database error simply by using a string in a variable

Damien Mattei
Why am I getting this error?

code:

    let name = "'A    20'"
    let qry = "select `N° BD` from Coordonnées where Nom = " ++ name

    putStrLn qry

    bd_rows <- query_ conn qry

    putStrLn $ show bd_rows
    putStrLn $ show name

    forM_ bd_rows $ \(Only a) ->
      putStrLn $ Text.unpack a


error:

*Main> :load UpdateSidonie
[1 of 1] Compiling Main             ( UpdateSidonie.hs, interpreted )

UpdateSidonie.hs:74:28: error:
    • Couldn't match expected type ‘Query’ with actual type ‘[Char]’
    • In the second argument of ‘query_’, namely ‘qry’
      In a stmt of a 'do' block: bd_rows <- query_ conn qry
      In the expression:
        do conn <- connect
                     defaultConnectInfo
                       {connectHost = "moita", connectUser = "mattei",
                        connectPassword = "sidonie2", connectDatabase =
"sidonie"}
           rows <- query_
                     conn
                     "SELECT Nom,distance FROM AngularDistance WHERE
distance > 0.000278"
           forM_ rows
             $ \ (name, distance)
                 -> putStrLn $ unpack name ++ " " ++ show (distance ::
Double)
           let name = "'A    20'"
           ....
   |
74 |     bd_rows <- query_ conn qry
   |                            ^^^
Failed, no modules loaded.


--
[hidden email], [hidden email], UNS / OCA / CNRS
_______________________________________________
Beginners mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/beginners
Re: database error simply by using a string in a variable

Francesco Ariis
Hello Damien,

On Wed, Dec 05, 2018 at 05:02:48PM +0100, Damien Mattei wrote:
>     • Couldn't match expected type ‘Query’ with actual type ‘[Char]’

GHC would like to have a `Query`, but you are providing a `String`.
You didn't specify which library you are using, but I am willing to
bet there is an appropriate ":: String -> Query" function.

That, or you need to put

    {-# LANGUAGE OverloadedStrings #-}

on top of your file. Does that work?
-F

Re: (SPAM 3)Re: database error simply by using a string in a variable

Damien Mattei


On 05/12/2018 17:12, Francesco Ariis wrote:

> Hello Damien,
>
> On Wed, Dec 05, 2018 at 05:02:48PM +0100, Damien Mattei wrote:
>>     • Couldn't match expected type ‘Query’ with actual type ‘[Char]’
>
> GHC would like to have a `Query`, but you are providing a `String`.
> You didn't specify which library you are using, but I am willing to
> bet there is an appropriate ":: String -> Query" function.
>
> That, or you need to put
>
>     {-# LANGUAGE OverloadedStrings #-}


I had put it already.
>
> on top of your file. Does that work?

No.

I begin to understand that {-# LANGUAGE OverloadedStrings #-} is working
on strings but not on a string in a variable or a concatenation; I should have
to create an object of type Query from the String... ???

Finally, having the beginning of a solution:

    let qry_head = "select `N° BD` from sidonie.Coordonnées where Nom = ?" :: Query
    putStrLn qry

    bd_rows <- query conn qry_head (Only (name::String))

> -F
Re: (SPAM 3)Re: database error simply by using a string in a variable

Damien Mattei
Thanks for your help.

Re: (SPAM 3)Re: database error simply by using a string in a variable

Francesco Ariis
On Wed, Dec 05, 2018 at 05:28:03PM +0100, Damien Mattei wrote:
> I begin to understand that {-# LANGUAGE OverloadedStrings #-} is working
> on strings but not on a string in a variable or a concatenation; I should have
> to create an object of type Query from the String... ???

Yes, OverloadedStrings works on String *literals* not on String variables!

Re: database error simply by using a string in a variable

Ian Denhardt
It sounds from the later posts like you've made some progress. I just
want to call out one thing:

Quoting Damien Mattei (2018-12-05 11:02:48)
>     let name = "'A    20'"
>     let qry = "select `N° BD` from Coordonnées where Nom = " ++ name

I'll hazard a guess that you're using the sqlite-simple library. From
their documentation on the Query type:

> This type is intended to make it difficult to construct a SQL query by
> concatenating string fragments, as that is an extremely common way to
> accidentally introduce SQL injection vulnerabilities into an
> application.

From later messages it looks like you worked out the OverloadedStrings
thing and ended up (correctly) moving to some code that uses the ?
interpolation syntax: ".... where Nom = ?". I just wanted to stress that
this is the right way to do things, and the distinction is important.
This is a general thing when working with SQL: don't construct queries
by gluing strings together; it's a great way to have vulnerabilities in
your app.

Happy Hacking,

-Ian
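An added example (not code from this thread or from the sqlite-simple project) that covers both Damien's question, turning a String held in a variable into a Query, and Ian's point, the concatenated lookup beside the `?`-placeholder one, using the sqlite-simple library Ian mentions with an in-memory database so it runs offline. The table, column names, rows and the test input are constructed for the demo; mysql-simple, which the original error output suggests Damien uses, exposes the same Query, Only and `?` conventions.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not code from the thread. Uses sqlite-simple with an
-- in-memory database so it runs offline; the table, rows and the
-- untrusted input below are constructed for this demo.
module Main where

import Control.Monad (forM_)
import Data.String (fromString)
import qualified Data.Text as T
import Database.SQLite.Simple (Connection, Only (..), Query, close,
                               execute, execute_, open, query, query_)

-- OverloadedStrings only turns a String *literal* into a Query. A String
-- held in a variable (or built with ++) needs an explicit conversion;
-- Query has an IsString instance, so fromString does it.
toQuery :: String -> Query
toQuery = fromString

-- Unsafe: the name is spliced into the SQL text, so any quote or
-- keyword inside it becomes part of the statement. Shown only to
-- contrast with the parameterised form below.
lookupByConcat :: Connection -> String -> IO [Only T.Text]
lookupByConcat conn name =
  query_ conn (toQuery ("SELECT bd FROM coords WHERE nom = '" ++ name ++ "'"))

-- Safe: the name is bound to the ? placeholder by the driver and is
-- never interpreted as SQL, whatever characters it contains.
lookupByParam :: Connection -> String -> IO [Only T.Text]
lookupByParam conn name =
  query conn "SELECT bd FROM coords WHERE nom = ?" (Only name)

main :: IO ()
main = do
  conn <- open ":memory:"
  execute_ conn "CREATE TABLE coords (nom TEXT, bd TEXT)"
  execute conn "INSERT INTO coords VALUES (?, ?)" ("A    20" :: String, "BD+20 1234" :: String)
  execute conn "INSERT INTO coords VALUES (?, ?)" ("B     7" :: String, "BD+07 9" :: String)
  -- Constructed input that is a SQL fragment rather than a star name.
  let untrusted = "x' OR '1'='1"
  viaConcat <- lookupByConcat conn untrusted
  viaParam  <- lookupByParam conn untrusted
  -- The concatenated query's WHERE clause is now true for every row, while
  -- the parameterised query looks for that exact string and finds nothing.
  putStrLn ("concatenation: " ++ show (length viaConcat) ++ " rows")
  putStrLn ("parameter:     " ++ show (length viaParam) ++ " rows")
  forM_ viaParam $ \(Only bd) -> putStrLn (T.unpack bd)
  close conn
```

Build with the sqlite-simple and text packages installed; the row counts printed for the two lookups are the whole point of the contrast.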