Smartface IS Secure Data-Fields don't work - database

I have created a local table and inserted some data. As long as I don't use is secure for fields all works fine. But when I use is secure for some fields I only get encrypted text for these fields. It seems that a decrypt function is missing. How to solve this?
For accessing the fields I use:
var field_value = Data.execute("select f3 from Testtable where rowid = 3;");
alert("Row 3:" + field_value);

Actually, you should get encrypted values if you try this kind of sql execute statement, regardless of how many rows are selected as isSecure.
I mean, if there is an isSecure field, it should always be seen as encrypted. Selecting some rows as inSecure or all of them as inSecure, shouldn't change anything.
The new release of Smartface App Studio is available right now.
(http://account.smartface.io/Account/Login?ReturnUrl=%2F )
I tested your case, it works fine with this new release.
By the way, if you want to reach the actual value in table, try the below code :
Data.myDataset.move(2); //Lets reach the same row you wrote above with move
alert("Row 3 : " + Data.myDataset.f3);
You should write your dataset's name instead of myDataset.


ADODB.recordset connection not finding data

I'm trying to retrieve specific data from SQL Server via ADODB.recordset connection, and certain records are not found for some reason, (while they are found when running the same query in SQL SERVER itself) and I can't figure out why.
My code:
Dim adset As Object, cnct As Object
Set adset = CreateObject("ADODB.recordset")
Set cnct = thiscnn
adset.Open "SELECT prt FROM prt WHERE prt = 2204018", cnct, 1
While in other module:
Public thiscnn As Object
...
Set thiscnn = CreateObject("ADODB.Connection")
thiscnn.Open "DSN=...;Description=...;DATABASE=...;;UID=...;PWD=..."
thiscnn.CommandTimeout = 30
I'm talking here about code working well for years.
The thought that such a simple and useful part of my program which is in vast use, doesn't fetch the data loyally, drives me nuts. I need to give my customers proper, real and true information. I can't have such code sometimes returning and sometimes not returning data.
I know other ways of fetching data, but it is very important for me to understand why this simple way doesn't work all of a sudden in specific cases. It's so peculiar.
I would be grateful for any clue as to what could be happening in my case.
I tried fetching the same query in SQL SERVER itself, and worked fine - but that's the problem, it works in SQL SERVER, but not in VBA with this code above.
I tried looking for differences between records getting fetched and those which don't, and didn't see any special difference.
I tried refetching the same record a few times, but the fetching status for those specific records which don't get fetched (via ADODB.connection / recordset) stays the same.
I tried fetching the same records using the BETWEEN operator rather than the equals (=) operator, yet with no success.
I tried ordering by id column (prt), perhaps the problem is from certain id and up.
I tried ordering by the timestamp column thinking maybe from certain timestamp we have a problem - but that didn't give me any clue.
I thought to cast timestamp to date, but I found out that it's only rowversion and doesn't preserve a date or time.
I tried ordering by row size using this, thinking maybe a certain row size is too much for some odd reason, but that didn't help either.
Just a guess, but can it be some dirty data that isn't persisted?
Try selecting with nolock:
SELECT prt FROM prt (NOLOCK) WHERE prt = 2204018
And perhaps change cursor type:
adset.Open "SELECT prt FROM prt WHERE prt = 2204018", cnct, 2
Or you are looking into wrong database. Usually these errors are something stupid :D

Numeric value 'abc_0011O00001y31VpQAI' is not recognized in Snowflake

(Opening the following on behalf of a Snowflake client...)
When I try to insert into the table it threw below error:
Numeric value 'abc_0011O00001y31VpQAI' is not recognized
Have checked the table DDL and found only 3 columns defined as NUMBER and rest as VARCHAR.
I checked the SELECT query and did not find any string value in those NUMBER Datatype columns. Also tried searching in all the Varchar columns for the value 'abc_0011O00001y31VpQAI', I didn't find any.
I know one thing Snowflake doesn't always show correct error. Am I missing anything here? Is there any way to fix it?
Both COL4_MRR and COL5_QUANTITY are NUMBER
INSERT INTO TABLE
(COL1_DATE, COL2_CD, COL3_CUST_NAME, COL3_LOC_NAME,COL4_MRR,COL5_QUANTITY)
SELECT
'2019-10-03' AS COL1_DATE ,
'AE' AS COL2_CD
,CUSTOMER_NAME AS COL3_CUST_NAME
,LOCATION_NAME AS COL3_LOC_NAME
,MRR_BILLED as COL4_MRR
,QTY_BILLED as COL5_QUANTITY
FROM SCHEMA.V_TABLEA
union all
SELECT
'2019-10-03' AS COL1_DATE ,
'BE' AS COL2_CD
,CUSTOMER_NAME AS COL3_CUST_NAME
,LOCATION_NAME AS COL3_LOC_NAME
,NULL as COL4_MRR
,QTY_BILLED as COL5_QUANTITY
FROM SCHEMA.V_TABLEB
I created a table_D same as original TABLE and tried inserting into it, it worked fine. Then inserted into original TABLE from table_D, it worked again.
Deleted those rows from original TABLE and reran the job , it worked fine.
There was no issue with data as all was Number only, I even tried with TRY_TO_NUMBER too. It inserted the data without any changes to the code.
...............
Client is currently waiting on a next day run to re-test to determine if this is either a bug or an issue with their data. In the meantime, we are interested to see if anyone else has run into similar challenges and have a viable recommendation. THANK YOU.
The error typically means you are trying to insert non-numeric data (like 'abc_0011O00001y31VpQAI') into a numeric column. It seems like the customer did everything right in testing and TRY_TO_NUMBER() is a great way to verify numeric data.
Do the SELECT queries run fine separately? If so, then I would check whether there might be a potential mismatch in the datatype of the columns and make sure they are in the right order.
I would also check whether or not the header is being skipped in the file (that may be where the 'abc_0011O00001y31VpQAI' is coming from since the customer did not see it in the data).
SELECT queries work fine, I tried creating a new table with same DDL as original and tried loading into that new table, it worked fine. Not sure why it is not loading into the original table

How can you create a table (or other object) that always returns the value passed to its WHERE-clause, like a mirror

There is a legacy application that uses a table to translate job names to filenames. This legacy application queries it as follows:
SELECT filename FROM aJobTable WHERE jobname = 'myJobName'
But in reality those jobnames always match the filenames (e.g. 'myJobName.job' is the jobname but also the filename) That makes this table appear unnecessary. But unfortunately, we cannot change the code of this program, and the program just needs to select it from a table.
That's actually a bit annoying. Because we do need to keep this database in sync. If a jobname is not in the table, then it cannot be used. So, as our only way out, right now we have some vbscripts to synchronize this table, adding records for each possible filename. As a result, the table just has 2 columns with identical values. -- We want to get rid of this.
So, we have been dreaming about some hack that queries the data with the jobname, but just always returns the jobname again, like a copy/mirror query. Then we don't actually have to populate a table at all.
"Exploits"
The following can be configured in this legacy application. My hunch is that these may open the door for some tricks/hacks.
use of either MS Access or SQL Server (we prefer sql server)
The name of the table (e.g. aJobTable)
The name of the filename column (e.g. filename)
The name of the jobname column (e.g. jobname)
Here is what I came up with:
If I create a table-valued function mirror(a) then I get pretty close to what I want. Then I could use it like
SELECT filename FROM mirror('MyJobName.job')
But that's just not good enough, it would be if I could force it to be like
SELECT filename FROM mirror WHERE param1 = 'MyJobName.job'
Unfortunately, I don't think it's possible to call functions like that.
So, I was wondering if perhaps somebody else knows how to get it working.
So my question is: "How can you create a table (or other object) that always returns the value passed to its WHERE-clause, like a mirror."
It's kinda hard to answer not knowing the code that the application use, but if we assume it only takes strings and concatenate them without any tests whatsoever, I would assume code like this: (translated to c#)
var sql = "SELECT "+ field +" FROM "+ table +" WHERE "+ conditionColumn +" = '"+ searchValue +"'";
As this is an open door for SQL injection, and given the fact that SQL Server allows you two ways of creating an alias - value as alias and alias = value,
you can take advantage of that and try to generate an SQL statement like this:
SELECT field /* FROM table WHERE conditionColumn */ = 'searchValue'
So field should be "field /* ",
and conditionColumn should be "conditionColumn */"
table name doesn't matter, you could leave an empty string for it.

How can I dynamically select a list of several columns from a MSSQL table, without concatenating Strings?

I have done some searching, but either the examples only use one parameter / columnname or they just add Strings together.
I have a table describing projects. There are unchangeable columns like an id, projectnumber and such, and several 'dynamic' columns, which a user / admin can add through an interface in the application.
After that a user should see a List of all 'dynamic' Columns, and can decide to display them through checkboxes.
So what I need now, is a query as this
SELECT id, projectname, <LIST_OF_COLUM_NAMES> FROM project
I would like this to be safe from malicious Queries, like someone very clever naming a column
; DELETE TABLE projets --
and then displaying it.
I found several solutions where the querystring is just concatenated either on the program side or inside a stored procedure.
I found several examples for stored procedures which get one column name and create a query statement from it.
I found this article
How to pass an array into a SQL Server stored procedure
on which I must admit I am not sure if it applies to my problem.
Is there a way to achieve this without creating a security risk through SQL-Injection?
There are several easy ways to resolve this without risk of sql injection.
Write SELECT * FROM query and limit number of columns that are seen on application, this way all columns are returned and it is up to application to decide which ones to display.
Instead of passing string of columns to stored procedure, have user pass list of column indexes and based on integer value, you can have dynamic sql that generates SELECT statement only with columns that user wants back.
If you just want to display list of columns that exists in a table to the user you should select list of columns from Information Schema Views, this way you are sure which column exists in database.
In SQL-Server you can assign the parameter a datatype of sysname, which is how all system object names are stored; this could give you extra data validation.
No matter what you decide to do, you should never concatenate strings in application or stored procedures.
I tried to work with the Information Schema Views but I was not able to avoid concatenating Strings altogether. This is what I came up with:
When the user wants to add a Column he can enter a display name, and select from a range of Datatypes. Then I create a unique internal column name (like DATETIME_67).
Then I create my query like this:
String querystring = "ALTER TABLE projects ADD " + internalname + " " + typestring;
Note that the String internalname and typestring are both generated inside my code, with no input from the user (so this should be safe against injection, I guess).
Then I write the internal name and the display name to a lookup table:
// requires: using System.Data.SqlClient;
String querystring = "INSERT INTO lookup (tablename, displayname) " +
    "VALUES (@tablename, @displayname)"; // SQL Server parameter names start with @
using (SqlCommand command = new SqlCommand(querystring, con)) { // con is an open SqlConnection object
    command.Parameters.AddWithValue("@tablename", internalname);
    command.Parameters.AddWithValue("@displayname", displayname);
    command.ExecuteNonQuery(); // run the parameterized INSERT
}
Here the actual Input from the user is inserted, but it is parameterized, so it should also be safe.
When I retrieve the columns I want to display I do also use the (hopefully) safe internal names:
List<String> selectedColumns = new List<String>(); // the list of internal column names
String query = "SELECT id, projectnumber, projectname {0} FROM projects"; // projectnumber and projectname are mandatory fields
String fieldstring = ""; // stays empty when no custom column is selected
if (selectedColumns.Count > 0)
{
    fieldstring = String.Join(",", selectedColumns);
    fieldstring = ", " + fieldstring;
}
query = String.Format(query, fieldstring);
Please comment on this. It is working exactly as I need it. The user can add (and remove) custom fields to the data table and provide display names for them. He can also define which of the present custom fields are to be displayed, and he can enter data for the created fields. I am just not sure if this is safe against malicious injections.
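An added example, not code from any of the posts above: the column list in this thread can only be concatenated, so each requested name is checked against the lookup table and the table's real columns, then bracket-quoted, before it reaches the query text. Python with an in-memory SQLite database stands in for the C# and SQL Server setup (SQLite accepts `[name]` quoting and `PRAGMA table_info` plays the role of INFORMATION_SCHEMA.COLUMNS); the function names, the name pattern and the sample rows are assumptions constructed for the demonstration.

```python
import re
import sqlite3

FIXED_COLUMNS = ["id", "projectnumber", "projectname"]
# Shape of the generated internal names described above (e.g. DATETIME_67); assumed pattern.
INTERNAL_NAME = re.compile(r"[A-Z]+_[0-9]+")


def quote_ident(name):
    """Bracket-quote an identifier the way T-SQL QUOTENAME does (']' doubled)."""
    return "[" + name.replace("]", "]]") + "]"


def build_project_query(con, requested):
    """Return a SELECT over the fixed columns plus the validated custom columns."""
    # Allowlist 1: names the application itself registered in the lookup table.
    registered = {row[0] for row in con.execute("SELECT tablename FROM lookup")}
    # Allowlist 2: columns that really exist (INFORMATION_SCHEMA.COLUMNS on SQL Server).
    existing = {row[1] for row in con.execute("PRAGMA table_info(projects)")}
    chosen = []
    for name in requested:
        if not INTERNAL_NAME.fullmatch(name):
            raise ValueError("malformed column name: %r" % name)
        if name not in registered or name not in existing:
            raise ValueError("unknown column: %r" % name)
        if name not in chosen:
            chosen.append(name)
    columns = [quote_ident(c) for c in FIXED_COLUMNS + chosen]
    return "SELECT " + ", ".join(columns) + " FROM [projects]"


def demo_connection():
    """Constructed sample schema: two custom columns, one display name that looks hostile."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE projects (id INTEGER, projectnumber TEXT, projectname TEXT,"
                " DATETIME_67 TEXT, VARCHAR_68 TEXT)")
    con.execute("CREATE TABLE lookup (tablename TEXT, displayname TEXT)")
    con.executemany("INSERT INTO lookup VALUES (?, ?)",
                    [("DATETIME_67", "Kick-off date"),
                     ("VARCHAR_68", "; DELETE TABLE projets --")])
    con.execute("INSERT INTO projects VALUES (1, 'P-001', 'Demo', '2019-10-03', 'note')")
    return con


if __name__ == "__main__":
    con = demo_connection()
    print(build_project_query(con, ["VARCHAR_68", "DATETIME_67"]))
```

The hostile-looking display name never reaches the statement text: it lives only as parameterized data in the lookup table, and the query is assembled from the generated internal names after they pass both allowlists.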

How to create user in MediaWiki using database

I've tried to add a new user with phpmyadmin of my host but it didn't work. After I
add a new record in user table (same of other users info) and tried to login with
my new username to the MediaWiki, the system said user doesn't exist.
Don't touch the database manually, if you need to do this server-side, there's a script for that called createAndPromote.php in maintenance/.
If you want to import many users at a time, you can use ImportUsers extension, it allows you to import a CSV file (with user list) into the system.
You can not insert records in User table for it has a password field which is encrypted by a PHP function. But for other tables like tw_group or user_groups, you can change it directly in database.
Was evaluating BlueSpice (based on MediaWiki) and came to that point, too.
Problem in my case was: In table user, column user_name, entries must have capital first letter! E.g.
|user_name|
|test |
is not working.
|user_name|
|Test |
is working.
Also, regarding the "password" problem mentioned in the other answer: You can create it by yourself. Here's a quick and dirty solution using some webtools.
Create random hex for salt (32 bit)
https://www.browserling.com/tools/random-hex
Turn salt to base64
https://base64.guru/converter/encode/hex
Create key from password (30000 Iterations; dkLen 512; PBKDF2WithHmacSHA512)
https://8gwifi.org/pbkdf.jsp
Create Key String (replace >>XX<< with the values from above)
:pbkdf2:sha512:30000:64:>>SALT_IN_BASE64<<:>>KEY_STRING<<
Ps: For the user_token I used a random 32bit hex.
Be extremely careful when making direct changes to the database. Always test extensively. This is not for newbies who copy from StackOverflow without understanding what they are doing!
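An added example, not part of the answers above: the same key string can be produced locally with Python's standard library, which keeps the plaintext password off third-party web tools. The 16-byte salt and token sizes and the base64 encoding of the derived key are assumptions; the algorithm, iteration count and length fields are the ones shown in the key string above, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

ALGO, COST, LENGTH = "sha512", 30000, 64  # values from the key string in the post


def make_hash(password, salt=None):
    """Build ':pbkdf2:sha512:30000:64:<salt>:<key>' locally, no web tools involved."""
    salt = secrets.token_bytes(16) if salt is None else salt  # assumed salt size
    key = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, COST, dklen=LENGTH)
    fields = ["", "pbkdf2", ALGO, str(COST), str(LENGTH),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(key).decode("ascii")]  # assumption: key is base64 like the salt
    return ":".join(fields)


def check_hash(password, stored):
    """Recompute the key with the parameters embedded in `stored`; compare in constant time."""
    parts = stored.split(":")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "pbkdf2":
        raise ValueError("not a pbkdf2 key string")
    algo, cost, length = parts[2], int(parts[3]), int(parts[4])
    salt = base64.b64decode(parts[5], validate=True)
    expected = base64.b64decode(parts[6], validate=True)
    key = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, cost, dklen=length)
    return hmac.compare_digest(key, expected)


def make_token():
    """Random hex for user_token; 16 bytes (32 hex characters) is an assumed size."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    stored = make_hash("example-password")  # constructed sample password
    print(stored)
    print(check_hash("example-password", stored), make_token())
```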
