In MS Access, how do I insert a row which has one column that takes an SQL statement (SELECT) as value? In other words, how to I tell the SQL interpreter not to try to parse that statement and give me errors?
Wrap it in quotes like any other character.
INSERT INTO myTable
('MySQLColumn')
VALUES
('SELECT * FROM MyOtherTable')
Related
I am using ADO.NET and Parametrized Queries (unnamed parameters and ExecuteNonQuery method) to write to both SQL Server and MySQL dBases (the application has to work agnostically with both). With both, the primary keys of all tables are auto-incrementing.
With SQL Server I am able to set "CommandText" to the following in which case the parametrized query and the SELECT execute in an atomic fashion:
INSERT INTO myTable (param1, param2, param3) VALUES (?, ?, ?);SELECT MAX(ID) FROM myTable;
This ensures that the ID (primary key) that is returned is the one corresponding to the parametrized query.
Unfortunately, with MySQL the ";SELECT..." generates a syntax error. How can I execute a parametrized query atomically with a SELECT query using ADO.NET and MySQL?
Thanks in advance for your help!
Thanks a lot for everyone's help! As per everyone's suggestion I am no longer using Select Max(ID).
Instead with SQL Server I am adding an OUTPUT clause in the INSERT statement as suggested here:
How do I use an INSERT statement's OUTPUT clause to get the identity value?
With MySQL I am using select last_insert_id() as suggested. It works!
I need to do batch MYSQL insert/updates. I got batch insert statement to work, but when the insert comes as multiple one liners it does not.. Similarly I have not been able to generate a batch update. Please see examples below.
Batch insert statement works
$sql = "INSERT INTO `test` (`somefield`) VALUES ('test', 'test');";
db::statement($sql);
Multiple separate insert statements NOT working
$sql = "INSERT INTO `test` (`somefield`) VALUES ('test'); INSERT INTO `test` (`somefield`) VALUES ('test');";
db::statement($sql);
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO test (somefield) VALUES ('test')' at line 1 (SQL: INSERT INTO test (somefield) VALUES ('test'); INSERT INTO test (somefield) VALUES ('test');)
Batch update statement not working
$sql = "INSERT INTO 'flights' (`id`, `airline`) VALUES ('142832', 'BA') ON DUPLICATE KEY UPDATE `airline`=VALUES(`airline`);"
db::statement($sql);
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''flights' (id, airline) VALUES ('142832', 'BA') ON DUPLICATE KEY UP' at line 1
Reviewed multiple Stackoverflow posts - but I am getting something wrong
Multiple insert statements - Multiple SQL Update Statements in single query
Batch update statement - Multiple Updates in MySQL
Would appreciate help on this - thanks!
This is weird. at a quick glance it appears that the batch statement is wrong, which is supposedly working.
A semantically correct batch statement would have the brackets separate each row of data, ie. like this:
INSERT INTO test
VALUES
('test1')
, ('test2')
, ('test3');
The separate insert statements look fine, however, your database driver might not support multiple statements in its statement method (most don't, AFAIK). The work around would be to start a transaction from your client, loop through the array of statements and execute. Then when all the statements execute, commit if there were no errors, or roll back the transaction. The first option is faster though.
The update statement doesn't work because the tablename flights is quoted using single-quotes. If you want to quote schema / table / column identifiers, use back-ticks, and reserve single-quotes for string values & dates, as you have done elsewhere in the same query. It is only necessary to escape a database element name if it is a reserved word, but naming database elements things like 'into', 'user', etc. is bad practice and should be avoided.
INSERT INTO flights (`id`, `airline`)
VALUES
('142832', 'BA')
ON DUPLICATE KEY UPDATE
airline=VALUES(`airline`)
Try to unquote flights, or quote it with back ticks in your last query (the batch update statement).
Maybe my question above may be could be stupid , but I just want to know if is it possible to have insert query inside select or where.
The reason that I want to know that is if someone hack website or any application database, can the hacker input data to hacked database without my knowledge ?
the following example of SQL injection I see in other sites
http://www.example.com/empsummary.php?id=1 AND 1=-1 union select 1,group_concat(name,0x3a,email,0x3a,phone,0x2a),3,4,5,6,7,8,9 from employee
I know what exactly that above query does, but can the hacker input (use insert query) on the database or on any table ?
Yes, it can happen, if the database interface is configured to allow multiple statements in a query.
An INSERT can't run as part of a SELECT statement. But it's possible that the exploit of a vulnerability could finish a SELECT and then execute a separate insert.
Say you have a vulnerable statement like this:
SELECT foo FROM bar WHERE fee = '$var'
Consider the SQL text when $var contains:
1'; INSERT INTO emp (id) VALUES (999); --
The SQL text could be something like this:
SELECT foo FROM bar WHERE fee = '1'; INSERT INTO emp (id) VALUES (999); --'
If multi-statement queries are enabled in the database interface library, it's conceivable that an INSERT statement could be executed.
See: https://www.owasp.org/index.php/SQL_Injection
This is mostly an academic problem as I try to learn SQL better. Is there a way to do this in a single SQL statement, without first doing a row count, then another statement to insert?
Traditionally I'll do this:
SELECT COUNT(*) FROM mytable;
Then in PHP's result object I'll know the number of rows. let's say I call it $totalrows. Then I'll do
INSERT INTO mytable (`rows`) VALUES ($totalrows);
This of course requires separate queries and PHP.
I wonder if there is a way to accomplish the same using a single SQL statement? I'm using mysqli.
Of course:
INSERT INTO mytable (`rows`)
SELECT COUNT(*)
FROM mytable;
I'm trying to insert records on multiple mysql tables with similar entities(a normalized table)
I tried to do this but I get an error. I've also seen joins but it seems to work only when retrieving data.
insert into t1(pnum, hospnum) values('117', '656')
insert into t2(TELNUM, HOSPNUM) values('9981235', '676')
If you are executing these statements in a batch, you may need a semicolon to separate/terminate them:
insert into t1(pnum, hospnum) values(117, 656);
insert into t2(TELNUM, HOSPNUM) values(9981235, 676);
I suspect your fields are numbers not strings, try this:
insert into t1(pnum, hospnum) values(117, 656)
insert into t2(TELNUM, HOSPNUM) values(9981235, 676)
No need to use quotes for numbers otherwise you will get an error.
MySQL does not support a statement that inserts into two different tables.
The only option is to use a trigger on t1 that inserts to t2, but of course you don't have access to the telnum value in a trigger; you only have the columns of t1. So this won't work in your situation.
You must execute the two inserts as separate SQL statements.