I know how to create a Query though Query Design (manually)
but how to create a "Query" with command?
i am looking for something like
Create Query [Query_Name]
As
Select * from Table1
Can anyone post me the code snippet that can do something like this?
Things i have TRIED
Erik von Asmuth's solution : The below query
CREATE PROCEDURE MyQuery
[#Param1] Integer;
SELECT *
FROM SalesInvoice
WHERE SalesInvoice.S_Id = [#Param1]
gave the following error
You can use the PROCEDURE command. Since Access doesn't have stored procedures, that just creates a query.
E.g.:
PROCEDURE MyQuery
[#Param1] Integer;
SELECT *
FROM MyTable
WHERE MyTable.ID = [#Param1]
The use case is pretty limited, since queries are usually created through VBA using the CurrentDb.CreateQueryDef method.
Related
I'm painfully new to SQL/mySQL as a whole so I'm flying blind right now so apologies.
I made a procedure in mySQL that selects a varchar data from a specific column and table, turn it into INT (contents of said column are numerical to begin with) and output its values after going through a mathematical operation as a (very simple) attempt in data masking. As follows:
CREATE PROCEDURE qdwh.mask_varchar_num2(tablename varchar(100), colname varchar (100))
BEGIN
set #a=concat('select','(','(','(','(','select',colname ,'from',tablename,')','+','0',')','+','297',')','*','5',')','as','colname');
prepare query from #a;
execute query;
deallocate prepare query;
END
but when i tried to call the procedure with the following line:
select [column] , mask_varchar_num2 ([column]) from [table];
an error "FUNCTION qdwh.mask_varchar_num2 does not exist" shows up. I wanted the script to output a select function of the column in question after the conversion to INT and the mathematical operation done to it, so i can then use this procedure in a larger script ("create table select as" kinda stuff) to convert the whole table into masked data as needed.
Is there something i am missing and what am i doing wrong? Dbeaver acknowledges the procedure script as legit so i dont know whats wrong. Thanks in advance for the advice.
Procedures are run by using call and cannot be called within a select query. To define a function, you need to use create function.
not an answer but here's what your select looks like..
set #colname='a';
set #tablename='t';
set #a=concat('select','(','(','(','(','select',#colname ,'from',#tablename,')','+','0',')','+','297',')','*','5',')','as','colname');
select #a
'select((((selectafromt)+0)+297)*5)ascolname'
missing a lot of spaces between tokens
hi friends i googled for this and find different methods use by others to prevent sql injection. i wrote in below stored procedure before finalising to follow specific method i want suggestion from you guys. which method should i follow.
below is the example of my stored procedure, in which i wrote different methods
CREATE DEFINER=`root`#`localhost` PROCEDURE `spTestSQLInjection`(pSelfId VARCHAR(100),bIntSelfId BIGINT(20))
BEGIN
SET #sSelfId = pSelfId;
-- Method:1
-- below code is for injection
SET #selectQuery = CONCAT('select * from userProfile where userId = ',#sSelfId);
PREPARE stmt FROM #selectQuery;
EXECUTE stmt ;
DEALLOCATE PREPARE stmt;
-- Method:2
-- injection doesent affect below code
select * from userProfile where userId = #sSelfId;
-- Method:3
select * from userProfile where userId = bIntSelfId;
-- Method:4
SET #sSelectQuery=
'select * from userProfile where userId = ? ';
PREPARE stmtQuery FROM #sSelectQuery;
EXECUTE stmtQuery USING #sSelfId;
DEALLOCATE PREPARE stmtQuery;
END
executed below stored procedure in workbench :
1)call spTestSQLInjection('231', 231);
result : when i pass proper data then result set gives single user data for all then 4 method.
2)call spTestSQLInjection('231 OR 1=1', 231);
result : when i pass '231 OR 1=1' data then result set gives all user data for method 1 and single record for method,2,3,4.
so concluded that method1 is prone to sql injection so not to follow this method, as its dynamic query
& its advisable not to write dynamic query in stored procedure.
method2, method3 worked & gave single user record, which means this query are not prone to sql injection.
method4 is adviced by most of the developer to follow this to prevent sql injection in stored procedure. but my
live project contains 20 to 30 queries(insert/update/delete) inside a stored procedure, so writing prepared statement
for all is time consuming.
so guide me to follow which method, method2, method3, or method4
Thanking you in advance, any help will be appreciated.
Methods 2, 3, and 4 are safe from SQL injection, but method 3 is the simplest solution.
CREATE DEFINER=`root`#`localhost` PROCEDURE `spTestSQLInjection`(pSelfId VARCHAR(100), bIntSelfId BIGINT(20))
BEGIN
-- Method:3
select * from userProfile where userId = bIntSelfId;
END
There's no need to create a user-defined variable, because the procedure parameter bIntSelfId is already a variable.
There's no need to use a parameter or a prepared statement in this case, because the variable is treated only as a scalar value. It doesn't need to modify any SQL syntax, nor is it used as an identifier, so it can simply be used in the query as shown above.
This assumes your table does not have its own column with the same name of bIntSelfId. If it did, the use of that identifier would be ambiguous. It's recommended to name your parameters distinctly from any of the columns of tables you will query using that variable. Using a user-defined variable or a query parameter would also avoid the ambiguity.
I already wrote a pretty complex stored procedure, but now i want to bring some dynamics into the procedures using variables. I still call myself a newbiew when it comes to sql programming, so i might be totally on the wrong way with what i'd like to achieve.
I am running the latest MySQL server 8.0.13 on windows (just for local dev).
My current idea for the stored procedure
... uses an input variable
... declares a cursor (using the var)
... create a temp table (using the var)
... iterates through the temp table
... write data to a new table
I think i understand some of the basic tools to do that but i fail again and again with handling the variable(s)
The following code shows the top part of the project where i already fail.
PROCEDURE sprProcedure (
IN vInputParameter varchar(64)
)
BEGIN
DECLARE vFinished INTEGER DEFAULT 0;
-- declare cursor
DECLARE cCursor CURSOR FOR SELECT * FROM tbltmp_(vInputParameter);
DECLARE CONTINUE HANDLER
FOR NOT FOUND SET vFinished = 1;
-- drop / create temp table
DROP TABLE IF EXISTS (vInputParameter);
CREATE TEMPORARY TABLE tbltmp_(vInputParameter)
SELECT * FROM `tbl_DataSource`;
... did not paste any further code as i can't deal with the following issue.
I tried
... using the variable directly > variable is not resolved in DECLARE CURSOR statement
... define user-defined variable before local-variables is not allowed
... CONCAT'ed the string to build a statement and EXECUTE'ed it > does not work in the DECLAREpart of the stored procedure
At this point i am totally open to every hint or totally new ideas about how to approach this.
Thanks for any advice!
[Update]
My approach up there has some flaws and i did not understand the basic concept of temp tables for example being unique to the session. Thanks to 'D's Query' and a little more reading i now have a working stored procedure without having to deal with dynamic names of cursors and temp tables.
I dont know what actually you are focusing on but loading a dynamic tables can be possible with prepared statements in Stored Procedures but prepared statements won't work with CURSORS.
Example of Prepared statement is
SET $sql=CONCAT('SELECT * from ', var_tablename);
PREPARE stmt FROM #sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
Please have a look at the code below:
DELIMITER $$
DROP PROCEDURE `mostPopular`
CREATE PROCEDURE `mostPopular`()
BEGIN
DROP view if exists mostRec;
create view mostRec as select count(*) as ord,course_code from cms.courses_viewed group by course_code;
select course_name from course join mostRec on course.course_code=mostRec.course_code order by ord desc;
END
This code works in Mysql Workbench but it does not work in phpMyadmin.
It prints "Cannot return a ResultSet in the Given Context in mysql". Does anyone know why this might be happening?
Most probably this is because the PMA doesn't use mysqli_multi_query you can test it by making a php script that executes this procedure using the mentioned function
[SQL Server 2008 Std]
I have a stored procedure that is used to insert new data into a table, which works as expected. However I now need to call this stored procedure multiple times using the results of a query as the parameters.
e.g.
select
name, age, foo, bar
from
sometable
where
wobble = 'true'
exec insertProc name age foo bar
I know I can use a cursor to acheive this, but I keep reading that "cursors are bad"...but I don't know any other way to do this?
One solution is to use cursor. Other is to prepare your result set into temp table before calling the procedure and then supply it to the procedure ( you have to alter the procedure by adding table-value param as input param). Some info in msdn.