out of curiosity is it possible to write an alter table add col statment with just sql. Since the statement is going into a script and I can't really do any sort of checks with C++.
So pretty much I am wondering if its possible to do something in the line of
Alter table "test" add "test_col" if 0 < ( select count("test_col") from "test");
or with combination of other sql statements.
Thanks.
This is not possible in SQLite.
You have to check this in your application, or just execute the script and ignore the error.
Related
let's suppose to have the table
create table mytable
(val1 number(5),
val2 varchar2(10));
insert into mytable values (1,'XXX');
and asked to generate the following XML
<ns1:head>
<ns1:val1>1</val1>
<ns1:val2>XXX</val2>
</ns1:head>
It's quite simple by running
select xmlelement("head",
xmlelement("val1",val1).extract('/*'),
xmlelement("val2",val2).extract('/*')
).extract('/*')
from mytable;
and to get
<head>
<val1>1</val1>
<val2>XXX</val2>
</head>
The problem is that if I try to do that way but for getting each node with "ns1:" in front of every tag
select xmlelement("ns1:head",
xmlelement("ns1:val1",val1).extract('/*'),
xmlelement("ns1:val2",val2).extract('/*')
).extract('/*')
from mytable;
I get an ORA-31011: XML parsing failed
Maybe I dont' konw how exactly the .extract('/*') works and in my case the "ns1:" could fails
Oracle version 10g
Thanks in advance!
Mark
What is the purpose of using extract('/*')?
Also a namespace prefix must be defined. You can add its declaration in the root element with xmlattributes.
select xmlelement("ns1:head", xmlattributes('http://www.example.com/ns1' as "xmlns:ns1"),
xmlelement("ns1:val1",val1),
xmlelement("ns1:val2",val2)
)
from mytable;
result:
<ns1:head xmlns:ns1="http://www.example.com/ns1"><ns1:val1>1</ns1:val1><ns1:val2>XXX</ns1:val2></ns1:head>
Update:
XMLELEMENT returns and XML object. If you want to get it as a formatted text, you can use XMLSERIALIZE.
select XMLSERIALIZE(document xmlelement("ns1:head", xmlattributes('http://www.example.com/ns1' as "xmlns:ns1"),
xmlelement("ns1:val1",val1),
xmlelement("ns1:val2",val2)
) indent)
from mytable;
result:
<ns1:head xmlns:ns1="http://www.example.com/ns1">
<ns1:val1>1</ns1:val1>
<ns1:val2>XXX</ns1:val2>
</ns1:head>
Update 2:
as I found out, indent instruction does not exist in Oracle 10g. So, if extract('/*') worked without namespaces, then adding xmlattributes to your original query with namespaces might work. I don't have Oracle 10g to test this.
select xmlelement("ns1:head", xmlattributes('http://www.example.com/ns1' as "xmlns:ns1"),
xmlelement("ns1:val1",val1).extract('/*'),
xmlelement("ns1:val2",val2).extract('/*')
).extract('/*')
from mytable;
Update 3:
Using extract('/*') for indenting lines looks like an undocumented feature. On Oracle 12c it doesn't work this way. So, updating Oracle version might break this undocumented behavior.
I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.
The only thing I don't have an automated tool for when working with Oracle is a program that can create INSERT INTO scripts.
I don't desperately need it so I'm not going to spend money on it. I'm just wondering if there is anything out there that can be used to generate INSERT INTO scripts given an existing database without spending lots of money.
I've searched through Oracle with no luck in finding such a feature.
It exists in PL/SQL Developer, but errors for BLOB fields.
Oracle's free SQL Developer will do this:
http://www.oracle.com/technetwork/developer-tools/sql-developer/overview/index.html
You just find your table, right-click on it and choose Export Data->Insert
This will give you a file with your insert statements. You can also export the data in SQL Loader format as well.
You can do that in PL/SQL Developer v10.
1. Click on Table that you want to generate script for.
2. Click Export data.
3. Check if table is selected that you want to export data for.
4. Click on SQL inserts tab.
5. Add where clause if you don't need the whole table.
6. Select file where you will find your SQL script.
7. Click export.
Use a SQL function (I'm the author):
https://github.com/teopost/oracle-scripts/blob/master/fn_gen_inserts.sql
Usage:
select fn_gen_inserts('select * from tablename', 'p_new_owner_name', 'p_new_table_name')
from dual;
where:
p_sql – dynamic query which will be used to export metadata rows
p_new_owner_name – owner name which will be used for generated INSERT
p_new_table_name – table name which will be used for generated INSERT
p_sql in this sample is 'select * from tablename'
You can find original source code here:
http://dbaora.com/oracle-generate-rows-as-insert-statements-from-table-view-using-plsql/
Ashish Kumar's script generates individually usable insert statements instead of a SQL block, but supports fewer datatypes.
I have been searching for a solution for this and found it today. Here is how you can do it.
Open Oracle SQL Developer Query Builder
Run the query
Right click on result set and export
http://i.stack.imgur.com/lJp9P.png
You might execute something like this in the database:
select "insert into targettable(field1, field2, ...) values(" || field1 || ", " || field2 || ... || ");"
from targettable;
Something more sophisticated is here.
If you have an empty table the Export method won't work. As a workaround. I used the Table View of Oracle SQL Developer. and clicked on Columns. Sorted by Nullable so NO was on top. And then selected these non nullable values using shift + select for the range.
This allowed me to do one base insert. So that Export could prepare a proper all columns insert.
If you have to load a lot of data into tables on a regular basis, check out SQL Loader or external tables. Should be much faster than individual Inserts.
You can also use MyGeneration (free tool) to write your own sql generated scripts. There is a "insert into" script for SQL Server included in MyGeneration, which can be easily changed to run under Oracle.
I am new to robotframework and I am trying to get the hang of the keywords of DatabaseLibrary. I am getting error at 3 of such keywords.
1) I am using rowcount keywords as below-
${rowCount} Row Count <sql query>
And I always get ${rowCount}=0 irrespective of the number of rows in my table.
2) I am using Delete All Rows From Table as below-
Delete All Rows From Table <Table_Name>
And I get ORA-00911: invalid character but if use the same table with other keywords like Query ,it works fine.
3) I am using Table Must Exist as below-
Table Must Exist <Table_Name>
And I get ORA-00942: table or view does not exist but this table is very much there.
Please help me find what am I doing wrong.
Thanks in Advance!!!
I could be wrong but I believe a colleague told me there were issues, at the very least with the Row Count keyword.
However, for all three options there are easy solutions, which you've even hinted at in your question by using Query or Execute SQL Script
1)
${result}= Query Select count(id) from table
${rc} = ${result[0][0]} #Play with this as I forget exact syntax
2) Put your delete script in a test scripts folder with your tests and call it using Execute SQL script. You could also use Query to perform a select query before and after to confirm expected states.
3) Again perform a query against the table you're expecting to be there, a simple row count on id would do for this purpose. You could set a variable based on the result and use this again later if required.
I had similar issues.
I use cx_Oracle.
With the Table Must Exist keyword my problem was the same.
I dont really understand why, but first I have to use Encode String to Bytes keyword.
And I need to use a DatabaseLibrary 0.8 at least, because earlier versions didnt have solution for cx_Oracle. These solved this issue for me.
But with Delete all rows from table I still have problems.
Because this keyword puts a ; at the end of the line and it passes on that line to execute query if I understand weel, so it still causes an ORA-00911 error for me.
With Execute Sql String and the command DELETE FROM tablename you can have the same results, but it will work this way.
I hope it helps a little
I get the following error:
Cannot use empty object or column names. Use a single space if necessary.
Msg 1038, Level 15, State 3, Line 1
and the query command looks like:
SELECT TOP 100 PERCENT
[].[cms_page].[pa_id], [].[cms_page].[pa_key],
[].[cms_page].[pa_title], [].[cms_page].[pa_keywords],
[].[cms_page].[pa_description], [].[cms_page].[pa_header],
[].[cms_page].[pa_created], [].[cms_page].[pa_modified],
[].[cms_page].[pa_language] FROM [cms_page]
WHERE
[cms_page].[pa_key] = #pa_key0
ORDER BY
[pa_id] ASC;
Strange indeed. Why does this happen? I'm using SubSonic 2.1.
Connectionstring:
<add name="OCDB" connectionString="Network Library=DBMSSOCN;Data Source=127.0.0.1,1433;Initial Catalog=test_db;User ID=test;Password=testpwd"/>
Edit: Well the solution was just to simply generate and rebuild the Data Access Layer and I was good to go.
You seem to be using a 3 part name with part of it empty, i.e. '[].'
It looks as though the query text is being constructed with an empty table schema.
Those empty [] square brackets should contain something like "dbo" to make the query syntactically valid. I don't know enough about SubSonic to give you a code sample though.
I'm not familiar with SubSonic, but have you tried a simpler query to test if you have your syntax correct? Does this query even work in SQL Server (Management Studio / Query Analyzer)?
Just looking at this from the perspective of SQL Server, you are using way too many brackets. If I was writing that query in SQL Server, it would look more like what I wrote below. I'm not sure about the variable #pa_key0, is this query part of a stored procedure or does SunSonic replace this variable when the query is ran?
SELECT
pa_id,
pa_key,
pa_title,
pa_keywords,
pa_description,
pa_header,
pa_created,
pa_modified,
pa_language
FROM
cms_page
WHERE
pa_key = #pa_key0
ORDER BY
pa_id ASC;
I think you need to set the schema for Subsonic to use. This thread seems to have some information:
Subsonic - How to use SQL Schema / Owner name as part of the namespace?