Comments by Max Methot

Max Methot 16-Sep-15 8:13am View

Are you running your grant command as the root user (mysql -u root -p) ?

This -> (using password: NO) is telling me you are trying to give root access to a user without being root or wihout proper permission.

Max Methot 31-Jul-15 10:56am View

Indeed, but it is still a "workaround".

Max Methot 31-Jul-15 10:04am View

I am not a PHP pro, but I think mixing PHP and Java isn't as trivial as it may sound. A quick Google search brought some results about a PHP to Java "bridge", but that sounds kind of messy to me. If you really have to use a JAVA backend, I would definitely go with a JAVA+JSP web application rather than using a PHP frontend.

Max Methot 28-Jul-15 11:48am View

Please provide your code. We cannot guess what your code looks like.

Max Methot 12-Sep-13 10:18am View

About the SQL injection, as I said you could go with stored procedures. You use them somthing like this:

public static MyObject Get(string connectionString, InspectionMissionExt ime)
{
//Create the connection object that points to the right MS Access database
OleDbConnection connection = new OleDbConnection(connectionString);

//Open the connection
connection.Open();

//Instatiate the stored procedure by it's name
string storedProcedure = "MyProcedure";

//Create the command that will execute the stored procedure for the given connection
OleDbCommand command = new OleDbCommand(storedProcedure, connection);

//Make sure it is a Stored procedure type of command
command.CommandType = CommandType.StoredProcedure;

//Set the command parameters
command.Parameters.AddWithValue("@insp_mission_number ", ime.insp_mission_number);
command.Parameters.AddWithValue("@insp_branch_id", ime.insp_branch_id);
command.Parameters.AddWithValue("@inspector_id", ime.inspector_id);
command.Parameters.AddWithValue("@ministry_id", ime.ministry_id);

//Create the reader that will read the results of the command
OleDbDataReader reader = command.ExecuteReader();

//Instantiate the object that will be filled with the query results
MyObject myObject = new MyObject;

//If the query gives us results...
if (reader.Read())
{
myObject.Property1 = reader.GetString(0);
myObject.Property2 = reader.GetInt32(1);
myObject.Property3 = reader.GetString(2);
myObject.Property4 = reader.GetDouble(3);
.
.
.
}

return myObject;
}

Your stored procedure in MS Access might be created like:

CREATE PROCEDURE MyStoredProcedureName
(@insp_mission_number VARCHAR,
@insp_branch_id INT,
@inspector_id INT,
@ministry_id INT)
AS

SELECT im.*,
i.first_name + i.surname AS inspector_name,
b.name AS branch_name,
m.name AS ministry_name
FROM (((insp_mission AS im left join inspector as i on im.inspector_id = i.id)
LEFT JOIN branch as b on im.insp_branch_id = b.id)
LEFT JOIN ministry m on im.ministry_id = m.id)
WHERE im.insp_mission_number like '%' + @insp_mission_number + '%'
AND im.insp_branch_id = @insp_branch_id
AND im.inspector_id = @inspector_id
AND im.ministry_id = @ministry_id

By doing it that way, you are safe for SQL injections since you'll be using typed parameters and a remote stored procedure instead of a clear text query in the C# code. It is a good practice to do so.

Once you return your object or value in the C#, you'll be able to do whatever treatment you need to do on it.

Also, it will most likely fix your problem with including the parameters in the SQL query.

I hope it'll help you and I hope I didn't mix up things more than necessary for you!

Comments by Max Methot (Top 5 by date)