C#•3y ago

❔ SQL Statement only returning one row

Only chest press gets returned, where as I need both

jaixOP•11/4/23, 2:12 PM

arion•11/4/23, 2:33 PM

SELECT * FROM CustomExercises

SELECT * FROM CustomExercises

arion•11/4/23, 2:34 PM

if you want only the exercise

SELECT Exercise FROM CustomExercises

SELECT Exercise FROM CustomExercises

TheRanger•11/4/23, 2:46 PM

what is DatabaseUtils.ReadData ?

TheRanger•11/4/23, 2:46 PM

never seen it around before

TheRanger•11/4/23, 2:46 PM

we usually use Entity framework or Dapper

TheRanger•11/4/23, 2:49 PM

and its not recommended to use List<object>

arion•11/4/23, 2:56 PM

Its also not recommended to use raw strings in a query like that

arion•11/4/23, 2:56 PM

https://youtu.be/fRhsU4K82Fg?t=494

YouTubeNick Chapsas

"Your Code Has a SQL Injection!" | Code Cop #007

Use code GRPC20 and get 20% off the brand new "gRPC in .NET" course on Dometrain: https://dometrain.com/course/from-zero-to-hero-grpc-in-dotnet

Become a Patreon and get special perks: https://www.patreon.com/nickchapsas

Hello everybody, I'm Nick, and in this video, I'll show you what SQL Injection actually is and explain why people on LinkedIn...

Tvde1•11/4/23, 6:42 PM

that's quite a bad video to link

Tvde1•11/4/23, 6:42 PM

it does not explain SQL injection

Jimmacle•11/4/23, 7:16 PM

oh no it's AskSQL

Jimmacle•11/4/23, 7:16 PM

there's a cursed function like that in all the work code i inherited

Jimmacle•11/4/23, 7:17 PM

anyway, you didn't share how you're adding this data to the database

Jimmacle•11/4/23, 7:17 PM

your current query looks for an exact username match, so if you accidentally added a space or something to one it won't return it

Jimmacle•11/4/23, 7:18 PM

if not that then something in your ReadData function is wrong

TTvde1 it does not explain SQL injection

arion•11/4/23, 7:27 PM

https://tenor.com/view/wot-wtf-wut-what-girl-gif-15824407

Tenor

arion•11/4/23, 7:31 PM

explain "quite a bad" its pretty much 1:1 whats happening here (timestamp) and he explains it

Tvde1•11/4/23, 7:36 PM

the video is aimed toward people generically saying "this code is bad! sql injection!" when those people don't know the full code of the user, and don't explain SQL injection

Tvde1•11/4/23, 7:36 PM

if usernameusername is not a user-inputted string, it's not SQL injection

Tvde1•11/4/23, 7:36 PM

there are much better ways to explain what SQLi is, than showing this video

arion•11/4/23, 7:38 PM

It shows what its not, it shows what it is, it shows an example, it even says that if its not controllable its not injectable. It explains 2/3 of the explanation of:

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.

It doesn't explain that last paragraph or demonstrate it

arion•11/4/23, 7:39 PM

He explained all of that (except the last paragraph), how is that a "quite a bad"?
He says word for word "... if the user from an API post request or query string parameter is controlling this I they can pass down anything they want so what I can say for example if I wanted to attack this query is okay what if I say that where ID is one and ..." then proceeds to demonstrate injection, i'd say that does explain SQL injection, no?

jaixOP•11/4/23, 10:26 PM

um so how do i fix my problem

Aarion if you want only the exercise ```sql SELECT Exercise FROM CustomExercises ```

jaixOP•11/4/23, 10:26 PM

thats what it says but only returns one row

JakenVeina•11/4/23, 10:29 PM

what IS your problem?

JakenVeina•11/4/23, 10:30 PM

SELECT Exercise
FROM CustomExercises

SELECT Exercise
FROM CustomExercises

only returns one row? That's because there's only one row in the CustomExercisesCustomExercises table

Jimmacle•11/4/23, 10:30 PM

you didn't include all the code between making your query and getting your response

Jimmacle•11/4/23, 10:30 PM

DatabaseUtils.ReadDataDatabaseUtils.ReadData is a black box that none of us know anything about

JJimmacle you didn't include all the code between making your query and getting your respo...

jaixOP•11/5/23, 5:53 PM

jaixOP•11/5/23, 5:53 PM

Sorry

JJakenVeina ```sql SELECT Exercise FROM CustomExercises ``` only returns one row? That's bec...

jaixOP•11/5/23, 5:53 PM

theres 2

JakenVeina•11/5/23, 5:54 PM

then that's how many rows that query is returning

Jimmacle•11/5/23, 5:54 PM

well, it's clear why you only get one row

Jimmacle•11/5/23, 5:54 PM

your ReadData method only ever reads the first row of the response

Jimmacle•11/5/23, 5:54 PM

reader.Read()reader.Read() advances the reader to the next row in the result, you aren't calling it in a loop

Jimmacle•11/5/23, 5:55 PM

in addition, you're pivoting the first row into your list which doesn't make sense

Jimmacle•11/5/23, 5:56 PM

https://learn.microsoft.com/en-us/dotnet/api/system.data.oledb.oledbdatareader.read?view=dotnet-plat-ext-7.0

OleDbDataReader.Read Method (System.Data.OleDb)

Advances the OleDbDataReader to the next record.

jaixOP•11/5/23, 5:56 PM

ohhhhhhhhh

jaixOP•11/5/23, 5:56 PM

okay thank you

JJimmacle https://learn.microsoft.com/en-us/dotnet/api/system.data.oledb.oledbdatareader.r...

jaixOP•11/5/23, 6:09 PM

does this look any better

Jjaix does this look any better 😭

Jimmacle•11/5/23, 6:12 PM

the

if

if

shouldn't be there

Jimmacle•11/5/23, 6:12 PM

as it is now you're skipping the first record by calling Read twice before accessing the fields

jaixOP•11/5/23, 6:13 PM

ahh okay thank you

Jjaix does this look any better 😭

TheRanger•11/5/23, 6:16 PM

try to define a class instead of using List<object>List<object>

Jimmacle•11/5/23, 6:17 PM

also that

Jimmacle•11/5/23, 6:19 PM

you could end up with a method like List<T> ReadData<T>(string query, Func<DbDataReader, T> rowReader)List<T> ReadData<T>(string query, Func<DbDataReader, T> rowReader) if you want to keep it reusable

Jimmacle•11/5/23, 6:21 PM

or if you don't care to reinvent the wheel, use dapper or another ORM which does this kind of mapping for you

JJimmacle or if you don't care to reinvent the wheel, use dapper or another ORM which does...

jaixOP•11/5/23, 6:30 PM

jaixOP•11/5/23, 6:30 PM

im taking each row and inserting it into essentially a 3d list i think

❔ SQL Statement only returning one row

Similar Threads

Similar Threads

Similar Threads