I'm trying to save content to an XML data type column in Microsoft SQL Server, using JavaScript code.
var sql = "INSERT INTO Screen_Template(template_xml, template_name, OpCo, env, language, id, title, role, UID) " +
    "VALUES (N'" + XMLText + "', N'" + templateName + "', N'" + opco + "', N'" + env + "', " +
    "N'eng', " + maxID + ", N'Hermes SMS message composer', N'manag', N'10')";
connection.execute(sql);
But I'm getting an error. What could be the problem?
I have a SELECT query to a local database and for some reason the following error shows up:
ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'FROM site WHERE name = OCC AND date_start = 2018-07-30 08:00:00 AND date_end = '' at line 1
here's my query:
connection.query("SELECT *, FROM shop WHERE name = " + shop_name + " AND date_start = " + myDate + " AND date_end = " + myDate2, function (err, result)
{
    if (err)
    {
        console.log("Error Is:" + err);
    }
    else
    {
        console.log('DATA EXISTING IS =' + JSON.stringify(result));
    }
});
Am I missing something?
The usual mantra: use parameterized queries. They will prevent SQL injection and make your service more secure. Furthermore, they take care of the usual pitfalls when building a query using string concatenation.
Let's have a look at your query:
"SELECT *, FROM shop WHERE name = " + shop_name + " AND date_start = " + myDate + " AND date_end = " + myDate2
which spells out to something like
SELECT *, FROM shop WHERE name = myshop AND date_start = 2018-07-30 AND date_end = 2018-08-10
There are at least three errors:
1. The , behind the SELECT *; this is also the one the error tells you about. I suppose you had a column list and replaced it with *.
2. The shop name column is most certainly some char column, so you have to enclose your values in quotes.
3. The dates must also be used with quotes, so the SQL engine will parse them to dates and do the comparison. For some SQL engines there is also a special notation for dates. Have a look in the documentation.
This query should work,
"SELECT * FROM shop WHERE name = '" + shop_name + "' AND date_start = '" + myDate + "' AND date_end = '" + myDate2 +"'"
depending on what myDate and myDate2 are.
At least problems 2 and 3 would not happen if you used parameterized queries. Consult the documentation of the library you are using.
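As an added illustration of the answer above (this is not the asker's or the answerer's code): the SELECT from the question rewritten with mysql/mysql2-style `?` placeholders, so the values travel to the driver separately from the SQL text. No database is needed to run it: `fakeConnection` is a stand-in for the mysql `connection` object that records what it would have sent, and the dates, shop names and callback messages are constructed sample values. The concatenated form is kept beside it only to show why problem 2 bites even for honest input: a shop name with an apostrophe breaks the quoted literal.

```javascript
// Format a JS Date as the 'YYYY-MM-DD HH:MM:SS' literal MariaDB/MySQL expect.
// Uses UTC; adjust if your columns store local time.
function toSqlDateTime(date) {
  return date.toISOString().slice(0, 19).replace('T', ' ');
}

// Parameterized form: the SQL text is constant, every user-supplied value
// becomes a "?" and goes into the params array in the same order.
function buildShopQuery(shopName, dateStart, dateEnd) {
  const sql =
    'SELECT * FROM shop WHERE name = ? AND date_start = ? AND date_end = ?';
  const params = [shopName, toSqlDateTime(dateStart), toSqlDateTime(dateEnd)];
  return { sql, params };
}

// Concatenated form from the answer, kept only to demonstrate the pitfall:
// the value is spliced into the SQL text, so any quote inside it becomes SQL.
function buildShopQueryByConcat(shopName, dateStart, dateEnd) {
  return "SELECT * FROM shop WHERE name = '" + shopName +
    "' AND date_start = '" + toSqlDateTime(dateStart) +
    "' AND date_end = '" + toSqlDateTime(dateEnd) + "'";
}

// An odd number of single quotes means a string literal was broken open,
// which is exactly the ER_PARSE_ERROR the server would report.
function hasUnbalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 1;
}

// Stand-in for a mysql connection (constructed for this example): it records
// the call instead of talking to a server and pretends no rows came back.
function fakeConnection() {
  const calls = [];
  return {
    calls,
    query(sql, params, callback) {
      calls.push({ sql, params });
      callback(null, []);
    },
  };
}

// Runs the parameterized query through the stand-in connection using the
// same callback shape as the question, and returns what the driver received.
function runExample(shopName) {
  const connection = fakeConnection();
  const start = new Date(Date.UTC(2018, 6, 30, 8, 0, 0)); // constructed
  const end = new Date(Date.UTC(2018, 7, 10, 8, 0, 0));   // constructed
  const { sql, params } = buildShopQuery(shopName, start, end);
  connection.query(sql, params, function (err, result) {
    if (err) {
      console.log('Error Is:' + err);
    } else {
      console.log('DATA EXISTING IS =' + JSON.stringify(result));
    }
  });
  return connection.calls[0];
}

console.log(runExample("O'Reilly"));
```

With a real mysql or mysql2 connection the call is identical, `connection.query(sql, params, callback)`; the driver escapes each value itself, so the name `O'Reilly` reaches the server intact instead of terminating the literal.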
I am trying to implement the signature generation for OAuth in TypeScript and I had it working, but then I changed something minor (I hardcoded the URI in my method and changed that for a test) and didn't really pay attention, and now it is broken for some reason I don't know. I have been sitting here for two hours staring at my code but, for the love of god, I can't get it to work again.
calculateSignatur(URI: string, nonce: string, timestamp: number): string {
    let rawURL: string = "GET&" + encodeURIComponent(URI) + "&";
    let parameterString: string = "exact=false" +
        "&oauth_consumer_key=" + this.appToken +
        "&oauth_nonce=" + nonce +
        "&oauth_signature_method=" + this.oauth_signature_method +
        "&oauth_timestamp=" + 1511003512399 +
        "&oauth_token=" + this.accessToken +
        "&oauth_version=" + this.oauth_version +
        "&search=Black";
    let signingString = rawURL + encodeURIComponent(parameterString);
    let signingKey = encodeURIComponent(this.accessToken) + "&" + encodeURIComponent(this.accessTokenSecret);
    let signatur: string = CryptoJS.HmacSHA1(signingString, signingKey).toString(CryptoJS.enc.Base64);
    console.log("Signatur: " + signatur);
    return signatur;
}
I hardcoded the parameter for now, as well as the timestamp and the nonce, to check the signature against the signature that was generated by Postman. If I copy and paste the signature generated by Postman into the OAuth header, I get authorization. So the error must be in the signature part.
Of course, 5 minutes after posting I saw my mistake. The signing key needs to be
let signingKey = encodeURIComponent(this.appSecret) + "&" + encodeURIComponent(this.accessTokenSecret);
and not
let signingKey = encodeURIComponent(this.accessToken) + "&" + encodeURIComponent(this.accessTokenSecret);
So I am storing my users' "friends" in a database and I am currently using this to add their friend to it:
socket.on('addFreind', function(username, freind) {
    console.log("ADD FREIND " + freind + " TO " + username);
    let query = 'update users set freinds="' + freind + '" where username = "' + username + '"';
    connection.query(query, function(err) {
        console.log(err);
    });
});
But that just replaces the original value with the new one. How can I add to the original value?
I have tried querying the original value, adding it to an array, then adding the new value to that array and putting it back in my database, but that failed horribly, and I was wondering if there was just a simple way to do this.
I am trying to convert this:
var query_string = 'SELECT protein_A, protein_B, PIPE_score, site1_A_start FROM ' + organism + PIPE_output_table +
    ' WHERE ' + score_type + ' > ' + cutoff['range'] + ' AND protein_A = "' + item + '" ' +
    'UNION SELECT protein_A, protein_B, PIPE_score, site1_A_start FROM ' + organism + PIPE_output_table +
    ' WHERE ' + score_type + ' > ' + cutoff['range'] + ' AND protein_B = "' + item + '";';
db.each(query_string, function (err, row) {
    ...
To this:
var query_string = "SELECT protein_A, protein_B, PIPE_score, site1_A_start FROM $table WHERE $score_type > $score AND protein_A = '$protein'" +
    " UNION SELECT protein_A, protein_B, PIPE_score, site1_A_start FROM $table WHERE $score_type > $score AND protein_B = '$protein'";
var placeholders = {
    $table: organism + PIPE_output_table,
    $score_type: score_type,
    $score: cutoff['range'],
    $protein: item
};
var stmt = db.prepare(query_string, placeholders, function(err) {
    console.log(err);
    stmt.each(function(err, row) {
        ...
    });
});
But I keep getting this error:
Error: SQLITE_ERROR: near "$table": syntax error
But I am not sure what is syntactically wrong here, since the format is as I have seen it in the API documentation. I have tried '?', '#', and ':' before each variable, but none seem to be recognized.
What's wrong in my code?
Bind parameters only work for values in the WHERE clause. Table and column names (collectively called "identifiers") won't work.
"SELECT foo FROM bar WHERE this = $that"   # OK
"SELECT foo FROM bar WHERE $this = 'that'" # Not OK
Normally you'd work around this by escaping and quoting identifiers and inserting them into the query. A good database library has a method call for this...
var column = db.quote_literal(input_column);
'SELECT foo FROM bar WHERE ' + column + ' = ?'
Unfortunately, node-sqlite3 doesn't appear to have one. :(
SQLite does provide a quoting function, the %w operator, but node-sqlite3 doesn't appear to make it available.
You'll have to write your own. Follow the instructions from this answer in Python and convert them to JavaScript:
1. Ensure the string can be encoded as UTF-8.
2. Ensure the string does not include any NUL characters.
3. Replace all " with "".
4. Wrap the entire thing in double quotes.
I'm not very good with JavaScript, so I'll leave you to code that.
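Here is that conversion, written as an added example (it is neither the answerer's code nor part of node-sqlite3): the four quoting steps as a `quoteIdentifier` helper, and the asker's UNION query rebuilt so that the table and score column are quoted identifiers spliced into the text while `$score` and `$protein` stay as node-sqlite3 named binds. No database is opened; `buildPipeQuery` returns the SQL and the bind object you would pass to `db.prepare` or `db.each`. The `ALLOWED_SCORE_COLUMNS` set and the sample table/protein names are constructed assumptions.

```javascript
// A string that cannot be encoded as UTF-8 is one containing a lone surrogate;
// Node replaces those with U+FFFD on a round trip through a Buffer.
function isValidUtf8(s) {
  return Buffer.from(s, 'utf8').toString('utf8') === s;
}

// SQLite identifier quoting, following the answer's four steps.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  // Step 1: must be representable as UTF-8.
  if (!isValidUtf8(name)) {
    throw new TypeError('identifier is not valid UTF-8');
  }
  // Step 2: no NUL characters (SQLite reads the SQL text as a C string).
  if (name.includes('\u0000')) {
    throw new TypeError('identifier contains a NUL character');
  }
  // Steps 3 and 4: double every embedded double quote, then wrap the whole
  // thing in double quotes.
  return '"' + name.replace(/"/g, '""') + '"';
}

// Even with correct quoting, a column name should come from a fixed list the
// code knows about, not from the request: an unknown column only yields a
// SQLite error, but a fixed list keeps the query's behaviour predictable.
// Constructed for this example; use your schema's real score columns.
const ALLOWED_SCORE_COLUMNS = new Set(['PIPE_score', 'site1_A_start']);

// Rebuild the asker's query: identifiers are quoted into the SQL text,
// values are bound by name. Returns { sql, binds } for node-sqlite3.
function buildPipeQuery(table, scoreType, cutoff, protein) {
  if (!ALLOWED_SCORE_COLUMNS.has(scoreType)) {
    throw new RangeError('unknown score column: ' + scoreType);
  }
  const t = quoteIdentifier(table);
  const col = quoteIdentifier(scoreType);
  const select = 'SELECT protein_A, protein_B, PIPE_score, site1_A_start FROM ' +
    t + ' WHERE ' + col + ' > $score';
  const sql = select + ' AND protein_A = $protein UNION ' +
    select + ' AND protein_B = $protein';
  // node-sqlite3 named binds: the keys carry the "$" prefix.
  const binds = { $score: cutoff, $protein: protein };
  return { sql, binds };
}

// Sample call with constructed values; with a real db you would write
// db.each(q.sql, q.binds, function (err, row) { ... }).
const q = buildPipeQuery('human_PIPE_output', 'PIPE_score', 0.5, 'P12345');
console.log(q.sql);
console.log(q.binds);
```

Note that the asker's `'$protein'` (with quotes) would not bind either: inside quotes it is just a string literal, so the bind names must stand bare, as `$protein` does above.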
I am working on an application in Appcelerator Titanium. The application uses an SQLite database. For inserting into the database, I have written a query with parameters like this:
db.execute("INSERT INTO formData (unique_id,form_xml_id,dateTime_stamp,data,user_id,status) VALUES ('" + Ti.App.mydata._guid + "'," + findex + ",'"+datetime+"','"+fdata1+"'," + Ti.App.information.user_id + ",'" + formstatus + "')");
I have another query to update a different table in the database. But the query is without parameters, like this:
db.execute("UPDATE formData SET form_xml_id=" + findex + ",dateTime_stamp='" + datetime + "',data='" + fdata + "',user_id=" + Ti.App.information.user_id + ",status='"+ DataStatus +"' where unique_id='" + Ti.App.mydata._guid + "'");
I want to rewrite the update query, like the insert query. How can I do that?
I have code which updates Contacts... you can modify it accordingly:
public int updateContact(Contact contact) {
    SQLiteDatabase db = this.getWritableDatabase();
    ContentValues values = new ContentValues();
    values.put(KEY_NAME, contact.getName());
    values.put(KEY_PH_NO, contact.getPhoneNumber());
    // updating row
    return db.update(TABLE_CONTACTS, values, KEY_ID + " = ?",
            new String[] { String.valueOf(contact.getID()) });
}
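The answer above is Android Java, while the question is Titanium JavaScript, so as an added example (my own code, not from the question or the answer) here is the same ContentValues idea in JavaScript: an object of column values is turned into `UPDATE formData SET col = ?, ... WHERE unique_id = ?` and the values are passed as positional bind arguments. It assumes Titanium's `Ti.Database.DB.execute(sql, ...values)` form, which fills `?` placeholders from the trailing arguments; since Titanium is not available here, `fakeDb` stands in for the object `Ti.Database.open(...)` returns and simply records the call. The column list and sample values are constructed.

```javascript
// Columns the update is allowed to touch. Keys of the values object are
// checked against this list, so column names never come from user input;
// only the values are bound.
const FORMDATA_COLUMNS = ['form_xml_id', 'dateTime_stamp', 'data', 'user_id', 'status'];

// Build "UPDATE <table> SET a = ?, b = ? WHERE <keyColumn> = ?" plus the
// argument list in matching order. `table` and `keyColumn` are code
// constants here, not request data.
function buildUpdate(table, values, keyColumn, keyValue) {
  const columns = Object.keys(values);
  if (columns.length === 0) {
    throw new RangeError('nothing to update');
  }
  for (const c of columns) {
    if (!FORMDATA_COLUMNS.includes(c)) {
      throw new RangeError('column not allowed: ' + c);
    }
  }
  const setClause = columns.map(c => c + ' = ?').join(', ');
  const sql = 'UPDATE ' + table + ' SET ' + setClause + ' WHERE ' + keyColumn + ' = ?';
  const args = columns.map(c => values[c]).concat([keyValue]);
  return { sql, args };
}

// The rewritten update from the question: values object in, bound call out.
// With Titanium this would be db = Ti.Database.open('mydb') and the same
// db.execute call.
function updateFormData(db, guid, values) {
  const { sql, args } = buildUpdate('formData', values, 'unique_id', guid);
  db.execute(sql, ...args);
  return { sql, args };
}

// Stand-in for the Titanium DB object (constructed): records each execute call.
function fakeDb() {
  const calls = [];
  return {
    calls,
    execute(sql, ...args) {
      calls.push({ sql, args });
      return null;
    },
  };
}

// Constructed sample run.
const db = fakeDb();
updateFormData(db, 'guid-1234', {
  form_xml_id: 7,
  dateTime_stamp: '2018-07-30 08:00:00',
  data: "it's <data/>",
  user_id: 42,
  status: 'submitted',
});
console.log(db.calls[0]);
```

The INSERT from the question can be written the same way, `db.execute('INSERT INTO formData (...) VALUES (?,?,?,?,?,?)', ...)`, at which point the apostrophe in `data` above stops mattering, because it is delivered as a value rather than spliced into the statement text.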