I'm trying to get a single value from my table in a database. They are all given a unique id when stored. Here is the code I use to put the in:
With SqlDataSource1
.InsertParameters("page").DefaultValue = ViewState("TrueURL")
If My.User.IsAuthenticated Then
.InsertParameters("sender").DefaultValue = My.User.Name
Else
.InsertParameters("sender").DefaultValue = Request.UserHostAddress.ToString
End If
.InsertParameters("details").DefaultValue = PrepareText(TextBox2.Text)
.InsertParameters("date").DefaultValue = Now()
.Insert()
End With
That was so you could get an idea of what I was looking for, I'm not looking for sql statements, I don't know how to use them.
Just keep in mind, this is all vb.net/asp.net.
Thanks!
--EDIT--
I think I found something useful but I can't find how to use it. The Select function. It returns something and accepts parameters like the insert one I mentioned above... any ideas?
You cant extract it without first running an SQL query to extract it.
If you've got this far, read a little further in the MS help pages about how to run the select querys, this is where you would put your SQL statements.
Related
I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.
I am new to robotframework and I am trying to get the hang of the keywords of DatabaseLibrary. I am getting error at 3 of such keywords.
1) I am using rowcount keywords as below-
${rowCount} Row Count <sql query>
And I always get ${rowCount}=0 irrespective of the number of rows in my table.
2) I am using Delete All Rows From Table as below-
Delete All Rows From Table <Table_Name>
And I get ORA-00911: invalid character but if use the same table with other keywords like Query ,it works fine.
3) I am using Table Must Exist as below-
Table Must Exist <Table_Name>
And I get ORA-00942: table or view does not exist but this table is very much there.
Please help me find what am I doing wrong.
Thanks in Advance!!!
I could be wrong but I believe a colleague told me there were issues, at the very least with the Row Count keyword.
However, for all three options there are easy solutions, which you've even hinted at in your question by using Query or Execute SQL Script
1)
${result}= Query Select count(id) from table
${rc} = ${result[0][0]} #Play with this as I forget exact syntax
2) Put your delete script in a test scripts folder with your tests and call it using Execute SQL script. You could also use Query to perform a select query before and after to confirm expected states.
3) Again perform a query against the table you're expecting to be there, a simple row count on id would do for this purpose. You could set a variable based on the result and use this again later if required.
I had similar issues.
I use cx_Oracle.
With the Table Must Exist keyword my problem was the same.
I dont really understand why, but first I have to use Encode String to Bytes keyword.
And I need to use a DatabaseLibrary 0.8 at least, because earlier versions didnt have solution for cx_Oracle. These solved this issue for me.
But with Delete all rows from table I still have problems.
Because this keyword puts a ; at the end of the line and it passes on that line to execute query if I understand weel, so it still causes an ORA-00911 error for me.
With Execute Sql String and the command DELETE FROM tablename you can have the same results, but it will work this way.
I hope it helps a little
Is there any way to see what the SQL looks like after the parameters are resolved?
For example here is a small part of my SQL:
([Event].[Start_Time] LIKE #StartTimeValue)
And my parm:
SqlDataSourceObject.SelectParameters.Add("StartTimeValue", TypeCode.DateTime, StartTimeValue)
But what does the final SQL look like when the parm #StartTimeValue is replaced with the value in StartTimeValue?
How can I see that?
Thanks for your help.
Do you have access to the database server? From there you could run a tool like SQL Profiler.
Another way is to set a break point just before the query is executed and examine the variables that went in. Usually the issue lies somewhere with the variables you're passing in (they are null, etc) and not with the resolved query itself. You could also set it up in a SQL query window like so:
-- Declare the variable to be used.
DECLARE #StartTimeValue datetime;
-- Initialize the variable.
SET #StartTimeValue = '<PASTE VARIABLE VALUE YOU GOT FROM DEBUGGING HERE>';
SELECT * FROM [Event] WHERE ([Event].[Start_Time] LIKE #StartTimeValue);
I built a web application using ASP.NET, data stored at SQL Server 2008.
The application is running ok, but once a couple of day the application displays wrong data and i get error when i enter some pages. system return to normal work after 5 minutes by it self.
can someone give a clue what is the problem?
I'm getting error on lines which try to take data from retrieved DataTable:
like:
txtbx_contact_fullname.Text = dt_contact.Rows[0]["Contact_Fullname"].ToString();
or
lbl_Creation_datetime.Text = dt_YC_Last_Transaction.Rows[0]["Creation_datetime"].ToString();
usually these lines works perfect, and there is no reason that the datatable will return empty.
the error i get is:
Column 'xxxxx' does not belong to table.
The Query that retrieve the data is:
SELECT [Request ID],[Creation Date],[Request Status],[Contact Fullname],[Start Date],[Start Time],[End Date],[End Time],[Work Mode],[Comments],[HPM Points],[FA Points]
FROM dbo.vw_All_Requests
WHERE [Request Status] = #YellowCard_Status
ORDER BY [Creation Date] DESC
From some reason some columns do not get back..
txtbx_contact_fullname.Text = dt_contact.Rows[0]["Contact Fullname"].ToString();
lbl_Creation_datetime.Text = dt_YC_Last_Transaction.Rows[0]["Creation datetime"].ToString();
you column name in asp.net code has _ for example full_name but in sql query it does not have _, i don't know you've assigned names to your datatable or not but give attention to this issue ...
if you code is correct. you are calling Creation_datetime from .NET code, but in SQL you have no such column, what you do have is a Creation date only (from your SELECT query).
so, to fix your problem, all you need to do is change
dt_YC_Last_Transaction.Rows[0]["Creation_datetime"]
to
dt_YC_Last_Transaction.Rows[0]["Creation_date"]
after the issue is fixed, you should learn a better way to query the database using explicit names, for example, using objects instead calling the string value... You should learn a bit of Entity Framework and Linq, it will improve your code a lot.
I am using Xojo 2013 Version 1. I am trying to delete a record from a SQLite database. But I am failing miserably. Instead of deleting the record, it duplicates it for some reason.
Here is the code that I use:
command = "DELETE * from names where ID = 10"
namesDB.SQLExecute(command)
I am dynamically generating command. but however I change it it always does the same. Same result with or without quotes.
Any ideas?
The very first thing I would do is check to see if there is an error being generated.
if namesDB.Error then
dim s as string = namesDB.errorMessage
msgbox s
return
end
It will tell you if there's a database error and what the error is. If there's no error then the problem lies elsewhere.
FWIW, always, always, always check the error bit after every db operation. Unlike other languages, Xojo does NOT generate/throw an exception if there's a database error so it's up to you to check it.
Try calling Commit().
I just made a sample SQLite database with a "names" table, and this code worked fine:
db.SQLExecute("Delete from names where ID=2")
db.Commit
I have done a lot of work with XOJO and SQLite, and they work well together. I have never seen a record duplicated erroneously as you report. That is very weird. If this doesn't help, post more of your code. For example, I assume your "command" variable is a String, but maybe it's a Variant, etc.
I think on SQLite you don't need the * between the DELETE and the FROM.