Convert text box values in access query to mysql - mysql

I am currently in the process of moving all my Access databases to a MySQL server. I have some pretty big queries I would like to convert into sql direct.
The only thing is that in those queries I am using the content of a textbox in my form :
IIf(IsNull([Formulaires]![DialogueMAJDossier]![FiltreTypeEntree]),[TypeDossier],[Formulaires]![DialogueMAJDossier]![FiltreTypeEntree])
(Excuse me for all the names being in french)
I know that when I convert it to MySQL syntax, it should give something like this :
IFNULL(`Formulaires`.`DialogueMAJDossier`.`FiltreTypeEntree`, `TypeDossier`)
But I have no idea how to account for the text box value in my query.
Any help will be gladly appreciated

Pass-Through queries cannot have parameters, so you'll have to use a workaround.
Option 1:
Save the SQL with "variables" in a template table, e.g. SELECT foo, {FiltreTypeEntree} FROM bar.
Then before executing the Pass-Through query, read the template SQL, Replace() the variable with the result of your IIf expression, and set the .SQL property of the query with the final string.
Option 2:
Create a "Variables" table in MySql. Fill its fields via code, and have your Pass-Through query join this table to get the variable values.
In a multi-user scenario, you'd have to introduce some kind of session management for Option 2, so I'd go with (1) in this case.

Related

Save MySql 'Show' result in db

So I'm kind of stumped.
I have a MySql project that involves a database table that is being manipulated and altered by scripts on a regular basis. This isn't so unusual, but I need to automate a script to run (after hours, when changes aren't happening) that would save the result of the following:
SHOW CREATE TABLE [table-name];
This command generates the ready-to-run script that would create the (empty) table in it's current state.
In SqlWorkbench and Navicat it displays the result of this SHOW command in a field in a result set, as if it was the result of a SELECT statement.
Ideally, I want to take into a variable in a procedure, and change the table name; adding a '-mm-dd-yyyy' to end of it, so I could show the day-to-day changes in the table schema on an active server.
However, I can't seem to be able to do that. Unlike a Select result set, I can't use it like that. I can't get it in a variable, or save it to a temporary, or physical table or anything. I even tried to return this as a value in a function, from which I got the error that a function cannot return a result set - which explains why it's displayed like one in the db clients.
I suspect that this is a security thing in MySql? If so, I can totally understand why and see the dangers exposed to a hacker, but this isn't a public-facing box at all, and I have full root/admin access to it. Hopefully somebody has already tackled this problem before.
This is on MySql 8, btw.
[Edit] After my first initial comments, I need to add; I'm not concerned about the data with this question whatsoever, but rather just these schema changes.
What I'd really -like- to do is this:
SELECT `Create Table` FROM ( SHOW CREATE TABLE carts )
But this seems to be mixing apples and oranges, as SHOW and SELECT aren't created equal, although they both seem to return the same sort of object
You cannot do it in the MySQL stored procedure language.
https://dev.mysql.com/doc/refman/8.0/en/show.html says:
Many MySQL APIs (such as PHP) enable you to treat the result returned from a SHOW statement as you would a result set from a SELECT; see Chapter 29, Connectors and APIs, or your API documentation for more information. In addition, you can work in SQL with results from queries on tables in the INFORMATION_SCHEMA database, which you cannot easily do with results from SHOW statements. See Chapter 26, INFORMATION_SCHEMA Tables.
What is absent from this paragraph is any mention of treating the results of SHOW commands like the results of SELECT queries in other contexts. There is no support for setting a variable to the result of a SHOW command, or using INTO, or running SHOW in a subquery.
So you can capture the result returned by a SHOW command in a client programming language (Java, Python, PHP, etc.), and I suggest you do this.
In theory, all the information used by SHOW CREATE TABLE is accessible in the INFORMATION_SCHEMA tables (mostly TABLES and COLUMNS), but formatting a complete CREATE TABLE statement is a non-trivial exercise, and I wouldn't attempt it. For one thing, there are new features in every release of MySQL, e.g. new data types and table options, etc. So even if you could come up with the right query to produce this output, in a couple of years it would be out of date and it would be a thankless code maintenance chore to update it.
The closest solution I can think of, in pure MySQL, is to regularly clone the table structure (no data), like so:
CREATE TABLE backup_20220618 LIKE my_table;
As far as I know, to get your hands on the full explicit CREATE TABLE statement, as a string, would require the use of an external tool like mysqldump which was designed specifically for that purpose.

SQL injection attack in LIKE clause

I have a file that runs a SQL query:
SELECT * FROM items WHERE name LIKE "%<String Passed to It>%"
I am trying to test for basic web security here. How can I break this query to drop the items table, without using spaces or semi-colons
Try setting the value of the to be:
'\gDROP TABLE items\g--
You will need to escape that apostrophe.
Making you're query look like this:
SELECT * FROM items WHERE name LIKE '%'\gDROP TABLE items\g--%'
In mySQL \g is equivalent to a semi-colon. However, I'm not sure if spacing is required as I do not currently have a local installation of mySQL set up, and I do not know exactly what language and framework you're using to execute that query.
However, the other comments are right that using a prepared statement and parameters rather than building the SQL string in code is the way to go in trying to prevent SQL Injection attacks.
See here

How to find a string in all tables and all columns?

I'd like to write a query to find a string wherever it exists.
Something that would work like:
foreach(table in database) {
foreach(column in table) {
// in the end, i need to know, which columns in
// which tables that string appears.
}
}
Is this possible?
May I ask why? Honestly, unless it is something you need to do at runtime, I would use mysqldump and use a text editor to do the search.
If you have to do this at runtime, you are going to have to build something dynamically. You can use "show tables" to get a list of tables. You can then use show columns for each of those tables. You'd then need to do some sort of select statement on each column looking for your text (using locate, or using like for example).
This is going to be a really slow process to run at real-time on a server...
yes, this is possible. But I don't think you can do it in pure SQL; you'd better do it in some script languages, like PHP, or shell scripts.
I dare to say, this is impossible with (current) MySQL, as metadata (such as column names) and data (such as the field values) cannot be part of the same query.
Especially
SELECT Field from (DESCRIBE <tablename>)
will error out, as will
SELECT Field from (SHOW FIELDS FROM <tablename>)
as will
DECLARE flds CURSOR FOR DESCRIBE <tablename>
in a stored procedure.
This is to say it is impossible INSIDE MYSQL - it is trivial in PHP and freinds.

Dynamic Linq - query a schema that is only known at run time?

I know with dynamic linq you can construct expressions dynamically in the same way that you might build and execute a dynamic SQL statement - e.g. a dynamic where clause or a dynamic select list. Is it possible to do this in cases where the schema is not known at compile time?
In a database I'm working with users can define their own entities which causes new tables/columns to be created in the back-end database. At run time I'll know the table & column names I need to work with but I won't know the schema at compile time hence I can't build a DBML to work with up front.
Is there any facility for the dynamic discovery of the schema at run time or is this a case where I need to stick with building dynamic SQL statements?
As far as we understand, you don't know neither schema name nor the full structure of your schema for sure.
In this case it seems that the strongly-typed ExecuteQuery method overload will be an option.
Just write the SQL queries and add the necessary parameters (like table and column names) either using string concatenation or as parameters.

Whats the Efficient way to get data from db using LINQ To SQL or LINQ To Entities?

When you run Linq to Sql or Linq to Entites to get a list of records it runs query to select all fields from a table. Is it an efficient solution. Lets say: I run this LINQ
dim lstCustomers = from c in db.Customers select c
it run query to get all fields from a table whether i need all fields or not. I am using asp.net with MVC so should i write this query in view (where i only need CustomerID and name)
dim lstCustomers = from c in db.Customers _
select new Customer with { c.CustomerID, c.Name }
If i have to use 2nd query then whats the advantage of LINQ and Entity Framework. This thing i can do with SQL query (with different syntax)
Anyone can help?
First of all, LINQ queries are evaluated lazily. That means that single line doesn't do anything but itself, so I assume you actually iterate the results with For Each.
The answer to your first question is yes, all fields are retrieved from the database with the first statement.
Yes, but in order to use SQL directly, you'll have to manually create entity classes, manually retrieve data using SqlDataReader or something to achieve the level of abstraction LINQ provides in that line. That's lots of more work on your behalf. With LINQ to SQL, you don't even need to explicitly write code to open a connection to database.
actuly linq have different sets of advantages over writing normal writing sql queries:
if you wrote sql queries then overloaded steps:
1. you need a sql connection class
2. you need a sql command or sqldataadapter.
3.then you need a container like datatable and dataset.
so while using linq you dont need all those steps. just write the queries as you wrote above.
also incase you wrote something incorrect in your sqlquery then there is no compile time error. error only generates when you execute the query during runtime.
but unlike sql queries, linq provides you the compile time error.
also linq is best of strongly type collections.