Select * from Select - mysql

Its very weird situation I know, nut I have got myself into it somehow. I have to connect to some other system service by passing some parameters in url.
In their service they are creating some query using parameter I pass.
For my case I have to pass 'Select' as a parameter name which is actually some class name on their side. So they end up in creating query as Select * from select
and some condition.
On execution I am getting error response as:
'There was a syntax error in a SQL query or filter expression at line
1, position 186. Saw \"Select\" but expected
'..SQL: \"SELECT col1, col2 FROM Select AS D where
some condition.
Can somebody help me on this.

Since Select is reserved word, you have to escape it by enclosing in backticks characters in order for MySQL to process your query:
select * from `select`

Its recommended not to use MySQL reserved keywords.. but if its necessary there is a solution..
Use this, it will work for you :
select * from yourdatabasename.select

Related

Using PDO and LIKE not working, why?

I'm using PDO to connect to MySQL. Everything is working fine, except this doesn't work.
Does anyone knows why? And how should i do it?
SELECT * FROM flagIt WHERE :flagids LIKE CONCAT('%', flagIt.flagIt_id, '%')
:flagids is equivalent to a string like "ID1 ID2 ID3".
EDIT (just to compare)
SELECT * FROM flagIt WHERE 'ID1 ID2 ID3' LIKE CONCAT('%', flagIt.flagIt_id, '%)
If i use like this, it works fine, so...why it does not work with :flagids?
I hope you understand my problem.
Thank you very much.
EDIT
I tried:
"SELECT * FROM flagIt WHERE flagIt.flagIt_id IN(:flagids)"
and as Hobo Sapiens suggested
"SELECT * FROM flagIt WHERE FIND_IN_SET(flagIt.flagIt_id, :flagids)"
and nothing works!!!!!!!!!
This is the query you're submitting to PDO::prepare():
SELECT * FROM flagIt WHERE :flagids LIKE CONCAT('%', flagIt.flagIt_id, '%')
The process of preparing a statement doesn't just involve evaluating the contents of the placeholders, substituting them in a string and executing the resulting query.
A prepare asks the server to evaluate the query and prepare an execution plan that includes the table and indexes it will use. For that it needs to know which columns of which tables it must work with, which is why one cannot use a placeholder where you would need an identifier.
The problem with your query is that the server has no way to know at the time it prepares the statement whether the placeholder represents a string literal or a column identifier. Without that information, the preparation cannot be done, and your prepare will fail.
If you have some flexibility over the value you're using in :flagids you could use find_in_set():
SELECT * FROM flagIt WHERE find_in_set(flagIt_id, :flagids)
where a variable containing, for example, 'ID1,ID2,ID3' is bound to :flagids.
This will be fine for small lists, but will be slow for a large list.
MySQL reference for find_in_set()

Working with parameters Delphi XE7 Firedac

Any assistance here would be great.
I am trying to use parameters to dynamically change 'ORDER BY'
Below is the code I have tried but despite following the documentation I still get an error '[FIREDAC][PHYS][MYSQL] You have an error in your SQL syntax ... near "ORDER BY some_field" at line 4'
I have set ParamCreate to True
My database is MySQL
FDQuery1.Close;
FDQuery1.SQL.Clear;
FDQuery1.SQL.Add('SELECT *');
FDQuery1.SQL.Add('FROM my_table');
FDQuery1.SQL.Add('LIMIT 1000');
FDQuery1.SQL.Add(':id');
FDQuery1.ParamByName('id').AsString := 'ORDER BY some_field';
FDQuery1.Open;
You did not cite the exception message as it shows up. Here is the original message
[FireDAC][Phys][MySQL] You have an error in your SQL syntax ... near ''ORDER BY some_field'' at line 4.
compare to your cite
[FIREDAC][PHYS][MYSQL] You have an error in your SQL syntax ... near "ORDER BY some_field" at line 4
To avoid this for the future just press CTRL+C on the focused exception window and the complete message is inside your clipboard and can be pasted wherever you like
Now reading this, the error is now very clear.
You expect to get a statement like this
SELECT *
FROM my_table
LIMIT 1000
ORDER BY some_field
But using the parameter you will get the following statement
SELECT *
FROM my_table
LIMIT 1000
'ORDER BY some_field'
and that is exactly what the exception message is telling you.
Just check the exception message with the previous statement
... near 'ORDER BY some_field' at line 4.
and
... near ''ORDER BY some_field'' at line 4.
As a conclusion it is not possible to change the statement itself using parameters. You can only pass values as parameters for the statement.
And the correct statement should be anyway
SELECT *
FROM my_table
ORDER BY some_field
LIMIT 1000
Don't know if this helps.
But you can use the 'Macros' property of TFDQuery, like Parameter that are identified by the ':', the Macros are identified bye the '!', You can also combine Macros and Params. The Macros property works almost as the Params property. Use the TFDQuery.MacroByname to assign a Macro Value, and use the TFDQuery.MacroByname('MacroName').AsRaw to assign a string As-Is.
So your query should look like:
FDQuery1.Close;
FDQuery1.SQL.Text := 'SELECT * FROM !TABLE_NAME !WHERE_CLAUSE !ORDERBY_CLAUSE';
FDQuery.MacroByname('Table_name').AsRaw := 'my_table';
FDQuery.MacroByname('Where_clause').AsRaw := 'WHERE field1 = :ID_Value';
FDQuery.MacroByname('OrderBy_clause').AsRaw := 'ORDER BY field1';
FDQuery.ParamByname('ID_Value').AsInteger := 1;
FDQuery1.Open;
Hope this helps
you need very simple SQL query:
FDQuery1.Close;
FDQuery1.SQL.Text := 'SELECT * FROM my_table';
FDQuery1.Open;
To set a limit of the record count, you can use property of the FDQuery1:
FDQuery1.FetchOptions.RecsMax := 1000;
To sort values you can use
FDQuery1.IndexFieldNames = 'field_name'
or
FDQuery1.IndexFieldNames = 'field_one_name;field_two_name'
instead of your code.
Edit: Oh, I didn't actually answer your question. So for FireDac, you can just set the FDQuery1.IndexFieldNames property to the name of the field/s you want to order by. No need to close and re-open your query, or change the SQL.
Previous answer: You cannot pass SQL code [EDIT: including ORDER BY etc.] in parameters, only parameter values, i.e. integers, strings etc.
This principle is extremely important, otherwise you could pass e.g.
FDQuery1.ParamByName('id').AsString := '; TRUNCATE TABLE my_table';
Executing your query would then delete everything in the table instead of doing what it's supposed to do. Or with a bit more work, your same query could return passwords, credit card numbers or whatever else is in your database. This would have been a huge vulnerability, and is known as SQL Injection. Please see for example:
http://www.w3schools.com/sql/sql_injection.asp
http://sqlmap.org/
http://hackaday.com/2014/09/01/gaining-access-to-the-oculus-developer-database
RXLIB has this functionality. It has the MACRO opttions, where you can write a code like this:
Select %fields_
from %table_
where %condition_
order by %order_
BUT it´s only for use qith BDE.
Will be wonderfull if someone rewrite the code to work with ADO ou FIREDAC.

MySql explode/in_array functionalilty

In my table I have a field with data such as 1,61,34, and I need to see if a variable is in that.
So far I have this
SELECT id, name FROM siv_forms WHERE LOCATE(TheVariable, siteIds) > 0
Which works, with the exception that if the siteIds were 2,61,53, and TheVariable was 1, it would return the row as there is a 1 in 61. Is there anyway around this using native MySql, or would I need to just loop the results in PHP and filter the siteIds that way?
I've looked through the list of string functions in MySql and can't see anything that would do what I'm after.
Try with find_in_set function.
SELECT id, name FROM siv_forms WHERE find_in_set(TheVariable, siteIds);
Check Manual for find_in_set function.

Django raw SQL query trouble with format characters and string interpolation

In my Django app, I need to generate a MySQL query like this:
SELECT * FROM player WHERE (myapp_player.sport_id = 4 AND (myapp_player.last_name LIKE 'smi%'))
UNION
SELECT * FROM player WHERE (myapp_player.sport_id = 4 AND (myapp_player.first_name LIKE 'smi%'));
I can't use Q objects to OR together the __istartswith filters because the query generated by the Django ORM does not use UNION and it runs at least 40 times slower than the UNION query above. For my application, this performance is unacceptable.
So I'm trying stuff like this:
Player.objects.raw("SELECT * FROM myapp_player WHERE (sport_id = %%s AND (last_name LIKE '%%s%')) UNION SELECT * FROM sports_player WHERE (sport_id = %%s AND (first_name LIKE '%%s%'))", (sport.id, qword, sport.id, qword))
I apologize for the long one-liner, but I wanted to avoid using a triple-quoted string while trying to debug this type of issue.
When I execute or repr this queryset object, I get exceptions like this:
*** ValueError: unsupported format character ''' (0x27) at index 133
That's a single-quote in single quotes, not a triple-quote. If I get rid of the single-quotes around the LIKE clauses, then I get a similar exception about the close-paren ) character that follows the LIKE clause.
Apparently Django and MySQL disagree on the correct syntax for this query, but is there a syntax that will work for both?
Finally, I'm not sure that my %%s syntax for string interpolation is correct, either. The Django docs suggest that I should be able to use the regular %s syntax in the arguments for raw(), but several online resources suggest using %%s or ? as the placeholder for string interpolation in raw SQL.
My sincere thanks for just a little bit of clarity on this issue!
I got it to work like this:
qword = word + '%'
Player.objects.raw("SELECT * FROM myapp_player WHERE (sport_id = %s AND (last_name LIKE %s)) UNION SELECT * FROM myapp_player WHERE (sport_id = %s AND (first_name LIKE %s))", (sport.id, qword, sport.id, qword))
Besides the fact that %s seems to be the correct way to parameterize the raw query, the key here was to add the % wildcard to the LIKE clause before calling raw() and to exclude the single quotes from around the LIKE clause. Even though there are no quotes around the LIKE clause, quotes appear in the query ultimately sent to the MySQL sever.

Problem with SELECT * in MySQL through ODBC from Microsoft SQL Server

I have a MySQL server as a linked server in Microsoft SQL Server 2008. For the link I use MySQL ODBC Connector version 5.1.8. When invoking queries using OPENQUERY (the only way I found of performing queries), problems occur. Simple queries, such as
SELECT * FROM OPENQUERY(MYSQL, 'SHOW TABLES')
work fine. Selection of individual columns, e.g.,
SELECT * FROM OPENQUERY(MYSQL, 'SELECT nr FROM letter')
works fine as well, but SELECT * syntax does not work. The query:
SELECT * FROM OPENQUERY(MYSQL, 'SELECT * FROM mytable')
raises an error:
Msg 7347, Level 16, State 1, Line 6
OLE DB provider 'MSDASQL' for linked
server 'MYSQL' returned data that does
not match expected data length for
column '[MSDASQL].let_nr'. The
(maximum) expected data length is 40,
while the returned data length is 0.
How can I make the SELECT * syntax work?
This problem happens if you are querying a MySQL linked server and the table you query has a datatype char(). This means fixed length and NOT varchar(). This happens when your fixed length field has a shorter string than the maximum length that SQL Server expected to get from the ODBC.
To fix this go to your MySQL server and change the datatype to varchar() leaving the length as it is. Example change char(10) to varchar(10).
Executing the following command before queries seems to help:
DBCC TRACEON(8765)
The error messages go away and queries seem to be working fine.
I'm not sure what it does though; I found it here: http://bugs.mysql.com/bug.php?id=46857
Strangely, SQL Server becomes unstable, stops responding to queries and finally crashes with scary-looking dumps in the logs a few minutes after several queries to the MySQL server. I am not sure if this has to do anything with the DBCC command, so I'm still interested in other possible solutions to this problem.
What I did to fix this since I can't modify the MySQL database structure is just create a view with a cast ex: CAST(call_history.calltype AS CHAR(8)) AS Calltype,
and select my view from MSSQL in my linked server.
The reason behind is that some strange types don't work well with the linked server (in my case the MySQL enum)
I found this
"The problem is that one of the fields
being returned is a blank or NULL CHAR
field. To resolve this in the Mysql
ODBC settings select the option "Pad
CHAR to Full Length"
Look at the last post here
An alternative would be to use the trim() function in your SELECT statement within OPENQUERY. The downside is you have to list each field individually, but what I did was create a view that calls OPENQUERY and then perfrom select * on the view.
Not ideal, but better than changing data types on tables!
Here is a crappy solution I came up with because I am unable to change the datatype to varchar as the db admin for the MySQL server is afraid it will cause issues with his scripts.
in my MySQL select query I run a case statement checking the character length of the string and add a filler character in front of the string "filling it up" to the max (in my case its a char(6)). then in the select statement of the openquery I strip the character back off.
Select replace(gradeid,'0','') as gradeid from openquery(LINKEDTOMYSQL, '
SELECT case when char_length(gradeid) = 0 then concat("000000", gradeID)
when char_length(gradeID) = 1 then concat("00000", gradeID)
when char_length(gradeID) = 2 then concat("0000", gradeID)
when char_length(gradeID) = 3 then concat("000", gradeID)
when char_length(gradeID) = 4 then concat("00", gradeID)
when char_length(gradeID) = 5 then concat("0", gradeID)
else gradeid end as gradeid
FROM sometableofmine')
it works but it probably is slower...
maybe you can make a MySQL function that will do the same logic, or come up with a more elegant solution.
I had the similar problem to this myself, which I resolved by wrapping the column-names in single ` style quotes.
Instead of...
column_name
...use...
`column_name`
Doing this helps the MySql query-engine should the column-name clash with a key or reserved-word.*
Instead of using SELECT * FROM TABLE_NAME, try to use all column names with quotes:
SELECT `column1`, `column2`, ... FROM TABLE_NAME
Example for normal datatype columns
SELECT * FROM OPENQUERY(MYSQL, 'SELECT `column1`, `column2`,...,`columnN` FROM mytable')
Example for ENUM datatype columns
SELECT * FROM OPENQUERY(MYSQL, 'SELECT `column1`, trim(`column2`) `column2`, `column3`,...,`columnN` FROM mytable')
*For those used to Sql Server, it is the MySql equivalent of wrapping a value in square-brackets, [ and ].