I am writing some reports code, which requires executing complex sql code and executing this using raw connection. I am good for the static paramteres but not sure how to handle the dynamic values.
I prepare the dynamic sql and then create a statement object
st = conn.prepare(dynamic_sql_string)
st.execute(dynamic values).
How do I create this dynamic values code?
In one it will be
st.execute(#first_name)
and in second case it will be
st.execute(#last_name).
How do I write this dynamic code?
Got it, you do this using
eval "st.execute(dynamic values").
Related
I am dynamically creating mysql statements in Node JS using the mysql2 library to retrieve and store data,
I recently began getting a bug 'Can't create more than max_prepared_stmt_count statements (current value: 16382)'
After doing some digging I realised I was not using placeholders within my statements and thus cached statements were not closed, as I begun changing my code to utilise the placeholders to prevent this I also realised that you can not use placeholders for the names of schema objects.
An example of many is:
let obj = await pool.execute(select * from + config_schema + .parameters);
Firstly I am unsure if this will be contributing to my prepared statements, and secondly if there is a better way to do what I am trying to achieve.
Any help/advice is greatly apricated!
Using .query() instead of .execute resolved this issue as .execute() in this library will prepare statements.
Is it possible to use JOOQ to form a simple string query without creating factory using connection as compile time check is not required?
I dont want to establish the connection first and generate the classes
Yes you can execute SQL as strings. But you will loose all benefits from code completion will writing queries and the type safety and this is the many advantage of jOOQ over using plain JDBC.
// Create a Query object and execute it:
Query query = create.query("DELETE FROM BOOK");
query.execute();
// Create a ResultQuery object and execute it, fetching results:
ResultQuery<Record> resultQuery = create.resultQuery("SELECT * FROM BOOK");
Result<Record> result = resultQuery.fetch();
Please also checkout the documentation. https://www.jooq.org/doc/3.13/manual-single-page/#sql-execution
I'm using a MySql database and was trying to find a MySQL alternative to tedious.js (a SQL server parameterised query builder).I'm using Node.js for my backend.
I read that the .raw() command from knex.js is susceptible to sql injection, if not used with bindings.
But are the other commands and knex.js as a whole safe to use to prevent sql injection? Or am I barking up the wrong tree?
Read carefully from knex documentation how to pass values to knex raw (http://knexjs.org/#Raw).
If you are passing values as parameter binding to raw like:
knex.raw('select * from foo where id = ?', [1])
In that case parameters and query string are passed separately to database driver protecting query from SQL injection.
Other query builder methods always uses binding format internally so they are safe too.
To see how certain query is passed to database driver one can do:
knex('foo').where('id', 1).toSQL().toNative()
Which will output SQL string and bindings that are given to driver for running the query (https://runkit.com/embed/2yhqebv6pte6).
Biggest mistake that one can do with knex raw queries is to use javascript template string and interpolate variables directly to SQL string format like:
knex.raw(`select * from foo where id = ${id}`) // NEVER DO THIS
One thing to note is that knex table/identifier names cannot be passed as bindings to driver, so with those one should be extra careful to not read table / column names from user and use them without properly validating them first.
Edit:
By saying that identifier names cannot be passed as bindings I mean that when one is using ?? knex -binding for identifier name, that will be rendered as part of SQL string when passed to the database driver.
I have an HTML form that I'm using to submit some SQL data. I'd like to pass the MYSQL function LAST_INSERT_ID() as a value but when I do this there are single tick marks that get added the the function upon insert and it fails, like this 'LAST_INSERT_ID()'.
I want to be able to use this function so I can call what that ID was.
Is it possible to pass this function successfully?
No, you can't pass SQL code instead of values and have it automatically executed on the server.
(Can you imagine how that could have been used by someone with not so good intentions...?)
You could send a special "magic" value, that the code on the server would recognise, and change the query to use last_insert_id() for the value. (You could use the function name as magic value, but you should probably use something less obvious.)
To insert code in a query like that, you need to create the SQL query dynamically. When you create queries dynamically, make sure to escape values properly so that the code isn't open to SQL injection attacks.
Is it possible to override the SQL generated by LINQ to SQL, for optimisation purposes?
You could use the ExecuteQuery method instead. This is useful if you want to leverage a function that's available in SqlServer but not in Linq (IE PIVOT, etc...)
For instance:
var query = db.ExecuteQuery<MyType>( #"SELECT ... FROM ... WHERE ...");
One way I have used:
Create a stored proc, use the linq to sql designer to drag the proc into the design surface. Call the resulting method instead.