Search Results

Search found 18566 results on 743 pages for 'query hints'.

Page 364/743 | < Previous Page | 360 361 362 363 364 365 366 367 368 369 370 371  | Next Page >

• Prevent SQL Injection in Dynamic column names

  - by Mr Shoubs

  I can't get away without writing some dynamic sql conditions in a part of my system (using Postgres). My question is how best to avoid SQL Injection with the method I am currently using. EDIT (Reasoning): There are many of columns in a number of tables (a number which grows (only) and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and if necessary apply string functions to). The query itself is far too complex for the user to write themselves, nor do they have access to the db. There are 1000's of users with varying requirements and I need to remain as flexible as possible - I shouldn't have to revisit the code unless the main query needs to change - Also, there is no way of knowing what conditions the user will need to use. I have objects (received via web service) that generates a condition (the generation method is below - it isn't perfect yet) for some large sql queries. The _FieldName is user editable (parameter name was, but it didn't need to be) and I am worried it could be an attack vector. I put double quotes (see quoted identifier) around the field name in an attempt to sanitize the string, this way it can never be a key word. I could also look up the field name against a list of fields, but it would be difficult to maintain on a timely basis. Unfortunately the user must enter the condition criteria, I am sure there must be more I can add to the sanatize method? and does quoting the column name make it safe? (my limited testing seems to think so). an example built condition would be "AND upper(brandloaded.make) like 'O%' and upper(brandloaded.make) not like 'OTHERBRAND'" ... Any help or suggestions are appreciated. Public Function GetCondition() As String Dim sb As New Text.StringBuilder 'put quote around the table name in an attempt to prevent some sql injection 'http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html sb.AppendFormat(" {0} ""{1}"" ", _LogicOperator.ToString, _FieldName) Select Case _ConditionOperator Case ConditionOperatorOptions.Equals sb.Append(" = ") ... End Select sb.AppendFormat(" {0} ", Me.UniqueParameterName) 'for parameter Return Me.Sanitize(sb) End Function Private Function Sanitize(ByVal sb As Text.StringBuilder) As String 'compare against a similar blacklist mentioned here: http://forums.asp.net/t/1254125.aspx sb.Replace(";", "") sb.Replace("'", "") sb.Replace("\", "") sb.Replace(Chr(8), "") Return sb.ToString End Function Public ReadOnly Property UniqueParameterName() As String Get Return String.Concat(":" _UniqueIdentifier) End Get End Property

  Read the article

• iPhone OSStatus -25308 or errSecInteractionNotAllowed SFHFKeychainUtils

  - by George Octavio

  Hi again guys. I'm trying to access my iPhone's device keychain. I want to access in order to create a simple user-password value intended for a log in function. This is the code I'm using from SFHFKeychainUtils NSArray *keys = [[[NSArray alloc] initWithObjects: (NSString *) kSecClass, kSecAttrService, kSecAttrLabel, kSecAttrAccount, kSecValueData, nil] autorelease]; NSArray *objects = [[[NSArray alloc] initWithObjects: (NSString *) kSecClassGenericPassword, serviceName, serviceName, @"TestUser", @"TestPass", nil] autorelease]; NSDictionary *query = [[[NSDictionary alloc] initWithObjects: objects forKeys: keys] autorelease]; OSStatus status = SecItemAdd((CFDictionaryRef) query, NULL); } else if (status != noErr) { //Output to screen with error code goes here return NO; } return YES; } The error code I'm getting is OSStatus-25308 or errSecInteractionNotAllowed. I'm guessing this means I don't actually have access to my iPhone's keychain? Is there a way to allow access? Thanks for your time.

  Read the article

• Does SQL Server Compact Edition (SqlCe) have a SNAPSHOT table like Oracle Lite?

  - by MusiGenesis

  In Oracle Lite, you can create a SNAPSHOT table which is like a normal table except that it tracks changes to itself. The syntax is CREATE SNAPSHOT TABLE tblWhatever ... and you can perform CRUD operations on it like a normal table. To get the change information, you query the table like this: SELECT * FROM tblWhatever + WHERE ... which returns all the rows in the table (including deleted ones) meeting the WHERE clause, and you can access each row's row_state column as a normal field (which is invisible to a normal SELECT * FROM tblWhatever WHERE ... query). Is there some way to do the same thing with Sql Compact Edition (3.5) - i.e. create a table that tracks changes without using RDA?

  Read the article

• Declarative JDOQL vs Single-String JDOQL : performance

  - by DrDro

  When querying with JDOQL is there a performance difference between using the declarative version and the Single-String version: Example from the JDOQL doc: //Declarative JDOQL : Query q = pm.newQuery(org.jpox.Person.class, "lastName == \"Jones\" && age < age_limit"); q.declareParameters("double age_limit"); List results = (List)q.execute(20.0); //Single-String JDOQL : Query q = pm.newQuery("SELECT FROM org.jpox.Person WHERE lastName == \"Jones\"" + " && age < :age_limit PARAMETERS double age_limit"); List results = (List)q.execute(20.0); Other then performance, are there any reasons for which one is better to use then the other or is it just about the one with which we feel more comfortable.

  Read the article

• default caching time when using hibernate

  - by cometta

  when using hibernate 2nd level cache and query cache and not specifying anything inside ehcache.xml .what is the default caching time?

  Read the article

• Insert multiple values using INSERT INTO

  - by Ben McCormack

  In SQL Server 2005, I'm trying to figure out why I'm not able to insert multiple fields into a table. The following query, which inserts one record, works fine: INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID] ,[Description]) VALUES (1000,N'test') However, the following query, which specifies more than one value, fails: INSERT INTO [MyDB].[dbo].[MyTable] ([FieldID] ,[Description]) VALUES (1000,N'test'),(1001,N'test2') I get this message: Msg 102, Level 15, State 1, Line 5 Incorrect syntax near ','. When I looked up the help for INSERT in SQL Sever Management Studio, one of their examples showed using the "Values" syntax that I used (with groups of values in parentheses and separated by commas). The help documentation I found in SQL Server Management Studio looks like it's for SQL Server 2008, so perhaps that's the reason that the insert doesn't work. Either way, I can't figure out why it won't work.

  Read the article

• SQL joins "going up" two tables

  - by blcArmadillo

  I'm trying to create a moderately complex query with joins: SELECT `history`.`id`, `parts`.`type_id`, `serialized_parts`.`serial`, `history_actions`.`action`, `history`.`date_added` FROM `history_actions`, `history` LEFT OUTER JOIN `parts` ON `parts`.`id` = `history`.`part_id` LEFT OUTER JOIN `serialized_parts` ON `serialized_parts`.`parts_id` = `history`.`part_id` WHERE `history_actions`.`id` = `history`.`action_id` AND `history`.`unit_id` = '1' ORDER BY `history`.`id` DESC I'd like to replace `parts`.`type_id` in the SELECT statement with `part_list`.`name` where the relationship I need to enforce between the two tables is `part_list`.`id` = `parts`.`type_id`. Also I have to use joins because in some cases `history`.`part_id` may be NULL which obviously isn't a valid part id. How would I modify the query to do this?

  Read the article

• How do you properly organize a commercial game?

  - by Reactorcore

  For the past months I've been studying programming and I've finally learned how to code, but one thing that is confusing me is how to properly organize the design of a game project - code wise. The game I'm building is a pretty standard commercial game. It has the basic components of a normal game: A world, characters and items interacting with each other and all of this is run by game manager. Basically you play as a hero in a world and do stuff. Fight, explore and interact. Think of your standard adventure game that starts off with an intro, goes to the menu system, then gets into the game and back to the menu. Pretty much like 99% of any commercial game or otherwise serious game projects. Thats what I'm aiming at. The problem is: How do you properly code a commercial game architecture? How do you organize it? How do you make it not become unmaintainable spaghetti code? What specific things to keep in mind when building this, codewise? How you can help me: a) Please tell how do you code your own game projects. What is your thought-process when designing the architecture? b) Recommend books, blogs, tutorials, videos or anything else on how to organize a commercial video game. c) Give hints and tips on do's/don'ts when building a game, codewise. Please help!

  Read the article

• hibernate order by association

  - by Gary Kephart

  I'm using Hibernate 3.2, and using criteria to build a query. I'd like to add and "order by" for a many-to-one association, but I don't see how that can be done. The Hibernate query would end up looking like this, I guess: select t1.a, t1.b, t1.c, t2.dd, t2.ee from t1 inner join t2 on t1.a = t2.aa order by t2.dd <-- need to add this I've tried criteria.addOrder("assnName.propertyName") but it doesn't work. I know it can be done for normal properties. Am I missing something?

  Read the article

• Django DecimalField returns "None" instead of empty value

  - by Ed

  Is there a way to force django to display nothing instead of "None" for a Decimal Field that's been left blank? In my template, I show a list of all the values for a particular field. Each value is hyperlinked to a page that displays the results of a query filtered on that value. But because there are some entries with null value, my list includes actual DecimalField entries and "None" for all those that are empty. When a user clicks on None, django throws a validation error because you cannot query a DecimalField using a string. I could write if statements checking all instances of decimal fields for Nones and skipping them, but that is far from an elegant solution. Any advice? This is one part of the code, though there are other templates that derive the None value in slightly different manners: {% for item in choices %} <a href={% url app_views.field_choice item %}>{{ item }}</a><br> {% endfor %}

  Read the article

• SQL GROUP BY - also SELECT not-constant columns

  - by Michal Kosek

  can someone please help me with this query? I have 2 tables in my database: log_visitors: -------------------- id | host_id log_access: -------------------- visitor | document | timestamp "log_access.visitor" links to "log_visitors.id" Currently, I'm using this query: SELECT log_visitors.host_id , MIM(log_access.timestamp) AS min_timestamp FROM log_access INNER JOIN log_visitors ON (log_access.visitor = log_visitors.id) GROUP BY log_visitors.host_id; to get "MIN(timestamp)" for each "host_id" in the database. HERE'S MY QUESTION: I also need to get "document" for that access with that timestamp... I can't simply add "log_access.document" into SELECT list, since it's not constant and I am not grouping by document... Any ideas?

  Read the article

• dilemma about mysql. using condition to limit load on a dbf

  - by ondrobaco

  hi, I have a table of about 800 000 records. Its basically a log which I query often. I gave condition to query only queries that were entered last month in attempt to reduce the load on a database. My thinking is a) if the database goes only through the first month and then returns entries, its good. b) if the database goes through the whole database + checking the condition against every single record, it's actually worse than no condition. What is your opinion? How would you go about reducing load on a dbf?

  Read the article

• ORDER BY giving wrong order

  - by Cody Dull

  I have an SQL statement in my C# program that looks like: SELECT * FROM XXX.dbo.XXX WHERE Source = 'OH' AND partnum = '1231202085' ORDER BY partnum, Packaging, Quantity When running this query in SQL Server Management, the results are ordered as expected. My first 3 results have the same partnum and Packaging with Quantities of 32.0, 50.8, and 51.0. However, when I run the query from my program, the result set with quantity 50.8 is the first to be returned. The datatype of Quantity is decimal(18,9). I've tried cast, it doesn't appear to be a datatype problem. I cant figure out why its getting the middle quantity.

  Read the article

• Visual Studio error on valid SQL

  - by Sam

  I'm getting an annoying error in visual studio for SQL that executes fine. SELECT InvoiceLines.LineID, InvoiceLines.InvoiceID, InvoiceLines.Text, InvoiceLines.Rate, InvoiceLines.Count, InvoiceLines.Rate * InvoiceLines.Count AS LineTotal, ((InvoiceLines.Rate * InvoiceLines.Count) * (1 + Invoices.VatRate / 100)) * (1 - CAST(Invoices.Discount AS money) * InvoiceLines.ApplyDiscount / 100) AS LineTotalIncVat, InvoiceLines.ApplyDiscount FROM InvoiceLines LEFT JOIN Invoices ON Invoices.InvoiceID = InvoiceLines.InvoiceID What LineTotalIncVat is trying to do is compute the total for the invoice item while adding the vat and subtracting the discount, and yes, probably better to do this in code (would if I could) The error visual studio gives is: There was an error parsing the query [token line number =1, token line offset =14, token in error = InvoiceLines] Even though it will validate and execute without a problem in the query builder...

  Read the article

• SQL joining 3 tables when 1 table is emty

  - by AdRock

  I am trying to write a query that connects 3 tables. The first table is info about each festival The second table is the number of votes for each festival The third table is reviews for each festival I want to join all 3 tables so i get all the feilds from table1, join table1 with table2 on the festivalid but i also need to count the number of records in table 3 that applys to each festival. The first 2 tables give me a result becuase they both have data in them but table 3 is empty becuase there are no reviews yet so adding that to my query fives me no results SELECT f.*, v.total, v.votes, v.festivalid, r.reviewcount as count FROM festivals f INNER JOIN vote v ON f.festivalid = v.festivalid INNER JOIN (SELECT festivalid, count(*) as reviewcount FROM reviews) GROUP BY festivalid) as r on r.festivalid = v.festivalid

  Read the article

• Database solutions for storing/searching EXIF data

  - by webdestroya

  I have thousands of photos on my site (each with a numeric PhotoID) and I have EXIF data (photos can have different EXIF tags as well). I want to be able to store the data effectively and search it. Some photos have more EXIF data than others, some have the same, so on.. Basically, I want to be able to query say 'Select all photos that have a GPS location' or 'All photos with a specific camera' I can't use MySQL (tried it, it doesn't work). I thought about Cassandra, but I don't think it lets me query on fields. I looked at SimpleDB, but I would rather: not pay for the system, and I want to be able to run more advanced queries on the data. Also, I use PHP and Linux, so it would be awesome if it could interface nicely to PHP. Any ideas?

  Read the article

• An INSERT conditioned on COUNT

  - by Anders Feder

  How can I construct a MySQL INSERT query that only executes if the number of rows satisfying some condition already in the table is less than 20, and fails otherwise? That is, if the table has 18 rows satisfying the condition, then the INSERT should proceed. If the table has 23 rows satisfying the condition, then the INSERT should fail. For atomicity, I need to express this in a single query, so two requests can not INSERT at the same time, each in the 'belief' that only 19 rows satisfy the condition. Thank you.

  Read the article

• Resizing partition using Gparted gives "can't have overlapping partitions" error

  - by Marcus

  I just decided to install Ubuntu 12.04 alongside Windows 7 on my Dell laptop. However I didn't do this manually but instead used the "Run Ubuntu alongside Windows 7" option upon installation, and now the partition that Ubuntu runs on has very little space (It's giving me warnings). I'm trying to use Gparted 0.12.1-5 (via a live CD) to give Windows less space and give Ubuntu more. I've managed to remove 100GB from the Windows partition so I now have some unallocated space between Windows and Ubuntu. This is what it looks like inside Ubuntu (not using the live CD, since it won't let me mount a USB to save a screenshot): http://i.stack.imgur.com/0keQq.png So first I take sda4 (extended?) and resize it to the left so it takes up all the unallocated space. Then I resize sda5 (ext4) as well so it takes up all the new space. However, when I hit apply, it fails on the first action (resizing sd4), saying "can't have overlapping partitions". Any ideas as to why this happens? I also tried resizing sda4 by just a few MB so that it definitely didn't overlap anything, but I still got the same error message. To clarify, I am doing it using the CD, I just took the screenshot from Ubuntu. Any help would be greatly appreciated! And again, I can't mount any USB (I'm following the guide on the gparted website but it says "Invalid argument" or something like that) so I couldn't attach the details file from Gparted. If this is needed, I may need some hints on how to solve the USB issue as well. :) Thanks

  Read the article

• SQL Server Multiple Joins Are Taxing The CPU

  - by durilai

  I have a stored procedure on SQL Server 2005. It is pulling from a Table function, and has two joins. When the query is run using a load test it kills the CPU 100% across all 16 cores! I have determined that removing one of the joins makes the query run fine, but both taxes the CPU. Select SKey From dbo.tfnGetLatest(@ID) a left join [STAGING].dbo.RefSrvc b on a.LID = b.ESIID left join [STAGING].dbo.RefSrvc c on a.EID = c.ESIID Any help is appreciated, note the join is happening on the same table in a different database on the same server.

  Read the article

• How to combine two sql queries?

  - by plasmuska

  Hi Guys, I have a stock table and I would like to create a report that will show how often were items ordered. "stock" table: item_id | pcs | operation apples | 100 | order oranges | 50 | order apples | -100 | delivery pears | 100 | order oranges | -40 | delivery apples | 50 | order apples | 50 | delivery Basically I need to join these two queries together. A query which prints stock balances: SELECT stock.item_id, Sum(stock.pcs) AS stock_balance FROM stock GROUP BY stock.item_id; A query which prints sales statistics SELECT stock.item_id, Sum(stock.pcs) AS pcs_ordered, Count(stock.item_id) AS number_of_orders FROM stock GROUP BY stock.item_id, stock.operation HAVING stock.operation="order"; I think that some sort of JOIN would do the job but I have no idea how to glue queries together. Desired output: item_id | stock_balance | pcs_ordered | number_of_orders apples | 0 | 150 | 2 oranges | 10 | 50 | 1 pears | 100 | 100 | 1 This is just example. Maybe, I will need to add more conditions because there is more columns. Is there a universal technique of combining multiple queries together?

  Read the article

• Rendering a variable with erb.

  - by TZer0

  I've got the following problem: I have rhtml (html minced together with ruby inside <% % and <%= % tags) stored in a database which I want to render. The information is acquired through a query. I need to be able to evaluate the information I get from the database as though as it was normal content inside the .erb-file. What I currently have: <% @mymods.each do |mod| %> <%= render_text(mod["html"])%> <% end %> Where mod["html"] is the variable containing the rhtml-code and @mymods an array of objects from the query. I have currently no idea what function I should use (render_text does, of course, not work). Help is greatly appreciated. /TZer0

  Read the article

• Using multiple aggregate functions in an algebraic expression in (ANSI) SQL statement

  - by morpheous

  I have the following aggregate functions (AGG FUNCs): foo(), foobar(), fredstats(), barneystats(). I want to know if I can use multiple AGG FUNCs in an algebraic expression. This may seem a strange/simplistic question for seasoned SQL developers - however, the but the reason I ask is that so far, all AGG FUNCs examples I have seen are of the simplistic variety e.g. max(salary) < 100, rather than using the AGG FUNCs in an expression which involves using multiple AGG FUNCs in an expression (like agg_func1() agg_func2()). The information below should help clarify further. Given tables with the following schemas: CREATE TABLE item (id int, length float, weight float); CREATE TABLE item_info (item_id, name varchar(32)); # Is it legal (ANSI) SQL to write queries of this format ? SELECT id, name, foo, foobar, fredstats FROM A, B (SELECT id, foo(123) as foo, foobar('red') as foobar, fredstats('weight') as fredstats FROM item GROUP BY id HAVING [ALGEBRAIC EXPRESSION] ORDER BY id AS A), item_info AS B WHERE item.id = B.id Where: ALGEBRAIC EXPRESSION is the type of expression that can be used in a WHERE clause - for example: ((foo(x) < foobar(y)) AND foobar(y) IN (1,2,3)) OR (fredstats(x) <> 0)) I am using PostgreSQL as the db, but I would prefer to use ANSI SQL wherever possible. Assuming it is legal to include AGG FUNCS in the way I have done above, I'd like to know: Is there a more efficient way to write the above query ? Is there any way I can speed up the query in terms of a judicious choice of indexes on the tables item and item_info ? Is there a performance hit of using AGG FUNCs in an algebraic expression like I am (i.e. an expression involving the output of aggregate functions rather than constants? Can the expression also include 'scaled' AGG FUNC? (for example: 2*foo(123) < -3*foobar(456) ) - will scaling (i.e. multiplying an AGG FUNC by a number have an effect on performance?) How can I write the query above using INNER JOINS instead?

  Read the article

• How do I select the number of distinct days in a date range?

  - by isme

  I'm trying to use the T-SQL function DATEDIFF to select the number of distinct dates in a time period. The following query: SELECT DATEDIFF(DAY, '2012-01-01 01:23:45', '2012-01-02 01:23:45') selects 1, which is one less than I want. There are two distinct dates in the range: 2012-01-01 and 2012-01-02. It is not correct to add one to the result in the general case. The following query: SELECT DATEDIFF(DAY, '2012-01-01 00:00:00', '2012-01-02 00:00:00') selects 1, which is correct, because there is only one distinct date in the range. I'm sure there is a simple bit of arithmetic that I'm missing to calculate this. Can someone help me?

  Read the article

• how to store description in database?

  - by sribharanidharan

  hai i'm using MSAccess database i want to store the description upto more than 255 character please give me the query for inserting the record?in asp.net with c# coding

  Read the article

• Write a sql for searching with multiple conditions

  - by Lu Lu

  Hello everyone, I have a table Student with 2 fields: Name: nvarchar(256) Age: int User will use a WinForm application to input a Name and a Age for searching. If inputted Name is empty, sql will not query Name field. If inputted Age is 0, sql will not query Age field. If Name is Null and inputted Name is empty - record is matched. If Name is Null and inputted Name is not empty - record is not matched. And also similar for Age field. My problem is that how to write a sql like this. P/S: I use SQL Server 2005. Please help me. Thanks.

  Read the article

< Previous Page | 360 361 362 363 364 365 366 367 368 369 370 371  | Next Page >