How to combine results from two rather different YQL SELECTs (not a subselect)? - select

I have the following two YQL queries, each of which work fine on their own, but I'm pretty sure there's a way I haven't been able to find to fetch them both in a single more complicated query:
SELECT * FROM xml WHERE url="http://www.google.com/ig/api?weather=Tbilisi"
AND itemPath="//current_conditions/temp_c"
and
SELECT * FROM html WHERE url='http://amindi.ge/'
AND xpath="//*[@id='maincityholder']/h1"
The questions here with similar wording all turn out to be questions about subselects, use query.multi which doesn't seem to exist any more, or select something other than * which I couldn't get to work with either of my queries even in isolation.
It could be that the itemPath and the xpath clauses are the problem, but as I say I can't get either to work without these. Am I missing something or is this not possible with my particular queries?

The query.multi table exists in the same place it always has. Did you forget to load that table (or the usual env=store://datatables.org/alltableswithkeys)?
There's also a yql.query.multi table, which is used in exactly the same way as query.multi but exists in YQL proper, so does not require the data table to be loaded into the environment.
The following query, taking your individual queries (and changing/escaping quotes where necessary)
SELECT * FROM yql.query.multi WHERE queries='
SELECT * FROM xml WHERE url="http://www.google.com/ig/api?weather=Tbilisi"
AND itemPath="//current_conditions/temp_c";
SELECT * FROM html WHERE url="http://amindi.ge/"
AND xpath="//*[@id=\'maincityholder\']/h1"
';
Gives
<results>
<results>
<temp_c data="-2"/>
</results>
<results>
<h1>6°</h1>
</results>
</results>
(Try it in the YQL console)

Related

Using a query to supply an Access form

I have a Microsoft Access form that is being supplied (somehow) by a query. The query contains three tables linked together via their respective primary and foreign keys, and the form displays data quite happily.
The strange thing (as far as I'm concerned) is the ability of the form to then allow data entry using the query.
However, if the user creates a new record, the whole thing seems to have problems due to a required field in the [table2] table.
SELECT [table1].*
,[table2].JobNo
,[table2].PlannedDateOC
,[table3].DateJobStarted
,[table1].PlanNo
FROM (
[table1] LEFT JOIN [table2] ON [table1].PlanNo = [table2].PlanNo
)
LEFT JOIN [table3] ON [table2].JobNo = [table3].JobNo
ORDER BY [table2].PlannedDateOC
,[table1].PlanNo;
According to the users, this form worked perfectly prior to conversion from Access 97/2003 format to Access 2010 (2007 file format).
Could anyone clarify whether this (the fact that it should work) is legitimate, and if this process would work in either version of Access, if so? The concept of being able to use a query for data entry is quite alien to me.
Let me know if you need further clarification.
NOTE:
One thing of note, here, is that I did move some of the fields into the form header so that they were always visible as the rest of the form scrolls. I don't know if this will have any side effects on the performance of the form.
The above query will allow you to insert data into [table1] when all NOT NULL fields have their values; make sure only table1 fields get dirty when a new record is inserted.

how to query sqlite for certain rows, i.e. dividing it into pages (perl DBI)

sorry for my noob question,
I'm currently writing a perl web application with sqlite database behind it.
I would like to be able to show in my app query results which might get thousands of rows - these should be split in pages - routing should be like /webapp/N - where N is the page number.
What is the correct way to query the sqlite db using DBI, in order to fetch only the relevant rows?
For instance, if I show 25 rows per page, I want to query the db for rows 1-25 on the first page, 26-50 on the second page, etc.
Using the LIMIT/OFFSET construction will show pages, but the OFFSET makes the query inefficient, and makes the page contents shift when the data changes.
It is more efficient and consistent if the next page starts the query at the position where the last one ended, like this:
SELECT *
FROM mytable
WHERE mycolumn > :lastvalue
ORDER BY mycolumn
LIMIT 25
This implies that your links are not /webapp?Page=N but /webapp?StartAfter=LastKey.
This is explained in detail on the Scrolling Cursor page.
You should do something like this:
SELECT column FROM table ORDER BY somethingelse LIMIT 0, 25
and when the user clicks on page 2, you should do:
SELECT column FROM table ORDER BY somethingelse LIMIT 25, 25
and so on..
You'd most likely be using the LIMIT and OFFSET keywords, something like this:
my $sth = $dbh->prepare("SELECT foo FROM bar WHERE something LIMIT ? OFFSET ?");
$sth->execute($limit, $offset);
while ( my @row = $sth->fetchrow_array ) {
    # loop body runs once per row, at most $limit times
}
The $limit and $offset variables would be controlled by the parameters passed to your script by html/cgi/whatever features.
Pagination is one of those problems a lot of CPAN modules have already solved. If you're using straight SQL, you could look at something like DBIx::Pager. You might also want to check out something like Data::Pageset to help you manage creating the links to your various pages. If you're using DBIx::Class (which is an excellent tool) for your SQL queries, then DBIx::Class::ResultSet::Data::Pageset will make this very easy for you.
Essentially handling the SQL is one end of it, but you'll also need to solve various problems in the templating aspect of it. I'd encourage you to have a look at these modules and maybe even poke around CPAN a little bit more to see where somebody else has already done the heavy lifting for you with respect to pagination.
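The two approaches from the answers above side by side, as an added example that is not from the original thread. It uses Python's sqlite3 module rather than Perl DBI so it runs with no extra modules; the events table, its ten rows and the "late-arrival" row are constructed sample data. Both queries bind the page or cursor value as a parameter (a page number taken from the URL must never be formatted into the SQL text), and the demo shows why the keyset version is the one whose pages stay consistent when a row appears under the cursor.

```python
import sqlite3

PAGE_SIZE = 3  # deliberately small so the drift is visible; the question uses 25


def make_db() -> sqlite3.Connection:
    """Constructed sample table: ids 1..10. INTEGER PRIMARY KEY gives a unique,
    stable sort key, which is what keyset pagination needs (a non-unique sort
    column would need rowid as a tiebreaker, or rows sharing the cursor value
    would be skipped)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO events (id, name) VALUES (?, ?)",
        [(i, f"event-{i}") for i in range(1, 11)],
    )
    return con


def page_by_offset(con: sqlite3.Connection, page, size: int = PAGE_SIZE) -> list:
    """/webapp/N style. `page` arrives as a string from the URL: coerce it with
    int() (so '1 OR 1=1' raises ValueError instead of reaching SQLite) and bind
    the resulting numbers as parameters. Returns the ids on that page."""
    page = int(page)
    if page < 1:
        raise ValueError("page numbers start at 1")
    rows = con.execute(
        "SELECT id FROM events ORDER BY id LIMIT ? OFFSET ?",
        (size, (page - 1) * size),
    ).fetchall()
    return [r[0] for r in rows]


def page_by_keyset(con: sqlite3.Connection, after_id, size: int = PAGE_SIZE):
    """/webapp?StartAfter=LastKey style: seek past the last key the client saw
    instead of counting rows from the top. Returns (ids, next_cursor); the
    cursor is None when there is no further page."""
    rows = con.execute(
        "SELECT id FROM events WHERE id > ? ORDER BY id LIMIT ?",
        (int(after_id), size),
    ).fetchall()
    ids = [r[0] for r in rows]
    next_cursor = ids[-1] if len(ids) == size else None
    return ids, next_cursor


def demo_drift() -> dict:
    """Fetch page 1 both ways, let a row that sorts before the cursor arrive,
    then fetch page 2 both ways."""
    con = make_db()
    offset_p1 = page_by_offset(con, 1)           # [1, 2, 3]
    keyset_p1, cursor = page_by_keyset(con, 0)   # [1, 2, 3], cursor 3
    con.execute("INSERT INTO events (id, name) VALUES (0, 'late-arrival')")
    offset_p2 = page_by_offset(con, 2)           # [3, 4, 5]: id 3 is shown twice,
                                                 # OFFSET counted the new row
    keyset_p2, _ = page_by_keyset(con, cursor)   # [4, 5, 6]: unaffected
    return {"offset": offset_p1 + offset_p2, "keyset": keyset_p1 + keyset_p2}


if __name__ == "__main__":
    for style, ids in demo_drift().items():
        print(f"{style:6s} pages 1+2 -> {ids}")
```

The same drift happens in the other direction when a row on an earlier page is deleted: OFFSET then skips a row the reader never sees, while the keyset query still resumes exactly after the last key. The price is that links carry a key rather than a page number, as the first answer says.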

Website security, sql injection and file permissions

I am building a very small website (with PHP) and I have 2 big issues
The first one is about my search form
I have build a really simple search form in order to retrieve my content, then I used an online security tool and show me that my search form was vulnerable to SQLi
I had no idea abut that so I started testing some attacks I found on some sites
As far as now only 'OR 'x'='x worked (it returns the entire content of my website, is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?
SQL injection is really bad, but I like it :)
There are many types of SQL injection, like:
remote SQL injection
blind SQL injection
auth bypass SQL injection
Remote SQL injection
It's the easy way to get data from a site; the hacker uses it the same way coders do.
See this example:
mysql_query("SELECT * FROM `table_name` WHERE id=" . $_GET['id']);
There is no security in my code.
site.php?id=1
My query will execute like:
mysql_query("SELECT * FROM `table_name` WHERE id=1");
If a hacker comes, he will break your code:
site.php?id=1' (anything here can cause a problem, e.g. ` ' a-z A-Z / * / ")
because the query will be like this:
mysql_query("SELECT * FROM `table_name` WHERE id=1'");
so a single quotation mark will cause an error in your query,
and the hacker can attack like this:
site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users
Here your query will execute like:
mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users");
and this will work :)
Blind SQL injection
The hacker cannot work the easy way (remote SQL injection), because here it depends on true and false,
so he will use AND / OR, like this:
and (select user_name from users)
If it works fine the script will work normally; otherwise an error will happen.
He can learn database info like this (example: the admin table is called admin):
and (select user_name from users)   -> error
and (select user_name from admin)   -> fine
Auth bypass
It's blind SQL injection, but only a true condition can get access to admin.
mysql_query("SELECT * FROM `users` WHERE `user_name`='" . $_POST['user'] . "' AND `password`='" . md5($_POST['pass']) . "'");
The hacker can log in like this:
user = anything' or 1=1 --
so your query will be like:
mysql_query("SELECT * FROM `users` WHERE `user_name`='anything' or 1=1 --' AND `password`='...'");
anything is a user that does not exist in the database,
but the condition or 1=1 is true,
and -- will ignore your password check,
so he can get in easily.
Protect
addslashes, mysql_real_escape_string, intval (for numbers only)
For folder permissions you can use an empty index.html or index.php.
If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!
If you are logging into your mysql as the root user, they can potentially write to files (and create) files on your server.
The injection:
SELECT '<?php system($_GET[''cmd'']); ?>' INTO DUMPFILE './command.php';
Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.
What you must do, is to sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it onto the database, you can do this using mysql_real_escape_string();
so:
$search_query = mysql_real_escape_string($_POST['search']);
It is then safe to use $search_query in your mysql query.
SQL injection is bad.
Someone can run any query he wants on your database, find passwords, delete all your data, etc.
You can avoid it by wrapping all user input in your queries with mysql_real_escape_string.
About the directories: it really depends on the access you provide. If file listing is available, it doesn't necessarily mean that someone can change or execute the files.
Ad SQL Injection:
Displaying the entire content can be a problem if you have unpublished articles or articles only available for registered users etc.
Try reading more on SQL Injections. It may be possible to execute a second query that inserts new data in your database - or worse changes data (for example passwords). There's a lot of reading material out there, a start could be: http://php.net/manual/en/security.database.sql-injection.php Sanitise all your input and remember: even if you may not find a way to do harm via a security hole it doesn't mean no one will find a way ;)
Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?
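An added example, not code from any of the answers above, that reproduces the three attacks the answers describe (the asker's ' OR 'x'='x search, the UNION dump of user_name:password, and the login bypass) against an in-memory SQLite database and then runs the same queries with bound parameters. The articles and users tables, the admin row and the hunter2 password are constructed; the md5 hashing is kept only to mirror the posted PHP, not as a recommendation. Parameterised queries are the fix a current driver offers in place of the escaping functions the answers recommend: the input is sent to the engine as a value, so it can never become part of the SQL text. The vulnerable search compares title = '...', the simplest shape that reproduces the asker's result, and the UNION payload is the SQLite spelling of concat(user_name,0x3a,password).

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    """Mirrors md5($_POST['pass']) in the posted PHP. Weak; kept only to match the example."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: public and unpublished articles, plus a users table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL, published INTEGER NOT NULL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT NOT NULL, password TEXT NOT NULL);
        INSERT INTO articles (title, published) VALUES ('Public post', 1), ('Secret draft', 0);
        """
    )
    con.execute("INSERT INTO users (user_name, password) VALUES (?, ?)",
                ("admin", md5_hex("hunter2")))
    return con


# --- vulnerable: user input is concatenated straight into the SQL text --------

def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    sql = "SELECT title FROM articles WHERE published = 1 AND title = '" + term + "'"
    return [r[0] for r in con.execute(sql)]


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    sql = ("SELECT user_name FROM users WHERE user_name = '" + user
           + "' AND password = '" + md5_hex(password) + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


# --- hardened: identical queries, but the values are bound as parameters ------

def search_safe(con: sqlite3.Connection, term: str) -> list:
    return [r[0] for r in con.execute(
        "SELECT title FROM articles WHERE published = 1 AND title = ?", (term,))]


def login_safe(con: sqlite3.Connection, user: str, password: str):
    row = con.execute(
        "SELECT user_name FROM users WHERE user_name = ? AND password = ?",
        (user, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


# Payloads from the thread, as constructed inputs.
DUMP_EVERYTHING = "' OR 'x'='x"                                  # the asker's finding
UNION_DUMP = "' UNION SELECT user_name || ':' || password FROM users --"  # concat(user_name,0x3a,password)
AUTH_BYPASS = "anything' OR 1=1 --"


def demo() -> dict:
    con = make_db()
    return {
        "vuln_search": sorted(search_vulnerable(con, DUMP_EVERYTHING)),  # both rows, draft included
        "vuln_union": search_vulnerable(con, UNION_DUMP),                # ['admin:<md5>']
        "vuln_login": login_vulnerable(con, AUTH_BYPASS, "wrong"),       # 'admin'
        "safe_search": search_safe(con, DUMP_EVERYTHING),                # []
        "safe_login": login_safe(con, AUTH_BYPASS, "wrong"),             # None
        "real_login": login_safe(con, "admin", "hunter2"),               # 'admin'
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result!r}")
```

The "vuln_search" result answers the asker's first question directly: the payload turns "published = 1 AND title = ''" into "(published = 1 AND title = '') OR true", so the unpublished draft is returned along with everything else, and the same hole carries the UNION and the login bypass. The hardened functions are byte-for-byte the same SQL with ? placeholders, which is why the payloads simply match nothing.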

iPhone Dev - Trying to access every row of a sqlite3 table sequentially

this is my first time using SQL at all, so this might sound basic. I'm making an iPhone app that creates and uses a sqlite3 database (I'm using the libsqlite3.dylib database as well as importing "sqlite3.h"). I've been able to correctly created the database and a table in it, but now I need to know the best way to get stuff back from it.
How would I go about retrieving all the information in the table? It's very important that I be able to access each row in the order that it is in the table. What I want to do (if this helps) is get all the info from the various fields in a single row, put all that into one object, and then store the object in an array, and then do the same for the next row, and the next, etc. At the end, I should have an array with the same number of elements as I have rows in my sql table. Thank you.
My SQL is rusty, but I think you can use SELECT * FROM myTable and then iterate through the results. You can also use a LIMIT/OFFSET(1) structure if you do not want to retrieve all elements at once from your table (for example due to memory concerns).
(1) Note that this can perform unexpectedly badly, depending on your use case. Look here for more info...
How would I go about retrieving all the information in the table? It's
very important that I be able to access each row in the order that it
is in the table.
That is not how SQL works. Rows are not kept in the table in a specific order as far as SQL is concerned. The order of rows returned by a query is determined by the ORDER BY clause in the query, e.g. ORDER BY DateCreated, or ORDER BY Price.
But SQLite has a rowid virtual column that can be used for this purpose. It reflects the sequence in which the rows were inserted. Except that it might change with a VACUUM. If you make it an INTEGER PRIMARY KEY it should stay constant.
order by rowid

coldfusion - bind a form to the database

I have a large table which inserts data into the database. The problem is when the user edits the table I have to:
run the query
use lots of lines like value="<cfoutput>#getData.firstname#</cfoutput>" in the input boxes.
Is there a way to bind the form input boxes to the database via a cfc or cfm file?
Many Thanks,
R
Query objects include the columnList, which is a comma-delimited list of returned columns.
If security and readability aren't an issue, you can always loop over this. However, it basically removes your opportunity to do things like locking certain columns, reduces your ability to do any validation, and means you either just label the form boxes with the column names or you find a way to store labels for each column.
You can then do an insert/update/whatever with them.
I don't recommend this, as it would be nearly impossible to secure, but it might get you where you are going.
If you are using CF 9 you can use the ORM (Object Relation Management) functionality (via CFCs)
as described in this online chapter
https://www.packtpub.com/sites/default/files/0249-chapter-4-ORM-Database-Interaction.pdf
(starting on page 6 of the pdf)
Take a look at <cfgrid>; it will be the easiest if you're editing a table, and it can fire one update per row.
For security against XSS, you should use <input value="#xmlFormat(getData.firstname)#">, minimize # of <cfoutput> tags. XmlFormat() not needed if you use <cfinput>.
If you are looking for an easy way to not have to specify all the column names in the insert query cfinsert will try to map all the form names you submit to the database column names.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c78.html
This is indeed a very good question. I have no doubt that the answers given so far are helpful. I was faced with the same problem, only my table does not have that many fields though.
Per the docs EntityNew() the syntax shows that you can include the data when instantiating the object:
artistObj = entityNew("Artists",{FirstName="Tom",LastName="Ron"});
instead of having to instantiate and then add the data field by field. In my case all I had to do is:
artistObj = entityNew( "Artists", FORM );
EntitySave( artistObj );
ORMFlush();
NOTE
It does appear from your question that you may be running insert or update queries. When using ORM you do not need to do that. But I may be mistaken.