All of the examples I've found show how to use query by sql statement, as: 'connection.query("select * from my_table",...)', but I want to do it without sql statement, but with store procedure.
I found something about 'db-mysql' that supplies this option but I didn't success installing it.
I don't want to use sql statement in my code.
I want to select, update etc. by stored procedures in my mysqldatabase (like C#).
How can I do it?
Checkout http://sequelizejs.com/ it is a node compatible orm which allows you to easily interface with sql without needing to use sql statements.
Related
I have an insert query that I want to execute using the JavaScript V3 AWS client, against an AWS Aurora MySQL Serverless database. I am using the Data API of the database. I got the #aws-sdk/client-rds-data set up in my code and I can connect and execute arbitrary SQL queries using the ExecuteStatementCommand.
What I would like to know is that how I make SQL prepared statements and execute them. I have an INSERT query whose values are user provided. I cannot just concatenate those values into the SQL query as it would create an SQL injection vulnerability.
Unfortunatelly, I couldn't find how to make prepared statements and execute them in the #aws-sdk/client-rds-data package's documentation.
If somebody knows how to do it, could that someone please explain. Big thanks in advance!
I'm not a user of the AWS SDK for client-rds-data, but I'm inferring the following from the documentation, and my own knowledge of MySQL.
I see that interface ExecuteSqlCommandInput has a property sqlStatements, which allows multiple SQL statements separated by semicolons. This precludes the use of query parameters, because in MySQL you can't use prepare() on a string that includes multiple SQL statements.
Whereas ExecuteStatementCommandInput has a property sql (a single statement) and a property parameters which is an array of scalar parameters (i.e. each scalar corresponds to one parameter placeholder in the sql string). This should allow you to run a parameterized SQL query.
Re your comment: When you said you wanted to use prepared statements to avoid SQL injection vulnerabilities, I assumed you understood how prepared statements protect against those vulnerabilities.
In fact, using prepared statements alone is not a defense. You have to separate dynamic inputs from your SQL query by using query parameters. It just happens that using query parameters requires using prepared statements, so people say "use prepared statements" to defend against SQL injection, when they should say "use query parameters, which implies you must use prepared statements."
Tutorials about using SQL with query parameters are abundant. Here's one for Node.js: https://www.veracode.com/blog/secure-development/how-prevent-sql-injection-nodejs
The calling convention for the AWS SDK is different, but the concept is the same. I have only found reference documentation for AWS SDK, no code examples or task-oriented documentation. This is disappointing but unfortunately typical for AWS.
I am very new to mysql and I have I a situation where I need to update all my stored procedure in all my database. for example I have 10 database just say:
client_1,client_2,client_3,.....client_10.
Every database have same stored procedure just say:
proc_1,proc_2,proc_3,proc_4.
So if I made any changes to one of my stored procedure then it should get updated in all other database So that I don't have to do it manually.
I know the similar question have been asked but I am looking for some different approach. So what I want is some kind of mysql query or something like that in which we will pass the name of the database like:
client_1, client_3, client_8
and changes will only made to this databases.
I am using heidiSql- 10.2 with MySQL 5.6.
Thanks.
I am not entirely sure what you are wanting to do but I think you want something like this. First save the definition of your stored procedure to a file. Make sure it doesn't contain an schema references like client1.tableA. You want it to be able to run in any copy of your schema correctly. Be sure to follow the syntax rules defined by MySQL
Defining Stored Programs
Then once the stored procedure is saved you can use the mysql command line to run it for each client you want to update.
You would first connect to the database server using the mysql command line. Then issue a USE command to activate the first client database. Then run the script using the SOURCE command. See MySQL Batch Commands Then repeat for each client.
USE client1;
source c:\temp\storedProcedure.sql
USE client2;
source c:\temp\storedProcedure.sql
If this is not exactly what you needed hopefully it gives you some ideas to get you what you need.
Note that you could do the connection to the database and execute these commands via batch file instead of manually if you wanted to.
There are no statements in MySQL that create/drop/alter multiple procedures at once. You can only change one procedure at a time.
You can write an SQL script that includes a series of statements. But it's up to you to write that script.
You may write some script in Python (or other favorite language) that outputs the SQL script.
I don't know HeidiSQL, but I doubt it has any facility to apply the same change to many procedures. Nor does any other MySQL client that I'm aware of.
I use SQL tab in phpMyAdmin to test statements, but some queries does not work, like, USE query; But, for example, after running USE statement and then using USE DATABASE() to check, null value returned.
USE dbname;
USE dbname
USE `dbname`;
I want to be able to run SQL statements on specific database; and this is possible after selecting (after using USE statement) database. I can click on the database name on the left sidebar and then run SQL statements, I know; But why is not possible to use "USE" statement to select database directly?
The USE statement doesn't return anything. This is why you are seeing null. It is functioning correctly.
USE sets the connection to use the database in the statement for future statements.
Is there any way in mysql to determine of a sql statement is valid before executing it? (In other word rather than execute the stamens and deal with errors I simply want to know if it is a valid statement)
I notice in Mysql workbench that then I type a query it checks it for validity, so I assume there is a way to do that?
In essence I am trying to "precheck" the sql at runtime to see if it is even valid with actually executing it.
Perhaps using the NOEXEC statement?
You can use something called 'SQL Fiddle', you have to build a schema first and then start running your sql queries, see link below:
http://sqlfiddle.com/
I know with dynamic linq you can construct expressions dynamically in the same way that you might build and execute a dynamic SQL statement - e.g. a dynamic where clause or a dynamic select list. Is it possible to do this in cases where the schema is not known at compile time?
In a database I'm working with users can define their own entities which causes new tables/columns to be created in the back-end database. At run time I'll know the table & column names I need to work with but I won't know the schema at compile time hence I can't build a DBML to work with up front.
Is there any facility for the dynamic discovery of the schema at run time or is this a case where I need to stick with building dynamic SQL statements?
As far as we understand, you don't know neither schema name nor the full structure of your schema for sure.
In this case it seems that the strongly-typed ExecuteQuery method overload will be an option.
Just write the SQL queries and add the necessary parameters (like table and column names) either using string concatenation or as parameters.