I want to create a table for making a comment box. I was told that I should be wary of sql injection (dont even know what that means).
So I thought I should ask around at SO. my requirements are:
Comments table
a comment row ~400 chars
aid -> every comment should be linked to an aid. duplicates should be allowed. means aid = 21, can have more than 1 comment. I should be able to search through the DB to see all the comments related to aid = 21.
timestamp for the comment
userid for the comment.
A MySQL query for the above table that should not allow SQL injection. I am pretty confused. any help would be highly appreciated. thanks a lot in advance.
Creating a table usually happens only once, when the system is installed. There is, therefore, no risk of SQL injection (which happens when a query is run with data provided by the user).
The above description would probably be implemented as:
CREATE TABLE `comment` (
`comment_id` INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY,
`comment_text` VARCHAR(400) NOT NULL,
`aid_id` INTEGER NOT NULL REFERENCES `aid`(`aid_id`),
`comment_time` DATETIME NOT NULL,
`user_id` INTEGER NOT NULL REFERENCES `user`(`user_id`)
);
Try and use stored procedures in mysql .
Use parameters to pass the input to the stored procedure.
thuis tutorial is for you .
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
SQL injection is explained at Wikipedia and other places.
Use mysql_real_escape_string() or stored procedures are standard techniques that will avoid SQL injection.
Related
I am using SQL Server Management Studio and would like to create a table that when dates are entered in to the table, it checks that someone is over 18.
I have got as far as:
CREATE TABLE tCustomer
(
FirstName VARCHAR(20) NOT NULL,
DateOfBirth DATE CHECK (DateOfBirth < GETDATE())
);
I know this is currently wrong as all it is doing is checking that the DateOfBirth is less than the current time. But I can't quite seem to find what I am looking for.
If it is too complex for create table, maybe some sort of trigger? I do not really want to use a stored procedure.
Your help would be appreciated.
Cheers.
This condition is invalid in a check constraint because it is non-deterministic. If the clock is turned back suddenly rows that were valid could now become invalid. The constraint would retroactively be invalidated.
You should probably move this check to the application.
Is there a standardized way I can create a table in SQL with a column (lets call it ID) that is auto incremental so that I can basically use it in all databases?
(e.g. standardized in SQL-92)
If so - how? If not, why? I think auto_increment is a very often used property so I thought it would be very important to standardize it…
Nope, sorry. There is AUTO_INCREMENT in MySQL, but e.g. in MS SQL this is called IDENTITY and SERIAL in PGSQL. Many things are not really standardized in SQL - and most are in the schema creating area.
It's a mess, but you can use stuff like e.g. Hibernate/NHibernate to try to use a single code base.
Update: Few year later there is a more standard way that some DBMS support (e.g. PG SQL from version 10.0, so from October 2017):
GENERATED BY DEFAULT AS IDENTITY -- the value has a default auto incrementation, but you can insert your own.
GENERATED ALWAYS AS IDENTITY -- forbids inserting own values (in a standard query, might be overriden)
This is something that should work in PG SQL 10+, DB2, Oracle:
DROP TABLE IF EXISTS simple_test;
CREATE TABLE simple_test(
s_id int PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY
);
Note however that this will not work in Microsoft SQL Server (not even in MS SQL Server 2022). MSSQL does not support the generated keyword. MySQL/MariaDb has generated columns, but MariaDb does not support the identity syntax.
So yeah, 10 years later the answer is kind of the same really -- it is still a mess and you should probably use a framework for that.
You can use so-called identity columns:
CREATE TABLE foo(id int GENERATED ALWAYS AS IDENTITY);
This is in the SQL standard and should be supported by PostgreSQL 10 and Oracle:
https://www.2ndquadrant.com/en/blog/postgresql-10-identity-columns/#comment-248607
In Oracle you need to create a SEQUENCE
SQLite uses it for rowid and a synonym of it e.g. RowIdSyn INTEGER PRIMARY KEY AUTOINCREMENT
I am trying to dynamically create a SQL table only if it's not already existing. I have seen many solutions on the internet but they usually rely on a specific database, while I'm trying to find the most generic solution.
I was thinking of always running the CREATE command and then assuming that if it fails then the table exist and I can start inserting data into it. I can't see any flaw in this reasoning (not counting performance issues), but I might be wrong.
Is this an acceptable method?
Can you suggest other methods which are database independent, or that use ANSI SQL that all RDBMS would accept?
if there is a table - say - EMP, does that really imply that it is the same EMP that you are expecting?
Either query the appropriate data dictionary for the table structure, or fill your code with a ton of error checking and conditional logic...
INFORMATION_SCHEMA is part of the ANSI SQL Standard, so you should be able to:
IF NOT EXISTS(SELECT NULL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'YourTable')
CREATE TABLE...
what about: create table if not exists
This is probably stupid simple, but for some reason I'm having trouble getting it to work. I have a typical import script I'm trying to run on a MS SQL server with one master user (as opposed to a single user with only access to one database).
When I run the .SQL script, it creates the database and then starts to create tables. Here's where it gets interesting. It's not creating the databases under the DB I just made. It's throwing the tables under the "System Databases" view and not restricting the table creation to the DB that was just created.
I have tried:
CREATE TABLE table_name
CREATE TABLE database_name.table_name
Maybe I'm overlooking something really easy. I don't usually run into this with MySQL with a single user mapped to one database, I think since the user can only see that one database, so MySQL assumes it must be the one to work with.
The difference now is that I'm using MSSQL 2008 and maybe it works a little differently and I'm overlooking something. Thanks for your help!
Tried this too. No luck. Says database doesn't exist when it tries to create the table. I would think being a top/down read of the query script it would first create the database, then try to create the table afterwards.
CREATE DATABASE DATABASENAME;
CREATE TABLE DATABASENAME.dbo.TABLENAME
(
field_one VARCHAR(100) NOT NULL,
field_two INT NOT NULL,
PRIMARY KEY(field_one)
)
This is a working example after getting it all figured out. This syntax works well and I don't need to specify the DBO pathing stuff before table names this way. Cleaner and got me the results I was looking for. Thanks everyone.
IF Db_id('DBNAME') IS NULL
CREATE DATABASE DBNAME;
GO
USE [DBNAME];
GO
CREATE TABLE TABLENAME
(
COL1 VARCHAR(100) NOT NULL,
COL2 INT NOT NULL,
PRIMARY KEY(COL2)
)
INSERT INTO TABLENAME
(COL1,
COL2)
VALUES('1234',1001),
('1234',1002),
('1234',1003),
('1234',1004)
It basically just does a check to make sure database is created before doing anything else, then sets the USE database to the one I'm working with. Everything else is just normal SQL, so have fun. Cheers!
Probably you need to include the USE sentence at the begining of your script in order to indicate the database as follows:
USE [database_name]
GO
By default SQL-SERVER use the master DB that´s listed under system databases.
Other way is to use the database prefix, but including the owner:
INSERT INTO database_name.dbo.table_name
INSERT INTO database_name..table_name
I need to test a column which changed from varchar(30) to varchar(65). I don't have a access to insert a value into that column.Is there any other way so that i can test the column?
Your best bet is to put together a testing database and make the change there first. Point your application at the test database and see what happens.
Use "desc" in oracle or an equivalent command depending on the database to describe the table. This will list out all the table columns along with their data types.
DESC TableName shows the table structure. Isn't that more than an assurance? :-D