Re: creating view with user variable
From: Jerry Stuckle <jstucklex_at_attglobal.net>
Date: Thu, 26 Jan 2017 08:45:00 -0500
Message-ID: <o6cudf$s07$2_at_jstuckle.eternal-september.org>
>
> Hi Guys,
>
> Thanks so much for all your input, using stored procedures is exactly what i was looking for and its working well.
>
> There is one small issue I was hoping someone could answer.
>
> How would I allow the person to re-order the data. In our old system, they could choose the column header on the website to reshuffle the sql query, and it would send through something like:
>
> ORDER BY $field $direction (where these two fields are dynamic)
>
> Now I am using a stored procedure, I have tried adding the two fields to the IN variables and then using them at the end of the query. This throws an error when I try to create the procedure with:
>
> ORDER BY FIELD DIRECTION
> You have an error with you sql syntax.
>
> I have tried changing the field names to something different, but no matter what I use it still throws up the error.
>
> Dave.
>
Date: Thu, 26 Jan 2017 08:45:00 -0500
Message-ID: <o6cudf$s07$2_at_jstuckle.eternal-september.org>
On 1/26/2017 4:55 AM, David wrote:
[Quoted] > On Tuesday, January 24, 2017 at 1:20:39 PM UTC, Jerry Stuckle wrote:
>> On 1/24/2017 2:24 AM, David wrote: >>> On Monday, January 23, 2017 at 10:32:52 PM UTC, Jerry Stuckle wrote: >>>> On 1/23/2017 12:50 PM, David wrote: >>>>> Hi guys, >>>>> >>>>> Can anyone tell me if its possible to create a view with a where clause linking to a variable which is passed by the user. >>>>> >>>>> Something like: >>>>> CREATE VIEW test As >>>>> SELECT * FROM userAccount >>>>> LEFT JOIN userDetails On userAccount.ID = userDetails.UID >>>>> WHERE userAccount.ID = {variable} >>>>> >>>>> >>>>> Then in the user accesible pages, it would be called by >>>>> >>>>> SELECT * FROM test WHERE (but here is where I get stuck) >>>>> >>>>> I have found a few articles knocking around which suggest creating a function and then calling the function by the user instead of calling the view , but all examples I tried this always through up errors. >>>>> >>>>> Would be most grateful if someone could point me in the right direction. >>>>> >>>>> Dave. >>>>> >>>> >>>> Dave, >>>> >>>> You would put the WHERE clause in your SELECT statement, not in the >>>> CREATE VIEW, i.e. >>>> >>>> CREATE VIEW test As >>>> SELECT * FROM userAccount >>>> LEFT JOIN userDetails On userAccount.ID = userDetails.UID; >>>> >>>> SELECT * FROM test WHERE ID = {variable} >>>> >>>> However, generally it's better to specify the individual columns instead >>>> of *, and is required if you have duplicate column IDs. >>>> >>>> But I'm not sure what you're trying to accomplish here. You're JOINING >>>> to userDetails, but not selecting any columns from it. Which brings up >>>> the question - what are you REALLY trying to do? >>>> >>> >>> Hi Jerry, >>> >>> Thanks for your response on this. I know normally you would leave the where clause out of the view but I am trying to lock down our database as much as possible. >>> >>> The query I posted above was just a quick example hoping to show what I am trying to achieve. As it stands, if the where clause is held in the web pages which connect to the database, then there is a potential for all user accounts to be accessed if, in the unfortunate circumstances the website gets compromised and hacked - then someone could access the view and list all accounts. >>> >>> I am trying to lock it down, so regardless of whether the website is compromised or not, only records can come back from the view with a relevant userID (ie only 1 record - not all of them) >>> >>> I followed this article: http://stackoverflow.com/questions/2281890/can-i-create-view-with-parameter-in-mysql but could not get it to work; hence why I came here. There must be a way to lock down views to stop it bringing back all rows >>> >>> Dave. >>> >> >> Well, think about it. If it's based on a variable from the web script, >> then any value can be passed and any rows can be retrieved (even if it's >> only one row at a time). No matter how you do it, if the web site is >> compromised, all rows will be available. There is no way around it. >> >> A SP like Axel would work. So would having a script on the server and >> using RPC to fetch the data as a JSON string or similar. This will give >> you more control over the data (better filtering), but you still have >> the potential of someone accessing your data. >> >> But your real problem here is security practices. You must ensure your >> server is secure, and if it is hacked, no one can get at your data. >> Things like keeping user ids and passwords outside of the web server's >> document root will help. Other methods can help, also. >> >> But the bottom line is - if the data is available to the web server, it >> will be available to a hacker. >> >> -- >> ================== >> Remove the "x" from my email address >> Jerry Stuckle >> jstucklex_at_attglobal.net >> ==================
>
> Hi Guys,
>
> Thanks so much for all your input, using stored procedures is exactly what i was looking for and its working well.
>
> There is one small issue I was hoping someone could answer.
>
> How would I allow the person to re-order the data. In our old system, they could choose the column header on the website to reshuffle the sql query, and it would send through something like:
>
> ORDER BY $field $direction (where these two fields are dynamic)
>
> Now I am using a stored procedure, I have tried adding the two fields to the IN variables and then using them at the end of the query. This throws an error when I try to create the procedure with:
>
> ORDER BY FIELD DIRECTION
> You have an error with you sql syntax.
>
> I have tried changing the field names to something different, but no matter what I use it still throws up the error.
>
> Dave.
>
P.S. When getting an error message, please show the entire statement and the error message you get. Otherwise we have to guess.
-- ================== Remove the "x" from my email address Jerry Stuckle jstucklex_at_attglobal.net ==================Received on Thu Jan 26 2017 - 14:45:00 CET