I have a simple MS Access database with one table named Student, and it has two columns, ID and Name.
When I open the database in Access and enter the query
select * from Student where Name like 'J%'
in its SQL view, it gives an empty resultset.
But the table has a Name called John.
I tried with other databases and tables also with like-queries, but none works.
Can anyone please tell if there is any special reason for this???
Thank you
Edit:
The same query works with C# code
What you need is
select * from Student where Name like 'J*'
or possibly (because I don't have access handy to check, possibly either will work)
select * from Student where Name like "J*"
The * is the wildcard character for MS Access.
From my experience in the past... yes, Access syntax has some minor differences that make even simple things troublesome.
I don't remember how, but look around for a way to make Access show the SQL for some results you retrieved graphically; there must be a "show SQL" button somewhere.
Once there, examine the SQL syntax carefully, then test your SQL in Access's editor.
So the main idea is: let Access show you the way!
Basically if I want to see what the data in a table/view looks like I use
select top 1000 * from ...
But this isn't too efficient for complex views or badly indexed tables.
I really just want to see what the data in a table looks like, e.g. the format etc.
Is there a better way to do this?
I'm using SSMS 2017
Edit for clarification:
Badly written views are endemic throughout our databases so whilst fixing these is the obvious answer it's not really a realistic one.
I suppose I was hoping for a trick I wasn't aware of, because I understand using TOP puts some sort of order into it.
If you highlight a table/view object in code and then press ALT + F1 in the SSMS IDE, it will execute the equivalent of sp_help 'object_name', where object_name is the name of the highlighted object. Maybe this can give some quick information about the object you are interested in.
I'm used to scripting in Python or Matlab, and my first couple hours with SQL have been infuriating. I would like to make a list of columns appear on the screen in any way, shape, or form; but when I use commands like
select *
from "2Second Log.dbo.TagTable.Columns"
I keep getting the error:
Invalid column name '[the first column in my table]'.
even though I never explicitly asked for [the first column in my table], it found it for me. How can you correctly identify the first column name, and then still claim it's invalid!? Babies will be strangled.
This db was generated by Allen Bradley's FactoryTalk software. What I would really like to do is produce an actual list of "TagName" strings...but I get the same error when I try that. If there were a way to actually double click the table and open it up and look at it (like in Matlab), that would be ideal.
Echoing juergen's suggestion in the comment above. It looks like you're running the query on the master database, not the 2Second Log database that actually has your table. (You can tell this by looking at the database in the dropdown in the top left of your screenshot). Two things you can do:
1. Change the dropdown in the top left to 2Second Log. This will target your query to a different database.
2. Put your database name in brackets as suggested by juergen, i.e. select * from [2Second Log].dbo.TagTable
As an aside, if you're looking for a good SQL tutorial, I highly recommend the Mode SQL tutorial. It's a fantastic interactive platform to get your SQL feet wet.
Always use brackets when names/fields have spaces or dashes.
select * from [2Second Log].dbo.TagTable
I'm working with a new REST backend talking to a SQL Server. Our REST api allows for the caller to pass in the columns/fields they want returned (?fields=id,name,phone).
The idea seems very normal. The issue I'm bumping up against is resistance to dynamically generating the SQL statement. Any arguments passed in would be passed to the database using a parameterized query, so I'm not concerned about SQL injection.
The basic idea would be to "inject" the column-names passed in, into a SQL that looks like:
SELECT <column-names>
FROM myTable
ORDER BY <column-name-to-sort-by>
LIMIT 1000
We sanitize all column names and verify their existence in the table, to prevent SQL injection issues. Most of our programmers are used to having all SQL in static files, and loading them from disk and passing them on to the database. The idea of code creating SQL makes them very nervous.
I guess I'm curious if others actually do this? If so, how do you do this? If not, how do you manage "dynamic columns and dynamic sort-by" requests passed in?
I think a lot of people do it especially when it comes to reporting features. There are actually two things one should do to stay on the safe side:
1. Parameterize all WHERE clause values
2. Use user input values to pick correct column/table names, don't use the user values in the SQL statement at all
To elaborate on item #2, I would have a dictionary where Key is a possible user input and Value is a corresponding column/table name. You can store this dictionary wherever you want: config file, database, hard code, etc. So when you process user input you just check the dictionary to see if the Key exists, and if it does you use the Value to add a column name to your query. This way you just use user input to pick required column names but don't use the actual values in your SQL statement. Besides, you might not want to expose all columns. With a predefined dictionary you can easily control the list of available columns for a user.
Hope it helps!
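An added example (not from the original answer) of the dictionary approach described above, in Python with an in-memory SQLite table standing in for the real database. The customers table, its columns and the API field names are assumptions made for illustration.

```python
import sqlite3

# Key = name a caller may send in ?fields= / ?sort=; value = real column.
# Only the values are ever placed in SQL text. All names here are hypothetical.
ALLOWED_FIELDS = {"id": "id", "name": "full_name", "phone": "phone_number"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_ROWS = 1000


def build_query(fields, sort_by, direction="asc", city=None, limit=MAX_ROWS):
    """Return (sql, params); raise ValueError for anything not allow-listed."""
    requested = [f.strip() for f in fields.split(",") if f.strip()]
    if not requested:
        raise ValueError("no fields requested")
    unknown = [f for f in requested + [sort_by] if f not in ALLOWED_FIELDS]
    if unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {direction!r}")
    cols = ", ".join(f'"{ALLOWED_FIELDS[f]}"' for f in requested)
    order = f'"{ALLOWED_FIELDS[sort_by]}" {ALLOWED_DIRECTIONS[direction]}'
    sql, params = f"SELECT {cols} FROM customers", []
    if city is not None:              # filter values are bound, never spliced
        sql += " WHERE city = ?"
        params.append(city)
    sql += f" ORDER BY {order} LIMIT ?"
    params.append(max(1, min(int(limit), MAX_ROWS)))  # cap the page size
    return sql, params


def demo():
    """Run one request against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, full_name TEXT,"
               " phone_number TEXT, city TEXT, ssn TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Ann", "555-0100", "Oslo", "constructed-1"),
        (2, "Bob", "555-0101", "Oslo", "constructed-2"),
        (3, "Cid", "555-0102", "Rome", "constructed-3"),
    ])
    sql, params = build_query("name,id", "name", "desc", city="Oslo")
    return db.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(demo())
```

The ssn column exists in the table but not in the dictionary, so no request can select or sort by it. On SQL Server the LIMIT clause would be written as TOP or OFFSET ... FETCH; the lookup logic is unchanged.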
I've done similar to what Maksym suggests. In my case, keys were pulled directly from the database system tables (after scrubbing the user request a bit for syntactic hacks and permissions).
The following query takes care of some minor injection issues through the natural way SQL handles the LIKE condition. This doesn't go as far as handling permissions on each field (as some fields are forbidden based on the log-in) but it provides a very basic way to retrieve these fields dynamically.
CREATE PROC get_allowed_column_names
    @input VARCHAR(MAX)
AS BEGIN
    SELECT
        columns.name AS allowed_column_name
    FROM
        syscolumns AS columns,
        sysobjects AS tables
    WHERE
        columns.id = tables.id AND
        tables.name = 'Categories' AND
        @input LIKE '%' + columns.name + '%'
END
GO
-- The following only returns "Picture"
EXEC get_allowed_column_names 'Category_,Cat%,Picture'
GO
-- The following returns both "CategoryID" and "Picture"
EXEC get_allowed_column_names 'CategoryID, Picture'
GO
Here is something interesting that I have been asked. It has to do with the encryption of data in a non-encrypted database.
The story is as follows. We have a database that is not encrypted, and no column is encrypted in any of its tables. Now, we'd like to control the traffic of the data depending on who is asking for it. Let me explain more clearly:
We have a table with the name: table1
This table has one column with the name: SName
We'd like to reach the following result. If a user connected to SQL Server Management Studio runs the following query:
select * from table1
he/she should get no result, or, if he/she gets a result, this result should be scrambled.
Now, from inside the application, the table should exchange data from/to the application in the normal mode.
Do you know if there is a setting, or an implementation or an external tool that can provide this functionality?
I think that this is quite an interesting case!
Thank you.
Use permissions to stop that person reading the table at all.
Or use a VIEW to hide the table and have a WHERE clause in that that applies a filter silently: this could refer to another table with a list of approved users.
This isn't really an encryption (well, obfuscation in this case) issue.
So I'm new to databases and I'm trying to learn the ropes. I have a DB2 database that I'm getting familiar with. I was assigned a task where I need to write a method that does a search on the database. The search will take in two parameters, a username and a user ID number. If the user and the user ID number do not match, or if one or the other turns out null, then it needs to throw an error. If it's valid, then it will continue with spitting out information about the user.
I was told to use the findall() function or something similar to it. I was looking online and what I have found is examples that deal with like or ilike, and I'm not sure how something like that will work in my situation. What would be a decent example of how I would start to go about this?
Any help is appreciated. I'll post back if I make any progress.
Note: I'm using Groovy/Grails. Domain, Controller, View setup.
Is this some homework assignment from school?
findall() is usually a method in regular expressions, which I don't think is relevant here. If you have a SQL database, that means you have an RDBMS which uses SQL as its query language. You need to learn about the SELECT command, which can look daunting when you first look at the manual, but it's actually simple for your case. You need something like:
SELECT userfield1, userfield2,..
FROM myusertable
WHERE myusertable.username = 'uname' AND myusertable.userid = userid
uname and userid are your search parameters. Please note that this SQL query should be done with a PREPARED statement for security reasons.
When you run this query using your database library you get back an array of results which you have to analyze. If it is empty, no user found.
Edit: updated to take into account the use of Hibernate
Hibernate uses HQL, which is like SQL and does indeed have a findAll method. See http://grails.org/doc/latest/ref/Domain%20Classes/findAll.html