Sanitizing SQL query parameters in AWS Athena - sql-injection

In AWS Athena, there doesn't appear to be a good way to pass parameters into the SQL query. The typical way to execute is from a boto3 call:
    response = client.start_query_execution(
        QueryString='string',
        ClientRequestToken='string',
        QueryExecutionContext={
            'Database': 'string'
        },
        ResultConfiguration={
            'OutputLocation': 'string',
            'EncryptionConfiguration': {
                'EncryptionOption': 'SSE_S3'|'SSE_KMS'|'CSE_KMS',
                'KmsKey': 'string'
            }
        }
    )
If I need to pass parameters to the QueryString, I need to sanitize it to avoid injection attacks. How do I clean the input?

There is no such functionality in the Athena API. Athena now has prepared statements.
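As an added example (not from the answer, and not AWS code), the prepared-statement route in Python: the query shape is fixed once in PREPARE, and only values travel through EXECUTE ... USING. Because Athena has no client-side binding, the values are rendered by a strict, type-aware literal encoder, table and statement names are allowlisted rather than escaped, and the actual boto3 call is isolated in run_prepared (client is assumed to be boto3.client("athena")).

```python
import re
from datetime import date
from typing import Any, List, Sequence, Tuple

# Identifiers cannot be bound as parameters, so they are allowlisted, not escaped.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")

def ident(name: str) -> str:
    """Return `name` as a double-quoted Athena identifier, or refuse it."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"refusing unsafe identifier {name!r}")
    return f'"{name}"'

def literal(value: Any) -> str:
    """Render one value as the SQL literal that EXECUTE ... USING expects. Strings are
    single-quoted with embedded quotes doubled (Trino's only escape); unknown types are rejected."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # must precede the int check (bool is an int)
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, date):
        return f"DATE '{value.isoformat()}'"
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"unsupported parameter type {type(value).__name__}")

def prepared_pair(stmt: str, table: str, params: Sequence[Any]) -> Tuple[str, str]:
    """PREPARE fixes the query shape; only values travel through EXECUTE."""
    if not _IDENT.fullmatch(stmt):
        raise ValueError(f"refusing unsafe statement name {stmt!r}")
    prepare = (f"PREPARE {stmt} FROM SELECT id, title FROM {ident(table)} "
               f"WHERE category = ? AND published >= ?")
    execute = f"EXECUTE {stmt} USING " + ", ".join(literal(p) for p in params)
    return prepare, execute

def run_prepared(client, database: str, output_s3: str, stmt: str,
                 table: str, params: Sequence[Any]) -> List[str]:
    """Run PREPARE then EXECUTE via boto3 and return both QueryExecutionIds."""
    ids = []
    for sql in prepared_pair(stmt, table, params):
        resp = client.start_query_execution(
            QueryString=sql,
            QueryExecutionContext={"Database": database},
            ResultConfiguration={"OutputLocation": output_s3},
        )
        ids.append(resp["QueryExecutionId"])
    return ids
```

Both statements must run in the same workgroup, since Athena scopes prepared statements to the workgroup that created them.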

Related

Using stringify activity in azure data factory

I need to sync a Cosmos DB container to a SQL database. The objects in Cosmos DB are like so:
[
{
id: "d8ab4619-eb3d-4e25-8663-925bd33b9b1e",
buyerIds: [
"4a7c169f-0642-42a9-b5a7-214a646d6c59",
"87a956b3-2aef-43a1-a0f0-29c07519dfbc",
...
]
},
{...}
]
On the SQL side, the sink table contains 2 columns: Id and BuyerId.
What I want is to convert the buyerIds array to a string joined by a comma, for instance, to then be able to pass it to a SQL stored procedure.
The SQL stored procedure will then split the string and insert as many rows in the table as there are buyerIds.
In Azure ADF, I tried using a stringify activity in a dataflow but I have this error and don't understand what I need to change: Stringify expressions must be a complex type or an array of complex types.
My stringify activity takes the buyerIds column as input and performs the following to create the string:
reduce(buyerIds, '', #acc + ',' + #item, #result)
Do you know what I am missing, or another way to do it more simply?
Because your property is an array, you'll want to use Flatten. That will allow you to unroll your array for the target relational destination. Use stringify to turn structures into strings.

Azure Data Factory Expression Builder string formatting Error: unrecognised token (new line)

I have a Mapping Data Flow, where I want to use a custom SQL query for the Source, but I cannot break it on multiple lines, I get an error stating:
token recognition error at: ''
If I remove the newline and put the whole query on a single line it works, but it looks barely readable. I would like to preserve the query formatting.
Does anyone have an idea how to do this?
Later edit: the same happens with a simple statement like
select
1
This is how it looks in ADF:
You can enter a query directly into the SQL Query box as multi-lines (see image). You only need to use the expression builder or dynamic content if you are going to use expressions or parameters.
You cannot use CTEs in ADF data flow source queries, that's the issue.

Prevent SQL Injection and XSS

I have found these 2 problems in my script: SQL Injection and Cross-Site Scripting.
SQL Injection:
$cate = mysqli_real_escape_string($connection, $_REQUEST['cat']);
$categ = mysqli_query($connection, "SELECT * FROM articles WHERE category='$cate'");
where category='$cate' is the problem.
XSS:
echo ''.$catego.'';
But I don't understand why $cate is wrong?
Does anyone have an example of the correct solution?
Thanks all
Your problem is that you take a value from a request directly into a SQL query.
The best way to prevent SQL injection is to use prepared statements. Prepared statements solve the SQL Injection problem. You must:
Validate the $_REQUEST['cat'] value
Use (for example) PDO to prepare the statement (http://php.net/manual/en//pdo.prepared-statements.php)
Read: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

SQL injection? CHAR(45,120,49,45,81,45)

I just saw this come up in our request logs. What were they trying to achieve?
The full request string is:
properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45) -- /*
Edit: As a Google search didn't return anything useful, I wanted to ask the question for people who encounter the same thing.
This is just a test for injection. If an attacker can see xQs in the output then they'll know injection is possible.
There is no "risk" from this particular query.
A developer should pay no attention to whatever injection mechanisms, formats or meanings - these are none of his business.
There is only one cause for all the infinite number of injections - an improperly formatted query. As long as your queries are properly formatted then SQL injections are not possible. Focus on your queries rather than methods of SQL injection.
The Char() function interprets each value as an integer and returns a string made of the characters given by the code values of those integers. With Char(), NULL values are skipped. The function is used within Microsoft SQL Server, Sybase, and MySQL, while CHR() is used by other RDBMSs.
SQL's Char() function comes in handy when (for example) addslashes() for PHP is used as a precautionary measure within the SQL query. Using Char() removes the need for quotation marks within the injected query.
An example of some PHP code vulnerable to an SQL injection using Char() would look similar to the following:
$id = addslashes( $_GET['id'] );
$query = 'SELECT username FROM users WHERE id = ' . $id;
While addslashes() has been used, the script fails to properly sanitize the input as there is no quotation mark around the value. This could be exploited using the following SQL injection string to load the /etc/passwd file:
Source: http://hakipedia.com/index.php/SQL_Injection#Char.28.29
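For anyone who meets the same entry in their logs, an added log-triage helper in Python (not from the answers above): it URL-decodes a request line, renders each CHAR(...) call to the text it evaluates to, and flags the UNION SELECT shape. The sample line is a shortened, constructed copy of the first three CHAR() calls from the request quoted in the question.

```python
import re
from urllib.parse import unquote_plus

# CHAR(n, n, ...) with a plain integer list, as MySQL / SQL Server spell it.
_CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\)", re.I)
_UNION_SELECT = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)
_MARKER = re.compile(r"-x\d+-Q-")  # the -x1-Q-, -x2-Q-, ... strings seen in the log

def decode_char_calls(text: str) -> list:
    """Return the string each CHAR(...) call in `text` evaluates to.
    Non-printable code points are shown as \\xNN so the log stays readable."""
    decoded = []
    for m in _CHAR_CALL.finditer(text):
        codes = [int(c) for c in m.group(1).split(",")]
        decoded.append("".join(chr(c) if 32 <= c < 127 else f"\\x{c:02x}" for c in codes))
    return decoded

def triage(request_line: str) -> dict:
    """Classify one request line from the access log."""
    text = unquote_plus(request_line)
    literals = decode_char_calls(text)
    return {
        "union_select": _UNION_SELECT.search(text) is not None,
        "char_literals": literals,
        # A numbered marker in every column is a column-count probe: whichever
        # marker gets echoed back tells the sender which column the page displays.
        "column_probe": len(literals) >= 2 and all(_MARKER.fullmatch(s) for s in literals),
    }

# Constructed sample: the first three CHAR() calls of the request in the question.
SAMPLE = ("properties?page=2side1111111111111 UNION SELECT CHAR(45,120,49,45,81,45),"
          "CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45) -- /*")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over the full request, the sixteen calls decode to -x1-Q- through -x16-Q-, which is the "xQs" the accepted answer refers to.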

JPA call Store Procedure returned wrong result

I am using a JPA native query to call a stored procedure and map the returned result to a class:
createNativeQuery(String sqlString, Class resultClass);
Here sqlString is a stored procedure call in this format:
{call storeProcedureName parameter1, parameter2, parameter3}
I noticed that when one of the parameters contains a forward slash (/), the result will be wrong. Has anybody encountered this problem before, and how do I solve it? Thanks
I am using EclipseLink and a GlassFish server.
Are you in-lining the parameters into your SQL, or using parameters on your query? You should use parameters on your query, in-lining parameters into SQL is very bad (can lead to SQL injection attacks).
See,
http://wiki.eclipse.org/EclipseLink/UserGuide/JPA/Basic_JPA_Development/Querying/Native#Parameters