rs = stmt.executeQuery("select c1.itemname,c1.itemcalorie,p.restname,p.location from categorie1 c1 ,Place p
where p.pincode = '" + pincode1 + "' and c1.itemid IN
("select c1.itemid from categorie1 c1 where c1.itemcalorie <='" + cal1 + "' and c1.itemcalorie >='" + cal1-400 + "' and c1.restid = p.restid ") ");
You have too many extra quotes:
rs = stmt.executeQuery(
    "SELECT c1.itemname, c1.itemcalorie, p.restname, p.location"
    + " FROM categorie1 c1, place p"
    + " WHERE p.pincode = '" + pincode1 + "'"
    + " AND c1.itemid IN (SELECT c1.itemid"
    + " FROM categorie1 c1"
    + " WHERE c1.itemcalorie <= '" + cal1 + "'"
    + " AND c1.itemcalorie >= '" + (cal1 - 400) + "'"
    + " AND c1.restid = p.restid)"
);
I'm not sure which language this is (I hope it is not JavaScript), but the code is not safe; look into parameterized queries.
Here is the error message I get. Not sure what's missing
Execution error in stored procedure COMPARE_UPDATE_METADATA_BETWEEN_STAGES: SQL compilation
Error: syntax error line 1 at position 104 unexpected ' V'. At Statement.execute,
line 30 position 66
Actual dynamic SQL query I retrieve using .getSqlText()
"ALTER TABLE DEV2.SCHEMANAME.TBLNAME ADD COLUMN FAC_ID NUMBER(38,10); "
It works fine when I execute the SQL manually.
create or replace procedure Compare_Update_Metadata_Between_STAGES(
    SRC_DBNAME string,
    SRC_SCHEMANAME string,
    TRGT_DBNAME string,
    TRGT_SCHEMANAME string,
    TBLNAME string
) returns variant
language javascript as $$
    var stage_table_control = " SELECT DISTINCT UPPER(COLUMN_NAME) AS COL_NAME, UPPER(DATA_TYPE) AS DATA_TYP, ";
    stage_table_control += " CASE WHEN DATA_TYPE = 'TEXT' THEN 'VARCHAR(' || CAST(CHARACTER_MAXIMUM_LENGTH AS VARCHAR) || ')' ";
    stage_table_control += " WHEN DATA_TYPE IN ('TIMESTAMP_NTZ', 'DATE', 'TIMESTAMP_LTZ','TIMESTAMP_TZ') THEN DATA_TYPE || '(' || CAST(DATETIME_PRECISION AS VARCHAR) || ')' ";
    stage_table_control += " WHEN DATA_TYPE IN ('NUMBER', 'FLOAT') THEN 'NUMBER('||CAST(NUMERIC_PRECISION AS VARCHAR) || ',' || CAST(NUMERIC_PRECISION_RADIX AS VARCHAR) || ')' ";
    stage_table_control += " WHEN DATA_TYPE IN ('BOOLEAN','VARIANT','BINARY') THEN DATA_TYPE END AS CHAR_LEN ";
    stage_table_control += " FROM DEV.INFORMATION_SCHEMA.COLUMNS ";
    stage_table_control += " WHERE TABLE_SCHEMA = " + String.fromCharCode(39) + SRC_SCHEMANAME + String.fromCharCode(39);
    stage_table_control += " AND TABLE_CATALOG = " + String.fromCharCode(39) + SRC_DBNAME + String.fromCharCode(39);
    stage_table_control += " AND TABLE_NAME = " + String.fromCharCode(39) + TBLNAME + String.fromCharCode(39);
    stage_table_control += " AND COLUMN_NAME NOT IN " + " ( SELECT UPPER(COLUMN_NAME) FROM DEV2.INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = " + String.fromCharCode(39) + TRGT_SCHEMANAME + String.fromCharCode(39);
    stage_table_control += " AND TABLE_NAME = " + String.fromCharCode(39) + TBLNAME + String.fromCharCode(39) + ")";
    var stage_sql_statement = snowflake.createStatement({sqlText: stage_table_control});
    var stage_resultSet = stage_sql_statement.execute();
    var stage_column_name_array = "";
    while (stage_resultSet.next()) {
        var stage_column_name = stage_resultSet.getColumnValue(1);
        var stage_data_type = stage_resultSet.getColumnValue(2);
        var stage_char_len = stage_resultSet.getColumnValue(3);
        // String.fromCharCode(160) is U+00A0 (no-break space), not the ASCII space the SQL parser expects as a token separator
        var alterSQL = "ALTER TABLE " + TRGT_DBNAME + "." + TRGT_SCHEMANAME + "." + TBLNAME + " ADD COLUMN " + stage_column_name + String.fromCharCode(160) + stage_char_len + ";";
        var sql_statement1 = snowflake.createStatement({sqlText: alterSQL});
        var resultSet1 = sql_statement1.execute();
        // var resultSet1 = sql_statement1.getSqlText();
        //alterSQL = "";
    }
    return alterSQL;
$$
// + " " + //this is what causing an error i believe in below alter
statement
var alterSQL = "ALTER TABLE " + TRGT_DBNAME + "." +
TRGT_SCHEMANAME + "." + TBLNAME + " ADD COLUMN " +
stage_column_name + " " + stage_char_len +
";"
Based on the error message and the lack of actual arguments (they were replaced by placeholders):
error: syntax error line 1 at position 104 unexpected ' V'. At Statement.execute,
It is possible that the name contains a space in an identifier that was not properly enclosed with "".
One possible place of such an occurrence is:
stage_table_control += " FROM DEV.INFORMATION_SCHEMA.COLUMNS "
stage_table_control += " WHERE TABLE_SCHEMA = " + String.fromCharCode(39) + SRC_SCHEMANAME + String.fromCharCode(39)
Instead of concatenating SQL strings (which is prone to SQL injection attacks), parameter binding should be preferred:
stage_table_control += " FROM DEV.INFORMATION_SCHEMA.COLUMNS "
stage_table_control += " WHERE TABLE_SCHEMA = :1 "
stage_table_control += " AND TABLE_CATALOG = :2 "
// ...
var stage_sql_statement = snowflake.createStatement({
    sqlText: stage_table_control,
    binds: [SRC_SCHEMANAME, SRC_DBNAME, ...]
});
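Two helpers as an added example (not the question's procedure or the answer's code): binds carry the values of the WHERE clause, while the database, schema, table and column names that end up in the ALTER TABLE are identifiers, which quoteIdentifier and buildAddColumn validate or double-quote instead; findNonAsciiWhitespace is a diagnostic for the text getSqlText() returns. The function names and the sample inputs are assumptions.

```javascript
// Added example, not code from the question or the answer above.
// Helpers for composing the ALTER TABLE text; all names below are hypothetical.
var PLAIN_IDENT = /^[A-Za-z_][A-Za-z0-9_$]*$/;
// Type spec produced by the CASE expression, e.g. NUMBER(38,10), VARCHAR(50), BOOLEAN
var TYPE_SPEC = /^[A-Z_]+(\(\d+(,\d+)?\))?$/;

// Emit an identifier that Snowflake parses as one name: bare when it is a plain
// identifier, otherwise double-quoted with embedded double quotes doubled.
function quoteIdentifier(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new Error("identifier must be a non-empty string");
  }
  return PLAIN_IDENT.test(name) ? name : '"' + name.replace(/"/g, '""') + '"';
}

// Index of every character that renders like a space but is not ASCII whitespace,
// e.g. U+00A0 from String.fromCharCode(160). The SQL parser keeps such a character
// inside the neighbouring token, which is how a separator turns into "unexpected ' V'".
function findNonAsciiWhitespace(sql) {
  var hits = [];
  for (var i = 0; i < sql.length; i++) {
    if (/[\u00A0\u1680\u2000-\u200B\u202F\u205F\u3000\uFEFF]/.test(sql.charAt(i))) {
      hits.push(i);
    }
  }
  return hits;
}

// Build the statement text with a plain ASCII space as separator, rejecting a
// type spec that does not look like one (a stray ";" or extra statement fails here).
function buildAddColumn(db, schema, table, column, typeSpec) {
  if (!TYPE_SPEC.test(typeSpec)) {
    throw new Error("unexpected type spec: " + typeSpec);
  }
  var target = [db, schema, table].map(quoteIdentifier).join(".");
  return "ALTER TABLE " + target + " ADD COLUMN " + quoteIdentifier(column) + " " + typeSpec;
}
```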
I'm using railway API in my website and want the Train data in grid format. Please help me with the same.
I want all the variables (Train name, Train number, Departure Time, Arrival Time, Travel Time, Availability Status) in a table format. I'm calling two APIs to get the final result. How can I achieve this using AngularJS?
function between(trainData) {
    var total = trainData.TotalTrains;
    for (var i = 0; i < total; i++) {
        var source = trainData.Trains[i].Source;
        var destination = trainData.Trains[i].Destination;
        var name = trainData.Trains[i].TrainName;
        var number = trainData.Trains[i].TrainNo;
        var ttime = trainData.Trains[i].TravelTime;
        var deptime = trainData.Trains[i].DepartureTime;
        var arrtime = trainData.Trains[i].ArrivalTime;
        $('.' + className).append("<br/>" + name + "(" + number + ")" + " " + ttime + " " + deptime + " " + arrtime + "<br/>");
    }
}
You can append it as a table at the end, like:
$('.' + className + '').append("<table><tr><th>name</th><th>number </th><th>ttime </th><th>deptime </th><th>arrtime </th><th>classcode </th><th>status </th><th>jdate </th></tr><tr><td>" + name + "</td><td>" + number + "</td><td>" + ttime + "</td><td>" + deptime + " </td><td>" + arrtime + " </td><td>" + classcode + "</td><td>" + status + "</td><td>" + jdate + "</td></tr></table>");
I am passing certain values to a form which is loaded on webview to autofill it using JavaScript. It works perfectly till any one of the Strings passed has a single quote " ' " in it. When a single quote is encountered I get this error:
Uncaught SyntaxError: Unexpected identifier
And no data gets filled.
The code to autofill the form
public void onPageFinished(WebView view, String url) {
    super.onPageFinished(view, url);
    PageURL = view.getUrl();
    PageTitle = view.getTitle();
    actionBar = getSupportActionBar();
    if (actionBar != null) {
        actionBar.setTitle(PageTitle);
        actionBar.setSubtitle(PageURL);
    }
    final String js = "javascript: " +
            "var nameDoc = document.getElementsByName('name');" +
            "nameDoc[0].value = '" + n + "';" +
            "var checkOutDoc = document.getElementsByName('checkout');" +
            "checkOutDoc[0].value = '" + btn_co + "';" +
            "var noOFPaxDoc = document.getElementsByName('no_of_pax');" +
            "noOFPaxDoc[0].value = '" + a + "';" + // should be an int based on your HTML
            "var noOFKidDoc = document.getElementsByName('no_of_kid');" +
            "noOFKidDoc[0].value = '" + k + "';" + // should be an int based on your HTML
            "var noOFRoomsDoc = document.getElementsByName('no_of_rooms');" +
            "noOFRoomsDoc[0].value = '" + r + "';" + // should be an int based on your HTML
            "var checkInDoc = document.getElementsByName('checkin');" +
            "checkInDoc[0].value = '" + btn_ci + "';" +
            "var email = document.getElementsByName('guest_email');" +
            "email[0].value = '" + m + "';" +
            "var resortName = document.getElementsByName('resort_name[]');" +
            "resortName[0].value = '" + mail_list[0] + "';" +
            "var distFrom = document.getElementsByName('distance_from[]');" +
            "distFrom[0].value = '" + dist + "';" +
            "var roomType = document.getElementsByName('room_category[]');" +
            "roomType[0].value = '" + room_list[0] + "';" +
            "var price = document.getElementsByName('package_price[]');" +
            "price[0].value = '" + room_price_list[0] + "';" +
            "var distance = document.getElementsByName('distance[]');" +
            "distance[0].value = '" + distance + "';" +
            "var ex = document.getElementsByName('excursions[]');" +
            "ex[0].value = '" + ex + "';" +
            "var act = document.getElementsByName('activities[]');" +
            "act[0].value = '" + act_f + "';" +
            "var dest = document.getElementsByName('destination');" +
            "dest[0].value = '" + state + "';" +
            "var days = document.getElementsByName('total_days');" +
            "days[0].value = '" + d + "';" +
            "javascript:(function(){" +
            "l=document.getElementsByName('submit');" +
            "e=document.createEvent('HTMLEvents');" +
            "e.initEvent('click',true,true);" +
            "l[0].dispatchEvent(e);" +
            "})()";
    if (Build.VERSION.SDK_INT >= 19) {
        view.evaluateJavascript(js, new ValueCallback<String>() {
            @Override
            public void onReceiveValue(String s) {
            }
        });
    } else {
        view.loadUrl(js);
    }
}
It happens because your strings are not escaped. When you insert data directly into JS as you're doing, the computer doesn't know the difference between code you entered and code that was added from the input field.
Thus, when your users input some text
nameDoc[0].value = '" + n + "';
becomes
nameDoc[0].value = 'My name is Norbs' and I'm breaking your code';
In the example above, the string is ended after "Norbs", and as what comes afterwards is not valid JS the script fails.
Possible solution
Change
nameDoc[0].value = '" + n + "';
To
nameDoc[0].value = '" + n.replace("'", "\'") + "';.
The below span tag containing an onclick event is not working
var test="<span onClick="gotoNode(\'' + result.name + '\',\'' + result.xaxis + '\',\'' + result.yaxis + '\',\'' + result.detail + '\',\'' + result.status + '\')" />"
The above escaped string has some problems with the method call.
How can I fix it?
If you're creating this in JavaScript to create an element, then the first single-quote needs to be escaped.
function gotoNode(name, xaxis, yaxis, detail, status) {
alert("name = " + name + "\r\nxaxis = " + xaxis + "\r\nyaxis = " + yaxis + "\r\ndetail = " + detail + "\r\nstatus = " + status);
}
var result = { name: "name", xaxis: "xaxis", yaxis: "yaxis", detail: "detail", status: "status" };
var htmlText = '<input value="Button" type="button" onclick="gotoNode(\'' + result.name + '\',\'' + result.xaxis + '\',\'' + result.yaxis + '\',\'' + result.detail + '\',\'' + result.status + '\')" />';
$("#lonely").append(htmlText);
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div id="lonely"></div>
Generally speaking, whatever quote type you begin with (out of ' or "), you need to escape the same type that you want to use within the string and not escape the same type to terminate the string. You can leave the other type without escapes.
For your edited version, this should work if you want those result variables to be replaced with their values.
var test = "<span onclick=\"gotoNode('" + result.name + "','" + result.xaxis + "','" + result.yaxis + "','" + result.detail + "','" + result.status + "')\" />";
Do you use PHP to generate the output?
Then you should try
echo "<input type=\"button\" onClick=\"gotoNode(\" + result.name + \",\" +
result.xaxis + \",\" + result.yaxis + \",\" + result.detail + \",\" +
result.status + \")\" />";
I've got a silly error which I can't seem to fix somehow. I'm simply looking to do the following:
onclick="CreatePro('x','y','z')"
I basically want to pass text to the CreatePro function. Now my values of x, y and z are JSON data. As such, here is what I am using for the JavaScript:
var Provision = "'" + data[i].ProvisionID + "'";
var Title = "'" + data[i].Title + "'";
var Author = "'" + data[i].Author + "'";
var Edition = "'" + data[i].Edition + "'";
var Publisher = "'" + data[i].Publisher+ "'";
var ISBN = "'" + data[i].ISBN + "'";
var UserID = "'" +data[i].UserID + "'";
var Price = "'" + data[i].Price+ "'";
var Condition = "'" +data[i].Condition +"'";
Row = Row + "<td><input type='button' onclick='CreatePro(" + Provision + "," + Title+ "," + Author + "," + Edition + "," + Publisher +"," + ISBN + ","+ UserID + ","+ Price + "," + Condition + ")' value='Create'></td></tr>";
console.log(Row);
Now when I use console.log I get the following:
<td><input type='button' onclick='CreatePro('19','dfjeryj','ertj','0','tj','0000000000000','4','0','0')' value='Create'></td>
But when I inspect the element I have:
<input type="button" onclick="CreatePro(" 19','dfjeryj','ertj','0','tj','0000000000000','4','0','0')'="" value="Create">
The problem, I suspect, is the " on the above line. But I don't know why this is happening, as from the console log my quotes seem to match up. So I'm not sure why the browser is mixing them up? Perhaps I've gone wrong somewhere? (Frankly I can't see the error.) Every time I click the create button the event doesn't call my CreatePro function. I'm really not sure what I'm doing wrong, or perhaps there's a better way of doing what I'm doing.
You have got your quotes wrong. It should be:
Row = Row + "<td><input type='button' onclick=\"CreatePro('" + Provision + "','" + Title+ "','" + Author + "','" + Edition + "','" + Publisher +"','" + ISBN + "','"+ UserID + "','"+ Price + "','" + Condition + "')\" value='Create'></td></tr>";
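The quoting problem above has two layers, the JS string literals and the HTML attribute around them, and a value that itself contains a quote breaks the re-quoted version too. As an added example (not the question's or the answer's code), each argument is made a JS literal with JSON.stringify and the whole call is then HTML-escaped before it is placed in onclick; CreatePro and the field names follow the question, the helper names are assumptions, and the row in the test is constructed.

```javascript
// Added example, not code from the question or the answer above.
function escapeAttr(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// JS layer: every argument becomes a quoted, escaped JS string literal.
function jsCall(fnName, args) {
  return fnName + "(" + args.map(function (a) {
    return JSON.stringify(String(a));
  }).join(",") + ")";
}

// HTML layer: the whole call is escaped again before it goes into onclick="...",
// so the browser's attribute parser only sees the closing quote we intend.
function createButtonHtml(row) {
  var call = jsCall("CreatePro", [row.ProvisionID, row.Title, row.Author, row.Edition,
    row.Publisher, row.ISBN, row.UserID, row.Price, row.Condition]);
  return '<td><input type="button" value="Create" onclick="' + escapeAttr(call) + '"></td>';
}

// Reverse of escapeAttr: what the browser hands to the JS engine on click.
// Used to check the round trip without a DOM.
function unescapeAttr(text) {
  return text
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}
```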