I have a insertion statement that will insert the values from text boxes. It working fine now i want to check the text box must not be empty by using sql query.
My insertion statement is like this:
INSERT INTO guestpasstypes(guestPasstype_Name)values('" + tbPassType.Text + "')"
I also agree that you should avoid calling that SQL, due to the potential for injection attacks, but if for some reason, your really need to do it, then this should do the trick:
"INSERT INTO guestpasstypes(guestPasstype_Name)
select '" + tbPassType.Text + "' from dual where '" + tbPassType.Text + "' <> '';"
Use whatever language that you using to get the text from the text box to see if it's empty or null. Most languages have these checks. (ex: php; isempty()) Also, if you don't want spaces, use trim as well.
Make guestPasstype_Name to be NOT NULL and ensure that MySQL runs in SQL conformance mode. Following might work:
INSERT INTO guestpasstypes(guestPasstype_Name)values(
IF('" + tbPassType.Text + "'='', NULL,'" + tbPassType.Text+"')"
I can see two solutions
Check 'tbPassType.Text' before you generate sql query (recommended)
Create check constraint in the 'guestpasstypes' table like this:
ALTER TABLE dbo.guestpasstypes ADD CONSTRAINT
CK_guestPasstype_Name CHECK ((LEN(guestPasstype_Name])>(0)))
(the given example is for MSSQL but I hope MySQL has constrainrs too)
Related
I'm trying to update a database in JavaFX using JDBC and Textfields ,
The first textfields, but I keep getting SQL syntax errors.
It's a simple update syntax , but I have to use the textfield.getText() in order to fill up the data.
I tried this as the query I'll execute:
UPDATE intervention
set "+update_textfield2.getText()+" = "+update_textfield3.getText()+"
WHERE ( Numdemande ="+update_textfield.getText()+"
To explain the code above : set the database field the user entered (update_textfield2) as the value the user entered (update_textfield3) where the "Numdemande" number is x (update_textfield)
While your code is unsafe, as explained in the comments, I'll answer on the assumption that your class has not yet covered SQL injection attacks.
As for your SQL statement itself, there are several problems.
First of all, you are using double quotes " instead of single quotes '. It is unclear which dialect of SQL you are using, but most, if not all, require single quotes when passing through Strings like this.
Secondly, you are wrapping your calls to the textField.getText()
methods in quotes, meaning you're telling SQL to use that text
literally.
You have not added a closing parentheses ()) at the end of your WHERE clause. The parentheses in this case, however, are not necessary.
In essence, you're trying to pass the following statement to SQL:
UPDATE intervention
set +update_textfield2.getText()+ = '+update_textfield3.getText()+'
WHERE ( Numdemande = '+update_textfield.getText()+'
Unless you have a field called +update_textfield2.getText()+ in your table, this statement will fail.
The following String would produce the correct statement:
String statement = "UPDATE intervention " +
"SET " + update_textfield2.getText() + " = " + update_textfield3.getText() +
"WHERE Numdemande = " + update_textfield.getText() + ";";
Side Note: Please learn the Java Naming Conventions and stick to them. In your code, you've used Snake Case when naming your TextField, but should be using Camel Case instead. An appropriate name for your TextField might be something like this instead: updateTextField1
I am using jQuery in conjunction with X Editable in a web project. The backend file that edits the database table basically builds an SQL string with the cell name and value to be updated, as such:
string mysqlstring = "UPDATE SOMETABLE SET " + field + " = '" + value + "';";
I'm not an SQL expert, but it does not feel good from an SQL Injection perspective. I would much rather prefer a procedure where I can set the table name (if possible), field name and the value using Parameters somehow. Does anyone know how to do this?
Using .Net, and database is MySql.
I can not seem to get this to work as expected.
"SELECT event_positions.id as ep_id, event_positions.pos_prefered_tech, event_positions.assigned_tech_id, "
. "event_schedule.id as es_id, event_schedule.event_id, event_schedule.event_day, event_schedule.event_stime,"
. "event.id as eid, event.crewer_id as cid, event.event_title, event.crewed_by,"
. "crewer.crewer_company"
. "FROM event_schedule "
. "INNER JOIN event_positions "
. "ON event_schedule.id = event_positions.event_sched_id"
. "INNER JOIN event "
. "ON event_schedule.event_id = event.id"
. "INNER JOIN crewer "
. "ON event.crewer_id = crewer.id "
. "WHERE event_schedule.event_day >= NOW() "
. "AND event.crewer_id = ?"
If i remove the AND statement it will pull all data as expected. But I need to filter for the specific crewer_id
When I try to do this I get an empty result set. No errors.
It seems like there's some spaces missing in the generated SQL text, for example, before FROM and before INNER JOIN crewer. Are you sure this SQL statement is working?
The question mark character ? doesn't look like valid SQL. So it's likely (and we're going to assume) that this SQL text is for a prepared statement, and that the question mark is intended as a placeholder for a bind variable.
If that's the case, I suspect there's a problem with the parameter bind.
I recommend you verify that the value you are providing for the bind parameter is a value that would return rows, that is, one of the values for crewer.id that's returned by the query when this predicate is omitted.
I also suggest you test using a hardcoded literal value, in place of the question mark. Choose a literal value, again, that you know will return rows.
I suspect that when you debug this, you will find the problem is with the bind parameter. (It's only a suspicion, because there's not enough information provided for me to make a determination.)
I apologise in advance for asking what I'm sure will prove to be a very simple question.
I have a MySQL (5.5) database that includes, amongst other things, a field for telephone numbers. I'm trying to create a statement that will search that field, stripping out any spaces. So searching for '0208' will return '020 8', '02 08', '0 208', ' 0208', etc.
And this is in Delphi XE2, in case that makes a difference.
'SELECT * FROM sales_ledger WHERE REPLACE(telephone, " ", "") LIKE "%' + SearchEdit.Text + '%"'
...gives me an error...
Invalid filter in WHERE clause
...and...
'SELECT REPLACE(telephone, " ", "") FROM sales_ledger WHERE REPLACE(telephone, " ", "") LIKE "%' + SearchEdit.Text + '%"'
...gives me...
Invalid field name. General SQL error. Column not found.
...and I do actually need all fields returned anyway.
May I ask for some assistance in correcting the syntax please. If you need more information, don't hesitate to ask. Thanks very much for your time.
EDIT: One potentially critical piece of information I missed out. The table is actually a Sage database that I'm accessing through ODBC. As nothing I try is working that may well be the root problem. Apologies for not saying that earlier.
Your Query Seems Working Fine see the demo
First try this query to you DB Client
SELECT * FROM sales_ledger
WHERE REPLACE(telephone, " ", "") LIKE "%0208%"
EDIT:
if you query is still not working. fellow step by step process.
try to run a simple select query (SELECT * FROM sales_ledger)
if the first query run try adding simple where condition.
so step by step you can make your query similar to original one and find where is the actual error from.
Try this ::
SELECT
REPLACE(telephone,' ', '') as replacedColumn
FROM sales_ledger
WHERE REPLACE(telephone,' ', '') LIKE '%"+ SearchEdit.Text +"%'"
OR
Select temp1.*
from
(
SELECT
REPLACE(telephone,' ', '') as replacedColumn
FROM sales_ledger
) as temp1
WHERE temp1.replacedColumn LIKE '%"+SearchEdit.Text+"%'"
When should i use mysql_real_escape_string?
Is it only when i'm inserting rows into a database? Or only when i have user input?
Thanks
You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent sql injection attacks.
User inputs are your big area of concern when it comes to this.
You should use mysql_real_escape_string when you are inserting the value of a string into an SQL statement, and you are using the MySQL API.
$sql = "SELECT * FROM student WHERE foo = '" . $foo . "'";
Should be:
$sql = "SELECT * FROM student WHERE foo = '" .
mysql_real_escape_string($foo) . "'";
However you should also consider using PDO with prepared statements and bind parameters instead of mysql_real_escape_string. This reduces the risk of errors.
always, apart from integers, there you use intval()
It will simply filter all special character which included in form data to prevent from SQL injection(SQL injection is a hacker tool for hacking website through some queries with form data}