I am writing in intersystems cache object script.
I have a statement which has become very long.
Is there any way to continue a statement in the next line?
Thanks.
Can you post a sample?
If you have a long string you can concatenate it like this:
Set SQL = "SELECT * "_
"FROM Sample.Person "_
"WHERE Name [ 'a'"
This is equal to:
Set SQL = "SELECT * FROM Sample.Person WHERE Name [ 'a'"
Other types of statements can also be placed on several lines.
Related
I have a request which gives me ids. I need to iterate them into another request, so I have a scheme like this:
In tPostgresqlInput I have this code rc.id = upper('18ce317b-bf69-4150-b880-2ab739eab0fe'), but instead of the id I need to put something like globalMap.get(row4.id). How do I do this?
Apparently this is a syntax issue
Try with:
"select * FROM table LEFT JOIN table on parameter JOIN table on parameter " +
"WHERE 1=1 AND " +
"column = 'content' " +
"AND upper(rc.id) = upper('" + ((String) globalMap.get("row4.id")) + "')"
Expressions in tDBInput should always begin and end with double quotes.
Don't forget to cast globalMap.get() to the type of your element (here I used String).
.equals is not a DB function but a Java function. I have replaced it with '='.
Let me know if it's better
In my front end, the data display has only single spaces. However, when I filter my data in the search bar, it yields no result. It turns out the data actually has double spaces. But when it is retrieved with Repo.all, the double spaces become single spaces. I need to search that data.
I have a regexp which I found and tried in pgAdmin, which works. I need to replicate it in my Elixir datatable, specifically by integrating it in the ilike function.
The regexp is
SELECT trim(regexp_replace(name, '\s+', ' ', 'g')) AS col_name
FROM table
WHERE trim(regexp_replace(name, '\s+', ' ', 'g')) = 'TEST DATA'  -- a column alias cannot be referenced in WHERE, so the expression is repeated
I think a better approach might be to use % in place of spaces when searching, I find that this gives me generally better results. Here are the docs for ILIKE in Postgres, but I'll explain with an example. The % character used in ILIKE matches any string of characters (including the empty string).
SELECT * FROM t1 WHERE col_name ILIKE '%test%data%';
The query above will match the example that you've given. Granted, it will also match strings like "testdata", "test data", "something test something data", but I think that in general this approach will return results that a user would expect when entering a search like "test data".
A helper function to do this transformation from user input to a string suitable for Ecto's ilike would look like this:
defmodule SearchHelpers do
  # Split the user's input on whitespace (runs of spaces collapse) and join the
  # tokens with %, so "test data" becomes "%test%data%".
  def to_ilike_search_string(search_string) do
    joined_string =
      search_string
      |> String.split()
      |> Enum.join("%")

    "%#{joined_string}%"
  end
end

# SearchHelpers.to_ilike_search_string("test data")
# => "%test%data%"
And you could use it in a query like this:
import Ecto.Query, only: [from: 2]

ilike_search_string = SearchHelpers.to_ilike_search_string("test data")
query = from p in Post,
  where: ilike(p.content, ^ilike_search_string)
results = Repo.all(query)
Good luck, hope this helps.
I have seen some answers already but my query is a little bit different:
Here is an original query:
cmd.CommandText = "select count(Table1.UserID) from Table1 INNER JOIN " +
    "Table2 ON Table1.ID = Table2.ID where Table1.Userid = " + UserID + " and " +
    "Table1.Number != '" + Number + "' and Table2.ID < 4";
Here is a modified query for SQL Injections:
cmd.CommandText = "select count(Table1.UserID) from Table1 INNER JOIN " +
    "Table2 ON Table1.ID = Table2.ID where Table1.Userid = @userId and " +
    "Table1.ID != @Number and Table2.ID < 4";
As you can notice, the first query has UserID surrounded by double quotes: ..." + UserID + "... and Number is surrounded by single and double quotes: ...'" + Number + "'...
Here is how I'm setting parameters:
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("@Number", Number);
cmd.Parameters.AddWithValue("@userId", UserID);
where UserID is an integer and Number is a string.
So, my question is: is the modified query formatted the right way? Is there any difference in how to put the @UserId and @Number parameters into a query, considering the different ways they are specified in the original query?
I have been working on .NET MVC for a long time, and I can assure you the parameters are correctly fixed by yourself in the second case, and you do not need to worry. By the way, you can still debug and test if you can inject yourself. Briefly, your code looks great and invulnerable.
This is how I do it, which is similar and also as safe as yours:
string Query = @"select a1, a2, a3, a4 from table1 where a1 in
(select b1 from table2 where b2 = @start or b2 = @end)";
using (SqlCommand Comm = new SqlCommand(Query, Conn))
{
    Comm.Parameters.Add("@start", SqlDbType.NVarChar).Value = start;
    Comm.Parameters.Add("@end", SqlDbType.Int).Value = end;
}
In your initial query, the double quotes belonged to the actual text of the query, not the parameter. The single quotes you would add when appending a string into the sql query. I do not know why you would put single quotes around something called Number. If in fact that is a numeric type variable, it can go into the query without the single quotes. But if it has single quotes, the only thing that happens is that Sql sees it as a string, and then converts it to a number if it is going to use it as one. For example, if Table1.Number is numeric.
But, as you have noted, building your query string by appending your parameters into your query string is terrible practice as it opens the door, wide open, for sql injection attacks. So, you go with parameterized queries, as you have.
In parameterized queries, you do not worry about quotes. For parameters that are string values, the environment will worry about encasing them in quotes as it builds the command to pass to your sql db. For parameters that are numeric, quotes are not needed, and again, that is taken care of for you.
I think your 2nd version of the query is much better and from the looks of it, it should work just fine.
Adding parameters instead of concatenating your values is much safer against SQL injection. And in this example, I can't see any way to do a SQL injection.
EDIT
When using parameterised queries, you don't need to add any quotes, just like when you declare a variable and use it in a query - you don't need to use quotes.
DECLARE @x CHAR(10) = 'abc'
SELECT @x
When using concatenation of values inside a query, if the value you're trying to add into the query is a CHAR, you need to wrap it between single quotes. If it's an INT, it shouldn't be wrapped between single quotes.
SELECT 'abc', 1
The double quotes you have in your first query don't have anything to do with the SQL statement; they are used in your C# code to build the SQL statement string you're trying to assign to CommandText.
string abcVar = "abc";
int intVar = 1;
string sqlCommand = "SELECT '" + abcVar + "', " + intVar;
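To show concretely why the quotes in the original query text disappear once parameters are used, here is an added Python/SQLite example (not code from the question; the two tables, their rows and the value O'Brien are constructed): the concatenated form has to write the single quotes itself and breaks on a legitimate apostrophe, while the bound form takes the int and the string as-is.

```python
import sqlite3

# Constructed in-memory sample data (example code, not from the question).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Table1 (ID INTEGER, UserID INTEGER, Number TEXT);
        CREATE TABLE Table2 (ID INTEGER);
        INSERT INTO Table1 VALUES (1, 42, 'A-1'), (2, 42, 'B-2'), (3, 42, 'O''Brien');
        INSERT INTO Table2 VALUES (1), (2), (3), (5);
    """)
    return conn

def count_concatenated(conn, user_id, number):
    # The original pattern: the quotes around the string value are typed into
    # the SQL text by hand, so the value itself can alter the statement.
    sql = ("SELECT count(Table1.UserID) FROM Table1 INNER JOIN Table2 "
           "ON Table1.ID = Table2.ID WHERE Table1.UserID = " + str(user_id) +
           " AND Table1.Number != '" + number + "' AND Table2.ID < 4")
    return conn.execute(sql).fetchone()[0]

def count_parameterized(conn, user_id, number):
    # Placeholders carry no quotes at all; the driver binds the int and the
    # str by type, exactly as AddWithValue/Parameters.Add do in ADO.NET.
    sql = ("SELECT count(Table1.UserID) FROM Table1 INNER JOIN Table2 "
           "ON Table1.ID = Table2.ID WHERE Table1.UserID = :userId "
           "AND Table1.Number != :number AND Table2.ID < 4")
    return conn.execute(sql, {"userId": user_id, "number": number}).fetchone()[0]

def concatenation_breaks_on_quote(conn):
    # A legitimate value with an apostrophe terminates the hand-written literal
    # and the statement no longer parses; a bound parameter handles it as data.
    try:
        count_concatenated(conn, 42, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True
```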
Whenever I replace placeholders in the SQL query using on, it surrounds the replacement with ''. Is there a way to prevent this?
It means I can't do things like
SQL("SELECT * FROM {table} blah").on("table" -> tabletouse)
because it wraps the table name with '' which causes an SQL syntax error.
You could certainly combine both approaches, using the format function for data you don't want to be escaped:
SQL(
"""
select %s from %s
where
name = {name} and
date between {start} and {end}
order by %s
""".format(fields, table, order)
).on(
'name -> name,
'start -> startDate,
'end -> endDate
)
Just take into account that the data you are sending using the format function should NOT come from user input; otherwise it should be properly sanitized.
You cannot do what you are trying. Anorm's replacement is based on PreparedStatements, meaning all data will automatically be escaped, meaning you cannot use replacement for:
table names,
column names,
whatever operand, SQL keyword, etc.
The best you can do here is String concatenation (which is really a bad way in my opinion):
SQL("SELECT * FROM " + tabletouse + " blah").as(whatever *)
PS: Check out this question about table names in PreparedStatements.
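Since prepared-statement placeholders cannot carry identifiers, the safe alternative to plain concatenation of the table name is to check it against a fixed allow-list and only then splice it into the statement text, keeping the values bound. Added Python/SQLite example, not Anorm or project code; ALLOWED_TABLES, ALLOWED_ORDER_COLUMNS and the sample tables are assumptions:

```python
import sqlite3

# Constructed sample schema (example code, not from the question or Anorm).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT);
        CREATE TABLE orders (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'ann'), (2, 'bob');
        INSERT INTO orders VALUES (1, 'ann'), (2, 'ann'), (3, 'bob');
    """)
    return conn

# Identifiers the application is willing to query; anything else is rejected
# before it gets anywhere near the SQL text.
ALLOWED_TABLES = {"users", "orders"}
ALLOWED_ORDER_COLUMNS = {"id", "name"}

def quote_ident(name):
    # Standard SQL identifier quoting: wrap in double quotes, double any embedded quote.
    return '"' + name.replace('"', '""') + '"'

def select_by_name(conn, table, order_by, name):
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("order column not allowed: %r" % order_by)
    # Identifiers are spliced in only after the allow-list check; the value stays a bound parameter.
    sql = "SELECT id FROM %s WHERE name = ? ORDER BY %s" % (
        quote_ident(table), quote_ident(order_by))
    return [row[0] for row in conn.execute(sql, (name,))]

def rejects(conn, table):
    # True when an unlisted identifier is refused without touching the database.
    try:
        select_by_name(conn, table, "id", "ann")
        return False
    except ValueError:
        return True
```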
I believe [ and ] are special characters when used with the LIKE clause in T-SQL (SQL Server 2005 if it matters). How do I escape the search term in the stored procedure? I did the below, but it does not return valid records even when they exist:
SELECT * FROM Table WHERE Column LIKE '%[' + @searchedTerm + ']'
So which is the valid thing to do when searching like above?
You need to escape the opening (not the closing) bracket like this:
LIKE '%[[]' + @searchedTerm + ']'
The MSDN page for LIKE has a section "Using Wildcard Characters As Literals"
Edit, after comment
LIKE '[[]cap]%' searches for a name containing the string [cap]
LIKE '[wel]%' searches for a name containing one of the letters w, e or l
Try this:
DECLARE @searchedTerm AS varchar(50);
SET @searchedTerm = 'TEST VALUE';
SELECT * FROM Table WHERE Column LIKE '%[[]' + @searchedTerm + ']';
Try this:
SELECT * FROM Table WHERE Column LIKE '%/[' + @searchedTerm + ']' {escape '/'}
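Both the Ecto helper earlier on this page (splitting the search string and joining the tokens with %) and the T-SQL bracket question come down to one rule: anything the user typed must have the LIKE metacharacters escaped before it becomes part of the pattern. The following added Python example (not code from either answer) does that with an explicit ESCAPE character; it runs on SQLite, where % and _ are the only wildcards, and takes an extra_metachars argument so that [ can be added for SQL Server (an assumption about the caller's dialect, not something SQLite checks).

```python
import sqlite3

ESCAPE = "\\"  # the single character declared in the ESCAPE clause

def escape_like(term, extra_metachars=""):
    # Prefix every LIKE metacharacter (% and _, the escape character itself,
    # and any dialect-specific extras such as [ on SQL Server) with ESCAPE.
    out = []
    for ch in term:
        if ch in "%_" + ESCAPE + extra_metachars:
            out.append(ESCAPE)
        out.append(ch)
    return "".join(out)

def to_like_pattern(search_string, extra_metachars=""):
    # Split on whitespace (runs of spaces collapse, as in the Elixir helper),
    # escape each token, then join with % so the words may be separated by anything.
    tokens = [escape_like(t, extra_metachars) for t in search_string.split()]
    return "%" + "%".join(tokens) + "%"

def search(conn, user_input):
    # The pattern is bound as a parameter; the ESCAPE clause is fixed in the SQL text.
    pattern = to_like_pattern(user_input)
    rows = conn.execute("SELECT name FROM t1 WHERE name LIKE ? ESCAPE '\\'",
                        (pattern,)).fetchall()
    return [r[0] for r in rows]

# Constructed sample rows (not from the question); SQLite LIKE is case-insensitive
# for ASCII, which mirrors ILIKE here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (name TEXT)")
    conn.executemany("INSERT INTO t1 VALUES (?)",
                     [("TEST  DATA",), ("test data",), ("something test something data",),
                      ("100% done",), ("1000 done",), ("a_b",), ("axb",)])
    return conn
```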