If this returns ok with the table name, go ahead with your main query...
I would just check
select OBJECT_ID(#tablename)
the idea is to prevent injection you know it has to be table name this was if this returns a number then i would run the actual query,