We Keep Coding

Getting error for Input Validator for org.owasp.esapi.errors.ValidationException

I have expression of
Validator.Format=^(csv|excel|Csv|Escel|CSV|EXCEL)$
Getting error
org.owasp.esapi.errors.ValidatornException: Invalid input. Please conform to regex
^(csv|excel|Csv|Escel|CSV|EXCEL)$ with maximum length of 5
Can you please suggest

There is not enough information to go on here. You at least need to say what version of ESAPI you are using and show me the full exception message. In the latest version of ESAPI at least, this exception only shows up here, in StringValidationRules.java as:
throw new ValidationException( context + ": Invalid input. Please conform to regex " + p.pattern() + ( maxLength == Integer.MAX_VALUE ? "" : " with a maximum length of " + maxLength ), "Invalid input: context=" + context + ", type(" + getTypeName() + ")=" + p.pattern() + ", input=" + input + (NullSafe.equals(orig,input) ? "" : ", orig=" + orig), context );
So display the rest of that exception message for starters.

MySql Parameter must be defined mvc

i have this code here:
var sql = "select shr_id, shc_id " +
"from tbox_operational.shipment_ref " +
"inner join tbox_operational.shipment_collo_ref using (shr_id) " +
"where shr_insdtm between ?dateTimeFrom";
var parameters = new List<MySqlParameter> {
new MySqlParameter("?dateTimeFrom", dateTimeFrom.ToString("yyyy/MM/dd HH:mm:ss"))
};
var query = (from db in context.Database.SqlQuery<ShridsModel>(sql, parameters)
select db).ToList();
return query;
But it keeps me getting this error:
{"Parameter '?dateTimeFrom' must be defined."}
i have also in my connection string:
server=xxx;user id=runtime;password=xxxx;AllowUserVariables=True;
What am i doing wrong here?

I have solved...
Instead of passing a list of the parameters, i pass each one individual and he recognizes it all

Why Identifier Expected?

hi can you please help me what is missing or problem with my script? i keep on getting compiling error: Identifier Expected. It is in the character ".[i"
myRange.Value2 = GridView1.[i,j].Value + ";" == null ? "" : GridView1.[i,j].Text + ";";

It will be:
myRange.Value2 = GridView1.Rows[i].Cells[j].Text+ ";" == null ? "" : GridView1.Rows[i].Cells[j].Text + ";";
GridView.Rows[i].Cells[j]
where i = row index and
j = cell index

First, you have a typo: there is a dot after GridView1, which isn't allowed since it expects an identifier then (as the message says). GridView1.Rows would have been valid for example.
Another problem is that your logic is wrong.
This code will never yield true, since ";" is not null:
GridView1[i, j].Value + ";" == null
I think you should drop the + ";".

error in LIKE SQL syntax

I'm using nodeJs and mysql package.
I want to use LIKE sql statement with varibale.
this is source code :
var likemobile = '%'+mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid',
vtiger_contactaddress.mobile,
vtiger_contactaddress.phone
FROM `vtiger_contactaddress`
INNER JOIN `vtiger_crmentity`
ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND
vtiger_crmentity.deleted=0 AND
vtiger_contactaddress.mobile LIKE "+likemobile+" OR
vtiger_contactaddress.phone LIKE "+likemobile;
and this is error that returns:
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual th
at corresponds to your MySQL server version for the right syntax to use near '%8
8436500 OR vtiger_leadaddress.phone LIKE %88436500' at line 1

You need to enclose the like pattern in single quotes.
Two other suggestions:
Only use single quotes for string and date constants (not column aliases).
Use parameterized queries, so you are not putting user input into query strings.

If you indeed are using node-mysql, you should run queries as instructed in the documentation. Assuming you have a connection object already, querying with bind variables becomes simple:
connection.query({
sql : "SELECT vtiger_contactaddress.contactaddressid as leadid, "
+ " vtiger_contactaddress.mobile, "
+ " vtiger_contactaddress.phone "
+ "FROM `vtiger_contactaddress` "
+ "INNER JOIN `vtiger_crmentity` "
+ " ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid"
+ " AND vtiger_crmentity.deleted=0 AND "
+ " (vtiger_contactaddress.mobile LIKE concat('%', ?) OR "
+ " vtiger_contactaddress.phone LIKE concat('%', ?))",
values: [mobile, mobile]
}, function (error, results, fields) {
// error will be an Error if one occurred during the query
// results will contain the results of the query
// fields will contain information about the returned results fields (if any)
});
Things to note here:
Bind variables are used, preventing SQL Injection
The concat function is used for prefixing the (sanitized) input with the wildcard character (%)
The two query conditions that are ORed together are now separated with parenthesis from vtiger_crmentity.deleted=0, which is probably what you want
You need to write the resultset-handling code in the callback function, accessing the data through the results and fields variables

#Gordon Linoff is correct. Somelike this:
var likemobile = mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid', vtiger_contactaddress.mobile, vtiger_contactaddress.phone FROM `vtiger_contactaddress` INNER JOIN `vtiger_crmentity` ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND vtiger_crmentity.deleted=0 AND vtiger_contactaddress.mobile LIKE '%"+likemobile+"%' OR vtiger_contactaddress.phone LIKE '%"+likemobile+"%'";

... AND vtiger_contactaddress.mobile LIKE '%" + likemobile + "%' OR vtiger_contactaddress.phone LIKE %" + likemobile + "%";

try this..
var likemobile = mobile;
var query = "SELECT vtiger_contactaddress.contactaddressid as 'leadid',
vtiger_contactaddress.mobile,
vtiger_contactaddress.phone
FROM `vtiger_contactaddress`
INNER JOIN `vtiger_crmentity`
ON vtiger_crmentity.crmid=vtiger_contactaddress.contactaddressid AND
vtiger_crmentity.deleted=0 AND
vtiger_contactaddress.mobile LIKE '% "+likemobile+"%' OR
vtiger_contactaddress.phone LIKE '%"+likemobile +"%'";

INSERT INTO error with mysql-node

This seems like it should be super easy, and I have been stuck for about two hours now. Four separate people have looked at and not found an obvious problem. So again I turn to the SO community.
Real simple - I am just trying to insert data in a mysql database via mysql-node. I am getting no connection errors, and SELECT works just fine. The code being used is:
exports.postNewCast = function(data, res) {
var query = "INSERT INTO cast (name, portrait, role, bio) VALUES ('" + data.name + "', '" + data.portrait + "', '" + data.role + "', '" + data.bio + "');";
console.log(query);
dbConnection.query(query, data, function(err, result) {
if (err) {
console.log(err);
} else {
sendResponse(res, "Cast Member Added", 201);
}
});
};
The error being logged is:
{ [Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cast (name, portrait, role, bio) VALUES ('Jessie', 'images/cast/marissa.jpg', 'L' at line 1]
code: 'ER_PARSE_ERROR',
errno: 1064,
sqlState: '42000',
index: 0 }
The weird part (for me) is that I can copy from my terminal window (where the server is running) the console.logged query string, and paste it into the mysql command line, and it works just fine. I have tried using GRANT to make sure the user server is running has permissions, and this did nothing. I have tried copying / pasting INSERT INTO syntax straight from working sources, and only replacing my data-specific fields. I have tried using the VALUES ? option, followed by a data object, and got the same result.
So what stupid mistake am I making?
Thanks.

Ilya Bursov had it correct, adding this answer for posterity. I am not sure if 'cast' is a reserved word or what, but I needed back ticks (" ` ") around the table name to get it working.

Try to put `` around each column name like this
"INSERT INTO cast (`name`, `portrait`, `role`, `bio`) VALUES ('" + data.name + "', '" + data.portrait + "', '" + data.role + "', '" + data.bio + "');";