Binding variables errors

Running the following query on MySQL:

select COMMAND
from information_schema.PROCESSLIST
where COMMAND = :appo
;

with the binding variable appo set as Sleep

I get this error output:

Errore SQL [1054] [42S22]: Unknown column 'Sleep' in 'where clause'
  com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'Sleep' in 'where clause'

If I run the same query without the where clause I get:

COMMAND |
--------|
Query   |
Sleep   |
Sleep   |

This issue was not present in DBeaver 3.7.7

Another (probably related, that's why I'm adding it here) issue on Oracle about binding is the following. Running the query

select * 
from dual
WHERE dummy = :appo
;

with appo set as X

I get the error:

Errore SQL [904] [42000]: ORA-00904: "X": identificativo non valido
java.sql.SQLSyntaxErrorException: ORA-00904: "X": identificativo non valido

which is Italian for invalid identifier.

Running it without the where clause I obviously get:

DUMMY |
------|
X     |

Both queries work as expected in SQL Developer 4.1.3.20.

DBeaver version 3.8.0

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
serge-rider commented, Dec 5, 2016

It'd be a very bad idea to give access to the DBeaver SQL editor to an untrusted user. You can execute any SQL there; it doesn't make any sense to use SQL injection to harm the database - you can do this by simply executing harmful queries.

Agreed about the single quote chars you need to use for strings. This is the price we had to pay. Potentially I could quote all "string-like" parameters, but this wouldn't allow expressions to be used.

0 reactions
dariopnc commented, Dec 5, 2016

Yes, it is SQL injection. And there is no switch (for now). What problems do you see in this approach?

With the usual behavior of binding you could provide access to a DB with DBeaver even to untrained/untrusted users with specific queries, while staying safe. Also, having to type apostrophes for every string remarkably slows down the workflow.
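The thread above turns on one distinction: DBeaver 3.8.0 substituted the text of `:appo` into the SQL string, so an unquoted `Sleep` became a column reference (MySQL 1054) and `X` became an identifier (ORA-00904), whereas a real bind parameter is shipped to the server separately and can only ever be a value. The following added example, which is not code from DBeaver or from anyone in the thread, reproduces both behaviours side by side. It uses Python's built-in sqlite3 driver as a stand-in for MySQL/Oracle (an assumption made so it runs offline; the parsing rules at issue are the same), with a constructed PROCESSLIST table holding the three rows shown in the issue.

```python
import sqlite3

# Constructed sample data: the three rows the issue shows from
# information_schema.PROCESSLIST, loaded into an in-memory SQLite table.
SAMPLE_ROWS = [("Query",), ("Sleep",), ("Sleep",)]

# The query from the issue, with a named parameter placeholder.
QUERY = "select COMMAND from PROCESSLIST where COMMAND = :appo"


def make_db():
    """Create the stand-in table (SQLite here, not MySQL; see lead-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table PROCESSLIST (COMMAND text)")
    conn.executemany("insert into PROCESSLIST values (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def run_textual(conn, value):
    """Textual substitution, the behaviour the issue reports: ':appo' is
    replaced verbatim, so whatever the user typed is parsed as SQL grammar.
    An unquoted word is read as a column name; a quoted value works; and a
    value containing SQL alters the query itself (what dariopnc calls
    SQL injection). Returns the rows, or an error string."""
    sql = QUERY.replace(":appo", value)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def run_bound(conn, value):
    """A real bind parameter: the driver sends the value out of band, so it
    is compared as a string and never parsed. No quoting is needed and
    nothing the user types can change the shape of the statement."""
    return [row[0] for row in conn.execute(QUERY, {"appo": value})]


if __name__ == "__main__":
    db = make_db()
    for v in ("Sleep", "'Sleep'", "'Sleep' or 1=1"):
        print(f"textual {v!r:20} -> {run_textual(db, v)}")
        print(f"bound   {v!r:20} -> {run_bound(db, v)}")
```

On SQLite the unquoted `Sleep` fails with "no such column: Sleep", the direct analogue of MySQL's "Unknown column 'Sleep' in 'where clause'"; the quoted form returns the two Sleep rows; and `'Sleep' or 1=1` returns every row because the substituted text rewrote the predicate. With the bound version, `Sleep` returns the two rows and `'Sleep' or 1=1` returns nothing, because the server looks for a COMMAND whose text is literally that string. This is also why the maintainer's two statements both hold: quoting is required under textual substitution, and that same substitution is what lets a parameter carry an arbitrary expression.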
