This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I am writing an application in JavaScript using Appcelerator's Titanium development platform to deploy to the Android mobile platform. I am trying to perform an INSERT to an SQLite database.
The strings whenever they have a single quote or an apostrophe entered by a user breaks the insert query. What am I doing wrong?
var db = Ti.Database.install('db/kewGarden.sqlite', 'kewGarden');
var driveByData = {
"notes" : $.row3.getValue() // User entered string
};
driveByData = JSON.stringify(driveByData);
dbLib.saveRecording(saveDriveByDetailsSuccess, saveDriveByDetailsError, {
ref_id : newdriveById,
tableName : tableName,
data : driveByData
});
saveRecording : function(onSuccessCallback, onErrorCallback, options) {
var strReplaceData = options.data.replace("'", "\'");
db.execute("INSERT INTO g_temp (ref_id, table_name, data, site) VALUES (" + options.ref_id + ",'" + options.tableName + "','" + strReplaceData + "','" + options.site + "')");
},
The docs for this database are here:
http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Database.DB-method-execute
Use parameters, then you don't need to escape anything:
db.execute('INSERT INTO MyTable(ID, Name) VALUES(?, ?)', 123, name);
Your Query like this,
db.execute('INSERT INTO g_temp (ref_id, table_name, data, site) VALUES (?,?,?,?)',options.ref_id,options.tableName,options.data,options.site);
Related
I'm trying to create a Cosmo DB stored procedure to return the results of a relatively simple SQL statement. If it were purely SQL I would be fine but since I know nothing about JavaScript I'm struggling mightily. Any help would be very much appreciated. Here is the SQL query:
SELECT distinct cx.ID, cxa.FieldValue as PartNo, cx.TransactionDate, cx.TransactionStatus
FROM c
JOIN cx in c.File.Transactions
JOIN cxa in cx.AppDetails
JOIN
(
SELECT cx2.ID, cxa2.FieldValue as PartNo, max(cx2.TransactionDate) as TransactionDate
FROM c
JOIN cx2 in c.File.Transactions
JOIN cxa2 in cx2.AppDetails
WHERE c.File.Category= 'BatchParts' and cxa2.FieldName ='PartNo'
GROUP BY cx2.ID,cxa2.FieldValue
) B
WHERE c.File.Category= 'BatchParts' and cxa.FieldName ='PartNo'
You can try something like this:
function getItems(category,fieldName) {
var collection = getContext().getCollection();
var query = 'SELECT distinct cx.ID, cxa.FieldValue as PartNo, cx.TransactionDate, cx.TransactionStatus ' +
'FROM c ' +
'JOIN cx in c.File.Transactions ' +
'JOIN cxa in cx.AppDetails ' +
'JOIN ' +
'( ' +
'SELECT cx2.ID, cxa2.FieldValue as PartNo, max(cx2.TransactionDate) as TransactionDate ' +
'FROM c ' +
'JOIN cx2 in c.File.Transactions ' +
'JOIN cxa2 in cx2.AppDetails ' +
'WHERE c.File.Category= #Category and cxa2.FieldName = #FieldName ' +
'GROUP BY cx2.ID,cxa2.FieldValue ' +
') B ' +
'WHERE c.File.Category= #Category and cxa.FieldName = #FieldName';
var filterQuery =
{
'query' : query,
'parameters' : [{'name':'#Category', 'value':category},{'name':'#FieldName', 'value':fieldName}]
};
var isAccepted = collection.queryDocuments(
collection.getSelfLink(),
filterQuery,
function (err, feed, options) {
if (err) throw err;
if (!feed || !feed.length) {
var response = getContext().getResponse();
response.setBody('no docs found');
}
else {
var response = getContext().getResponse();
var body = feed;
response.setBody(JSON.stringify(body));
}
});
if (!isAccepted) throw new Error('The query was not accepted by the server.');
}
By the way, when you invoke stored procedure, you need to pass partition key value. And you can only get the data from this partition. You can refer to this doc and this.
This type of query, if timing out in a stored procedure or via SDK, is probably best handled using Synapse Link. Stored procedures are bad candidates for queries because they only operate on the master replica (there are 4 of them). Because throughput is allocated equally across all four replicas, stored procedures only get 1/4 of the provisioned throughput.
Synapse Link is designed to be used in this sort of scenario where you have large, complex, analytical type queries and want to visualize your data using Power BI. To learn more about Cosmos DB and Synapse see, What is Azure Synapse Link for Azure Cosmos DB (Preview)?
This question already has answers here:
How to get the insert ID in JDBC?
(14 answers)
Closed 4 years ago.
I'm using JDBC and google app script.
I need to insert rows created via an HTML interface, only problem is that rows contain 2 inputs that are represented in different tables of my MYSQL database.
My second table has a foreign key that references the first table (product_id references id from table product).
Here are my tables
product:
id, name
product_quantity:
id, product_id, quantity
Here is what I would like to achieve in pseudo-code:
function update(row){
insertProductSQL = "INSERT INTO products (name) VALUES (" + row.name + ")";
insertProductQuantity = "INSERT INTO products_quantity (product_id, quantity) VALUES (" + /*HERE IS THE PROBLEM*/ + ", " + row.quantity + ")"
var conn = getConnection(); //JDBC connection object
var stmt = conn.createStatement();
stmt.executeQuery(insertProductSQL)
stmt = conn.createStatement();
stmt.executeQuery(insertProductQuantity);
conn.close();
}
So problem I'm facing is that I don't know if SQL or JDBC gives a simple way to retrieve the auto incremented value id created on the first insert to use it for my second insert.
Help is greatly appreciated, don't hesitate telling me if unclear to you.
Use the LAST_INSERT_ID() function.
insertProductQuantity = "INSERT INTO products_quantity (product_id, quantity) VALUES (LAST_INSERT_ID(), " + row.quantity + ")"
Hollo,
I need to create a form text that sends the variable in URLEncoded format.
I need this for send SMS with API with this parameters (GET):
Username
APIKEY
Number
Text (URLEncoded)
How can I create this?
Thanks a lot for the collaboration :)
Assuming you are only missing the string generation part (and not the whole html + javascript stuff), you may have a function like :
function generateRequest(username, apikey, number, text) {
var baseUrl = "http://your.base.url/sms";
return baseUrl +
"?Username=" + username +
"&APIKEY=" + apikey +
"&Number=" + number +
"&Text=" + encodeURIComponent(text);
}
for more details about the encodeURIComponent, read this => https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
I hope it will help you.
My asp (and js) code works good but i don't know the exact command to INSERT a record into a DB. I'm able to "read", "update" and "delete" from db, but not insert!
(db server values are example)
var Cn = new ActiveXObject("ADODB.Connection");
Cn.Open("server=1.1.1.1;db=dbserver; DRIVER={MySQL ODBC 3.51 Driver};uid=login;pwd=password");
var value1 = new String(Request.Form("value1"));
var value1 = new String(Request.Form("value1"));
var value1 = new String(Request.Form("value1"));
Cn.Execte("INSERT INTO table (col1,col2,col3) VALUES (value1,value2,value3)");
Cn.Close();
Response.Redirect("home.asp");
Can someone help me?
thanks!
You will have concatenate the values into the sql string like :
Cn.Execute("INSERT INTO table (col1,col2,col3) VALUES ('" + value1 + "','" + value2 + "','" + value3 + "')");
The ' are used assuming the columns in the db are strings, otherwise you don't need it.
If value paramaters are string - nvarchar, text etc.
You must enclose them into quotes. Your statement must look like this.
Cn.Execute("INSERT INTO table (col1,col2,col3) VALUES (value1,'" + value2 + "','" + value3 + "')");
I assumed col2 and col3 are string types and col1 isn't.
I want to create a dynamic function to INSERT data into the webSQL Database. I cannot use indexed DB because Zetakey does not support it.
tx.executeSql("INSERT INTO " + table + "(" + formatfields + ")
VALUES (" + formatqm + ")",
[formatvalues],
webdb.onSuccess,
webdb.onError);
Ich übergebe an den Query:
formatfields = "one, two"; (up to an undefined number)
formatqm = "?, ?";
formatvalues = "123, 456"; (dynamic user entries for x fields)
Can someone tell me what do I have to do with the formatvalues? When I write 123, 456 directly its working fine.
Thanks in advance!
Instead of dynamically create or change table column fields, use JSON serialization of the record. Basically store stringify user given object data on INSERT and parse on retrieval. If you need query over column, initialize those columns only. It will be just like IndexedDB does.
/*array.push */
formatvalues = new Array;
formatvalues.push("123");
and so on!