I am trying to enter a value in a text box using Karate UI automation with the command below:
And input("textarea[class=ace_text-input]", 'index = "int_rtrapp-dev_k8s" container_name="rr-hebeat-inbound" "' + tracID + '"')
In the above command Karate is ignoring the hyphen in "int_rtrapp-dev_k8s" and also in "rr-hebeat-inbound".
Can someone guide me on how to fix this issue? I tried a few things, like assigning those two words to a variable and using the variable the same way I use it for tracID, but that is also not working.
I was able to tackle the issue using the commands below:
* def query = 'index="<indexName>" container_name="<containerName>"'
* replace query.indexName = 'int_rtrapp-dev_k8s'
Then print query
* replace query.containerName = 'rr-hebeat-inbound'
Then print query
* script("document.querySelector('.ace_editor').env.editor.setValue('"+query+"')")
I am doing a project for my school and I am tasked with debugging all of the issues found using the application called HPE Fortify. The report generated by the application only indicates that the code below is prone to SQL injection:
String sql = " select Distinct p1.desc1,p2.desc2 from parameter p1"
    + " inner join parameter p2"
    + " on p1.ParaCode1='CR_DERIVE' and p1.ParaCode2=p2.Desc2"
    + " inner join parameter p3"
    + " on p2.ParaCode3=p3.ParaCode1 and p3.ParaCode3=p2.Desc2"
    + " where p2.paracode1='ATTRIBUTE'"
    + " and p2.ParaCode2='" + ddl_attribute.SelectedValue + "'";
But not the code below:
strSQL = "SELECT Paracode2 FROM Parameter WHERE Paracode1 = 'PROGMGR' AND Desc1 = '" + login + "' AND Status = 'A' ";
I would like to know the reason why, as I am unclear regarding SQL injection and I am new to this. Thanks for the response.
You're concatenating some application variables into your SQL query string, so the safety depends on how those variables' values were set. Did they come from some untrusted input? Or were they set from some safe application data?
If HPE Fortify has analyzed your code and knows how your login variable was assigned its value, it may be able to tell that it's safe to use in an SQL expression. Whereas it may not be able to make that conclusion about the SelectedValue variable, so it assumes it's unsafe and therefore could cause an SQL vulnerability.
The Perl language does something similar, without the use of a tool like HPE Fortify. Every Perl variable is either "tainted" or "untainted" depending on where it got its value. So you can tell whether a variable is safe to use in SQL, or in eval() or other possible code-injection situations. It's a pity more languages don't support something similar.
But I agree with other commenters that you should learn to use query parameters. It's easy and it's safe. And you can stop getting eyestrain figuring out if you've balanced your quotes-within-quotes correctly.
Your code sample looks like it might be Java. Here's an example in Java:
strSQL = "SELECT Paracode2 FROM Parameter"
+ " WHERE Paracode1 = 'PROGMGR' AND Desc1 = ? AND Status = 'A' ";
Notice the ? placeholder for the parameter has no single-quotes around it within the SQL string. You must not put SQL quotes around the placeholder.
// prepareStatement() compiles the SQL once; the bound value can never alter its structure
PreparedStatement stmt = con.prepareStatement(strSQL);
stmt.setString(1, login);
ResultSet rs = stmt.executeQuery();
For more information to help you understand SQL injection, you might like my presentation SQL Injection Myths and Fallacies, or the video of me delivering that talk: https://www.youtube.com/watch?v=VldxqTejybk
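Added here as an illustration, not part of the answer above: a Python/sqlite3 rendering of the two query shapes from the answer (the concatenated one Fortify flags and the bare-placeholder one), run against a constructed Parameter table. The login o'brien shows why balancing quotes by hand is fragile: the concatenated statement stops being valid SQL, while the bound parameter returns the right row.

```python
import sqlite3

# Constructed sample data standing in for the Parameter table from the question.
SAMPLE_ROWS = [
    ("PROGMGR", "PM01", "alice", "A"),
    ("PROGMGR", "PM02", "o'brien", "A"),   # login containing a single quote
    ("PROGMGR", "PM03", "carol", "I"),     # inactive, must never be returned
]


def make_db():
    """In-memory SQLite database loaded with the constructed Parameter rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Parameter (Paracode1 TEXT, Paracode2 TEXT, "
                "Desc1 TEXT, Status TEXT)")
    con.executemany("INSERT INTO Parameter VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_concatenated(con, login):
    """The pattern Fortify flags: the login value is pasted into the SQL text,
    so any quote character in `login` changes the structure of the statement."""
    sql = ("SELECT Paracode2 FROM Parameter WHERE Paracode1 = 'PROGMGR' "
           "AND Desc1 = '" + login + "' AND Status = 'A'")
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, login):
    """The PreparedStatement pattern: a bare ? placeholder with the value bound
    separately by the driver, exactly as setString(1, login) does in Java."""
    sql = ("SELECT Paracode2 FROM Parameter WHERE Paracode1 = 'PROGMGR' "
           "AND Desc1 = ? AND Status = 'A'")
    return [row[0] for row in con.execute(sql, (login,))]


def concatenation_fails(con, login):
    """True when the concatenated query is no longer valid SQL for this login."""
    try:
        lookup_concatenated(con, login)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "| concatenated breaks:", concatenation_fails(db, name),
              "| parameterized:", lookup_parameterized(db, name))
```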
I am considering using RCP to run a generic datastage job, but the initial SQL changes each time it's called. Is there a process in which I can use a User Activity Variable to inject SQL from a text file or something so I can use the same datastage?
I know this Routine can read a file to look up parameters:
Routine = 'ReadFile'
vFileName = Arg1
vArray = ""
vCounter = 0
OPENSEQ vFileName TO vFileHandle
Else Call DSLogFatal("Error opening file list: ":vFileName, Routine)
Loop
While READSEQ vLine FROM vFileHandle
    vCounter = vCounter + 1
    vArray = Fields(vLine, ',', 1)
    vArray = Fields(vLine, ',', 2)
    vArray = Fields(vLine, ',', 3)
Repeat
CLOSESEQ vFileHandle
Ans = vArray
Return Ans
But does that mean I just store the SQL in one Single line, even if it's long?
Thanks.
Why not just have the SQL within the routine itself and propagate parameters?
I have multiple queries within a single routine that does just that (one for source and one for AfterSQL statement)
This is an example and apologies I'm answering this on my mobile!
InputCol=Trim(pTableName)
If InputCol='Table1' then column='Day'
If InputCol='Table2' then column='Quarter, Day'
SQLCode = ' Select Year, Month, '
SQLCode := column:", Time, "
SQLCode := " to_date(current_timestamp, 'YYYY-MM-DD HH24:MI:SS'), "
SQLCode := \ "This is example text as output" \
SQLCode := "From DATE_TABLE"
crt SQLCode
I've used multiple encapsulations in the example above; when passing out to a parameter, make sure you check that the ' and " have either been escaped or are displaying correctly.
Again, apologies for the quality but I hope it gives you some ideas!
You can give this a try.
As you mentioned, maintain the SQL in a file (again, if the SQL keeps changing, you need to build logic to automate populating the new SQL).
In the DataStage Sequencer, use an Execute Command Activity to open the SQL file,
e.g.: cat /home/bk/query.sql
In the job activity which calls your generic job, you should map the command output of your EC activity to a job parameter,
so if the EC activity name is exec_query, then the job parameter will be
exec_query.$CommandOutput
When you run the sequence , your query will flow from
SQL file --> EC activity-->Parameter in Job activity-->DB stage( query parameterised)
Have you thought of invoking a shell script that connects to the database and executes the SQL script from the sequence job? You could use sqlplus in the shell script to connect, read the file with the SQL and use it. To execute the shell script from the sequence job, use an ExecCommand stage (sh, ./, ...); it depends on the interpreter.
Another way to solve this, depending on how much your SQL changes, is to invoke a base routine that handles the parameters and invokes your parallel job.
The main problem I think you could have is the length limit of the variable where you store the parameter.
Tell me which option you choose and I can help you more.
I am working on some legacy code that is written in Classic ASP / VBSCript.
The code handles the data submitted via a HTML form, and breaks on the following line.
' Get all input questions
Set inputQuestions = getListOfInputQuestionsForPage("additional")
The function getListOfInputQuestionsForPage(pageName) is defined as follows:
Function getListOfInputQuestionsForPage(pageName)
' Instantiate Command
Set objCommand = Server.CreateObject("ADODB.Command")
' Inform Command what Connection to use.
Set objCommand.ActiveConnection = myConn
' SQL Query to run
objCommand.CommandText = "SELECT QUESTION_TABLE.PK_QUESTION AS ""QUESTION_ID"", QUESTION_TABLE.QUESTION AS ""QUESTION"", QUESTION_TABLE.INPUT_TYPE AS ""TYPE"", QUESTION_TABLE.IS_FOR_ALL_CUSTOMERS AS ""FOR_ALL_CUSTOMERS"" FROM QUESTION_TABLE WHERE QUESTION_TABLE.DISPLAY_PAGE = '" & pageName & "' ORDER BY PK_QUESTION ASC"
' Execute SQL and return result
Set getListOfInputQuestionsForPage = objCommand.Execute()
End Function
I find it strange that I am getting the following error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'getListOfInputQuestionsForPage'
/site/path_to_file/edit_additional.asp, line 110
All I am doing is trying to grab some data from the database. And I know the data exists and a RecordSet is returned.
The error threw me off. The reason why it wasn't working was because the function getListOfInputQuestionsForPage(pageName) did not exist on the same page, and I had to include the file that contained the function definition, which now is very obvious, but because the error is so weird for what I'm trying to do (type mismatch) ... I did not think of that reason at all.
So in short, make sure your classic ASP file knows about that function, i.e. it includes the file containing the function, or the function is defined in the same file.
I am dealing with a whole load of Word documents that make heavy use of fields and cross-references (internally and between documents).
To update these and make everything consistent again after a change I have to open each file, select the entire file's content (equivalent of hitting Ctrl-A) and update all fields (the equivalent of hitting F9). And I have to do this twice for all files, so that also all inter-file cross-references are also updated properly.
Since this is a rather tedious and lengthy process I wanted to write me a little PowerShell-script that does that for me. The relevant function to update a file looks like this:
...
function UpdateDoc([object]$word, [object]$fileHandle) {
    Write-Host("Updating: '" + $fileHandle.Name + "' ('" + $fileHandle.FullName + "'):")
    # open the document:
    $doc = $word.Documents.Open($fileHandle.FullName)
    # select the entire document:
    ???
    # update it:
    ???
    # then save it (the parentheses are required: without them PowerShell
    # returns the method object instead of invoking it):
    $doc.Save()
    $doc.Close()
    Write-Host("'" + $fileHandle.Name + "' updated.")
}
...
But I am stuck on how to select the file's content and update it all, i.e. what has to go into this code instead of the two ???-markers to achieve what I want?
Did you try:
$doc.Fields | %{$_.Update()}
That should update all the fields
I know this has been asked earlier.
Most of the answers were not relevant.
Google, shows that the solution is to configure the expression in the "data flow task" and set the query.
However in the ADO .NET source, when I try to preview the output I keep getting "Must declare the variable '#'"
It does not show the full variable in this error - "#[User::GLOBAL_PARAMETER]"
I think that's because "[User::" isn't the correct syntax inside SQL; but then how does one set it?!
From your description it seems like you are having an error due to using the variable name inside the query string as opposed to the processed variable value. In other words:
"SELECT * FROM #[User::TABLE]" in the expression builder would be WRONG
"SELECT * FROM " + #[User::TABLE] would be CORRECT
It would help if you shared the expression you are using as a query.