The DataApp included in the javafx demos example comes with an ant script to create and populate a database with MySQL. After configuring the MySql connector it is only a matter of calling an ant task:
<target name="-post-init" >
<input message="Please enter Mysql password for root#localhost:" addproperty="mysql.password"/>
<!-- first create user and database -->
<echo>Creating "dataapp" user and "APP" database...</echo>
<sql driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:4447/mysql"
userid="root"
password="mysql-connector-java-5.1.18.jar"
classpath="${libs.MySQLDriver.classpath}"
>
DELETE FROM user WHERE User = 'dataapp';
DELETE FROM db WHERE User = 'dataapp';
INSERT INTO user VALUES ('localhost','dataapp','*B974A83D18BB105D0C9186756F485406E6E6039B','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL);
INSERT INTO db VALUES ('localhost','APP','dataapp','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','N','Y');
DROP DATABASE IF EXISTS APP;
CREATE DATABASE APP;
FLUSH PRIVILEGES;
</sql>
<echo>Creating tables and views...</echo>
<sql driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/APP"
userid="dataapp"
password="dataapp"
classpath="${libs.MySQLDriver.classpath}"
src="${basedir}/create-database.sql"/>
<echo>Populating zip code table(this might take a little while)...</echo>
<sql driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/APP"
userid="dataapp"
password="dataapp"
classpath="mysql-connector-java-5.1.18.jar"
src="${basedir}/zip_code_inserts.sql"/>
</target>
However, I am getting this exception when I run it:
[sql] Failed to execute: INSERT INTO user VALUES ('localhost','dataapp','*B974A83D18BB105D0C9186756F485406E6E6039B','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL)
With this exception:
java.sql.SQLException: Column count doesn't match value count at row 1
I think that the number of fields is not what it should be, but I am no MySQL expert, so I don't know how to fix this. Any help would be appreciated.
The number of columns that the 'user' table has seems to change from one version of MySQL to the next one. I was able to find the correct number by logging into the MySQL console, and do:
SELECT count(*) FROM information_schema.`COLUMNS` WHERE table_name = 'user' AND TABLE_SCHEMA = 'mysql';
Then I used:
SELECT * FROM user;
to see what where the values for my own user and copy those, the correct command for:
Server version: 5.1.61-community-log
was:
INSERT INTO user VALUES ('localhost','dataapp','*B974A83D18BB105D0C9186756F485406E6E6039B','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0');
Related
I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are suppouse to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the colums id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code use the executeUpdate() method and for SELECT use the executeQuery() method which returns the ResultSet, so obviusly when I try someting like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main consult would be a SELECT so it would actually return a ResultSet object but it doesnt work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id=?admin?; UPDATE usuarios SET id=?luciareina? WHERE id=?admin?); --
Do you know anyway to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
you should close out the existing query and then do the update
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
I have a Spring services project that uses MyBatis and Liquibase.
I've made an audit table that has triggers for INSERT/UPDATE/DELETE.
With INSERT/UPDATE I'm already storing the user id so it's not a problem to do NEW.USER_ID, but with DELETE I only have OLD.USER_ID which obviously doesn't reflect the current user making the change.
Excluding some info, I have this in liquibase (putting *s around what should change):
<sql endDelimiter="|">
CREATE TRIGGER DELETE_TRIGGER
AFTER DELETE
ON TABLE_NAME
FOR EACH ROW
BEGIN
INSERT INTO TABLE_NAME_A (CHANGE_TYPE, CHANGE_ID, CHANGE_DATE)
VALUES ('DELETE', **OLD.USER_ID**, now());
END;
|
</sql>
So I'm not sure what to replace OLD.UPDATE_ID with.
The other examples I found often have to do with sql servers and mssql. So maybe I just failed as searching as I didn't find something that could work within spring/mybatis/liquibase/mysql.
Filling out how I solved this.
I changed the base trigger to be
<sql endDelimiter="|">
CREATE TRIGGER DELETE_TRIGGER
AFTER DELETE
ON TABLE_NAME
FOR EACH ROW
BEGIN
INSERT INTO TABLE_NAME_A (CHANGE_TYPE, CHANGE_ID, CHANGE_DATE)
VALUES ('DELETE', user(), now());
END;
|
</sql>
So that it fills the user field with something. Then after the deletion I wrote another mapper to go in and update the ID field to the current user calling my service.
<update id="updateAuditTableChangeIdAfterDeletion">
UPDATE TABLE_NAME_A
SET CHANGE_ID = #{1}
WHERE UNIQUE_IDENTIFIER = #{0}
AND CHANGE_TYPE = 'DELETE'
</update>
I'm using MyBatis as DB framework in JAVA and I'm trying to generate automatically two values when inserting rows in a table: the task id and another value. This is my query:
<insert id="insertTwoValuesSequentialluy" parameterType="com.example.autogenerated.Task" >
<selectKey resultType="java.lang.String" keyProperty="taskId" order="BEFORE" >
select MY_TASK_ID_SEQUENCE.nextval from dual
</selectKey>
insert into DYDA_D.TASK_TABLE (taskId, otherVariable, autogeneratedValue)
values ( #{taskId,jdbcType=VARCHAR},
#{otherVariable,jdbcType=VARCHAR},
MY_SECOND_SEQUENCE.nextval = #{autogeneratedValue,jdbcType=VARCHAR})
</insert>
The code works fine but I'm having the following problem: while at runtime the Task instance gets its member taskId setted, it doesn't happen the same with autogeneratedValue, although when I check the database I can see the column matching autogeneratedValue isn't null for this new row. How can I get autogeneratedValue setted at runtime with no need of making a select query?
PS: don't pay attention to commas and the like, I have lots of columns and I've deleted most of them and changed names on the rest for this snippet. My point with the code is for you to see how I've generated the values, tags I've used etc.
You can do this like this:
<insert id="insertTwoValuesSequentialluy"
parameterType="com.example.autogenerated.Task"
useGeneratedKeys="true"
keyProperty="taskId,autogeneratedValue"
keyColumn="taksId,autogeneratedValue">
insert into DYDA_D.TASK_TABLE (taskId, otherVariable, autogeneratedValue)
values (MY_TASK_ID_SEQUENCE.nextval,
#{otherVariable,jdbcType=VARCHAR},
MY_SECOND_SEQUENCE.nextval)
</insert>
i have a strange exception only when i try to select a sequence number from my database. If i run this query: SELECT MYSEQUENCE.NEXTVAL from DUAL directly in my DB it's work fine and give me the next value. When i run the same query on JAVA i have an SQLSyntaxErrorException.
statement = connection.prepareStatement(MY_SEQ);
resultSet = statement.executeQuery();
MY_SEQ= private static final String MY_SEQ="SELECT MYSEQUENCE.NEXTVAL from DUAL";
I try to execute another query SELECT ID from ANYTABLE to try if goes something wrong in my configuration but it run perfectly and return the result.
Any idea of my Exception?
Grant select problem. I do grant select on DB.MYSEQUENCE to MY_USER;, i have done a grant select but the commit seem's doesn't go ok. And SQLSyntaxErrorException was because i have to create a SYNONYM for that sequence, without synonym i have to do a DB.MYSEQUENCE. So the order to create sequence and than to use that in JAVA is:
Create Sequence
Create Synonym to use that sequence
Make a grant select for that sequence for the user that you have in your jdbc configuration
How select column names ,column data type, key column of a table in mysql by passing the table name.
I am using mysql 5.5
Pick the info you need from
SELECT *
FROM information_schema.columns
or
SELECT *
FROM information_schema.tables
Try this:
Get structure of table
DESCRIBE table;
SELECT * FROM information_schema.tables where table_name = 'table';
Get a list of the tables in your database.
SHOW TABLES;
Whole database structure
mysqldump database_name
Select database,
execute command using desc or SHOW FIELDS FROM.
Code:
`use testDB;`
``desc `testDB`.`images`;``
-- or
`SHOW FIELDS FROM images;`
See my previous answer How to show mysql table columns data type?, it solves your problem.
The results are shown in attached image file.