Currently, I've been assisting someone to convert a site using classic ASP, from using MS Access to MySQL(mainly as a bridge until we get time to do a complete rebuild). The current table uses various protected keywords as column names(Datetime, Date, Order, etc). I'm trying to figure out the proper ways to do a few inserts on these columns. The current code is below:
Set oRSess = Server.CreateObject("ADODB.Recordset")
oRSess.AddNew
oRSess.Fields("Order") = CInt(xyz)
oRSess.Fields("SessionID")
oRSess.Update
Now normally, I'd try to just replace this with a standard SQL insert, but there's lots of code around, that breaks easily. Is there away to add a proper escape character for MySQL to recognize it properly?
Related
I'm trying to update numerous wordpress multisite pages.
I have an ajax script that is posting to a php file where, after the text is formatted, it updates the corresponding table cell.
However, I keep getting the "WordPress database error You have an error in your SQL syntax;" error.
$content = "[shortcode] text processed by shortcode [/shortcode]";
$table = "wp_".$_POST["blogid"]."_posts";
$wpdb->query(" UPDATE {$table} SET post_content={$content} WHERE posts_title='test'");
Is this an issue with the use of square brackets (shortcodes) in the string I wish to use to update the cell?
The syntax seems fine to me, but my SQL knowledge isn't that strong.
In greater detail, I have a mysql query that gets all multisites, then loops through them after making the edits with JS before posting to this php file.
Avoid using string templates directly for query building. You can too-easily include invalid syntax, and since you're reading content directly from the shortcode you're opening your entire database up to SQL-injection attacks. This could give attackers direct access to your database, meaning anyone who can post content could also gain total access to your WordPress.
Always prepare your query first. If you're using $wpdb, the usage is described here: https://developer.wordpress.org/reference/classes/wpdb/prepare/
This will also ensure that the shortcode content you query on is formatted properly.
I'm trying to build a Data Integration job uses pass through to extract data from a view in a MySQL database.
Wev'e been using pass through a lot in the project, mostly extracting data from Redshift,
however with MySQL I was not able to do make it work properly.
It keeps complaining a table is missing even though when pass through is off, view is found and data is extracted...
tried every trick I know, starting from enabling case-sensitive DBMS object names, to manually remove single/double quotes from the statement just in case MySQL confuses confuses it with something else...
No luck.
ODBC driver is [MySQL][ODBC 5.3(a) Driver][mysqld-5.5.53].
Ran on a Windows environment.
Any idea how to solve this?
Thank you in advance.
EDIT
So, first of all, one correction (even though not that important - I extract from a view, not a table).
This is the code generated by SAS Create Table transformation, pass through enabled. I only put an asterisk instead of the full list of columns:
proc sql;
connect to ODBC
(
READBUFF=10000 DATASRC="cmp.web_api" AUTHDOMAIN="MYSQL_CMP_Auth"
);
create table work."W7ZZZKOC"n as
select
*
from connection to ODBC
(
select
V_BI_ACCOUNT.ACCOUNT_NAME,
V_BI_ACCOUNT.ACQUISITION_SOURCE__C,
V_BI_ACCOUNT.ZUORA__ACTIVE__C,
V_BI_ACCOUNT.ADDRESS_LINE_1__C,
V_BI_ACCOUNT.ADDRESS_LINE_2__C,
V_BI_ACCOUNT.ADDRESS_LINE_3__C,
V_BI_ACCOUNT.AGREEMENT_DATE,
V_BI_ACCOUNT.AGREEMENT_LEGAL_CLAUSE_1__C,
V_BI_ACCOUNT.AGREEMENT_LEGAL_CLAUSE_2__C,
V_BI_ACCOUNT.PERSONBIRTHDATE,
V_BI_ACCOUNT.BLOCKED_REASON__C,
V_BI_ACCOUNT.BRAND__C,
V_BI_ACCOUNT.CPN__C,
V_BI_ACCOUNT.ACCCREATEDBYID,
V_BI_ACCOUNT.ACCCREATEDDATE,
V_BI_ACCOUNT.CURRENCY_PREFERENCE__C,
V_BI_ACCOUNT.CUSTOMER_FULL_NAME__PC,
V_BI_ACCOUNT.ACCOUNTID,
V_BI_ACCOUNT.ZUORA__CUSTOMERPRIORITY__C,
V_BI_ACCOUNT.DELIVERY_SALUTATION__C,
V_BI_ACCOUNT.DISPLAY_NAME,
V_BI_ACCOUNT.PERSONEMAIL,
V_BI_ACCOUNT.EMAILKEY__C,
V_BI_ACCOUNT.FACEBOOKKEY,
V_BI_ACCOUNT.FIRSTNAME,
V_BI_ACCOUNT.GENDER__C,
V_BI_ACCOUNT.PHONE,
V_BI_ACCOUNT.ACCLASTACTIVITYDATE,
V_BI_ACCOUNT.ACCLASTMODIFIEDDATE,
V_BI_ACCOUNT.LASTNAME,
V_BI_ACCOUNT.OTHER_EMAIL__C,
V_BI_ACCOUNT.PI_TYPE__C,
V_BI_ACCOUNT.ACCPARENTID,
V_BI_ACCOUNT.POSTCODE__C,
V_BI_ACCOUNT.PRIMARY_ACCOUNT_OF_THIS_CUSTOMER,
V_BI_ACCOUNT.ACCPRIMARY__C,
V_BI_ACCOUNT.ACCREASON_FOR_STATUS__C,
V_BI_ACCOUNT.ZUORA__SLA__C,
V_BI_ACCOUNT.ZUORA__SLASERIALNUMBER__C,
V_BI_ACCOUNT.SALUTATION,
V_BI_ACCOUNT.ACCSYSTEMMODSTAMP,
V_BI_ACCOUNT.PERSONTITLE,
V_BI_ACCOUNT.ZUORA__UPSELLOPPORTUNITY__C,
V_BI_ACCOUNT.X_CODE__C,
V_BI_ACCOUNT.ZUORA__ACCOUNT_ID__C,
V_BI_ACCOUNT.ZUORA__PAYMENTMETHODID__C,
V_BI_ACCOUNT.CITY,
V_BI_ACCOUNT.ORIGINAL_CREATED_DATE,
V_BI_ACCOUNT.SOURCE_SYSTEM_ID,
V_BI_ACCOUNT.STATUS,
V_BI_ACCOUNT.ZUORA__CONTACT_ID,
V_BI_ACCOUNT.ACCISDELETED,
V_BI_ACCOUNT.BILLING_ACCOUNT_NAME,
V_BI_ACCOUNT.ACZCREATEDDATE,
V_BI_ACCOUNT.ACZSYSTEMMODSTAMP,
V_BI_ACCOUNT.ACZLASTACTIVITYDATE,
V_BI_ACCOUNT.ZUORA__ACCOUNT__C,
V_BI_ACCOUNT.ZUORA__ACCOUNTNUMBER__C,
V_BI_ACCOUNT.ZUORA__AUTOPAY__C,
V_BI_ACCOUNT.ZUORA__BALANCE__C,
V_BI_ACCOUNT.ZUORA__CREDITCARDEXPIRATION__C,
V_BI_ACCOUNT.ZUORA__CURRENCY__C,
V_BI_ACCOUNT.ZUORA__MRR__C,
V_BI_ACCOUNT.ZUORA__PAYMENTTERM__C,
V_BI_ACCOUNT.ZUORA__PURCHASEORDERNUMBER__C,
V_BI_ACCOUNT.ZUORA__LASTINVOICEDATE__C,
V_BI_ACCOUNT.COUNTRY_NAME,
V_BI_ACCOUNT.COUNTRY_CODE,
V_BI_ACCOUNT.FAVOURITE_FOOTBALL_CLUB,
V_BI_ACCOUNT.COUNTY
from
web_api.V_BI_ACCOUNT as V_BI_ACCOUNT
);
%rcSet(&sqlrc);
disconnect from ODBC;
quit;
And again, when I extract data without pass through - works successfully,
I found out the problem was a column name exceeds 32 positions.
As SAS supports up column names up to 32,
the query fails to find PRIMARY_ACCOUNT_OF_THIS_CUSTOMER as the original column name is PRIMARY_ACCOUNT_OF_THIS_CUSTOMER__C.
EDIT
One more thing I found out is, MySQL doesn't like specifying schema name nor aliases.
Therefore,
From clause to only specify table name i.e : 'from v_bi_account' rather than 'web_api.v_bi_account'
and do not use aliases i.e use 'from v_bi_account' rather than 'from v_bi_account as v_bi_account'
Thank you guys so much for your help.
I am working on a big project with a lot of forms using BDE and ODBC to connect to MySQL Database.
I can compile it in Delphi 2009 and it works fine.
When i compile it in Delphi 2010, nothing works because TQuery can not pass parameter values correctly.
Here is an example :
txtUsername.Text = 'Admin';
Query1.Close;
Query1.SQL.Text = 'Select Count(*) From Tbl_User where Username = :username';
Query1.ParamByName('username').AsString = txtUsername.Text;
Query.Open();
The SQL will be sent to MySQL , looks like this :
Select Count(*) From Tbl_User where Username = 'A'
Only first character of parameter will be sent to the server : 'A' instead of 'Admin'
But if i use
Query1.ParamByName('username').AsAnsiString , then
it will works fine and parameter will be sent completely:
Select Count(*) From Tbl_User where Username = 'Admin'
There are huge number of TQuery and TTable in project and its not possible to change all calls of AsString to AsAnsiString.
Is there any solution for this? any settings to make it working fine? probably by making it to use Ansi as default instead of Unicode?
I tried finding some setting in compiling option, and changing ODBC parameters but none of them worked.
Any help would be appreciated.
Thanks
I understand the pressure for quick and cheap solutions, but sometimes they will be quick and cheap only at the first moment, and then will turn (in a near future) into a monster problem with no solution at all.
So, for the first move, I recomend you to read a post on Regex Replace. Use this to replace all your .AsString by .AsAnsiString and quickly get you application running as expected again.
But don´t get too comfortable with this, you have a long term work ahead of you. My suggestion to give your application a better design is:
Remove your datasets from your forms and put them in a DataModule, so you will not mix persistence and business code with presentation code;
Stop working with specific dataset on your business code, go for TClientDataset, which is better than any other dataset and will give you a better application design and complete database and middleware independence;
Create a new database layer, putting all the database and middleware specifics behind an interface, what will give you a incredible level of database abstraction.
This is a time consuming work, of course, so, not a quick and certainly not a cheap solution, but it will give you a lot of insights and improve your techniques. During the process, your application will evolve as never before.
We've just upgraded from Access 2003 to Access 2010 and string comparisons are failing with an invalid procedure call error when default conditions are used. I’ve recreated two presumably related problems in a new Access 2007 format database containing only the default table, a query with the SQL below and a module containing only the code below, so I seriously doubt that this is a corruption issue.
First the following sub fails on the If Then line with Run-time error 5: Invalid procedure call or argument
Option Compare Database
Option Explicit
Sub checkStrCmp()
Dim str As String
str = "s"
If str = "s" Then
MsgBox "works"
End If
End Sub
If I change Option Compare Database to Option Compare Text the sub works as expected, but this seems like a bad idea as I may want to preform text as well as numeric comparisons inside a single sub.
I’m also getting “Invalid procedure call” errors in string comparison functions inside of SQL. The Replace function is requiring the supposedly optional compare parameter.
Select replace("foo-bar-baz", "-", "|", 1,-1);
Generates the “Invalid procedure call” error
Setting the compare parameter to any of the available values (0 -3) works as expected:
SELECT replace("foo-bar-baz", "-", "|", 1,-1, 0);
produces “foo|bar|baz”
Has anyone else seen this? Is there a setting that needs to be tweaked? Any other ideas outside of “Database corruption” which is all I’ve been able to find via Google.
TIA
apoligies for the sloppy code blocks I can't for the life of me get them to work right.
UPDATE: I should have mentioned that I'm running XP Pro sp3.
The problem seems limited to databases I create on my box. When I opened the test database I created on my box from other workstations on our network I saw the issue, but was then unable to recreate it when creating a new database as described above on those workstations. The databases I created on the two other workstations (same OS and MS Office versions installed) also worked correctly when opened on my machine. I was also unable to recreate the issue when I inserted new modules in those DBs from my machine.
In short the problem seems to only exist on databases created on my machine (and in old 2003 format databases I've converted to 2007 format on my machine). My best guess is that my install is hosed but I’d like to have some idea of how and why before I approach IT with a request to reinstall Office. I’d also like to rule out a conflict with other software on my box.
Your code modules do not all need to share the same Option Compare setting. So you could place those procedures which should use text comparisons in a module which has Option Compare Text in its Declarations section.
However, I don't understand your statement, "I may want to preform text as well as numeric comparisons inside a single sub." According to Access' help topic, the Option Compare Statement is "Used at module level to declare the default comparison method to use when string data is compared". In other words, Option Compare has no effect on the comparisons of numeric values.
Edit: Since the problem is limited to Option Compare Database for database files created on only one machine, I'll suggest you check Access' "New database sort order" setting on that machine. Change it to a choice which starts with "General" if it is set to anything else. Then create a new database and see whether you still have the problem.
The reason for this suggestion is that Option Compare Database tells Access to use the database's codepage setting for sorting. And "New database sort order" can set the codepage to the one which never gives me such troubles. However, my understanding of codepage details is pretty shallow; I never change it and don't know what the consequences of other settings would be.
i have an tiny editor web page where my users can use this editor and i am saving the html into my database.
i am having issues saving this html to my database. for example if there is a name with a "'" or if there are other html character "<,",">" etc, my code seems to blow up on the insert.
Is there any best practices about taking any arbitrary html and have it persist fully to a db field without worrying about any specific characters.
I'm wondering if you are building the full query. Instead use a parameterized query and that should eliminate your data problems.
string sqlIns = "INSERT INTO table (name, information, other) VALUES (#name, #information, #other)";
SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection);
cmdIns.Parameters.Add("#name", info);
cmdIns.Parameters.Add("#information", info1);
cmdIns.Parameters.Add("#other", info2);
cmdIns.ExecuteNonQuery();
do you insert using SqlParameter? If yes, you should not have problems, check that.
You could just HtmlEncode the data.
You'll have a HttpContext.Current.Server object, so in pseudo code you'd just do:
Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));
and to retrieve it:
myHtml = HttpContext.Current.Server.HtmlDecode(DataBase.Load());
Just reading through this - is your problem actually on the insert statement or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.