I have asked this question on Github, issue #641, since it seems like a deficiency or an enhancement question.
Most databases (e.g. Oracle, SQL*Server, Sybase, ... ) send back a description of the resultset, even if there are zero rows. I cannot seem to find this in pqxx, nor can I find a way to describe SQL of any kind prior to execution. The only way I have been able to get the SQL metadata is by collection upon the first row retrieved, but this is limited to an actual row being retrieved. If there are zero rows, I have no way to determine the metadata.
Looking at the v15.x code base for libpq (standard C library), I see that psql has a "workaround" for this very problem. In the file src/bin/psql/common.c there is a function called static bool DescribeQuery(const char *query, double *elapsed_msec) (on or about line #1248).
This function has a rather ingenious solution for this very problem. They create an "unnamed" prepared statement, which they do not execute, instead they use the results of that call, which provides the field info, and subsequently query against the pg_catalog for the metadata descriptions (source below).
Unfortunately, the pqxx library doesn't provide enough (that I can tell) to duplicate this functionality. Does anyone have a solution for this problem?
Credit for resolution goes to Jeroen Vermeulen, on the Github issue #641. He suggested that the predicate AND false be added to the query to force a prototype result. By doing this an empty resultset is returned, with the fields available for metadata collection.
Related
After reading a response involving security django provides for sql injections. I am wondering what the docs mean by 'the underlying driver escapes the sql'.
Does this mean, for lack of better word, that the 'database driver' checks the view/wherever the queryset is located for characteristics of the query, and denies 'characteristics' of certain queries?
I understand that this is kind of 'low-level' discussion, but I'm not understanding how underlying mechanisms are preventing this attack, and appreciate any simplified explaination of what is occuring here.
Link to docs
To be precise we are dealing here with parameters escaping.
The django itself does not escape parameters values. It uses the API of the driver that in general looks similar to this (see for example driver for postgres or mysql):
driver.executeQuery(
'select field1 from table_a where field2 = %(field2)s', {'field2': 'some value'}
)
The important thing to note here is that the parameter value (which may be provided by the user and is subject to sql injection) is not embedded into the query itself. The query is passed to the driver with placeholders for parameters values and the list or dict of parameters is passed in addition to that.
Driver then can either construct the SQL query with proper escaped values for parameters or use the API provided by the database itself which is similar in functionality (that is it gets query with placeholders and parameters values).
Django querysets use this approach to generate SQL and that what this piece of documentation is trying to say.
I am currently in the process of writing a custom DataProvider. Using the Intergrate External Data documentation.
I've managed to show the external data in the Sitecore back end. However whenever I try to view the data in the items I created, I am getting an error
Null ids are not allowed. <br> Parameter name: displayName
There seems to be precious little on the subject on how to create a custom DataProvider on the Sitecore Developer Network.
The example on their website seems to only show how to import a SINGLE item into a static database. However I am simply trying to merge some items into the hierarchy and I can't find any useful documentation.
It seems that one of your methods that should return an ID doesn't. It might be GetChildIds and/or GetParentId.
Nick Wesselman wrote a good article about it gathering all the information including an example on the Marketplace. I think that is your best start. You can read it here.
Turns out I needed to include at the very least, the Fields->Section->Template in the GetParent method. To be on the safe side I included the Fields/Sections/Templates into my implementations of
GetChildIDs
GetItemDefinition
GetParentID
It wasn't obvious that this was the case, since I had in fact implemented the GetTemplates method correctly, and I had expected that should be enough.
I am writing a provider hosted SharePoint 2013 application. I'm using SharePoint online.
Since the people picker isn't supported in this scenario, I need to build my own. I found the SearchPrincipals method. That seems like exactly what I'm looking for, but no matter what I try, the method is returning with 0 results.
What little information I've found around this method suggests that the problem is usually a permissions issue, but the user that I'm logged in as is a Site Collection Administrator (ClientContext.Web.CurrentUser.IsSiteAdmin is true), so that shouldn't be the case with me.
I've tried passing in virtually every combination of PrincipalType and PrincipalSource, even ones that didn't make sense. I've also tried passing in ClientContext.Web.SiteUsers for the scope, and also null, both of which I've seen used in my searches, and that didn't turn up any results either.
Any help would be appreciated!
I figured it out. The ClientContext of the CSOM (Client Side Object Model) allows the developer to make multiple --unrelated -- queries. It queues up these queries and does not execute them until ExecuteQuery is called. Even though SearchPrincipals is a static method off of the Utility class, it still translates the method call into a query and queues it up. The method will always return an empty collection, but once you call ExecuteQuery on the ClientContext, that collection is then filled with the results of the search.
Also, another problem that I ran into immediately afterwards was that I was getting an error that seemed completely unrelated to my query when I called ExecuteQuery. It turns out that there was code that previously executed that queued up some queries, but it never executed them, so when I called ExecuteQuery, it executed those queries as well, and one of those was erroring. If you are getting an unexpected error, it's a good idea to see if there are other queued queries that haven't been executed yet. You can check the boolean property HasPendingRequest to help determine this.
Hopefully this answer saves other people a lot of time!
I am logging db information to a file, but what I would really like to do is see the code that produces each query, or at least the file/line number.
Is there a way to do this? Using filename/funcName/etc (see http://docs.python.org/library/logging.html#logrecord-attributes) only log the lower level files/functions (i.e. 'execute' in 'utils.py', instead of my code).
The SQLCompiler is located at django.db.models.sql.compiler
You can poke around in there. Some of what is there gets delegated to the other helper files in the sql folder and some others get further delegated to the base file in the respective backend.
You could probably attempt to log the variables as they come through those particular points.
I'm curious though, why?
You should try Django toolbar which is can give you sql queries for a page with backtrace and timings too.
I'm using QSqlQuery::prepare() and ::addBindValue() for my queries in a Qt project I'm working on. There's a lot of repeated code and though I think that's the "right" way, I wanted to make sure. Perhaps someone has alternative ideas? Example:
QSqlQuery newQuery;
newQuery.prepare("INSERT INTO table "
"(foo,bar,baz,"
"herp,derp,biggerp,"
"alpha,beta,gamma,"
"etc) VALUES "
"(?,?,?,"
"?,?,?,"
"?,?,?,"
"?)");
newQuery.addBindValue(this->ui->txtFoo->text());
newQuery.addBindValue(this->ui->txtBar->text());
newQuery.addBindValue(this->ui->txtBaz->text());
newQuery.addBindValue(this->ui->txtHerp->text());
newQuery.addBindValue(this->ui->txtDerp->text());
newQuery.addBindValue(this->ui->txtBiggerp->text());
newQuery.addBindValue(this->ui->txtAlpha->text());
newQuery.addBindValue(this->ui->txtBeta->text());
newQuery.addBindValue(this->ui->txtGamma->itemText(0));
newQuery.addBindValue(this->ui->txtEtc->text());
newQuery.exec();
You can see there's a bunch of the same "newQuery.addBindValue(this->ui->__________" over and over. Is this the 'best' way to go about it?
Also, I asked in #qt on freenode the other night but didn't get a definitive answer; will the above (::prepare with ::addBindValue) protect agains SQL injection? The reference didn't really say.
It might look a bit tidier if you first create a QMap or QStringList with the bindings, then iterate through that data structure and call addBindValue() for each item in the list/map.
In relation to your sub-question on SQL injection, that combination of ::prepare and ::addBindValue does indeed fully protect against it. This is because the bound values are never parsed by the SQL engine; they're just values that slot in after compilation (the preparation step) and before execution.
Of course, you have to be careful when taking values out of the DB too, but that's not protecting the database but rather ensuring that the values aren't used to cause other mischief (e.g., injecting unexpected malicious <script> tags into HTML or, worse still, a <blink> or <marquee> monstrosity). But that's another problem, and doesn't apply to all uses anyway; putting the values in a strictly plain text GUI field is usually no problem.