I am using a MySQL db; when I run the script below it behaves very strangely. The current behaviour is:
if the password is something normal, it changes the password to 0 but ignores the token value.
if the password is already 0, it just runs, doesn't do anything, and says 0 rows affected.
If someone could give me a clue as to why this is happening, that would be great. My SQL is:
UPDATE travisor_tradesperson SET password='123456789' AND token = '' WHERE email='rhamilton469@qub.ac.uk'
The syntax is wrong. You separate columns in the SET clause with a comma (,), not with AND:
UPDATE travisor_tradesperson
SET password = '123456789', token = ''
-- Here ---------------------^
WHERE email='rhamilton469@qub.ac.uk'
As to why it does that: since you had the syntax wrong (as per the other answer), the whole part after SET
password='123456789' AND token = ''
was probably interpreted as a single assignment of '123456789' AND token = '' into password. This was likely understood by MySQL as applying a boolean AND to a string converted to boolean and the result of the comparison token = ''.
Use commas to separate columns; AND is an operator for conditional statements, which we can use after the WHERE clause.
UPDATE travisor_tradesperson
SET password = '123456789', token = 'xyz'
WHERE email='rhamilton469@qub.ac.uk'
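To make the parse concrete, here is an added Python example (not code from the question or the answers) that runs the original statement and the corrected one against an in-memory SQLite table standing in for travisor_tradesperson. SQLite parses the SET expression the same way the answers describe for MySQL, as password = ('123456789' AND (token = '')), so the stored password comes back as the boolean result and token is never assigned. The row contents and the function names are constructed for the example; MySQL's separate "rows matched" versus "rows changed" reporting is not reproduced here.

```python
import sqlite3


def make_table():
    """Constructed stand-in for travisor_tradesperson: one row whose token is not empty."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE travisor_tradesperson (email TEXT, password TEXT, token TEXT)")
    conn.execute("INSERT INTO travisor_tradesperson VALUES (?, ?, ?)",
                 ("user@example.test", "oldpass", "abc123"))  # constructed sample row
    conn.commit()
    return conn


def run_broken(conn):
    """The question's query with AND instead of a comma.

    The whole expression after SET is one assignment:
        password = ('123456789' AND (token = ''))
    which evaluates to 0 or 1; token itself is never assigned.
    """
    conn.execute("UPDATE travisor_tradesperson SET password = '123456789' AND token = '' "
                 "WHERE email = 'user@example.test'")
    return conn.execute("SELECT password, token FROM travisor_tradesperson").fetchone()


def run_fixed(conn):
    """Same update with the comma the answers point out; both columns are assigned."""
    conn.execute("UPDATE travisor_tradesperson SET password = '123456789', token = '' "
                 "WHERE email = 'user@example.test'")
    return conn.execute("SELECT password, token FROM travisor_tradesperson").fetchone()


if __name__ == "__main__":
    # The TEXT column stores the boolean 0 as the string '0'; the token is untouched.
    print(run_broken(make_table()))  # ('0', 'abc123')
    print(run_fixed(make_table()))   # ('123456789', '')
```

Because token is 'abc123' in the sample row, token = '' is false and the whole AND collapses to 0, which is exactly the "password becomes 0, token ignored" symptom the question reports.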
I want to add to my database the function that if a user wants to add his email it gets added in the right column.
I use Azure's MySQL server and already tried INSERT INTO, but then found out UPDATE is the way to go; I still have some issues though:
UPDATE Accounts SET("e-mail") VALUE (@email) WHERE Username = @Username;
My expected result is that it updates the e-mail variable, but it doesn't; instead it shows me:
Wrong Syntax near '('. '.', ID, PSEUDOCOL, QUOTED_ID or VARIABLE is expected.
So what I am asking is: how do I fix this issue?
You seem to be looking for the syntax of a MySQL UPDATE using variables. Here is how you do it:
SET @Username := 'Foo';
SET @email := 'foo@bar.com';
UPDATE Accounts
SET email = @email
WHERE Username = @Username;
Is your database field really named e-mail? It is not a good idea to use special characters (here, the dash) in field names. You would need to quote it in every query, like:
SET `e-mail` = @email
I am attending a free online course at Pentesterlab and today I am getting comfortable with SQL injections.
However, I don't get the instructions, and as it could be a huge (technical) difference I want to know how it works.
The stuff I am talking about:
https://www.pentesterlab.com/exercises/web_for_pentester/course
Please scroll down more than halfway to "SQL Injections" --> "Example 1".
In the example we found out that the (My)SQL table should work like this pattern:
SELECT * FROM users WHERE name='[INPUT]';
As I understand this, all I am providing through the URL is the "INPUT"; the quotes (') before and after the input and the semicolon (;) are added by SQL automatically.
However, the instruction says:
?name=root' and '1'='1: the quote in the initial query will close the one at the end of our injection.
I don't get it. I thought the quote (') after root ends the first part, but there's still the other part '1'='1, isn't there?
Maybe it's a misunderstanding of the language; however, I am not sure if I understood it.
Imo the SQL should look like this (for example 1, first "code"):
SELECT * FROM users WHERE name=' root' and '1'='1 ';
At the second try at Example 1 it gets stranger:
?name=root' and '1'='1' # (don't forget to encode #): the quote in the initial query will be commented out.
Wait, what? I thought the quote provided by SQL automatically gets commented out.
Imo the SQL should look like this (for example 1, second "code"):
SELECT * FROM users WHERE name=' root' and '1'='1' # ';
Hope someone can clear this up, whether I understand it right and it is just explained in a way that is too hard for me, or whether I am messing something up.
Thank you guys :)
MySQL does not add anything automatically to your query. If you are not providing a single quote, then it will not be there. Period.
SELECT * FROM users WHERE name='[INPUT]';
The application contains the above SQL statement template in its own code and substitutes the parameter received from the user in place of the [INPUT] placeholder.
If you provide a single name, as you are supposed to, then the query executed will be:
SELECT * FROM users WHERE name='root';
However, if you provide root' and '1'='1 as input, then the SQL code being executed will be
SELECT * FROM users WHERE name='root' and '1'='1';
The single quote before root and the one after the 2nd 1 are part of the SQL statement template within the application.
I haven't read the course, so let's assume the logic will only check that the user exists in the database.
Original SQL
SELECT * FROM users WHERE name = 'admin'
(1 row affected)
By SQL injection, you can input something after that to make this SQL always return records,
by inputting the user name as [root' and '1' = '1]
SELECT * FROM users WHERE name = 'root' and '1' = '1'
(20 rows affected)
However, let's assume this SQL will also check the password:
SELECT * FROM users WHERE name = 'admin' and pwd = 'abc'
(1 row affected)
by inputting the user name as [root' and '1' = '1]
SELECT * FROM users WHERE name = 'root' and '1' = '1' and pwd = 'invalid'
(0 row affected)
We need to bypass the password; what we need to do is comment out the rest of the SQL
by inputting the user name as [root' and '1' = '1'#]
SELECT * FROM users WHERE name = 'root' and '1' = '1'#' and pwd = 'abc'
(20 rows affected)
With this SQL, the password check is commented out, and it will grant access even if you don't have the correct user name and password.
The following query:
select replace(`Abilities`, 'export_import', 'auto') from fl_account_types;
gives me 'auto,listings', the correct replacement from the Abilities column. However, when I execute:
update fl_account_types set `Abilities` = replace(`Abilities`, 'export_import', 'autos');
MySQL just omits the 'export_import' string and replaces Abilities with the 'listings' string.
What could be the reason?
The problem was that Abilities was of type SET and I was trying to replace with a value which was not listed in its definition. But I still do not understand why select replace works well and why MySQL does not throw an error.
I have a VB.net website. Somewhere I have used an Update query which has no errors in terms of syntax, but suppose a user has selected some symbolic values like below:
UPDATE Table SET Column = ''A'-wing' Where ID = '123'
So here the column value 'A'-wing has a quote which results in a syntax error in my query. How do I avoid user-input related errors in the query?
You have to escape your quotes by adding a backslash in front of them. Change your query to this:
UPDATE Table SET Column = '\'A\'-wing' Where ID = '123'
For more information about this, check the official documentation here.
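The Pentesterlab answers above describe the template-plus-substitution mechanism, and the VB.net question above shows the other face of the same defect: a legitimate value containing a quote breaks the pasted-together statement. Here is an added Python example (not code from the course, the answers, or the VB.net site) that runs both cases against an in-memory SQLite table standing in for the course's users table, then runs the same inputs through a parameterised query where the driver keeps the values separate from the SQL. The table rows are constructed; SQLite is used as an offline stand-in for MySQL, so the comment marker in the test input is `-- ` (accepted by both) rather than MySQL's `#`.

```python
import sqlite3


def make_users():
    """Constructed sample table; includes a name that itself contains quotes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "abc"), ("root", "toor"), ("alice", "wonder"), ("'A'-wing", "pw")])
    conn.commit()
    return conn


def build_unsafe(name, pwd):
    """The template the answers describe: the quotes live in the template and the
    user's text is pasted between them, so the text can end the literal early."""
    return f"SELECT * FROM users WHERE name = '{name}' and pwd = '{pwd}'"


def login_unsafe(conn, name, pwd):
    """Run the pasted-together query. Returns the rows, or None when the input
    broke the SQL syntax (the VB.net question's symptom)."""
    try:
        return conn.execute(build_unsafe(name, pwd)).fetchall()
    except sqlite3.OperationalError:
        return None


def login_safe(conn, name, pwd):
    """Parameterised form: values travel separately from the statement text, so
    quotes and comment markers in them stay plain data. No escaping needed."""
    return conn.execute("SELECT * FROM users WHERE name = ? and pwd = ?", (name, pwd)).fetchall()


if __name__ == "__main__":
    conn = make_users()
    # Normal input: both forms behave the same.
    print(login_unsafe(conn, "root", "toor"), login_safe(conn, "root", "toor"))
    # Input from the course without a comment: the pwd check still applies, so no row.
    print(login_unsafe(conn, "root' and '1' = '1", "invalid"))
    # With the comment marker the pwd check is dropped; root's row comes back despite a wrong password.
    print(build_unsafe("root' and '1' = '1' -- ", "invalid"))
    print(login_unsafe(conn, "root' and '1' = '1' -- ", "invalid"))
    # A legitimate quoted value: the pasted query is a syntax error, the parameterised one just works.
    print(login_unsafe(conn, "'A'-wing", "pw"), login_safe(conn, "'A'-wing", "pw"))
    # The same course input through the parameterised query matches nothing.
    print(login_safe(conn, "root' and '1' = '1' -- ", "invalid"))
```

The point for the VB.net question is the last two lines: rather than hand-escaping quotes (which has to be done correctly for every value and every dialect), binding the value as a parameter makes both the accidental quote and the deliberate one harmless in one move.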
I have a query (this is a valid query):
'SELECT *
FROM MyTable
WHERE city= ?
ORDER BY name ' [Keyname]
I am using this query condition: I am passing the Keyname as a param from the client to this SQL query.
This works and I get the required result, BUT
if I pass nothing, say null comes from the client as the param value for Keyname, this query fails.
How can I make the query better, so that even if null comes, the ORDER BY condition is satisfied?
Or are there other solutions I need to look for? If so, what are they?
Hope I am clear.
[EDIT]
CASE 1: for the URL
http://54.218.73.244:7005/DescriptionSortedSearchRating/?Key=Pune
my query above is satisfied,
but for
http://54.218.73.244:7005/DescriptionSortedSearchRating/?Key=
my query fails. My SQL query is expecting a Key for http://54.218.73.244:7005/DescriptionSortedSearchRating/; if I pass nothing, my query doesn't get me a result.
What I am trying to see is that even if I get nothing as the key, the ORDER BY condition must be met.
IF I PASS A KEY VALUE
IF I DON'T PASS A KEY VALUE
You can clearly see I am not able to fetch results from the database (empty JSON).
This question doesn't have anything to do with MySQL. This is 100% your high-level language. The null value that [Keyname] has is a null value in the language you're using to create the string that will be the final query.
The simplest solution would be not to assign null to your [Keyname] variable but rather an empty string.
You may use this:
ORDER BY name CASE WHEN Keyname IS NULL THEN '' ELSE CONCAT(',', Keyname) END
I am not sure whether the syntax is correct, but what I expect here is to append an empty string when Keyname is null and to append Keyname with a comma (,) otherwise. Please try it.
Another option is using the function ISNULL:
ISNULL(Keyname, '');
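Both answers above put the null handling in the layer that builds the string, which is where the question's query is assembled. Here is an added Python example (not code from the question or the answers) that does that: an empty or missing Keyname falls back to ORDER BY name alone, and a supplied Keyname is appended after a comma, as the CASE answer describes. It goes one step beyond the answers by looking the client's key up in a fixed allowlist of sort expressions instead of appending the raw string, since ORDER BY cannot take a bound parameter. The allowlist entries, the MyTable columns, the SQLite stand-in for MySQL, and the sample rows are all constructed for the example; the question does not give the real column names.

```python
import sqlite3

# Constructed allowlist: the client supplies a short key, the server supplies the SQL.
# Anything not listed is refused rather than concatenated into the statement.
ALLOWED_SORT_KEYS = {"rating": "rating DESC", "city": "city ASC"}


def key_is_allowed(key):
    """None and '' mean 'no extra key' (the ?Key= case); otherwise the key must be listed."""
    return not key or key in ALLOWED_SORT_KEYS


def build_query(key):
    """Return the question's query text with ORDER BY name, plus an optional extra sort key."""
    if not key_is_allowed(key):
        raise ValueError(f"unknown sort key: {key!r}")
    order_by = "ORDER BY name"
    if key:
        order_by += ", " + ALLOWED_SORT_KEYS[key]
    return f"SELECT name, rating FROM MyTable WHERE city = ? {order_by}"


def make_table():
    """Constructed sample data with a duplicated name so the extra sort key is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (name TEXT, city TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?, ?)",
                     [("Amy", "Pune", 3), ("Amy", "Pune", 5), ("Bob", "Pune", 4), ("Cat", "Mumbai", 4)])
    conn.commit()
    return conn


def search(conn, city, key=None):
    """Run the query: city is bound as the ? parameter, the sort key only shapes ORDER BY."""
    return conn.execute(build_query(key), (city,)).fetchall()


if __name__ == "__main__":
    conn = make_table()
    print(build_query(""))                   # same as build_query(None): plain ORDER BY name
    print(search(conn, "Pune"))              # Amy rows first, then Bob; tie order unspecified
    print(search(conn, "Pune", "rating"))    # [('Amy', 5), ('Amy', 3), ('Bob', 4)]
    print(key_is_allowed("colour"))          # False: refused before any SQL is built
```

Treating null and '' the same in key_is_allowed is what makes the ?Key= request return rows instead of failing, which is the behaviour the question asks for.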