like condtion in sqldatasource for oracle database - asp.net

i have an sqldatasource for a grid to query data from oracle database. everything works fine and dandy till i run into a problem with the where clause with "like" condition. below is the command i would like to pass into the datasource.
ssql = "select * from table1 where lastname like upper('%' || :last_name || '%')"
sqldatasource.selectparameters.add("last_name","test")
but no matter what i do it keeps saying invalid variable name/number. can someone help me please? thanks

There's probably something that you can do in the code to escape the %, but you could always avoid the issue by changing the sql statement to use chr(37) instead of '%'. E.g.:
select * from dual
where 'ABXD' like chr(37)||'X'||chr(37);
(I'd comment the code heavily to make it clear why you've done that, if you do end up choosing this route, though!)

Related

Heroku Postgres thowing an errror-> message relation "aspnetusers" does not exist from AspNetUsers [duplicate]

I'm trying to run the following PHP script to do a simple database query:
$db_host = "localhost";
$db_name = "showfinder";
$username = "user";
$password = "password";
$dbconn = pg_connect("host=$db_host dbname=$db_name user=$username password=$password")
or die('Could not connect: ' . pg_last_error());
$query = 'SELECT * FROM sf_bands LIMIT 10';
$result = pg_query($query) or die('Query failed: ' . pg_last_error());
This produces the following error:
Query failed: ERROR: relation "sf_bands" does not exist
In all the examples I can find where someone gets an error stating the relation does not exist, it's because they use uppercase letters in their table name. My table name does not have uppercase letters. Is there a way to query my table without including the database name, i.e. showfinder.sf_bands?
From what I've read, this error means that you're not referencing the table name correctly. One common reason is that the table is defined with a mixed-case spelling, and you're trying to query it with all lower-case.
In other words, the following fails:
CREATE TABLE "SF_Bands" ( ... );
SELECT * FROM sf_bands; -- ERROR!
Use double-quotes to delimit identifiers so you can use the specific mixed-case spelling as the table is defined.
SELECT * FROM "SF_Bands";
Re your comment, you can add a schema to the "search_path" so that when you reference a table name without qualifying its schema, the query will match that table name by checked each schema in order. Just like PATH in the shell or include_path in PHP, etc. You can check your current schema search path:
SHOW search_path
"$user",public
You can change your schema search path:
SET search_path TO showfinder,public;
See also http://www.postgresql.org/docs/8.3/static/ddl-schemas.html
I had problems with this and this is the story (sad but true) :
If your table name is all lower case like : accounts
you can use: select * from AcCounTs and it will work fine
If your table name is all lower case like : accounts
The following will fail:
select * from "AcCounTs"
If your table name is mixed case like : Accounts
The following will fail:
select * from accounts
If your table name is mixed case like : Accounts
The following will work OK:
select * from "Accounts"
I dont like remembering useless stuff like this but you have to ;)
Postgres process query different from other RDMS. Put schema name in double quote before your table name like this, "SCHEMA_NAME"."SF_Bands"
Put the dbname parameter in your connection string. It works for me while everything else failed.
Also when doing the select, specify the your_schema.your_table like this:
select * from my_schema.your_table
If a table name contains underscores or upper case, you need to surround it in double-quotes.
SELECT * from "Table_Name";
I had a similar problem on OSX but tried to play around with double and single quotes. For your case, you could try something like this
$query = 'SELECT * FROM "sf_bands"'; // NOTE: double quotes on "sf_Bands"
This is realy helpfull
SET search_path TO schema,public;
I digged this issues more, and found out about how to set this "search_path" by defoult for a new user in current database.
Open DataBase Properties then open Sheet "Variables"
and simply add this variable for your user with actual value.
So now your user will get this schema_name by defoult and you could use tableName without schemaName.
You must write schema name and table name in qutotation mark. As below:
select * from "schemaName"."tableName";
I had the same issue as above and I am using PostgreSQL 10.5.
I tried everything as above but nothing seems to be working.
Then I closed the pgadmin and opened a session for the PSQL terminal.
Logged into the PSQL and connected to the database and schema respectively :
\c <DATABASE_NAME>;
set search_path to <SCHEMA_NAME>;
Then, restarted the pgadmin console and then I was able to work without issue in the query-tool of the pagadmin.
For me the problem was, that I had used a query to that particular table while Django was initialized. Of course it will then throw an error, because those tables did not exist. In my case, it was a get_or_create method within a admin.py file, that was executed whenever the software ran any kind of operation (in this case the migration). Hope that helps someone.
In addition to Bill Karwin's answer =>
Yes, you should surround the table name with double quotes. However, be aware that most probably php will not allow you to just write simply:
$query = "SELECT * FROM "SF_Bands"";
Instead, you should use single quotes while surrounding the query as sav said.
$query = 'SELECT * FROM "SF_Bands"';
You have to add the schema first e.g.
SELECT * FROM place.user_place;
If you don't want to add that in all queries then try this:
SET search_path TO place;
Now it will works:
SELECT * FROM user_place;
Easiest workaround is Just change the table name and all column names to lowercase and your issue will be resolved.
For example:
Change Table_Name to table_name and
Change ColumnName to columnname
It might be silly for a few, but in my case - once I created the table I could able to query the table on the same session, but if I relogin with new session table does not exits.
Then I used commit just after creating the table and now I could able to find and query the table in the new session as well. Like this:
select * from my_schema.my_tbl;
Hope this would help a few.
Make sure that Table name doesn't contain any trailing whitespaces
Try this: SCHEMA_NAME.TABLE_NAME
I'd suggest checking if you run the migrations or if the table exists in the database.
I tried every good answer ( upvote > 10) but not works.
I met this problem in pgAdmin4.
so my solution is quite simple:
find the target table / scheme.
mouse right click, and click: query-tool
in this new query tool window, you can run your SQL without specifying set search_path to <SCHEMA_NAME>;
you can see the result:

Error with SQLite query, What am I missing?

I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.

asp:SqlDataSource - Debugging a parameterized query

Is there any way to see what the SQL looks like after the parameters are resolved?
For example here is a small part of my SQL:
([Event].[Start_Time] LIKE #StartTimeValue)
And my parm:
SqlDataSourceObject.SelectParameters.Add("StartTimeValue", TypeCode.DateTime, StartTimeValue)
But what does the final SQL look like when the parm #StartTimeValue is replaced with the value in StartTimeValue?
How can I see that?
Thanks for your help.
Do you have access to the database server? From there you could run a tool like SQL Profiler.
Another way is to set a break point just before the query is executed and examine the variables that went in. Usually the issue lies somewhere with the variables you're passing in (they are null, etc) and not with the resolved query itself. You could also set it up in a SQL query window like so:
-- Declare the variable to be used.
DECLARE #StartTimeValue datetime;
-- Initialize the variable.
SET #StartTimeValue = '<PASTE VARIABLE VALUE YOU GOT FROM DEBUGGING HERE>';
SELECT * FROM [Event] WHERE ([Event].[Start_Time] LIKE #StartTimeValue);

Easiest way to query oracle database

i need to interact with an oracle database,i usually use toad but i need to simplify some operations.
i'd like to have forms and buttons to launch custom query
EX
have a button "username" and a button "start" so when i press the button ,the program will do some checks whit ifs and cases and then some insert or update
web page or windows application i don't care as long its "easy" to do
i've tried visual basic but i cant understand how to do updates and inserts
Thank you
AFAIK you can try every language that .NET framework supports (even F#), but most popular way is to use C# with .NET.
There are a lot of books and manual online abut connecting .NET to DB. Also try reading about LINQ.
You may strat by looking on the net if there is an easy code that it could help you on your needs.
You can always try paste some code of your mine here so ppl will help you.
IF you managed to make calls to Oracle from VB or the other languages that you are using, but you are having trouble with specific commands, you could wrap them in PL/SQL procedures or packages.
Here's a simple example:
create or replace procedure updateuser(p_user in varchar2) as
--here you can declare local stored procedure variables and you can already give some starting value if you want
somevariable number := length(p_user) + 1;
someothervariable varchar2(10);
begin
--some useless code just to show you basic usage:
someothervariable := '(' || p_user || ')';
--Your update or insert statement:
UPDATE sometable
SET somecolumn = someothervariable
where username = p_user;
commit;
end;
To call it from your VB, you might need to do something like this: (forgive my poor knowledge of vb, the syntax may be all wrong):
myvbsub "begin updateuser('" + vbuservar + "'); end;"
Hope this helps!

Classic ASP: RecordSet Field giving no value

I'm not really an ASP developer, so a little bit lost.
I have the following data access code:
sSQL = "SELECT answer_id, company_name, old_access_company_name, answer, flag_asker_notified FROM Q01_ask_sheiiba_answer_company2 WHERE question_id="& sQuestion_id &" ORDER BY answer_id"
rs.open sSQL, conn
DO WHILE NOT rs.EOF
Response.Write(rs.Fields("answer"))
rs.MoveNext
LOOP
I have tested that the sql query is built properly by outputting it to the response before it is called. It produces the following query:
SELECT answer_id, company_name, old_access_company_name, answer, flag_asker_notified
FROM Q01_ask_sheiiba_answer_company2
WHERE question_id=988
ORDER BY answer_id
When I copy that exact query to sql management studio and run it I get the expected results of 5 rows and each row containing data in every cell, BUT, when I run it through the above code, I get the same 5 rows with the same cell data, EXCEPT for the answer column, which is empty!
What am I missing?
Thanks in advance
There are two things you might want to try:
Put your text field at the end of the query. For example:
SELECT answer_id, company_name, old_access_company_name, flag_asker_notified, answer
If this doesn't give you the results, you might want to try:
WHILE NOT rs.EOF
theanswer=rs("answer")
Response.Write(theanswer)
rs.movenext
wend
Text and Memo fields can play a little havoc with ASP.
EDIT: Another thing that you can try is:
rs.CursorLocation = adUseClient
or
rs.CursorLocation = 3
The problem is that the ODBC driver can't access large text blobs as strings; you need to access them as chunked BLOB data.
I advise instead to dump the ODBC connection and connect using the OLE-DB driver directly. This will let you access that column as if it was just another varchar column.
I just had a similar problem (I think). I converted a varchar field to text. When I did so, I found that the text field seemed to "disappear" from my selected record set. I my case, I discovered that you can reference the text field ONLY ONCE. After that, it seems to disappear. Accordingly, for the text field, I now simply move it into a string variable and then operate on the string. That solved my problem.
John
Had the same problem and found the solution here https://web.archive.org/web/20170224013842/http://www.4guysfromrolla.com/aspfaqs/ShowFAQ.asp?FAQID=80
Basically when you open the recordset (not connection.execute) use the options adOpenKeyset (val 1) and adUseClient (val 3), and the text filed should be the last in your field list in strSql
example: rs.Open strSql, dbConn, adOpenKeyset, adUseClient

Resources