I have issue when i use scop_identity in sqlite it showing the error like near "select": syntax error...i write query like this
string txtSQLQuery = "insert into SerpTrak_Site (SiteName) values ('" + txturl.Text + "')select scope_identity();";
any wrong in this query please help me...
SQLite does not have a function by the name scope_identity
You are probably looking for 'SELECT last_insert_rowid()'
See also this question: Does SQLite support SCOPE_IDENTITY?
Missing a semicolon between the two queries.
string txtSQLQuery = "insert into SerpTrak_Site (SiteName)
values ('" + txturl.Text + "'); select scope_identity();";
Related
I am inserting record in db using below mentioned query but it gives me error "Invalid number" so guide me.
string query1 = "insert into MNE.MNE_users(USER_ID,INSERTED_DATE) values ( '" + id + "',to_date('" + INSERTED_DATE.Text + "','DD/MM/YYYY') )";
Please guide me.
to_date() function solves my Problem
I think you should replace; 'yyyy-mm-dd + ' with 'yyyy-mm-dd'
I have the following SQLite statement:
"SELECT * FROM HISTORICALPICKS WHERE BETTYPE = " + betType.ToString().ToUpper() + " ORDER BY DATETIME ASC"
And betType.ToString().ToUpper() is the string "ATS"
For some reason I get the following error:
System.Data.SQLite.SQLiteException : SQL logic error or missing database
no such column: ATS
...which leaves me baffled. ATS is not a column. BETTYPE is the column. I want it to select rows that have "ATS" in the BETTYPE column.
My hunch is that something is wrong with the syntax. Here is a picture showing the table name and column name, along with a highlight of the value ATS:
You need single quotes around the value.
"SELECT * FROM HISTORICALPICKS WHERE BETTYPE = '" + betType.ToString().ToUpper() + "' ORDER BY DATETIME ASC"
I am getting following error on insert statement for sqlite DB
could not prepare statement (1 near "undefined": syntax error)
I tried 2 variations of insert, for both error is same
var sql = "INSERT INTO Med(MedID) VALUES(?),";
sql += "['"+dataObj[i].MedID+"']";
var sql = "INSERT INTO Med(MedID) VALUES ('"+dataObj[i].MedID+"')";
tx.executeSql(sql);
The correct way to give parameters to an SQL statement is as follows:
var sql = "INSERT INTO Med(MedID) VALUES (?)";
tx.executeSql(sql, [dataObj[i].MedID]);
It looks like you are missing the space that is needed between the table name and the column names.
Try this:
var sql = "INSERT INTO Med (MedID) VALUES ('"+dataObj[i].MedID+"')";
tx.executeSql(sql);
Make sure your dataObj[i].MedID is also defined. Add a console.log(sql) before your executeSql statement to check the command before using it.
Read this:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
On the dynamic sql part it has various such as this:
So, if you had an existing Dynamic query being generated in your code that was going to Oracle that looked like this:
String query = "SELECT user_id FROM user_data WHERE user_name = '" + req.getParameter("userID")
+ "' and user_password = '" + req.getParameter("pwd") +"'";
try {
Statement statement = connection.createStatement( … );
ResultSet results = statement.executeQuery( query );
}
You would rewrite the first line to look like this:
Codec ORACLE_CODEC = new OracleCodec();
String query = "SELECT user_id FROM user_data WHERE user_name = '" +
ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("userID")) + "' and user_password = '"
+ ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("pwd")) +"'";
And it would now be safe from SQL injection, regardless of the input supplied.
But the later is says:
Oracle 10g escaping
An alternative for Oracle 10g and later is to place { and } around the string to escape the entire string. However, you have to be careful that there isn't a } character already in the string. You must search for these and if there is one, then you must replace it with }}. Otherwise that character will end the escaping early, and may introduce a vulnerability.
I did not see an example, but does this mean I can use braces instead of the Codec ORACLE_CODEC....etc.? Does anyone have an example? Thanks.
No, this is not an injection prevention technique. The only way to be 100% sure that you're not vulnerable to injection is to use prepared statements and bind parameters for all user input that needs to be inserted into the query. Anything less than that, and you're pretty much just rolling the dice.
When i run this as my first commend i get an exception an error near "last_insert_rowid". This is referring to the last last_insert_rowid();. If i set the curser to the line command.CommandText = and run it again it is fine.
What gives? The last_insert_rowid seems to be working properly why doesnt the last_insert_rowid after the 2nd insert work.
I tried moving last_insert_rowid() to after the execute and i still get an error. What gives?
using (var trans = connection.BeginTransaction())
{
command.CommandText =
"INSERT INTO link_list(link, status, hash_type, hash_id) " +
"VALUES(#link, #status, #hash_type, #hash_id);" +
"INSERT INTO active_dl(linkId, orderNo) " +
"VALUES(last_insert_rowid(), (SELECT COUNT(*) FROM active_dl)); last_insert_rowid();";
command.Parameters.Add("#link", System.Data.DbType.String).Value = link;
command.Parameters.Add("#status", System.Data.DbType.Int32).Value = SiteBase.Status.none;
command.Parameters.Add("#hash_type", System.Data.DbType.Int32).Value = 0;
command.Parameters.Add("#hash_id", System.Data.DbType.Int32).Value = 0;
int rowid = command.ExecuteNonQuery();
trans.Commit();
}
Why is the last last_insert_rowid() there? After the second insert you call last_insert_rowid with no select or anything to identify what you want to do with it.
You would have to put a select in front of it to retrieve the value wouldn't you?
You're trying to execute 2 sql commands in the one statement. You'll need to split the 2 statements up into 2 calls and return the inserted id from the first statement.
An alternative suggestion is a stored procedure but I don't think sqlite supports these.