MySQL gives me syntax error for a simple query but I don't see any error. If you guys find any please help.
insert into cast(sid,celeb_id,type,name,prior)
values(30,1,1,'James Keziah Delaney',2)
It gives sql syntax error near cast.
The main cause of this error is that there is a function Cast in mysql.
It look like to call the cast() function.
You can choose one of the solutions to solve it.
add ` to contain cast table name
look like this.
insert into `cast`(sid,celeb_id,type,name,prior) values(30,1,1,'James Keziah Delaney',2)
sqlfiddle
add a space between cast and ( let mysql know you did't want to execute Cast method. thank for #Barmar remind.
Note:
I would suggest you don't give the table name from keyword or function name.
You can't insert into cast(). It requires a list of column names.
Related
I am new to MySQL and I am building a Flask project and using mysql.connector to query a MySQL Database. I know this question has been answered many times before but this is more specific to using MySQL with Flask.
I need to pass a query where I want to plug in the table name into the query, dynamically, depending on the value stored in the session variable in Flask. But the problem is, if I try to do:
Method 1:
cur.execute('SELECT * FROM %s;',(session['table_name'],))
the database throws an error stating that such a table is not found. However, the problem is mysql.connector keeps enclosing the table name with single quotes, hence the error.
Sample Error Statement:
mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''52_data'' at line 1
Here the table name should be 52_data and not '52_data'.
Only other workaround, I figured, is using:
Method 2:
cur.execute('SELECT * FROM '+session['table_name']+';')
which is working but it does not escape SQL Injection, I am guessing, since it's direct concatenation, unlike Method 1, where the cur.execute() function handles the escaping, as per this question.
The value being passed is stored in a sessions variable in Flask, which is not so secure, as per Miguel's Video. Hence, I want to escape that string, without triggering off an error.
Is it possible to implement Method 1 in a way that it does not add the quotes, or maybe escape the string using some function? Or maybe any other Python/Flask package that can handle this problem better?
Or if nothing works, is checking for SQL Injection manually using regex is a wiser option?
Thanks in advance.
Note: The package name for this mysql.connector is mysql-connector-python and not any other same sounding package.
For identifiers, you can use something like:
table_name = conn.converter.escape(session['table_name'])
cur.execute('SELECT * FROM `{}`'.format(table_name))
For values placeholders, you can use your Method 1, by using the parameters in the cur.execute() method. They will be escaped and quoted.
More details in https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html
NOTE: You don't need to end the SQL statements with ;
I can not figure out (not sure what the error codes mean) what is wrong with the below SQL statement and I am do not have enough experience to troubleshoot it. Thank you :).
UPDATE `dbo.Custom_PrimerSet`
SET `Hyperlink` = replace(Hyperlink, 'xxxx', 'pxlence')
Error
Error in table name or view name in UPDATE clause.
Error in set list in UPDATE clause.
Incomplete SET clause.
Unable to parse query text.
You use both Hyperlink and 'Hyperlink'. If you make those consistent and correct does it work out better?
Correct in this case being to omit the quote in the update statement. At least that what works for me in a sqlfiddle
I need this query for testing exception handling, so I would prefer that the query is not schema dependent. I am looking for something like SELECT 1; but of course that doesn't fail.
I am using Java and MySQL but I hope to find answers that doesn't depend on programming languages and/or RDBMSs.
What about "SELECT 1/0" for starters?
You could put an invalid token into the query
select doesnotexist.* from something_else
Or of course, what you should do is mock out the method and have it throw the exception during your test.
there are tons of ways to make a query fail, like mispelling a field, or selecting from non existing tables. for example:
SELECT some_fake_field FROM table_that_doesnt_exists
One way to trigger a failure is to call a stored procedure with the wrong number of parameters. Another similar idea is to write an update/insert statement with the wrong number of arguments...
More ideas here:
How to raise an error within a MySQL function
Any old syntax error will do... like an unterminated string
select 'bob
To get 1/0 to raise an error in MySQL, you need to set sql_mode to ERROR_FOR_DIVISION_BY_ZERO.
Try this:
SET sql_mode = 'ERROR_FOR_DIVISION_BY_ZERO';
SELECT 1/0;
If this sql_mode isn't set, MySQL will return a NULL instead of an error.
You can check what your current settings are with the following:
SELECT ##GLOBAL.sql_mode;
SELECT ##SESSION.sql_mode;
In MySQL the below query is executing properly.
SELECT * FROM <Table-name> WHERE (Table.ID LIKE '1%')
But when I try to execute the above query in Postgres, I get the following exception
"org.postgresql.util.PSQLException: ERROR: operator does not exist:
integer ~~ unknown Hint: No operator matches the given name and
argument type(s). You might need to add explicit type casts".
If I convert the same query
SELECT *
FROM <Table-name>
WHERE CAST(Table.ID as TEXT) LIKE '1%'
This gets executed directly in Postgres DB. But I need some query which implicitly type cast in DB, which allows me to execute the MySQL query without any exception. Because I remember there is a way for integer to boolean implicit type cast.
Thanks in advance.
If you search this site with [postgresql] explicit type casts you will get enough information to solve your problem.
I am using navicat lite with mysql database.
my database is test
and i have a table named transactions with schema:
date, sharename,buyORsell,quantity,finalrate
I am trying to create a new procedure which takes some input and outputs some results, and I would want that when I execute this procedure, this procedure asks for the input parameter from the user and outputs results accordingly.
My requirement: given a input (transaction type i.e. 'buy' or 'sell'), it should output all the transactions with that type
I create a function and click on procedure
BEGIN
#Routine body goes here...
select * from test.transactions where buyORsell = intype;
END
In the space below, I see:
IN `intype` char
But when I run this prcedure and type sell in "enter parameter" pop-up, I get the error:
Unknown column 'sell' in 'field list'
Please help..
I had the same problem. I fixed it by defining char with a length (i.e. char(254)) and then wrapping the input string in quotes when prompted.
You have an error in your stored procedure definition and forgot to include the intype as a parameter
Looks like it might be a Navicat problem. I now use HeidiSQL for functions and that seems to work fine.
With Navicat, the same problem occurs when I have an input parameter - whether or not I use that paramater. Like Martin I can clear out all the code from BEGIN...END but still get the error if I use any char or varchar input parameter.
In fact, using varchar as an input parameter ALWAYS gives a save/compile error with ANY function using Navicat. With Navicat, Varchar in functions seems completely broken.