Hallo all.
I need to run the 'replace([column], [new], [old])' in a query executing on n Access 2003 DB. I know of all the equivalent stuff i could use in SQL, and believe me I would love to, but i don't have this option now. I'm trying to do a query where all the alpha chars are stripped out of a column ie. '(111) 111-1111' simply becomes '1111111111'. I can also write an awsum custom VBA function and execute the query using this, but once again, can't use these functions through JET. Any ideas?
Thanx for the replies guys. Ok let me clarify the situation. I'm running an .NET web application. This app uses an Access 2003 db. Im trying to do an upgrade where I incorporate a type of search page. This page executes a query like: SELECT * FROM [table] WHERE replace([telnumber], '-', '') LIKE '1234567890'. The problem is that there are many records in the [telnumber] column that has alpha chars in, for instance '(123) 123-1234'. This i need to filter out before i do the comparison. So the query using a built in VBA function executes fine when i run the query in a testing environment IN ACCESS, but when i run the query from my web app, it throws an exception stating something like "Replace function not found". Any ideas?
Based on the sample query from your comment, I wonder if it could be "good enough" to rewrite your match pattern using wildcards to account for the possible non-digit characters?
SELECT * FROM [table] WHERE telnumber LIKE '*123*456*7890'
Your question is a little unclear, but Access does allow you to use VBA functions in Queries. It is perfectly legal in Access to do this:
SELECT replace(mycolumn,'x','y') FROM myTable
It may not perform as well as a query without such functions embedded, but it will work.
Also, if it is a one off query and you don't have concerns about locking a bunch of rows from other users who are working in the system, you can also get away with just opening the table and doing a find and replace with Control-H.
As JohnFx already said, using VBA functions (no matter if built in or written by yourself) should work.
If you can't get it to work with the VBA function in the query (for whatever reason), maybe doing it all per code would be an option?
If it's a one-time action and/or not performance critical, you could just load the whole table in a Recordset, loop through it and do your replacing separately for each row.
EDIT:
Okay, it's a completely different thing when you query an Access database from a .net application.
In this case it's not possible to use any built-in or self-written VBA functions, because .net doesn't know them. No way.
So, what other options do we have?
If I understood you correctly, this is not a one-time action...you need to do this replacing stuff every time someone uses your search page, correct?
In this case I would do something completely different.
Even if doing the replace in the query would work, performance wise it's not the best option because it will likely slow down your database.
If you don't write that often to your database, but do a lot of reads (which seems to be the case according to your description), I would do the following:
Add a column "TelNumberSearch" to your table
Every time when you save a record, you save the phone number in the "TelNumber" column, and you do the replacing on the phone number and save the stripped number in the "TelNumberSearch" column
--> When you do a search, you already have the TelNumberSearch column with all the stripped numbers...no need to strip them again for every single search. And you still have the column with the original number (with alpha chars) for displaying purposes.
Of course you need to fill the new column once, but this is a one-time action, so looping through the records and doing a separate replace for each one would be okay in this case.
Related
I'm trying to write some VBA code that will export an MS Access query.
I'd like it to be run it all from within Excel to source from a database I don't understand and don't want to tamper with. I just know I have to run a query and export it.
That's easy enough if the query doesn't rely on a user-input value to run (EG beginning/end dates) but if it needs input I can't find a good way to make that be set automatically.
I've seen some clever options here:
https://bytes.com/topic/access/answers/466248-can-i-pass-parameters-macro-query
A) Putting the SQL underlying the query within the VBA, but that can get very unwieldy, especially with big queries that I'm unfamiliar with. And TBH I don't quite understand the coding behind it- but that's just me being lazy...
B) Use a form on which to record the desired value- again unwieldy and also I can't change the query code.
But I'd rather something along the lines of: cmdRun(QueryX,PARAM1,PARAM2). Is that wishful thinking?
I want to detect possible SQL injection atack by checking the SQL query. I am using PDO and prepared statement, so hopefully I am not in the danger of getting attacked by someone. However, what I want to detect is the possibility of input/resulting query string that may become a dangerous query. For example, my app--properly--will never generate "1=1" query, so I may check the generated query string for that, and flag the user/IP producing that query. Same thing with "drop table", but maybe I can check only by looping the input array; or maybe I should just check to the generated query all over again. I am using MySQL, but pattern for other drivers are also appreciated.
I have read RegEx to Detect SQL Injection and some of the comments are heading in this direction. To my help, I'm developing for users that rarely use English as input, so a simple /drop/ match on the query may be enough to log the user/query for further inspection. Some of the pattern I found while researching SQL injection are:
semicolon in the middle of sentence -- although this may be common
double dash/pound sign for commenting the rest of the query
using quote in the beginning & ending of value
using hex (my target users have small to low chance for inputting 0x in their form)
declare/exec/drop/1=1 (my app should not generate these values)
html tag (low probability coming from intended user/use case)
etc.
All of the above are easier to detect by looping the input values before the query string is generated because they haven't been escaped. But how much did I miss? (a lot, I guess) Any other obscure pattern I should check? What about checking the generated query? Any pattern that may emerge?
tl;dr: What pattern to match an SQL query (MySQL) to check for possible injection? I am using PDO with prepared statement and value binding, so the check is for logging/alert purposes.
In my shop we have two rules.
Always use parameters in SQL queries.
If for some reason you can't follow rule one, then every piece of data put into a query must be sanitized, either with intval() for integer parameters or an appropriate function to sanitize a string variable according to its application data type. For example, a personal name might be Jones or O'Brien or St. John-Smythe but will never have special characters other than apostrophe ', hyphen -, space, or dot. A product number probably contains only letters or numbers. And so forth.
If 2 is too hard follow rule 1.
We inspect code to make sure we're doing these things.
But how much did I miss?
You guess right. Creating a huge blacklist wouldn't make your code immune. This approach is history. The other questions follow the same idea.
Your best bets are:
Validating input data (input doesn't necessarily come from an external party)
Using prepared statements.
Few steps but bulletproof.
Not possible.
You will spend the rest of your life in an armament race -- you build a defense, they build a better weapon, then you build a defense against that, etc, etc.
It is probably possible to write a 'simple' SELECT that will take 24 hours to run.
Unless you lock down the tables, they can look, for example, at the encrypted passwords and re-attack with a root login.
If you allow any type of string, it will be a challenge to handle the various combinations of quoting.
There are nasty things that can be done with semi-valid utf8 strings.
And what about SET statements.
And LOAD DATA.
And Stored procs.
Instead, decide on the minimal set of queries you allow, then parameterize that so you can check, or escape, the pieces individually. Then build the query.
Can anyone explain me meaning of this query?
-999.9 and(select 1 from(select count(*),
concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e))
from `information_schema`.tables limit 0,1),floor(rand(0)*2))x
from `information_schema`.tables group by x)a)--
I found that required fields in form are filled by 1 and email id was field by this particular query. In form, I have sequence like name, mobile nu, email id and other details. After email id whatever fields are there, were filled by blank or 'null' and before email id all fields were filled by '1'.
It is a blind SQL injection. It is used when the site is not vulnerable to normal SQL injection. Your site validates the input data, probably not correctly but well enough to not let information leak through SQL injection.
Blind SQL injection does not attempt to get information directly; if a leak is found then there is no need for blind injection in the first place.
How it works: it injects strange embedded queries like the one mentioned in the question and it checks the behaviour of the page. A page that checks the result of its queries produces a different content when a query fails. It displays an error message or redirects to some page or, sometimes, it doesn't produce any output (when the "handling" of the query failures is like "or die()").
The blind SQL injection makes an assumption then produces and injects a query that either runs correctly or fails. It checks the page content to know if the injected part made the query succeed or fail. Depending on the result (success or failure), the injection script knows if its assumption was true or false then it takes a decision and tries again with a different assumption.
I cannot tell what is testing this injection fragment. It makes the query fail on the MySQL version I am using because of the group by x part. Maybe it succeeds on other versions (MySQL 4?); in this case it is used only to detect the version of the MySQL. It's not about the exact version but the major version. There are small things changed here and there on major MySQL versions and it's important for the attacker script to know what version is running. This way it knows what language features it can use. If it does not use the correct syntax then all its queries fails and its goal cannot be accomplished. :-)
One of the legacy websites I am maintaining was attacked a couple of months ago in a similar fashion. We thought all the input data was correctly checked and there is no way to inject something into it. It happened that a small hole still existed, somebody decided to attack the site (to extract email addresses probably) and the tool they used found the hole and started injecting queries through it.
The inject query was something like 2 RLIKE (SELECT ...) where ... stands for a complicated query that selects the name of the Nth object (table or column) from information_schema (using LIMIT), uses function MID(name, K, 1) to extract the Kth character from the selected name then compares that character with a specified character (using IF() or CASE) to eventually produce 2 or something that was not a valid regular expression.
Each request is checking a single character of a single table or field name against a certain character from the ASCII set. If the checked character is smaller than the one provided by the injector then the injected part evaluates to 2 RLIKE 2 and the query run normally. Otherwise it evaluates to something 2 RLIKE ( and the query fails. This way, the injector script divides in half the range of potential values for the character it is testing. The next queries shrinks it again and again until it founds the exact character. It requires up to 7 injected requests to find a single character of a single name of table of field.
Then it starts over with the character at position K+1 and so on. Using the same technique but with a different query, the script finds first how long is the name it wants to find.
The process is tedious but that's why the computers were invented in the first place: to do tedious work for humans.
For example, say I'm creating a table which stores promo codes for a shipping site. I want to have the table match a promo code with the code's validator, e.g.
PROMO1: Order must have 3 items
PROMO2: Order subtotal must be greater than $50
I would like to store the query and/or routine in a column in the table, and be able to use the content to validate, in the sense of
SELECT * FROM Orders
WHERE Promo.ID = 2 AND Promo.Validation = True
Or something to that effect. Any ideas?
I wouldn't save the query in the database, there are far better possibilities.
You have to decide, which best fits your needs (it's not clear for me based on your question). You can use
Views
or
Prepared Statements
or
Stored Procedures
There's probably a better way to solve the issue, but the answer to your question is to write stored procedures that return the results you want. Where I work (and I hate this design), they actually store all queries and dml used by the application in stored procedures.
You can also dynamically build your queries using dynamic sql. For MySql, see the post below which might be of some help to you.
How To have Dynamic SQL in MySQL Stored Procedure
Otherwise, you can also store your queries in a string format in the database, and retrieve them and execute them using the EXECUTE statement, such as that post points out.
I'd personally keep away from designs like that though. Storing queries in XML isn't a bad alternative, and have your app be written to be extensible and configurable from XML, so you don't need to make code changes to add new validation logic, and instead just have to configure it in XML.
I have been using an application I have made to distribute around my company which gives an average non-techie user(accountant, marketing type, mgmt) the ability to query any size DB with fast and friendly results. It uses the Dynamic.cs class to
Select all tables in a given DB
Select some filtered columns/fields in any Table
At runtime it figures out what the type is and then chooses which operators the user
can enter to aid their query
It gives the ability to only display the fields the user selects.
and Finally it gives the ability to Order and Group By
People, especially my superiors, LOVE it as it is incredibly useful. I can put this application on any DB and in 5 minutes they are able to query and export to Excel Worksheets in seconds.
Now, here is my issue, when I generate my select clause, if I have the field named "Object" I get a parse error from Dynamic.cs "Expecting a "(" or a "." - I am quite sure this is a keyword issue, and when the Parser hits the word Object it gets confused.**
One of my developers thinks, oh just write a partial class to get around the issue, but I think this is a serious enough bug, that I would like to fix the Dynamic.cs class -
Can anyone help me on this??? I have researched but have not found anything to point me in the right direction. I am pretty sure I could fix this but time is not on my side
Thanks in advance!!
First of all you are making a syntax error i guess, secondly even if you remove that syntax error it wont work because you are trying to create a dynamic select statement I guess, which is not as simple as you guess.
Dynamic linq library or regular expression can help you.