SQLSyntaxErrorException when I select a sequence from DB (ORACLE 11g) - java

I have a strange exception only when I try to select a sequence number from my database. If I run this query: SELECT MYSEQUENCE.NEXTVAL from DUAL directly in my DB, it works fine and gives me the next value. When I run the same query in Java I get an SQLSyntaxErrorException.
private static final String MY_SEQ="SELECT MYSEQUENCE.NEXTVAL from DUAL";
statement = connection.prepareStatement(MY_SEQ);
resultSet = statement.executeQuery();
I tried executing another query, SELECT ID from ANYTABLE, to check whether something is wrong in my configuration, but it runs perfectly and returns the result.
Any idea about my exception?

Grant select problem. I do grant select on DB.MYSEQUENCE to MY_USER; I had done a grant select, but the commit doesn't seem to have gone OK. And the SQLSyntaxErrorException was because I have to create a SYNONYM for that sequence; without a synonym I have to use DB.MYSEQUENCE. So the order to create a sequence and then use it in Java is:
Create Sequence
Create Synonym to use that sequence
Make a grant select for that sequence for the user that you have in your jdbc configuration

Related

SQL Injection modify table

I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are supposed to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the columns id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code uses the executeUpdate() method and for SELECT it uses the executeQuery() method, which returns the ResultSet, so obviously when I try something like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main query would be a SELECT so it would actually return a ResultSet object, but it doesn't work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id='admin'; UPDATE usuarios SET id='luciareina' WHERE id='admin'); --
Do you know any way to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
You should close out the existing query and then do the update.
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
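The server-side fix for the class of bug this exercise targets, as an added example that is not part of the original posts: the same login lookup written with string concatenation and with bound parameters. The class and method names are hypothetical, the `usuarios` columns are the ones named in the question, and a JDBC driver plus a test database URL are assumed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginCheck {

    // Vulnerable form (hypothetical reconstruction): the form fields are
    // concatenated into the SQL text, so a quote in either field ends the
    // string literal and the remainder is parsed as SQL.
    static boolean loginVulnerable(Connection conn, String user, String password)
            throws SQLException {
        String sql = "SELECT id FROM usuarios WHERE id = '" + user
                + "' AND password = '" + password + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the SQL text is a constant and the fields are bound as
    // parameters, so the driver only ever treats them as values to compare.
    static boolean loginHardened(Connection conn, String user, String password)
            throws SQLException {
        String sql = "SELECT id FROM usuarios WHERE id = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of a test database that holds the usuarios table.
        // The password value is the input quoted in the question above.
        String input = "correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --";
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // Bound as a parameter, the whole string is one password value that
            // matches no row, so this prints false and usuarios is unchanged.
            System.out.println(loginHardened(conn, "oldname", input));
        }
    }
}
```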

Not able to get Updatable and scrollable Result set in Oracle using Java

Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
conn=DriverManager.getConnection(URL,username,password);
String sql="select * from test where user_id='abc'";
stmt=conn.prepareStatement(sql,ResultSet.TYPE_SCROLL_SENSITIVE);
ResultSet rs=stmt.executeQuery();
rs.afterLast();
Getting an exception on this line: afterLast operation not allowed.
Reading from the Oracle documentation:
To produce a scroll-sensitive result set: A query cannot use SELECT * .
However, there is a workaround for this.
As a workaround for the SELECT * limitation, you can use table aliases, as shown in the following example:
SELECT t.* FROM TABLE t ...
Change your query to select test.* from test where user_id='abc'
or use specific column names to retrieve instead of *.
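The workaround above as a complete method, added here as an example that is not part of the original posts. It also passes the result-set type through the three-argument `prepareStatement` overload, because the two-argument `(String, int)` form takes an auto-generated-keys flag rather than a result-set type. The class and method names are hypothetical and a JDBC URL is assumed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ScrollableQuery {

    // Walks the matching rows of test from last to first and returns how many
    // there are. userId is bound rather than concatenated into the SQL text.
    static int countBackwards(Connection conn, String userId) throws SQLException {
        // t.* through a table alias instead of a bare SELECT *.
        String sql = "SELECT t.* FROM test t WHERE t.user_id = ?";
        // Three-argument overload: (sql, resultSetType, resultSetConcurrency).
        try (PreparedStatement ps = conn.prepareStatement(
                sql, ResultSet.TYPE_SCROLL_SENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                // A driver may hand back a weaker result set than requested;
                // fail with a clear message instead of at afterLast().
                if (rs.getType() == ResultSet.TYPE_FORWARD_ONLY) {
                    throw new SQLException("driver returned a forward-only result set");
                }
                int rows = 0;
                rs.afterLast();
                while (rs.previous()) {
                    rows++;
                }
                return rows;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL (with credentials) of the database holding test.
        try (Connection conn = DriverManager.getConnection(args[0])) {
            System.out.println(countBackwards(conn, "abc"));
        }
    }
}
```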

Executing multi-statement query in one session

I have asked this question and wanted to edit it, however StackOverflow for some reason did not allow me to edit. So here is the edited version.
For example, a query:
create volatile table testTable as (select * from ... blah blah) ;
select top 10 * from testTable ;
drop table testTable ;
It executes perfectly in SQL Assistant as one session. I am sure it is possible to execute it in Java in one session.
Goal: I need to execute it in one session, similar to SQL Assistant, so that it is possible to refer to the volatile table in the subsequent select statement. Also, the data from the select statement should be saved in the ResultSet.
PS
I saw one answer to a similar question about mysql. The trick is to turn on allow multiple queries
String dbUrl = "jdbc:mysql:///test?allowMultiQueries=true";
For Teradata specifically, what is the solution?
I tried
String dbUrl = "jdbc:odbc:dsn?allowMultiQueries=true";
What is exactly failing?
Is there an error message "testtable doesn't exist"? Then your program closes the connection after each request.
Is the table empty when you do the SELECT? Then you forgot to add ON COMMIT PRESERVE ROWS to the CREATE.

Why does my code produce the error: The statement did not return a result set [duplicate]

I am executing the following query from Microsoft SQL Server Studio, which works fine and displays results:
SELECT *
INTO #temp_table
FROM md_criteria_join
WHERE user_name = 'tecgaw'
UPDATE #temp_table
SET user_name = 'tec'
WHERE user_name != 'tec'
SELECT *
FROM md_criteria_join
WHERE user_name = 'tec'
AND view_name NOT IN (SELECT view_name
FROM md_criteria_join
WHERE user_name = 'tecgaw')
UNION
SELECT *
FROM #temp_table
ORDER BY view_name,
user_name,
crit_usage_seq,
crit_join_seq
However, if I execute the same query in Java, an Exception is thrown stating
The statement did not return a result set.
Here's the Java code:
statement = conn.getConnection().createStatement();
resultSet = statement.executeQuery(sql.toString());
Is that because I cannot do multiple SQL queries in one statement (i.e., creating the #temp_table, updating it, and then using it for my select statement)?
JDBC is getting confused by row counts.
You need to use SET NOCOUNT ON.
Use execute statement for data manipulation like insert, update and delete, and executeQuery for data retrieval like select.
I suggest you separate your program into two statements, one execute and one executeQuery.
If you do not wish to do that, try separating the statements with a semicolon. But I am not sure whether this gives you a result set or not.
I have found a similar question on StackOverflow here. You should enable the connection to support multiple statements and separate them using ;. For concrete examples see that answer. However, it is for MySql only.
Also I think you can rewrite your SQL into single query
SELECT columnA, columnB, 'tec' as user_name from md_criteria_join
WHERE (
user_name = 'tec'
AND view_name NOT IN (
SELECT view_name
FROM md_criteria_join
WHERE user_name = 'tecgaw')
)
OR user_name = 'tecgaw'
ORDER BY view_name, user_name, crit_usage_seq, crit_join_seq
Another option is to move your statements to a stored procedure and invoke it from JDBC using CallableStatement.
Or maybe you should try executing it with multiple JDBC statements like this:
Connection connection = conn.getConnection(); // just to make sure it's on a single connection
Statement stmt = connection.createStatement();
stmt.executeUpdate("SELECT INTO #temp_table");
stmt.executeUpdate("UPDATE #temp_table");
ResultSet rs = stmt.executeQuery("SELECT ...");
Note you have to close resources, and maybe for better performance you could use the addBatch and executeBatch methods.
In MS SQL you also have to do SET NOCOUNT ON right at the beginning of the stored procedure, along with terminating each select/update/insert block statement with ";".
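An added example, not taken from any of the answers above and going one step beyond them: instead of suppressing row counts, call `Statement.execute()` and walk every result the batch produces with `getMoreResults()` and `getUpdateCount()`, keeping the last result set. The class and method names are hypothetical, the batch in `main` is a shortened form of the question's SQL, and the batch text must stay a constant rather than be built from user input.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class MultiResultBatch {

    // Runs a batch that may yield update counts and result sets in any order
    // and returns the first column of every row of the last result set.
    static List<String> lastResultSet(Connection conn, String batch) throws SQLException {
        List<String> rows = new ArrayList<>();
        try (Statement st = conn.createStatement()) {
            boolean isResultSet = st.execute(batch);
            while (true) {
                if (isResultSet) {
                    rows.clear(); // keep only the most recent result set
                    try (ResultSet rs = st.getResultSet()) {
                        while (rs.next()) {
                            rows.add(rs.getString(1));
                        }
                    }
                } else if (st.getUpdateCount() == -1) {
                    break; // neither a result set nor an update count: done
                }
                isResultSet = st.getMoreResults();
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL (with credentials) of the SQL Server database.
        String batch = "SELECT * INTO #temp_table FROM md_criteria_join WHERE user_name = 'tecgaw'; "
                + "UPDATE #temp_table SET user_name = 'tec' WHERE user_name != 'tec'; "
                + "SELECT * FROM #temp_table";
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // One Statement on one Connection, so #temp_table stays visible.
            lastResultSet(conn, batch).forEach(System.out::println);
        }
    }
}
```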

Java + MySQL - Syntax error but the statement is correct

My program executes an INSERT query. When I run it, I get an error:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO words(lang1, lang2, category, lang2_code, user) SELECT 'ahoj', 'hell' at line 1
I tried to print the actual statement to the stdout:
SET @lang:='Angličtina', @categ:='Nová';
INSERT INTO words(lang1, lang2, category, lang2_code, user)
SELECT 'ahoj', 'hello', c.id, l.id, 1 FROM categories c, languages l
WHERE c.name = @categ AND l.name = @lang;
As you can see, the statement is altered in the log. 'hell' instead of 'hello'. When I copy that into the mysql command line and execute, it works just fine so I assume the problem is in the JDBC somewhere.
That's not one statement. If you want to use more than one statement at a time, don't use a PreparedStatement but, for example, addBatch; but it seems that here you should simply issue 2 JDBC statements, one after the other.
