On Saturday, 12 December 2015 at 12:14:30 UTC, Vadim Lopatin wrote:
> On Saturday, 12 December 2015 at 12:06:21 UTC, Suliman wrote:
>> On Saturday, 12 December 2015 at 11:53:51 UTC, Suliman wrote:
>>> On Saturday, 12 December 2015 at 11:31:18 UTC, Suliman wrote:
>>>> Oh sorry! I used wrong host! All ok!
>>>
>>> Yes, there was issue with host name, but it's do not solve problem. Second DB have same fields and I still getting false instead moving into while loop
>>
>> It's look like it do `next` step before return something.
>> So if in DB 1 value it will work like:
>> do step
>> if no value after it --> return false
>> if yes --> return true
>>
>> but I need any way to check if first value in DB is exists. Any suggestion?
>
> If you expect to have single or zero rows in result, use
> if (rs.next()) {
>             dbuser = rs.getString(1);
>             dbpassword = rs.getString(2);
>             writeln(dbuser);
> } else {
>             writeln("user not found");
> }

Do not help :( same result. It's return false :(

On Saturday, 12 December 2015 at 12:36:10 UTC, Suliman wrote:
> On Saturday, 12 December 2015 at 12:14:30 UTC, Vadim Lopatin wrote:
>> On Saturday, 12 December 2015 at 12:06:21 UTC, Suliman wrote:
>>> On Saturday, 12 December 2015 at 11:53:51 UTC, Suliman wrote:
>>>> On Saturday, 12 December 2015 at 11:31:18 UTC, Suliman wrote:
>>>>> Oh sorry! I used wrong host! All ok!
>>>>
>>>> Yes, there was issue with host name, but it's do not solve problem. Second DB have same fields and I still getting false instead moving into while loop
>>>
>>> It's look like it do `next` step before return something.
>>> So if in DB 1 value it will work like:
>>> do step
>>> if no value after it --> return false
>>> if yes --> return true
>>>
>>> but I need any way to check if first value in DB is exists. Any suggestion?
>>
>> If you expect to have single or zero rows in result, use
>> if (rs.next()) {
>>             dbuser = rs.getString(1);
>>             dbpassword = rs.getString(2);
>>             writeln(dbuser);
>> } else {
>>             writeln("user not found");
>> }
>
> Do not help :( same result. It's return false :(

Ehm... it's seems that issue occur if I have few rs.next() call. I thought it's create new content every time. So I will try to look at my code again.

On Saturday, 12 December 2015 at 12:43:36 UTC, Suliman wrote:
> On Saturday, 12 December 2015 at 12:36:10 UTC, Suliman wrote:
>> On Saturday, 12 December 2015 at 12:14:30 UTC, Vadim Lopatin wrote:
>>> On Saturday, 12 December 2015 at 12:06:21 UTC, Suliman wrote:
>>>> On Saturday, 12 December 2015 at 11:53:51 UTC, Suliman wrote:
>>>>> On Saturday, 12 December 2015 at 11:31:18 UTC, Suliman wrote:
>>>>>> Oh sorry! I used wrong host! All ok!
>>>>>
>>>>> Yes, there was issue with host name, but it's do not solve problem. Second DB have same fields and I still getting false instead moving into while loop
>>>>
>>>> It's look like it do `next` step before return something.
>>>> So if in DB 1 value it will work like:
>>>> do step
>>>> if no value after it --> return false
>>>> if yes --> return true
>>>>
>>>> but I need any way to check if first value in DB is exists. Any suggestion?
>>>
>>> If you expect to have single or zero rows in result, use
>>> if (rs.next()) {
>>>             dbuser = rs.getString(1);
>>>             dbpassword = rs.getString(2);
>>>             writeln(dbuser);
>>> } else {
>>>             writeln("user not found");
>>> }
>>
>> Do not help :( same result. It's return false :(
>
> Ehm... it's seems that issue occur if I have few rs.next() call. I thought it's create new content every time. So I will try to look at my code again.

Could anybody check on their PC, I if `if (rs.next()` and `while (rs.next()` will return true or false if there is only one element in selection. I still getting same results...

On 12.12.2015 08:44, Suliman wrote:
>>> string query_string = (`SELECT user, password FROM otest.myusers where
>>> user LIKE ` ~ `'%` ~ request["username"].to!string ~ `%';`);
>>
>> Don't piece queries together without escaping the dynamic parts.
>> Imagine what happens when the user enters an apostrophe in the
>> username field.
>
> Do you mean to wrap:
>   request["username"].to!string
> in quotes?

no

On Saturday, 12 December 2015 at 13:18:12 UTC, anonymous wrote:
> On 12.12.2015 08:44, Suliman wrote:
>>>> string query_string = (`SELECT user, password FROM otest.myusers where
>>>> user LIKE ` ~ `'%` ~ request["username"].to!string ~ `%';`);
>>>
>>> Don't piece queries together without escaping the dynamic parts.
>>> Imagine what happens when the user enters an apostrophe in the
>>> username field.
>>
>> Do you mean to wrap:
>>   request["username"].to!string
>> in quotes?
>
> no

What is you suggestion?

P.S. Look like code now work as expected. The problem was with rs.next iterator.

On Sat, 12 Dec 2015 07:44:40 +0000, Suliman wrote:

>>> string query_string = (`SELECT user, password FROM otest.myusers where user LIKE ` ~ `'%` ~ request["username"].to!string ~ `%';`);
>>
>> Don't piece queries together without escaping the dynamic parts. Imagine what happens when the user enters an apostrophe in the username field.
> 
> Do you mean to wrap:
>   request["username"].to!string
> in quotes?

No. You'll end up with a query like:
SELECT user, pass FROM users WHERE user LIKE '%"suliman"%'

This will only retrieve users with "\"suliman\"" in their username. But then I could still register with a username of "'; DROP TABLE users; --" and you'd be in an unhappy place. Because that would be parsed as:

SELECT user, pass FROM users WHERE user LIKE '%"';
DROP TABLE users;
--"%'

There are two ways of avoiding this problem (SQL injection attacks). The first is to manually escape all input strings. This relies on you being ever vigilant. It also relies on you knowing every way someone can create a SQL injection attack. In practice, everyone will fail at one or both of these.

The more successful way is to use prepared statements. In a prepared statement, you write something like:

auto stmt = db.prepare("SELECT username, password FROM users where
username = ?");
auto result = stmt.execute(request["username"].to!string);

The "?" tells the database you're going to provide a piece of data there later, and that data is not part of the query. So you don't have to worry what the user entered; it's not going to mess up the query.