I'm have a SSIS connection string that includes an escape character which is preventing the connection string from working. Does anyone know how to prevent the escape character from being applied?
Here is an example of my database connection: DatabaseServer\DInstanceName
If you're building connection string dynamically from variables or even if you don't, you can use Properties-> Expressions-> Connection string expression where you can test the resulting output of the expression. And use \ to escape any character.
Better approach would be to use SSIS XML Configuration so you don't need to edit your package everytime you need to make some changes in connection string.
the escaping will be "\" it will give you \ but for your connection string I alredy give a solution on you other ques . here also I am pasting the same thing. plz check it :)
I have taken the first parameter for connction string like : "anystaring
and the second parameter for the db is : newdb"
so now check the screenshot I have given the URL(not able to upload the image sorry):
http://tinypic.com/view.php?pic=2v3oj6x&s=8#.VHQ8aSjrbcs
Related
I know we have a similar question here
Passing a parameter via URL to SQL Server Reporting Services
My issue is if I have a parameter that contains the special character &, how can I pass it via URL?
In the following example (borrowed from the link above), if my UserID parameter has a value of "abc123", I will have the following syntax
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC123&rc:Toolbar=false
But the problem is if I have UserID = "abc&123", with the "&" as a special character, if I still use the previous format, it will fail out
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC&123&rc:Toolbar=false
So how should I handle this "&" in "abc&123" ?
Thanks a lot in advance for your time.
Jeff
I 'think' you'll need to encode the & to '%26'
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC%26123&rc:Toolbar=false
I am trying to add an initial underscore to a variable name like _user in VBA in ms access, but it is showing error as soon as the cursor is leaving that line. Please look at the error :
Can anybody tell me the reason and help me to do so?
As mentioned by #Wayne in the comments, it is not allowed to start the naming with an underscore: https://msdn.microsoft.com/en-us/vba/language-reference-vba/articles/visual-basic-naming-rules
I guess that the reason for this is that the _ is a special sign, that is used for initialization of Events in VBA. Thus, it is already taken.
A better guess - in VBA the underscore is used for line separator as well. https://stackoverflow.com/a/8515496/5448626
I am trying to understand a mysql injection not working as expected.
I have a php script that does a login based on username and password supplied on a webpage. The query string looks like this:
$querystr = "SELECT COUNT(*) FROM usertbl WHERE user='$user' and pass='$pass'";
Username and password are escaped before they are used in the querystr above. This means any apastroph(single quote) is escaped as well.
I found a blog describing this very issue here: mysql_escape_string-the-charset-vulnerability.
I tried to replicate what´s explained on that blog, but when I supply hexadecimal characters for user or pass on the website, php somehow doesn´t interpret them as hex it seems.
When I enter for the username on the webpage(password empty):
user\xbf\x27
the query logged by MySQL is:
SELECT COUNT(*) FROM usertbl WHERE user='user\xbf\x27 or 1=1--' and pass=''
So, to me it looks like the hexadecimal characters are not interpreted as such.
For some more debugging, I created the following php script, which I ran on the server:
<?php
header('Content-type: text/plain; charset=gbk');
$hex="\xbf\x27";
echo mysql_escape_string($hex);
?>
The output is:
�\'
Does anybody have an idea why it might not work for me?
Thank you
When you type $hex="\xbf\x27"; in a php script, PHP parses it and stores the string formed by the hexadecimal bytes BF 27.
When you type \xbf\x27 in a web page, it is sent verbatim to the server, so the query ends up with the literal text «\xbf\x27».
The way to exploit it would be to enter that character in the browser (eg. changing your browser encoding to iso-8859-1 and pasting a ¿), or sending a fake HTTP request where you directly insert in the wire any byte you wish. If you are performing the injection through HTTP GET, there's an easy way to insert which is using %-escapes, ie. "&user=user%bf%27%20or%201=1--&pass=".
I am concerned about inserting text in a MySQl table w.
I have to insert/update text that contains characters such as / " and '
The escape character / could be inserted only if the NO_BACKSLASH_ESCAPES SQL mode is enabled. wich interfere with the characters " and ' see this link http://dev.mysql.com/doc/refman/5.1/en/string-literals.html#character-escape-sequences
If anyone can explain to is in earth the mysql_real_escape_string() I don't came to understated
I would like to find a pure mysql solution
I am not using php. What I am trying to do here is to "simulate " Content Management System: I am about to write a C# coded solution that manage the content in its different forms(article, category ,tag, etc..) and generate .html files, the MySQl database is local in my computer next i will upload the .html files to the server.
I did this to ensure that all my html pages are html valid and because I don't trust any existent solutions (not only when it concerns coding but in life in general)
Please help
each php db connection extension (mysql, mysqli, pdo) has a special way to safe query against sql injections, when you are using mysql extension, it's strongly recommended to use mysql_real_escape_string() function to make safe all variables used in query, it's most widely used function. i think there isn't any pure solution (when you are using mysql extension in php).
from php.net:
mysql_real_escape_string()-Escapes special characters in the
unescaped_string, taking into account the current character set of the
connection so that it is safe to place it in a mysql_query().
Whatever string data can be inserted into SQL query, if formatted according to 2 rules
it is enclosed in quotes (preferably single ones)
it is passed through mysql_real_escape_string()
if both rules followed, there would be not a single problem with whatever characters, either slashes, quotes or anything.
According to your question, / has no special meaning in MySQL. It's \ that is escape character. It can be escaped by another backslash as well.
$str = 'slashes \ quotes \' or whatever " else symbols';
var_dump($str);
$str = mysql_real_escape_string($str);
$sql = "INSERT INTO table SET str='$str'";
Im trying to use an expression to a sub package in SSIS however it always errors out stating that it cannot find the dtsx file. Ive copied the path to explorer and it seems to be correct.
The error also states that expression cannot be written to the property. My code is below.
#[User::vRoot] + "\Employees.dtsx" with #[User::vRoot] being a variable stored in SQL
Any Ideas
Try to escape the backslash in the expression using an additional backslash.
#[User::vRoot] + "\\Employees.dtsx"
In such a scenario where I need to concatenate folder and file name, I always do it this way. I usually create two variables named FolderPath and FileName. Let's assume FolderPath contains C:\temp\ (make sure it ends with a back slash) and FileName contains Employees.dtsx.
I will create a third variable named FilePath and will set the EvaluateAsExpression property of this variable to true. I will set the following expression in this variable so it dynamically evaluates the value.
#[User::FolderPath] + #[User::FileName]
Hope that helps.
Backslash is an escape character here, so if you want to represent a literal backslash, it's "\\".
I also suggest, as a general rule, instead of hardcoding a backslash in the string concatenation, to use this method to consider potential trailing backslashes in the first variable:
#[User::vRoot] + (RIGHT(#[User::vRoot], 1) == "\\" ? "" : "\\") + "Employees.dtsx"