I wanted to create a new table, but I have a syntax error somewhere.
However I do not see where, no matter how often I look over it.
Can anybody spot my error?
Dim cmdCreate As New MySqlCommand("CREATE TABLE inout (inout_seacher TEXT,inout_guid TEXT,inout_blob LONGBLOB,inout_inouttype INTEGER,inout_automaticallyparsed TINYINT(1)," & _
"inout_price DOUBLE,inout_companyguid TEXT,inout_datetime TEXT,inout_title TEXT,inout_catid INTEGER,inout_vat INTEGER,inout_banktype INTEGER," & _
"inout_banktransferprice DOUBLE,inout_expenseinvoiceexistsinguid TEXT,inout_orderguid TEXT,inout_inoutsubtype INTEGER,inout_outinvoicetype INTEGER)", g_CnWebDB)
Thank you for the help!
Bad luck. Believe it or not 'inout' is a reserved word in MySQL. Either wrap it in backticks (`) or (better) call it something else. Also, are you sure you want DOUBLE and not DECIMAL?
"inout" is reserved word. Try other name for the table.
You can also quote the table's name using (), so (inout`) becomes acceptable.
As Strawberry already said, is a reserved word used for procedures; directly from MySQL.com:
As of MySQL 5.0.30, stored procedures that take no arguments can be
invoked without parentheses. That is, CALL p() and CALL p are
equivalent.
CALL can pass back values to its caller using parameters that are
declared as OUT or INOUT parameters. When the procedure returns, a
client program can also obtain the number of rows affected for the
final statement executed within the routine: At the SQL level, call
the ROW_COUNT() function; from the C API, call the
mysql_affected_rows() function.
Related
I need to use dynamic SQL in a stored procedure.
That dynamic SQL will create SQL object, therefore I cannot parameterize it and execute it with sp_executesql.
Is there some SQL function which will check the stored procedure parameter variable and tell me if there are some illegal characters? Or remove them or there is a list of these characters?
Something like
DECLARE #variable = 'password OR 1=1'
IF IsSqlInjectionPossible(#variable)
BEGIN
RAISERROR('Illegal input characters',16,1)
RETURN
END
or
SET #variable = removePossibleSqlInjection(#variable)
How do you do that?
Is there some SQL function which will check the stored procedure parameter variable and tell me if there are some illegal characters ?
There is no such function and it just cannot be
Simply because there are NO "characters that can cause sql injection". All characters used in injection are perfectly legal. Your idea of SQL injection is wrong. It is not something alien to the query, like a virus or a bacteria, but just regular SQL. So all you can do is to forbade characters that are used in SQL queries, which will make this function effectively wipe your query.
What character from 'password OR 1=1' statement you consider illegal?
Let us consider you have a form where users can ask for public data of their friends. Let us suppose further that the form posts an ID and you use that as a numeric value in your query:
select public_details
from users
where ID = 5
ID is a value you get from the user. It is not safe at all to allow users to choose the ID they are searching for, but let us ignore that for now for the sake of the example. Now if the user sends a post as follows
5 or 1=1
There is no illegal character, not even apostrophe. The problem is therefore that this is a business-logic issue and should be addressed at application level.
I will make simpler than it is to get the answer I need without make you read a lot of code.
MySQL stored procedure:
CREATE PROCEDURE add_player
(IN name varchar(100),
IN isTrue boolean)
BEGIN
START TRANSACTION;
insert into tags (name,is_player) values (name,isTrue);
COMMIT;
END //
player_controller.rb
ActiveRecord::Base.connection.execute("call add_player('#{name}', #{is_player})")
Two problems I see(if you see more - say):
if name contains ' it breaks the call
sql injection - I don't use ? as parameters when I call the stored procedure. The reason is that it's just not working when I'm try with ?. I tried also change it to Player.where("add_player(?,?)",name,is_player)
Did you try something like this ?
ActiveRecord::Base.connection.execute("call add_player(#{ActiveRecord::Base.sanitize(name)}, #{is_player})")
There is another way suggested on the following SO link
using sanitize_sql_array to escape strings
The only problem is that sanitize_sql_array is not a public method
I am using Qt5 to access a MySQL database. It is easy to execute INSERT queries using QSqlQuery + prepare() + bindValue().
Now I noticed that bindValue() has an optional paramType parameter that can be set to QSql::Out and QSql::InOut.
Is it correct that the QSql::Out and QSql::InOut arguments are useful when CALLing procedures and that they have no use for lets say a SELECT statement? Are there other use cases than CALL?
It turned out that QSql::Out and QSql::InOut are actually intended for use with procedure calls only.
However it also turned out that Qt/MySQL parameter binding does not support the mentioned OUT and INOUT parameters types (see here).
Inside my stored function I have :
formula := "(10+10 * 1000)/12";
(a simple math formula, with numbers only, dynamically created as a string)
How do I eval this, and return the result ?
I can't use EXECUTE (not possible inside a stored function) and if I make it a stored procedure and call it from a stored function, I get "Dynamic SQL is not allowed in stored function or trigger" -as if I would have the eval directly inside the function.
I need a stored function, and not a procedure, because I need to call it inside a SELECT statement.
I don't see what using the formula is buying you. If you're writing a stored procedure, type in the formula and forget the string.
I don't think it's in your interest to make the stored proc that dynamic where the formula being evaluated has to be changing from call to call.
If you must, you'll have to write a parser to break that string up into its constitutive parts, create a parse tree, and then walk the tree to evaluate it. It's not a trivial problem. I'd rethink this.
Apparently there is no solution to this.
I have applied a "paintfull" workaround in PHP, which I will not display here as it is not the subject of the question.
I have a problem calling a stored procedure on my MySQL server using the C API.
I use mysql_query(&handle,"CALL myprocedure") but the function fails (returns 1) and error lookup gives
the following message "Procedure myprocedure can't return a result set in the given context."
I even tried to use mysql_real_query insted, but no better.
I've seen a few topics about this bug, but only PHP related. So there seems to be the same problem for C programs too.
The weird thing is that my stored procedure is not even supposed to return any result set. It just works with data in tables, doesn't really return anything.
Thanks for any advices.
Refer to functions:
mysql_set_server_option() &
mysql_real_connect()
here.
Multiple statements are only enabled(temporarily) using the MYSQL_OPTION_MULTI_STATEMENTS_ON and _OFF arguments
to mysql_set_server_option().
The problem here is that CLIENT_MULTI_STATEMENTS in
mysql_real_connects()
implicitly enables CLIENT_MULTI_RESULTS, too, but
MYSQL_OPTION_MULTI_STATEMENTS_ON only enables multiple statements,
not multiple results.
So add CLIENT_MULTI_STATEMENTS on connect and try again.
Did you try to call this procedure from 'mysql' command line client?
Are you able to call (another) empty procedure to test if problem is related to the procedure?