SugarCRM Querying Database - sugarcrm

In SugarCRM, using SOAP API, imagining i have lots of accounts populated in the database, and i want to find the account that has 'phone_work' = '00352254856987'. How can i make a query to accomplish that? It would be something like this:?
$query = "phone_work = '${myPhone}'";
For what i have tried, it seems the compiler finds an error in the XML document, which means the query is not well executed. What is the best way to do this kind of queries?
I'm using magento and creating a module to connect to sugar, so it is PHP

It turned out the field 'phone_work' is wrong. You can access at: http://apidocs.sugarcrm.com/schema/6.3.0/pro/tables/accounts.html and get all the fields related to that module. In the module 'Accounts', the field name is called 'office phone', but in the database, the name is 'phone_office'. Because the query is for the database, we need to use database field names.

Could you post the error that you get? Take also a look at the sugarcrm.log and maybe increase the logging level to see if the sql that gets created from your query is wrong.
By the way I switched to REST Json to get rid of soap related problems.

Related

Batch download of contact address records via REST?

Using Acumatica ERP 2018R (V18.112.0019) which is the latest version as of this question.
I've been trying to find a way to download contact address records in batch -- not one at a time, and it seems that everything I try, I get an error from the optimizer about a BQL delegate.
I've tried using the Default/17.200.001 endpoint to go after the Contact entity and use the $expand=Address parameter.
Often suggested as a workaround is to create a Generic Inquiry, so I've also tried extending the endpoint and get the results from a GI, but no matter how basic I make that GI, I get the same BQL delegate error. For the DAC, I've tried using PX.Objects.CR.Address, PX.Objects.CR.ContactExtAddress, PX.Objects.AR.ARAddress, and went so far as to return just the AddressID field. No other tables, relations, parameters, conditions, etc. Just a very basic GI to try and get to an address. Even if the GI worked, there's issues with being able to page the results (I get a method not allowed error when trying to do a Put to a GI, but that could just be me doing it wrong).
Looking that differences between the old endpoint Contract versions, it looks like V1 was more forgiving with sub-optimal queries than V3? Maybe the REST API needs to have a URL parameter or a way to specify to allow a non-optimized query to run? Or if it has that feature, I can't seem to locate it.
Any insight or examples that anyone could add would be greatly appreciated. I can't imagine having to download contacts and/or contact address records one at a time - that would be a ridiculous number of round trips/requests and would be much slower and more of a resource hog than a single non-optimized query.
I think I was able to solve my own problem by expanding the Contacts in the following manner:
Customer?$expand=ShippingContact/Address,MainContact/Address,Contacts,Contacts/Contact/Address
You should be able to do PUT to a Generic Inquiry entity, and in that way you should not get a delegate-related optimization error.

Unable to practice Sql Injection (blind) on DVWA 1.10

I am practicing for Security Testing. I came across DVWA and I started practicing for Sql Injection. I was doing fine till I started with SQL Injection (blind). No matter which query I try I am not getting the desired result.
For eg :
1' and 1=0 union select null,table_name from information_schema.tables#
simply returns User ID exists in the database.
I have set the DVWA Security to Low. Also made sure there are no errors on setup page of the application under Setup Check section.
Following are environment details:
Operating system: Windows
Backend database: MySQL
PHP version: 5.6.16
I think the answer is here and the behavior is expected
https://github.com/ethicalhack3r/DVWA/issues/12
Someone complained of the opposite behavior and the developer agreed, and a contributor named g0tm1lk fixed it. He made the exercise really "blind" and we have to use blind injection methods to test the vulnerability.
Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.
A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:
200 if USER_ID exists
404 if USER_ID not exists
But it won't show any information from the query results (e.g. username, address, phone, etc)
If the page is vulnerable to SQLi [blind], an attacker won't be able get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.

Cannot use folder-name field to filter resources in HP QC REST API

I don't expect to get an answer on this but if anyone can help it would be greatly appreciated.
We're using HP Application Lifecycle Management 12.2 (ALM or QC/QualityCenter as it's called). I'm trying to retrieve test resources from the project using the REST api but I suspect I've come across a defect in the API.
I'm trying to filter the response by using a query, and any other query works fine but when I try to use the 'folder-name' field it fails with the following message:
Failed to set params in the parametrized query
It doesn't matter what format I try to escape the query with, I've tried the following:
/resources/?query={folder-name[%27folder%27]}
/resources/?query={folder-name['folder']}
/resources/?query=%7bfolder-name%5b%27folder%27%5d%7d
I've also reproduced this on an 11.52 QC instance so it's not just our environment. I've double checked the customization collection using the ?can-filter=true param and folder-name is supposed to be filterable.
I'm currently using the parent-id for filtering instead which works but it requires me to do another request to get the parent-id first which I would like to refrain from.
Any suggestions, patches?
Thanks
As I wrote in the comments, the error is reproducable here, and I agree that it is strange. The folder-name exists as a field in resource, and should be filterable. It seems to be a bug.
But there is another approach that I offer as a substitute solution. The resource entity offer a relation directly to the folder entity, and you can get the exact result you were looking for, by using a cross join with that table:
/resources/?query={resource-folder.name['folder']}
This is probably too late to help you with your work, but it might help others.

Querying Raven Db

I have an instance of Raven Db at localhost:8081. I made sure to change raven's config file to allow anonymous access. I created a database named AT. Inside AT I have a collection named Admins. Inside of Admins I have two documents. I'm trying to retrieve some data via Rest using RestClient. I try to hit the db using:
http://localhost:8081/docs/admins/7cb95e9a (last bit is the id of the document I want).
and
http://localhost:8081/docs/at/admins/7cb95e9a.
With both I receive a 404. I'm not sure what I'm missing here. Can someone point me in the right direction?
The URL has the following format:
http://localhost:8081/databases/{{database-name}}/docs/{{document-id}}.
Collection is a virtual thing. get a document only by its ID, there no nothing on collection here. The document ID can be anything you set, but if you let RavenDB to generate it, it will probably be admins/1.

How to inspect every query going to DB from Zend Framework

I have a complex reporting application that allows clients to login and view reports for their client data. There are several sections of the application where there are database calls, using various controllers. I need to make sure that client A doesn't get client B's information via header manipulation.
The system authenticates, and assignes them a clientID and roleID. If your roleID >1, that means you work for the company hosting the data, and you can see all client info. I want to create a catch-all that basically works like this:
if($roleID > 1) {
...send query to database
}else {
if(...does this query select a record with clientID other than my $auth->clientID){
do not execute query
}else {
execute query
}
}
The problem is, I want this to run for every query that goes to the server... how can I place this code as a "roadblock" between the application and the DB? I already use Zend_Profiler to look at queries, so I know it is somehow possible, but cannot discern this from the Profiler code...
I can always write an authentication function and pass selected queries that way, but this catch-all would be easier to implement across all of the calls and would be future proof. Any help is appreciated.
it's application design fault.
you shoud use 'service architecture' - the only one entry point for queries would be a service. and any checks inside it.
If this is something you want run on every query, I'd suggest extending Zend_Db_Select and overwrite either the query() or assemble() functions to add in your logic. You'll also want to add a way for it to be aware of your $auth object.
Another option is to extend your database adapter so you can intercept the queries directly. IMO, you should try and do this at the application level though.
Depending on your database server, you can put a trace on the DB side.
Here's an example for Oracle:
http://orafaq.com/wiki/SQL_Trace