I have this websql script (http://pastebin.com/gvJseBAn) which doesn't perform correctly.
If I run the statement select * from news where id=0772348890 , I get the error The conversion of the varchar value ' 0017707787068' overflowed an int column.
If I run the statement select * from news where id='0772348890' , I get the error Incorrect syntax near '0772348890'.
If I run the statement select * from news where id="0772348890" , I get Invalid column name '0772348890'
Any other variation of '#0772348890#' or #0772348890# or "#0772348890#" I have tried gives the error "incorrect column" or "incorrect syntax near ..."
Any ideas on how to fix this error, or a better method of creating a simple websql query form?
A) the issue here is that db column will not under any conditions accept "0772348890" as a valid input because it is mismatched. The column is an "int" type (according to your first error), but your value has a padded 0 prependedto the front as in 0 772...
What is the purpose of this zero? Ordinarily prepended zeros appear in fixed length character fields where a space is not allowed. Should the value not be "772348890"?
B) Remember that ColdFusion will escape your single quotes in your query. In your second error example (where you use single quotes), this code:
<cfquery name="runsql" datasource="#Form.datasource#" timeout="30">
#Form.sql#
</cfquery>
Produces this SQL statement:
select * from news where id=''0772348890''
Which would give you your syntax error. If you wish to successfully test your second example you will need to alter your code to:
<cfquery name="runsql" datasource="#Form.datasource#" timeout="30">
#preservesinglequotes(Form.sql)#
</cfquery>
Preservesinglequotes() gets you past the second error issue and MSSQL's implicit conversion may strip off the prepended zero and allow the query to succeed - though I'm not sure will give you what you want.
C) Finally you should probably never do what you are trying to do - at least not in this fashion (sorry to be so direct!). Your opening up your DB to arbitrary queries from a web form. The resulting damage from even casual mistakes could be catastrophic to your data, let alone a malicious user bent on stealing or altering or using your site for malicious purposes. That's my take. :)
Related
I'm having difficulties in retrieving and displaying records from a table in a database. I'm using a MySql database and VB.NET 2012.
I'm getting the following error message
"End of statement expected"
Remove the space between Form2 and _Load. Your SQL statement is also broken, the AND being in blue shows this. You have your single and double quotes confusing it, the statement is being ended before the AND due to incorrect syntax. In any case, you should, probably, be using
"SELECT * FROM bigregdb WHERE regID = '"1"' OR regID = '"2"'"
I'm trying to excercise on BadStore, for those who don't know it's a fake online store site which can be run on VM box, and offers a lot of security vulnerabilities.
One thing i'm trying to do is to apply sql injection on the search query.
When searching for "book", for instance, we see this:
So, i'm trying to show all the store items trying to search for 1=1' --, which will result with the query of:
SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE '1=1' --' IN (itemnum,sdesc,ldesc)
however, this not giving the expected outcome as I get the following error:
Any suggestions?
You realize that -- in MySQL acts as a comment for the rest of the line?
If this is what you are trying to do, commenting out the rest of the line, then as per the MySQL documentation, you need a space after the --.
I understand you are trying out MySQL injection, so try to type your query, and then after the query type ; -- Notice that there IS a trailing space.
TL;DR
Change
'1=1' --' IN
TO
'1=1' -- ' IN
Assuming that all values of MBR_DTH_DT evaluate to a Date data type other than the value '00000000', could the following UPDATE SQL fail when running on multiple processors if the CAST were performed before the filter by racing threads?
UPDATE a
SET a.[MBR_DTH_DT] = cast(a.[MBR_DTH_DT] as date)
FROM [IPDP_MEMBER_DEMOGRAPHIC_DECBR] a
WHERE a.[MBR_DTH_DT] <> '00000000'
I am trying to find the source of the following error
Error: 2014-01-30 04:42:47.67
Code: 0xC002F210
Source: Execute csp_load_ipdp_member_demographic Execute SQL Task
Description: Executing the query "exec dbo.csp_load_ipdp_member_demographic" failed with the following error: "Conversion failed when converting date and/or time from character string.". Possible failure reasons: Problems with the query, "ResultSet" property not set correctly, parameters not set correctly, or connection not established correctly.
End Error
It could be another UPDATE or INSERT query, but the otehrs in question appear to have data that is proeprly typed from what I see,, so I am left onbly with the above.
No, it simply sounds like you have bad data in the MBR_DTH_DT column, which is VARCHAR but should be a date (once you clean out the bad data).
You can identify those rows using:
SELECT MBR_DTH_DT
FROM dbo.IPDP_MEMBER_DEMOGRAPHIC_DECBR
WHERE ISDATE(MBR_DTH_DT) = 0;
Now, you may only get rows that happen to match the where clause you're using to filter (e.g. MBR_DTH_DT = '00000000').
This has nothing to do with multiple processors, race conditions, etc. It's just that SQL Server can try to perform the cast before it applies the filter.
Randy suggests adding an additional clause, but this is not enough, because the CAST can still happen before any/all filters. You usually work around this by something like this (though it makes absolutely no sense in your case, when everything is the same column):
UPDATE dbo.IPDP_MEMBER_DEMOGRAPHIC_DECBR
SET MBR_DTH_DT = CASE
WHEN ISDATE(MBR_DTH_DT) = 1 THEN CAST(MBR_DTH_DT AS DATE)
ELSE MBR_DTH_DT END
WHERE MBR_DTH_DT <> '00000000';
(I'm not sure why in the question you're using UPDATE alias FROM table AS alias syntax; with a single-table update, this only serves to make the syntax more convoluted.)
However, in this case, this does you absolutely no good; since the target column is a string, you're just trying to convert a string to a date and back to a string again.
The real solution: stop using strings to store dates, and stop using token strings like '00000000' to denote that a date isn't available. Either use a dimension table for your dates or just live with NULL already.
Not likely. Even with multiple processors, there is no guarantee the query will processed in parallel.
Why not try something like this, assuming you're using SQL Server 2012. Even if you're not, you could write a UDF to validate a date like this.
UPDATE a
SET a.[MBR_DTH_DT] = cast(a.[MBR_DTH_DT] as date)
FROM [IPDP_MEMBER_DEMOGRAPHIC_DECBR] a
WHERE a.[MBR_DTH_DT] <> '00000000' And IsDate(MBR_DTH_DT) = 1
Most likely you have bad data are are not aware of it.
Whoops, just checked. IsDate has been available since SQL 2005. So try using it.
eg:
Table : user
column : user_id (type is int)
SELECT * FROM user WHERE user_id = '10xyz'
is giving same result of
SELECT * FROM user WHERE user_id = '10'
The input value is not integer but not giving an error in this case.
The reason why you are getting the same result is because MySQL automatically removes the trailing characters from the string and implicitly converts it to integer.
SQLFiddle Demo
SQLFiddle Demo (updated)
If you don't want to change all your code, but you have your database queries all going through one or a few subs, you can change those to check for warnings after using a statement handle (e.g. if ( $sth->{mysql_warning_count} ) ...).
Or you can create a DBI subclass that does that automatically for you, promoting warnings to errors. If you do, many others have use for such a thing. There are configuration settings to give an error instead of a warning when updating or inserting something like '10xyz' into an integer field, but not anything broader than that, and dear Oracle considers it Not a Bug. Maybe MariaDB does (or could do) better?
datatype of user_id is in database is INT
that why it giving same output and not error
In my Rails testing environment, I have a user_id that looks like 1234-567abc89. I'm getting inconsistent behaviour by querying this user in different tables. Most of the queries are working, but running one particular query fails:
ActiveRecord::StatementInvalid (Mysql::Error: Unknown column '1234' in
'where clause': SELECT * FROM `point_allocations` WHERE (user_id = 1234-567abc89) ):
So for some reason, everything beyond the hyphen is getting cut off. I realized that for the queries that work, it is looking up user 1234 instead of 1234-567abc89, but if all the others work, any idea why only this one would return an error?
You need to include quotations.
SELECT * FROM `point_allocations` WHERE (user_id = '1234-567abc89')
Because the user_id column expects character-typed data, it will take your value (1234-567abc89) and parse it as an integer, truncating the content after the hyphen. If you include it in quotations, it will accept it as a string and transfer properly.
Enjoy and good luck!