I am going to write a bash script to manipulate user's data on mysql DB.
Here is the problem. I need to pass a variable's value into a Mysql query string:
read USERNAME;
echo "USE drupdb; SELECT uid FROM users WHERE name= '%USERNAME';" > /tmp/query.sql ;
Whatever combinations that I've used (including backslashs befor single-quotes to scape them) did not do the trick. I still get something other than the value of %USERNAME inside the query.sql.
I appreciate your hints.
You need to use $ to dereference a variable. Change %USERNAME to $USERNAME and everything should work fine:
read USERNAME;
echo "USE drupdb; SELECT uid FROM users WHERE name= '$USERNAME';"
Related
$ is used as root object for get_json_object. My json string has already $ in the name of json key, how can I extract it's value? I dont want to use json_tuple.
create external table testing_hive (records string);
insert into testing_hive values("{\"$num\":\"hey\"}");
select get_json_object(testing_hive.records, '$.$num') from testing_hive;
You can replace "$num" with something else without $ in it, for example "xx_num":
select get_json_object(regexp_replace(testing_hive.records,'\\"\\$num\\"','\\"xx_num\\"'), '$.xx_num') as num from testing_hive;
Result:
hey
Also you can replace $ for all keys with some other prefix in single regex_replace:
regexp_replace(testing_hive.records,'\\"\\$(.*?\\":)','\\"xx_$1')
I included ": in the pattern to make sure it will match keys only, not values. Use '$1' as a replacement instead of '\\"xx_$1' if you want to remove $ and leave key without $ as is.
Hope you got the idea. Modify regex pattern accordingly.
use DBI;
my $jobID = 1;
$dbh = DBI->connect("dbi:mysql:$database:$db_server", $user, $password) or die "Connection ERROR!";
$dbh->do('USE MultiRunScheduler');
$dbh->do('UPDATE Scheduler SET RequestStatus="CANCELED" WHERE ID="$jobID";')
print "Scheduled Jobs deleted";
I'm trying to change the RequestStatus field of a database based on ID but it's not working through the UPDATE statement. It prints out Scheduled Jobs deleted and the entire program runs successfully but it doesn't update the database RequestStatus field. If I remove ID="$jobID" and change it to ID=1 then the RequestStatus entry in the database changes.
Any idea how to get around this?
Perl does not expand variables inside single-quoted strings.
http://perldoc.perl.org/perldata.html#Scalar-value-constructors says in part:
String literals are usually delimited by either single or double quotes. They work much like quotes in the standard Unix shells: double-quoted string literals are subject to backslash and variable substitution; single-quoted strings are not (except for \' and \ ).
Also you should use single-quotes for string delimiters inside your SQL.
So this:
$dbh->do('UPDATE Scheduler SET RequestStatus="CANCELED" WHERE ID="$jobID";')
Should be this:
$dbh->do("UPDATE Scheduler SET RequestStatus='CANCELED' WHERE ID='$jobID'");
If you want to really use best practices, use bind parameters in your SQL instead of putting variables inside strings. Then you don't need to worry about what kind of quotes you use. Even if the parameter is a string type, you don't put the parameter placeholder in quotes in SQL.
Example:
$dbh->do("UPDATE Scheduler SET RequestStatus='CANCELED' WHERE ID=?", undef, $jobID);
I am having the following problem:
I have a table T which has a column Name with names. The names have the following structure:
A\\B\C
You can create on yourself like this:
create table T ( Name varchar(10));
insert into T values ('A\\\\B\\C');
select * from T;
Now if I do this:
select Name from T where Name = 'A\\B\C';
That doesn't work, I need to escape the \ (backslash):
select Name from T where Name = 'A\\\\B\\C';
Fine.
But how do I do this automatically to a string Name?
Something like the following won't do it:
select replace('A\\B\C', '\\', '\\\\');
I get: A\\\BC
Any suggestions?
Many thanks in advance.
You have to use "verbatim string".After using that string your Replace function will
look like this
Replace(#"\", #"\\")
I hope it will help for you.
The literal A\\B\C must be coded as A\\\\A\\C, and the parameters of replace() need escaping too:
select 'A\\\\B\\C', replace('A\\\\B\\C', '\\', '\\\\');
output (see this running on SQLFiddle):
A\\B\C A\\\\B\\C
So there is little point in using replace. These two statements are equivalent:
select Name from T where Name = replace('A\\\\B\\C', '\\', '\\\\');
select Name from T where Name = 'A\\\\B\\C';
Usage of regular expression will solve your problem.
This below query will solve the given example.
1) S\\D\B
select * from T where Name REGEXP '[A-Z]\\\\\\\\[A-Z]\\\\[A-Z]$';
if incase the given example might have more then one char
2) D\\B\ACCC
select * from T where Name REGEXP '[A-Z]{1,5}\\\\\\\\[A-Z]{1,5}\\\\[A-Z]{1,5}$';
note: i have used 5 as the max occurrence of char considering the field size is 10 as its mentioned in the create table query.
We can still generalize it.If this still has not met your expectation feel free to ask for my help.
You're confusing what's IN the database with how you represent that data in SQL statements. When a string in the database contains a special character like \, you have to type \\ to represent that character, because \ is a special character in SQL syntax. You have to do this in INSERT statements, but you also have to do it in the parameters to the REPLACE function. There are never actually any double slashes in the data, they're just part of the UI.
Why do you think you need to double the slashes in the SQL expression? If you're typing queries, you should just double the slashes in your command line. If you're generating the query in a programming language, the best solution is to use prepared statements; the API will take care of proper encoding (prepared statements usually use a binary interface, which deals with the raw data). If, for some reason, you need to perform queries by constructing strings, the language should hopefully provide a function to escape the string. For instance, in PHP you would use mysqli_real_escape_string.
But you can't do it by SQL itself -- if you try to feed the non-escaped string to SQL, data is lost and it can't reconstruct it.
You could use LIKE:
SELECT NAME FROM T WHERE NAME LIKE '%\\\\%';
Not exactly sure by what you mean but, this should work.
select replace('A\\B\C', '\', '\\');
It's basically going to replace \ whereever encountered with \\ :)
Is this what you wanted?
I'm getting the value of a field from a mysql database. The value has single quotes in both sides like this: 'foo'.
When I retrieve the data using a PHP method from the html template, I get this code:
'foo'
but I want it shows just 'foo' (with the quotes).
Any idea?
Javier
' is the ASCII code for apostrophe-quote.
If using PHP, use html_entity_decode() around the data being displayed from the database.
i.e. echo html_entity_decode($database_field_data);
http://www.php.net/manual/en/function.html-entity-decode.php
use str_replace.
echo str_replace("'" , "'" , $data['string']);
I am using MySQL with MATLAB, and I want to get a name from user, and pass it to the table in mySQL, but it is rejecting a variable name in place of string
var_name=input('enter the name:');
mysql('insert into table (name) values (var_name)');
Any suggestions?
FIRST read the comments to this question - you don't want to shoot yourself in the foot with a mysql injection security problem. You have been warned. Now, to solve your current problem, without addressing the security risk of the whole approach when it comes to building SQL queries, read on...
In principle Amro has already posted two solutions for you which work, but since you have not accepted it I'll explain further.
Your problem is that you are not telling MATLAB which parts of your query it should interpret as a literal string, and which parts it should interpret as a variable name. To solve this, you can just end the literal string where appropriate, i.e. after the opening brackets, and then start them again before the closing brackets.
In between those literal strings you want to add the contents of your variables, so you need to tell MATLAB to concat your literal strings with your variables, since the mysql command probably expects the whole query as a single string. So in essence you want to take the string 'insert into table(' and the string saved in the variable name and the string ') values (' and so on and glue them into one big string. Amro and Isaac have shown you two solutions of how to do this without much explanation:
horzcat('insert into table (', name, ') values (', var_name, ')')
uses the function horzcat, while
['insert into table (' name ') values (' var_name ')']
uses the fact that MATLAB treats strings as arrays of characters so that you can just use square brackets to form a large array containing the strings one after the other.
The third solution, offered by Amro, is a bit more sublte:
sprintf('insert into table (%s) values (%s)',name,var_name)
It tells the function sprintf (which is made for that purpose) "take the string which I supply as first parameter and replace occurences of %s with the strings I supply as the following parameters. This last technique is in particular useful if you also need to insert numbers into your string, because sprintf can also convert numbers to string and allows fine control over how they are formatted. You should have a close look at the help page for sprintf to know more :-).
Try this instead:
mysql(['insert into table (' name ') values (' var_name ')']);
or even:
mysql(sprintf('insert into table (%s) values (%s)',name,var_name));
I believe the problem you are having is the same as the one in this other question. It sounds like you want to create a command string that itself contains a ' delimited string, which would require you to escape each ' with another ' when you create your command string (note the first example in this string handling documentation). Note also you may want to use the 's' option for the INPUT function:
var_name = input('Enter the name: ','s'); %# Treats input like a string
commandString = sprintf('insert into table (name) values (''%s'')', var_name);
%# Note the two apostrophes --^
mysql(commandString);
If I were to enter Ken for the input, the string commandString would contain the following:
insert into table (name) values ('Ken')
And of course, as others have already mentioned, beware injection vulnerabilities.