need to add string in between a SQL statement using TCL -


i have sql statement stored inside variable:

i "statement" ".sql" file using file operations

set statement "select build_package, replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substring(build_package, length(build_package) - position('/' in reverse(build_package)) + 2), '-bsd',''),'-lnx',''),'-esxi',''),'.repo',''),'.vmdk',''),'.qcow2',''),'.rpm',''),'.tbz',''),'-version',''),'.el7.x86_64','') ,'-nr',''),'-kvm',''),'-x86_64',''),'ptsvpl','svpts'),'spbvpl','svspb'),'sdevpl','svsde'),'-amd64',''),'.noarch',''),'.el6',''),'.x86_64',''),'tsevpl','svtse') scheduler_jobs id = '1617075' order id desc"

here clause e.g.: where id = 1617075 id dynamically generated.

so need first store sql without where id = 1617075 clause , add clause later when inside 'statement' variable.

basically add data called $id in statement.

use prepared statement bound variables.

the example documentation:

set statement [db prepare {     select phone_num directory     first_name = :firstname , last_name = :lastname }] set firstname fred set lastname flintstone

as documentation explains,

the prepare object command against connection accepts arbitrary sql code executed against database. sql code may contain bound variables, strings of alphanumeric characters or underscores (the first character of string may not numeric), prefixed colon (:). if bound variable appears in sql statement, , not in string set off single or double quotes, nor in comment introduced --, becomes value substituted when statement executed. bound variable becomes single value (string or numeric) in resulting statement.
drivers responsible ensuring mechanism binding variables prevents sql injection.

in other words, while is driver's responsibility, should protected against sql injection. in other words, if id isn't 1617075 rather 1617075; drop table scheduler_jobs;--, should still okay, because driver has escaped (instead of you having this, missing edge case leaves vulnerable).

for example, leaving out replaces, become

set statement [db prepare {     select build_package      scheduler_jobs     id = :scheduler_job_id     order id desc }] set scheduler_job_id 1617075

Comments

Post a Comment

Popular posts from this blog

asynchronous - C# WinSCP .NET assembly: How to upload multiple files asynchronously -

i using winscp .net assembly uploading files. want upload multiple files asynchronous way. have created method works single upload. public class uploadingdata { private sessionoptions _sessionoptions; private session _session; //connection etc private void onconnected() { foreach (var fileinfo in localfileslist) { var task = task.factory.startnew(() => uploadfilesasync(fileinfo)); } } private async task uploadfilesasync(string file) { string remotefilepath = _session.translatelocalpathtoremote(file, @"/", "/test_data_upload"); var uploading = _session.putfiles(file, remotefilepath, false); //when done await task.run(() => thread.sleep(1000)); } } please suggest me correct way. thanks you can use backgroundworker class this: string[] images = new string[50]; foreach (var path in images) { backgroundworker
Read more

aws api gateway - SerializationException in posting new Records via Dynamodb Proxy Service in API -

i getting "__type": "com.amazon.coral.service#serializationexception" as reply in postman & in test console in api gateway trying post record directly dynamodb using api proxy services.. referring aws article - https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/ here's mapping { "tablename": "tablenamegoeshere", "item": { "id" : "$context.requestid" "eventname" : "$input.path('$.eventname')", "timestamp" : $input.path('$.timestamp'), "answers": "$util.parsejson($input.path('$.answers'))" } } update: did asked ... , worked if try add array of json objects gives me above same error - here's trying now. please - couldnt find on google well #set($inputroot = $input.path('$')) { "tablename": "answer", "item": {
Read more

asp.net - Problems sending emails from forum -

i have been redesigning site has message board, has been written guy looked after site. it has few problems , written in .asp , uses .mdb files database. you can see whole thing here . feel free post if helps, test thing have set using original files , new database. the basic problem when posts message, supposed email sent them, have posted it. when replies, originator supposed message, replier has been posted. i’d have thought @ point in process there should script/file in postmessage.asp? the postmessage.asp page below. <% option explicit %> <!-- #include virtual="common/adovbs.inc" --> <html> <head> <meta http-equiv="content-type" content="text/html; charset=windows-1252"> <meta name="generator" content="microsoft frontpage 4.0"> <meta name="progid" content="frontpage.editor.document"> <title>new page 2</title> <base target="_self"
Read more