using an update query inside a select SQL injection (oracle) - oracle

I got an SQL injection point which allows me to insert anything after a Select keyword , such as :
Select ID FROM %INJECTION POINT%
is there anyway to complete this query to make an update for a table ? without using a ";" ?

It's not possible to do this in oracle , unless you use an existing user function to do so

Related

Logic app oracle get rows select query provide alias to columns

I need to execute a Oracle query in Logic app. The query has some columns with alias. How do i configure this in Oracle get rows action.
I checked the Microsoft doc, but i did not find any info on this.
Below is the query i'm trying to execute
SELECT
id,
employee_num EMPLOYEE_ID,
employee_number ORAC_EMPLOYEE_NUMBER,
DECODE(employee_type,
'Employee',
'Employee_ID',
'Worker_ID') EMPLOYEE_TYPE
FROM person_stg
WHERE
id_reference IS NULL AND
process_flag ='PROCESSED' AND
mode_flag ='CREATE' AND
employee_number IS NOT NULL
I'm not sure if there is a solution which can help us to select from the table with some columns alias. But I can provide a workaround for your reference, you can use "Select" action in logic app to implement it. Please refer to my logic app below:
Since I don't have oracle server, so here I use sql server(but I think it doesn't matter).
My table looks like:
And my logic app show as:
After running the logic app, we can find the result show as(the columns' name show with new name):

SYS_B_x in Oracle query result column name

I've faced with some weird behaviour of Oracle 11 DB.
I have a simple query selecting data from a view:
select
(case when exists(select 1 from MY_VIEW v where v.func_name = 'NAME') then 1 else 0 end)
from dual
MY_VIEW looks like:
CREATE OR REPLACE VIEW MY_VIEW
AS
SELECT a.object_name AS func_name, NULL AS func_desc
FROM USER_ARGUMENTS a
In the result set, I receive result with columnName: (CASEWHENEXISTS(SELECT:"SYS_B_0"FROMMY_VIEWVWHEREV.FUNC_VALUE=:"SYS_B_1")THEN:"SYS_B_2"ELSE:"SYS_B_3"END)
And when I'm trying to execute this query by Hibernate, it falls with error
SQL Error: 17133 "Invalid identifier or literal"
while extracting column alias.
Error causes when I'm using ojdbc8 driver, with ojdbc6 driver all is OK.
Strange thing is that I have problems only when I'm querying from this particular view.
When I made same query from another View, created from simple table, everything was ok.
Furthermore, I have another Oracle 11 DB and there result set column name for this query looks common:
(CASEWHENEXISTS(SELECT1FROMMY_VIEWVWHEREV.FUNC_VALUE='NAME')THEN1ELSE0END)
My question is: why and when Oracle replaces values in query string on :"SYS_B_x" ?
First of all, you need to add an alias for that column.
You get :SYS_B_x because of the parameter cursor_sharing=force on that database.

getting error while executing same query in Oracle

This query working as expected in postgres but same query we need to write in Oracle could you please suggest how to write query in Oracle
delete from need_entl_status_history
using need_entitlement
where need_entitlement.need_entitlement_uuid=need_entl_status_history.need_entitlement_uuid
and need_entitlement.user_guid='b8e06968-2839-4fc1-a987-5ea81678d9ge’;
That would be something like this; I used table aliases as they improve readability.
delete from need_entl_status_history h
where h.need_entitlement_uuid in (select e.need_entitlement_uuid
from need_entitlement e
where e.user_guid = 'b8e06968-2839-4fc1-a987-5ea81678d9ge’
);

PHP PDO Is there a way to disable named placeholders ( Oracle AUTOINCREMENT issue )

i am creating table in oracle ( odbc connection - has to be ). And i want to create auto increment column. That is not problem. The query i need to perform is following :
CREATE TRIGGER TBIUR_FOLDER_FOLDER_ID
BEFORE INSERT OR UPDATE
OF
FOLDER_ID
ON FOLDER
REFERENCING NEW AS NEW OLD AS OLD FOR EACH ROW
BEGIN
IF :NEW."FOLDER_ID" IS NULL
THEN SELECT "SQ_FOLDER_FOLDER_ID".NEXTVAL INTO :NEW."FOLDER_ID" FROM dual;
END IF;
END;
The problem is in :NEW keyword , PDO takes it as named parameter so i am unable to create the trigger properly . When i check in the database the create query is :
IF :1."FOLDER_ID" IS NULL
so :NEW is replaced by :1 :/ and i do not know what to do ...
Yes.
You can disable prepared statements parsing at all.
Just don't use them for this query, as it obviously don't need them. Just run it using query() or exec()

Nhibernate Generate wrong SQL for Oracle with locking

yesterday I've been trying to make this code work inspite the fact it's just working fine with nhibernate and SQL server but when it come to oracle it generate wrong sql
UnitOfWork.Current.CreateCriteria<Bill>().Add(Restrictions.IsEmpty("ReqId"))
.SetMaxResults(BatchSize).SetLockMode(LockMode.Upgrade).List<Bill>();
the generated SQL will something like
Select * from
(Select bill_0.id,bill_0.BillNo ...... from Bill bill_0 where bill_0.reqId is Not null )
where ROWNUM < 10 for UPDATE of bill_0.ID
so i wont run because the allies bill_o is defined inside the inner sql statement so who got the solution ?
the correct sql would be something like this which i tried and worked on oracle db
Select bill_0.id,bill_0.BillNo ...... from Bill bill_0
where bill_0.reqId is Not null and ROWNUM < 10 for UPDATE of bill_0.ID
Since, as you say, NHibernate is generating invalid Oracle SQL, I suggest you file a bug with the NHibernate people. The SQL would work if the in-line view had been assigned an alias of "bill_0", or if the FOR UPDATE clause didn't use a table alias ("for UPDATE of ID"). Whether you can modify your NHibernate calls to make either of these happen I'm afraid I have no idea.

Resources