I'm currently working on a query that needs to be created dynamically depending on the input. Basically in my database I store a bunch of maps of key/value pairs, and the query is a map of key/value pairs from which all key/value pairs need to match.
I've found how to use N1qlQuery.parameterized() with a statement and placeholder values using "$param", but this doesn't work for fieldnames in the Expression.x("field") clause. Problem being, while my field values will be safe from SQL injection, my field names won't if I just put the string value the user has entered in there.
How can I escape dynamically built field names in my query ?
String fieldNameThatCanBeHacked = "fieldNameThatCanBeHacked";
Statement statement = Select.select("*").from(CouchbaseConfig.BUCKET_NAME).where(Expression.x(fieldNameThatCanBeHacked).eq("$param");
Related
SELECT name FROM accounts WHERE Name in ("name1","name2");
the values are being sent inside a json array
["name1","name2"]
currently i just convert the array into json string and remove the first and last characters
"name1","name2"
but could i just keep the array intact? i tried json_contains
SELECT name FROM accounts WHERE JSON_CONTAINS(name,'["name1","name2"]');
my understanding as to which why that didn't work is because name column isn't json string array
Core issue is you can't "prepare" flex statements without some sort of preprocessing.
Generally you'll want to do input validation etc, on the application side regardless, and then use some sort of pre-constructor if you're not using an ORM.
ie:
$values = ["name1", "name2"];
// Validation should happen here
$inputs = substr(str_repeat("?,", count($values)), 0, -1);
$bind = str_repeat("s", count($values));
$sqli = "SELECT name FROM accounts WHERE Name in ($inputs);";
...
$stmt->bind_param($bind, ...$values);
...
You can use the same principal for PDO as well, but regaredless you're gunna want to handle the validation layer on the application side, and there is no "easy" way to inject "IN" statements into prepared SQL.
I have to write a stored procedure where I want to set values for a variable called colorId using IN operator, the parameter can be a list of integer ids or no ids. I am wondering what should be the type of variable in the stored procedure?
where color_id IN (1,2,3,4);
Thanks for the help!
If you send a string like '1,2,3,4' as a single parameter, the query will run as if you had done this:
where color_id IN ('1,2,3,4');
The way MySQL does implicit type casts to integer, this converts the value to an integer using only the leading digits, and ignores everything after the first comma. So it will really run as if you had done this:
where color_id IN (1);
There is no way to "remove" the quotes. The point of query parameters is that they are not combined with the query until after the SQL parsing is done. Therefore the parameter is fixed as a single string value in that expression. You can't convert a parameter into a list of discrete values, because that would change the syntax of the query.
So you must pass multiple parameters, one for each value in your list. Like this:
...where color_id IN (?, ?, ?, ?);
And use some function in your client application to split the string into multiple parameters and then pass them not as a single string value, but as multiple integer values.
Some people try to use tricks like using MySQL's FIND_IN_SET() function, but I don't recommend this, because it cannot be optimized with any index.
You tagged this question stored-procedures from which I infer that you are trying to write a procedures that accepts a string of comma-separated integers and use it in an IN() predicate. This is more inconvenient to do in a stored procedure than in any other programming language, because MySQL's stored procedure language doesn't support arrays or good functions for splitting strings or counting elements. It can be done with enough effort, but the code is awful and you will quickly wish you were using any other language.
Your can pass parameter value like this - '1,2,3,4' and FIND_IN_SET function will be able to search in the provided string:
SELECT *
FROM colors
WHERE FIND_IN_SET(color_id, param); # param --> '1,2,3,4'
i have a code in sql for string comparison which takes two parameters as input works upon it and returns a result. both of the parameters are words, i want to change the parameter from a single word to a database column. how do i do that?
say for example in java its like storing the data in an array and than passing the whole array. can something like this be done in sql?
You can use the Select query for passing each value of a particular column from the table into your function.
like this,
SELECT compare_city_name('baroda',t.cityname) from tablename as t
In this query, you pass all cities name from cityname column to the function compare_city_name one by one.
Pass it as a VARCHAR, then build the query with "prepare" and "execute" it.
I need to find intersect value from two comma separated string in stored procedure.
String 1: 40,31,42,23,45 => System generated numbers
String 2: 30,23,24,31,25,32 => User selected numbers
I want to check that, do any of my numbers are present in system generated numbers.
Above value should return 23,31.
I have solution that, i will loop through system generated numbers and will check one by one with my numbers using FIND_IN_SET, if present i will CONCATE that and will get required output.
But is there any shorter and optimized way to do this?
I am trying to pass a parameter to a query, rather than write copious text I have narrowed it down to this simple explanation.
The frament I am trying to insert into is
where pkw_0.keyword in (:kwd)
I have used a String[] to construct a string of the form vals="'AVal','BVal'" which I pass to the query using setParameter("kwd",vals); The query returns zero results. However if I construct the query by hand and use the mysql console the query returns 1 result which is expected.
So I am assuming that either a single string is incorrect for the parameter or there is some conditioning of the values that I need to do prior to passing them via the setParameter call.
Each parameter can only represent a single literal value. You will need to create multiple placeholders in your prepared statement (one for each value) and then provide each value to MySQL as a separate parameter.