I have a small test to insert some values in a table (Oracle) from C# the thing is that I have a sql sentence (all types are numbers except for the date):
insert into historicos values (2,1,1,to_date('01/08/2013','dd/mm/yyyy'), 0,1,25,25,36);
I've tried many forms to insert (switching commas, changing functions, etc...)
I can insert with that sql command if I paste it in the SQLDeveloper, but when I try to execute that command from C# i get an ORA-00911 Invalid character
Do you know where's the problem? Thank you so much
Do not forgot removing " ; " at end of the query...
Related
I want to learn how SQLInjection is working with the PostgresqlDb. I am using the Npgsql in C#.
So this is my Query, which is called, when I rename a folder:
cmd.CommandText = "UPDATE allfolder.folder SET folder_name = '" + foldernamenew + "'";
cmd.ExecuteNonQuery();
I now tried to pass the following value into the textfield:
abcdef; INSERT INTO allfolder.folder (id, folder_name) VALUES (56,"aaaaaaa");
Then AJAX is fired.
The output I assumed is, that all folders in the table has the folder_name "abcdef" and that I have a new folder with the id "56" called "aaaaaa". This is not the case, because the semicolon is not recognized as delimiter and so the name of each folder_name are "abcdef; INSERT INTO ....". I do not want to change it on DB side that multiqueries are allowed.
So my questions are:
How do I need to prepare the SQL statement, that I achieve a Injection?
Is an injection even possible, when you are not allowed to execute a second qry because the semicolon isn't recognized?
I am only talking about Npgsql and postgres.
As Laurenz mentioned above, this should work:
abcdef'; INSERT INTO allfolder.folder (id, folder_name) VALUES (56,'aaaaaaa'); -- test
Make sure, that you don't mix single and double quotes. A common mistake in SQL. You need the single quote before the semicolon, otherwise it is in the textstring, because you have no delimiter.
“Multiqueries” (several queries in one line, separated by semicolon) are always allowed in PostgreSQL.
Your problem are the multiple errors in your SQL:
Missing single quote after abcdef.
Double quotes instead of single quotes around aaaaaaa.
No single quote or line comment at the end of the statement.
Speaking pointedly: you have to learn SQL before you can learn SQL injection.
My C# application is able store the data into a SQL Server database. Currently I have to problem when user insert symbol ' in their string/sentences:
Example: I want to 'test' your system
So, when inserting into db the ' symbol will return an error while inserting by using sql query.
My query example :
INSERT INTO TABLE_NAME (POST_BODY)
VALUES ('i want to 'test' your system')
and then my plan here is to change that check the string if contains that ' symbol it will change to " symbol.
I have try using this code, but cannot:
void ChangeSymbol(String str)
{
Console.WriteLine("\"{0}\"", str);
Console.WriteLine("\"{0}\"", str.Replace(''', '"'));
}
Please anybody help to give some idea to face this problem. Thanks in advance.
There is no problem inserting a single quote into a database using SQL code. If you want to insert a text literal then you simply escape the single quote with another single quote, e.g.
INSERT INTO MyTable (GivenName, FamilyName) VALUES ('James', 'O''Connell')
If you're inserting a separate value into a SQL statement then you should be using parameters no matter the data type, so an issue with single quotes never arises, e.g.
mySqlCommand.CommandText = "INSERT INTO MyTable (GivenName, FamilyName) VALUES (#GivenName, #FamilyName)";
mySqlCommand.Parameters.AddWithValue("#GivenName", givenName);
mySqlCommand.Parameters.AddWithValue("#FamilyName", familyName);
Use parameter binding. I don't have a sample code to put in since we dont use MSSQL
here's a sample
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx
You escape single quotes by doubling them. So try this:
string example = "I want to ''test'' your system";
I'm using the C# .NET Mysql Connector, and when running this query:
INSERT INTO convos (`userid`,`time`,`from`,`content`,`read`,`deleted`, `ip`, `source`, `charname`, `to`) VALUES ('3', '1347396787', 'Chára', '........', '0', '0', '0.0.0.0:0000', 'C', 'óóóíííí', 'óóóíííí');
I get the following error:
Incorrect string value: '\xE1ra' for column 'from' at row 1
I understand my encoding, everything was configured for utf8, utf8_general_ci. Database, table and columns are configured for utf8. The data is sent from the client in utf8.
If i use a 3rd party tool like, Workbench to insert the query or use the mysql command line it works fine. I don't know if there is a bug with the connector or i need to be doing something else with the values before insert?
Any idea?
Thanks
Is there any in mysql to covert to the correct type?
I believe you need to alter the column's char set:
use below code for those columns which is using UTF-8.
ALTER TABLE database.table MODIFY COLUMN col VARCHAR(255)
CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;
Unicode string prefix with N
First see your table convos and make sure columns data types is either one of nchar, nvarchar and You must precede all Unicode strings with a prefix N when you deal with Unicode string constants in SQL Server
Tyr:
insertQuery = "INSERT INTO convos (`userid`,`time`,`from`,`content`,`read`,`deleted`, `ip`, `source`, `charname`, `to`) VALUES
(N'3', N'1347396787', N'Chára', N'........', N'0', N'0', N'0.0.0.0:0000', N'C', N'óóóíííí', N'óóóíííí')";
I figured this out, its taken a while but it seems i was setting the charset too often. The database, tables, columns are all in UTF8. When i made a connection i had "CHARSET=UTF8" in the connection string. I was also running "SET NAMES 'utf8' COLLATE 'utf8_general_ci'" everytime i made a connection. I dropped the CHARSET=UTF8 and "SET NAMES 'utf8' COLLATE 'utf8_general_ci'" and its all working now.
Update it
INSERT INTO convos (`userid`,`time`,`from`,`content`,`read`,`deleted`, `ip`, `source`, `charname`, `to`) VALUES ('3', '1347396787', 'Chara', '........', '0', '0', '0.0.0.0:0000', 'C', 'óóóíííí', 'óóóíííí');
I think for "chara"in your 3rd value gives it
For someone who has tried all the suggestions, and nothing has worked (like myself), it is worth checking what MySQL types are your fields mapped to in C#. My text fields were automatically mapped as MySqlDbType.Blob and that was causing the error. I changed the type to MySqlDbType.Text, and I don't see the error any more.
Here is my original response to a similar thread:
https://stackoverflow.com/a/16989466/2199026
config mysql like below. it will solve the unicode error when insert into mysql from java or C#
enter image description here
I have a problem with inserting into a MSSQL CE database,
locCon.Open();
SqlCeCommand locCmd = locCon.CreateCommand();
locCmd.CommandText = "INSERT INTO user (ID,FName,LName,Email) VALUES('"+this.id+"','"+this.fName+"', '"+this.lName+"','"+this.email+"')";
locCmd.ExecuteNonQuery();
When running this I get
There was an error parsing the query. [Token line number = 1, Token line offset = 13, Token in error = user]
Now i cant see anything wrong with the query although this is the firsr time ive used MS SQL of examples ive seen the syntax for mysql and msssql are identical well for inserts anyway. Is there soemthing obviously wrong with this?
Thanks
I think "user" is a reserved word in the database. Try replacing this:
INSERT INTO user (ID,FName,LName,Email) VALUES (
with this:
INSERT INTO [user] (ID,FName,LName,Email) VALUES (
(I think it' square brackets for MSSQL CE, since it is for other MSSQL engines.)
The square brackets basically tell the query engine, "This is an identifier for an object in the database." They're commonly used to wrap the names of database objects which contain spaces, since those otherwise wouldn't parse correctly. But it's also useful for objects which are reserved words.
You may have to put brackets around the user part like so:
INSERT INTO [user]
this is because user can be a reserved word. putting [] around reserved words in SQL allows them to be used as field and table names.
One other major point is that you are constructing your query from some text inputs. This exposes you to SQL injection attacks. To avoid this I would highly recommend that you use Sql Parameters instead which help to prevent this. See this link:
http://msdn.microsoft.com/en-us/library/ff648339.aspx
I have Paradox 5.x tables I need to connect to in order to select and update.
I am using OLEDBConnection.
selecting from the tables I have no problem.
while trying to insert into the tables I met a problem when I entered hardcoded the fields names I got an error:
The INSERT INTO statement contains the following unknown field name: ...
so I used OleDbDataReader.GetName(...) to get fields names.
now I use the fields names received from table in order to insert into table and I still get the same error.
I think the problem is with the field name: 'Truck #1 Serial Number'
Table name: 'Vehicles'
I tried using [], ."", .[] and
.[""].
I have read about the need of Borland engine but I'm not sure this is the issue.
Thanks upfront.
-=Noam=-
p.s I cannot change name of tables since its a customer DB I need to connect.
Im adding the C# code I use:
private static string createInsertQueryVehicle(string i_VehicleNumber, string i_VehicleMFG, string i_Truck1SerialNo, string i_Truck2SerialNo, string i_Truck3SerialNo)
{
string tryout = string.Format("INSERT INTO {0} ([{6}], [{7}], [{8}], [{9}], [{10}]) VALUES(RIGHT('{1}',10),'{2}','{3}','{4}','{5}')",
TableName, Vnum, Vinfo, T1Serial, T2Serial, T3Serial, VnumFieldName, VinfoFieldName, T1SerialFieldName
T2SerialFieldName,T3SerialFieldName);
return tryout;
}
at end tryout holds:
INSERT INTO Vehicles ([Vehicle Number], [Vehicle Mfg], [Truck #1 Serial Number], [Truck #2 Serial Number], [Truck #3 Serial Number]) VALUES(RIGHT('000000010001525',10),'קרונות משא','ר40011_1','ר40011_2','')
EDIT:
Just wanted to add my solution at end:
At the end the best solution I could get was to use accesses as the connection point using linked tables to the paradox tables, at end handling it as an accesses DB.....
Hope it helps someone.
You need to use the quoted identifiers while having special character in field or table names. The double-quote (") should be what you're looking for.
Besides, I do believe that the Borland Database Engine is required in order to work against a Borland database such as Paradox. At least, that what I have always been told to, though I have never yet experienced such architecture, since I was using Delphi when working with Paradox.
As you founda (somewhat convoluted) solution...
Might be worth putting an ODBC trace on and seeing how Access is passing the field name that's causing the issue. It may just be an escape sequence that paradox accepts for the hash (#) or something similar. Just a thought.
I was able to reproduce the problem by creating a table (Table1) with a column that has number sign (col#). Like:
INSERT INTO `Table1.db` (`col#`) VALUES ('a')
Where I run this SQL I get this Error:
The INSERT INTO statement contains the following unknown field name: 'col#'. Make sure you have typed the name correctly, and try the operation again.
This seems to be a bug Microsoft JET provider. The only workaround is found is to insert the value into another column like
INSERT INTO `Table1.db` (`col1`) VALUES ('a')
And then update the col# column:
UPDATE `Table1.db` SET `col#` = col1
I found other problems with the JET provider. For example, you will get this wrong error if the table is does not have a primary key or password protected:
Operation must use an updateable query.