spring boot get data from mysql table given by url - mysql

I want to create simple app to search some data in specific table.
I've got one database and can connect to it.
Also when I hardcoded table name it works great.
But I want to make url like that:
/demo/{table}/{author}
It should work that i give specific table for eg. 'comedy' and next I set name of author for eg. 'smith'.
My booksRepository:
#Query(value = "SELECT * FROM :table WHERE author = :author",
nativeQuery=true)
public List<Book> findByAuthor(#Param("author") String author, #Param("table") String table);
But it didn't work. I've got error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''comedy' WHERE author = 'Smith'' at line 1
It's adding ' to Query. Is there way to delete that? Is it possible or I need to put everything in one table?
Cheers :)

I haven't looked it up, but it seems that the variables in the query SQL can only be used to insert quoted values, not unquoted identifiers like a table name.

Related

Avoid symbolic error in MySql when user selected options transmitted

I have VB.net website. Somewhere I have used Update Query which has no errors in terms of syntax but suppose If user has selected some symbolic values like below
UPDATE Table SET Column = ''A'-wing' Where ID = '123'
So here in column the value 'A'-wing has quote which result to syntax error in my query. How do I avoid users option related error in query?
You have to escape your quotes by adding a backslash in front of them. Change your query to this:
UPDATE Table SET Column = '\'A\'-wing' Where ID = '123'
For more informations about this, check the official documentation here.

Hibernate SQL Injection

I'm auditing a project and I found a way to inject data in a query.
The project uses Hibernate and for this piece of code Session.createSqlQuery() and then a .list()
The SQL is something like : "SELECT * FROM tablename ORDER BY column XXXXXX"
XXXXXX can be modified using Fiddler. So I tried
SELECT * FROM tablename ORDER BY column DESC; truncate table tablename;
Unfortunately (well only for my injection attempt) it's not working and I'm getting :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'truncate table tablename'
My question is, since they're using createSQLQuery, are they safe from injection. If they're not, could you give me an example to highlight the issue.
I tried using %08 (Backspace character) thinking I would be able to delete previous query characters for example (It didn't work ;) )
Thanks.
After some research it seems I won't be able to modify data with this security hole, however using ORDER BY (CASE WHEN ...) would allow to "scan" the tables and the data.
Is the column name specified using a parameterized statement or are you just concatenating text?
ex: in perl::DBI, the drivers support the following syntax:
$dbh->do("SELECt * FROM asdf ORDER BY ?", undef, $order_by);
The ? there is a form of parameterized statement which sanitizes the input automatically.

C# MySql Syntax Exception when querying against an IP addres

I'm querying against an IP address stored in a table of a database with the following:
"SELECT user_id, is_login FROM users WHERE last_ip_address = '" + this.GetIPAddress() + "'"
I know that the IP is in the table because I see it there. I'm literally staring at it, but this query returns no rows.
When I run it without the single tick quotes ('), I get a syntax error:
"SELECT user_id, is_login FROM users WHERE last_ip_address = " + this.GetIPAddress()
So where is this going wrong? The IP returned by the function is the standard format ###.###.###.### IP address, and the syntax error itself is this:
{"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.##.#' at line 1"}
Edit: Some more info, the field itself is a varchar(30) type, and it says Collation = latin1_swedish_ci, but I don't even know what that is.
Thanks
Try using a LIKE then:
"SELECT user_id, is_login FROM users WHERE last_ip_address LIKE '%" + this.GetIPAddress() + "%'"
Edit: I would try to change that collation to UTF8.
Okay I am sorry for the confusion. I am very new to using MySql with C# and very VERY new (like I mean I just started today) with MySqlConnector.
To make a long answer short, I was trying to treat the table like, well, a table, and just read from it like a two dimensional array, when what I needed to be doing was using the MySqlDataReader. I found a good answer here:
How to read columns and rows with C#?
Thanks all for your help and advice.

MySQL - Data with the symbol "&"

I have the below data in my MySQL table "categories":
id Name
-----------------
1 Books & CDs
2 Dress
When I try to get the value from table it works fine with below SQL.
SELECT * FROM `categories` WHERE `name` = 'Books & Cds';
But when using in PHP, it gives me some SQL error.
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' at line 5
Where can I find the actual reason for this? How to debug this?
If you want to search for rows in your Category table in your PHP code, I recommend that you add a column in your table for a code to use instead of searching on the name that you use for the end users. The potential problem that you're facing is that if you want to change the name of a category, you'd have to find everywhere in your code that you referred to that category by name and change it too. But if your table looked like this:
ID code name
1 BCDS Books & CDs
2 DRS Dress
then your code can do things like "where code = 'BCDS'" and you can call that category "Books & CDs", "CDs and Books", or anything else you like.
Now, as far as fixing your syntax problem, you'll have to post the PHP that you use to generate the query that fails. As another poster said, you're probably escaping something incorrectly and MySQL isn't getting the query you think it's getting.

Rails 3 MySQL 2 reports an error in what looks to be valid SQL syntax

I am trying to use the following bit of code to help in seeding my database. I need to add data continually over development and do not want to have to completely reseed data every time I add something new to the seeds.rb file. So I added the following function to insert the data if it doesn't already exist.
def AddSetting(group, name, value, desc)
Admin::Setting.create({group: group, name: name, value: value, description: desc}) unless Admin::Setting.find_by_sql("SELECT * FROM admin_settings WHERE group = '#{group}' AND name = '#{name}';").exists?
end
AddSetting('google', 'analytics_id', '', 'The ID of your Google Analytics account.')
AddSetting('general', 'page_title', '', '')
AddSetting('general', 'tag_line', '', '')
This function is included in the db/seeds.rb file. Is this the right way to do this?
However I am getting the following error when I try to run it through rake.
rake aborted!
Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group = 'google' AND name = 'analytics_id'' at line 1: SELECT * FROM admin_settings WHERE group = 'google' AND name = 'analytics_id';
Tasks: TOP => db:seed
(See full trace by running task with --trace)
Process finished with exit code 1
What is confusing me is that I am generating correct SQL as far as I can tell. In fact my code generates the SQL and I pass that to the find_by_sql function for the model, Rails itself can't be changing the SQL, or is it?
SELECT * FROM admin_settings WHERE group = 'google' AND name = 'analytics_id';
I've written a lot of SQL over the years and I've looked through similar questions here. Maybe I've missed something, but I cannot see it.
"group" is a keyword so you can't use it as-is as an identifier, you have to quote it with backticks (for MySQL at least):
SELECT *
FROM admin_settings
WHERE `group` = 'google'
AND name = 'analytics_id'
Any SQL that Rails/ActiveRecord generates will use the quoted version of the column name so I'd guess that you're generating some SQL (or just a snippet of SQL for the WHERE clause) and neglecting to quote the column names.
I'd recommend against using group as a column name, use something else so that you don't have to worry about sprinkling backticks all over the place in your code.
group is an invalid field name if left unquoted, as it is a SQL keyword. To fix, surround it with backticks in your find_by_sql query, so your DB doesn't attempt to interpret it as the GROUP keyword.