I want to print the number of rows retrieved from an updateQuery() statement in JDBC (mysql database). The code I have till now is this:
int rows=0;
//constructor sets this up like opening connection, etc...
String buildSelectQuery = buildSelectQueryForCode();
stmt = connection.createStatement();
rows= stmt.executeUpdate(buildSelectQuery); <---- mismatch
System.out.println(rows);
Where buildSelectQuery is CREATE VIEW viewName AS (SELECT * FROM tableName WHERE gen-congruence>1). There is a getRows method as well in the class:
public String getRows(){
return Integer.toString(rows);
}
Now, this query should ideally pull out over 2000 records and this is done in the view as well (in the database actually) but the getRows (which is being called in the GUI) prints out incorrect number of rows in the view (0) and I have no idea why. Is there another method to setup the result set? Am I doing something wrong? Please help me.
Your query is creating a view, not selecting from the view, so no rows are returned. You need to update rows when some rows are read.
Related
I would like to get the number of row affected / deleted / updated with a TMSSqlRow.
Here is how the job is:
the file use contains a lot of sql statement like DELETE ... INSERT ... UPDATE...
each row are separate by ";"
But now, I would like to get result of each statement (x rows updated, like results are display in management studio).
When I go to "advanced settings" tab of tmssqlrow, I select " Propagate QUERY's recordset" and select a column I created before (Object Type).
On execution, I have this error:
The executeQuery method must return a result set.
So, how I can get the result of each statement and insert it (by example) in a database / file?
The option "Propagate QUERY's recordset" must be used in combination with a tParseRecordSet in order to extract info from the returned recordset. However, that is not sufficent: you must explicitly write the query to return the number of records updated/deleted.
Here's what I did:
My tJDBCRow (same as tMSSqlRow) query looks like this (notice how I had to add 'set nocount on' before the update query, and 'select ##rowcount' after)
tParseRecordSet retrieves the number of lines from the column resultset (nbLines is the alias of my rowcount)
If you need the number of rows affected, a better option is to use the tMSSqlOutput component which can update,insert or delete rows. After execution, the component provides global variables to show how many rows were affected by the operation.
((Integer)globalMap.get("tMSSqlOutput_1_NB_LINE"))
((Integer)globalMap.get("tMSSqlOutput_1_NB_LINE_UPDATED"))
((Integer)globalMap.get("tMSSqlOutput_1_NB_LINE_INSERTED"))
((Integer)globalMap.get("tMSSqlOutput_1_NB_LINE_DELETED"))
In BIRT, When i try to fetch the records from my localhost, its working fine. But when i try to work with remote connection i am getting error as specified below:
Error :
org.eclipse.birt.data.engine.odaconsumer.OdaDataException: Cannot get the result set metadata.
org.eclipse.birt.report.data.oda.jdbc.JDBCException: SQL statement does not return a ResultSet object.
SQL error #1:Table 'test.TBLUSERS' doesn't exist ... 63 more
Caused by: com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Table 'testbms.TBLUSERS' doesn't exist
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985)
Note:
Tablenames are automatically changing to capital letters, is that because of it.
Because client server is linux and is it acting with case sensitive.
But it displays column names but not the records. As soon as i click
on finish, i get the error as specified in the below images.
Reference Image:
As you can see in the above image, it has populated the table columns in the second row
Is their any special configurations need to be done for remote connection or am i doing anything wrong?
As you stated, it is probably a case of case-sensitivity:
http://dev.mysql.com/doc/refman/5.0/en/identifier-case-sensitivity.html
Although database and table names are not case sensitive on some
platforms, you should not refer to a given database or table using
different cases within the same statement. The following statement
would not work because it refers to a table both as my_table and as
MY_TABLE: mysql> SELECT * FROM my_table WHERE MY_TABLE.col=1;
If your development box isn't case sensitive then when you change the case of your tablename to match that on production you'll still be able to test. There might also be a way in MySQL using system tables. (See the following query for an example of querying to see if a table exists.):
SELECT count(*)
FROM information_schema.tables
WHERE table_schema = <schema-or-db-name>
AND table_name = <table-or-view-name>
but more realistically, your target database should be passed to your report through a variable that you can check in the scripting of the dataset. Set the "this.query" value to equal the appropriate query based on that variable's value.
E.G.:
if ( params["source_db"].value == "Server=myProductionAddress;Database=myProductionDB;Uid=myUsername;Pwd=myPassword;" )
{
this.query = "SELECT .... prodTableName";
}
else
{
this.query = "SELECT .... devTableName";
}
Here's the story. I'm testing doing some security testing (using zaproxy) of a Laravel (PHP framework) application running with a MySQL database as the primary store for data.
Zaproxy is reporting a possible SQL injection for a POST request URL with the following payload:
id[]=3-2&enabled[]=on
Basically, it's an AJAX request to turn on/turn off a particular feature in a list. Zaproxy is fuzzing the request: where the id value is 3-2, there should be an integer - the id of the item to update.
The problem is that this request is working. It should fail, but the code is actually updating the item where id = 3.
I'm doing things the way I'm supposed to: the model is retrieved using Eloquent's Model::find($id) method, passing in the id value from the request (which, after a bit of investigation, was determined to be the string "3-2"). AFAIK, the Eloquent library should be executing the query by binding the ID value to a parameter.
I tried executing the query using Laravel's DB class with the following code:
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3-2"));
and got the row for id = 3.
Then I tried executing the following query against my MySQL database:
SELECT * FROM table WHERE id='3-2';
and it did retrieve the row where id = 3. I also tried it with another value: "3abc". It looks like any value prefixed with a number will retrieve a row.
So ultimately, this appears to be a problem with MySQL. As far as I'm concerned, if I ask for a row where id = '3-2' and there is no row with that exact ID value, then I want it to return an empty set of results.
I have two questions:
Is there a way to change this behaviour? It appears to be at the level of the database server, so is there anything in the database server configuration to prevent this kind of thing?
This looks like a serious security issue to me. Zaproxy is able to inject some arbitrary value and make changes to my database. Admittedly, this is a fairly minor issue for my application, and the (probably) only values that would work will be values prefixed with a number, but still...
SELECT * FROM table WHERE id= ? AND ? REGEXP "^[0-9]$";
This will be faster than what I suggested in the comments above.
Edit: Ah, I see you can't change the query. Then it is confirmed, you must sanitize the inputs in code. Another very poor and dirty option, if you are in an odd situation where you can't change query but can change database, is to change the id field to [VAR]CHAR.
I believe this is due to MySQL automatically converting your strings into numbers when comparing against a numeric data type.
https://dev.mysql.com/doc/refman/5.1/en/type-conversion.html
mysql> SELECT 1 > '6x';
-> 0
mysql> SELECT 7 > '6x';
-> 1
mysql> SELECT 0 > 'x6';
-> 0
mysql> SELECT 0 = 'x6';
-> 1
You want to really just put armor around MySQL to prevent such a string from being compared. Maybe switch to a different SQL server.
Without re-writing a bunch of code then in all honesty the correct answer is
This is a non-issue
Zaproxy even states that it's possibly a SQL injection attack, meaning that it does not know! It never said "umm yeah we deleted tables by passing x-y-and-z to your query"
// if this is legal and returns results
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3"));
// then why is it an issue for this
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3-2"));
// to be interpreted as
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3"));
You are parameterizing your queries so Zaproxy is off it's rocker.
Here's what I wound up doing:
First, I suspect that my expectations were a little unreasonable. I was expecting that if I used parameterized queries, I wouldn't need to sanitize my inputs. This is clearly not the case. While parameterized queries eliminate some of the most pernicious SQL injection attacks, this example shows that there is still a need to examine your inputs and make sure you're getting the right stuff from the user.
So, with that said... I decided to write some code to make checking ID values easier. I added the following trait to my application:
trait IDValidationTrait
{
/**
* Check the ID value to see if it's valid
*
* This is an abstract function because it will be defined differently
* for different models. Some models have IDs which are strings,
* others have integer IDs
*/
abstract public static function isValidID($id);
/**
* Check the ID value & fail (throw an exception) if it is not valid
*/
public static function validIDOrFail($id)
{
...
}
/**
* Find a model only if the ID matches EXACTLY
*/
public static function findExactID($id)
{
...
}
/**
* Find a model only if the ID matches EXACTLY or throw an exception
*/
public static function findExactIDOrFail($id)
{
...
}
}
Thus, whenever I would normally use the find() method on my model class to retrieve a model, instead I use either findExactID() or findExactIDOrFail(), depending on how I want to handle the error.
Thank you to everyone who commented - you helped me to focus my thinking and to understand better what was going on.
This is gonna be a dumb question, but I've been working with this code for years and never stopped to understand the what and why....
This is a very typical query I would copy and edit:
mysql_select_db($database_db, $db);
$query_qry_details = sprintf("Select * from table where id = %s", $KTColParam1_qry_details);
$qry_details = mysql_query($query_qry_details, $db) or die(mysql_error());
$row_qry_details = mysql_fetch_assoc($qry_details);
$totalRows_qry_details = mysql_num_rows($qry_details);
What do all these rows mean?
The first I know looks up the correct database. I have this line before each query on the page....do I need this?
The second row ($query_qry_details) is the query itself. I see that.
Rows 3 and 4 - no clue...
Row 5 is obviously a count of the number rows the query returns.
Thanks in advance as always.
EDITED
Shortly:
mysql_select_db(database_name, link_identifier) - Sets the cuurent active database on server that is associated with the specified link identifier.
sprintf - Return formatted string which acts as a query.
mysql_query or die - Sends a unique query to the database previously specified or exit from query.
mysql_fetch_assoc - Returns an associative array that corresponds to the fetched row and moves the internal data pointer ahead.
mysql_num_rows - Retrieves the number of rows from a result set.
I'm trying to use the prepareStatement function. The code is below. After it executes, it returns me a bunch of vlicense strings instead of the values.
When the code finishing the statement.setString(), the statement becomes:
select 'vlicense' from Vehicle
However, it needs to be:
select vlicense from Vehicle
without the quotation marks. Can anyone tell me what's the problem?
statement = oConnection.prepareStatement("select ? from Vehicle");
String tempString = "vlicense";
statement.setString(1, tempString);
resultSet = statement.executeQuery();
You can't use parameter markers for column names, table names, data type names, or basically anything that isn't data.
When you add a bind variable to a statement like this it is escaped, so that actual SQL string in your example would go to the database as "SELECT 'vlicense' FROM Vehicle', selecting a literal string instead of the column name you want.
You need to concatenate that variable column name into your SQL statement before you prepare it:
statement = oConnection.prepareStatement("SELECT " + vlicense + " FROM Vehicle");
Bind variables are really for query parameters as opposed to dynamic queries.
The ? can't be used to specify the fields, just to do some filters in your query like:
statement = conn.prepareStatement("select field from Vehicle where name=?");
In your case your query is built as:
select 'vlicense' from Vehicle
which means: GET ME A STRING 'vlicense' FOR EACH RECORD OF 'Vehicle'. And you'll get n repeated strings depending on the number of records in your table
It has nothing to do with jdbc, prepared-statements or mysql.
It's just a wrong sql statement.
If you type:
Select 'justanexample' from Vehicle
and the table contains 4 lines, you will get 4 times
'justanexample'
'justanexample'
'justanexample'
'justanexample'
as result.
You did not specify your the table structure, but I guess the
statement should somehow look like this:
select * from Vehicle where license = ?