I have a query that contains some characters that cause a syntax error because contains reserved characters and I am battling to understand how to escape the string correctly.
The query is:
SELECT * FROM `products`
WHERE MATCH (code, description)
AGAINST (UPPER(+("intel"*) +("cpu"*)) IN BOOLEAN MODE)
But when I run this query I get the following error:
1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ') +("cpu"*)) ) IN BOOLEAN MODE)' at line 1
Okay so fine it does not like the ) as it would indicate that the AGAINST is being closed however it is not (yet). So I tried to escape it with a backslash but it still throws the same error.
If I try this in PHP using a prepared statement while binding the search string +("intel"*) +("cpu"*) into the statement it works. So it seems that the way that it escapes it is not with a backslash or that there is something else.
So I was looking at the PHP documentation for mysqlescapestring and I saw that it: "prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.".
Which indicate that the single and double quotes need to be escaped and I tried to do this but it just throws the same syntax error but on the double quote character, i.e. to use near '\"intel\"*\)...
I do understand that it would be best to use prepared statements and that this solves the problem but I just want to understand what I have done wrong here and how I could escape a string like this within an AGAINST clause as I have done here.
If anyone could suggest where I have going wrong with this then it would be greatly appreciated. Thank you.
Well, I managed to solve this.
I read an answer on another so question that helped me here. What I realised is that when a prepared statement includes the relative object it encapsulates it with quotes, so in actual fact UPPER(?) would become UPPER("prepared string") which means that UPPER(+("intel"*) +("cpu"*)) should actually be UPPER('+("intel"*) +("cpu"*)').
So the result is:
SELECT * FROM `product`
WHERE MATCH (code, description)
AGAINST (UPPER('+("intel"*) +("cpu"*)') IN BOOLEAN MODE)
Which does work without syntax errors.
As a note, if you are escaping strings in MySQL it would be worthwhile to note that MySQL uses C escape syntax in strings.
Related
I have an update query that updates a column that holds another application SQL query.
Putting SQL inside has been problematic I wanted to resolve it with escape characters.
update
my_table
set
sql_column = 'UPDATE inner_table SET user_name=\'user_name\' text=\'this this free text with things like \" inside it and drives me made\''
where
condition_col = 123456
The above is correct in any SQL syntax checker; however, Sybase throws an error simply Incorrect syntax new 'username.'
I am new to Sybase; please help.
I was expecting that Sybase would behave like MySQL, which is different.
Sybase (and ansi-standard SQL*) escapes the single quote with itself. You don't need to do anything special with a double quote inside a string literal (since in ansi-standard SQL double quotes do not create literals).
sql_column = 'UPDATE inner_table SET user_name=''user_name'' text=''this this free text with things like \\" inside it ...'
But Sybase will NOT behave like MySQL (it's far more standards compliant).
Lacking some context here, but this kind of code is also likely to end up leaving you dangerously susceptible to SQL injection issues, and that's a really big deal.
* The link is for Informix, but it does a good job explaining the standard
It looks like MySQL Workbench is now supporting JSON functionality, however I'm still seeing parser errors on MySQL 5.7.9 functionality, such as the "->" operator.
When I use the following query, I'm getting a syntax error over the "$.test" portion:
Record
record: {"test": 123}
Query
SELECT test->"$.test" FROM table
The query still executes successfully, however I'm curious as to why the syntax parser is incorrectly showing an error.
OK, the problem is probably something else than what I posted in my comments. You are using double quotes, which represent strings only if the ANSI quotes are not enabled (then they wrap identifiers). Use single quotes instead.
Having followed some tips on escaping apostrophes I am getting an unexpected combination of escape characters in the resulting sql statement. The following rails 4 active record statement is run against 5.5.42-MariaDB:
User.where(["surname LIKE ?", "%#{params[:search]}%"])
Where
params[:search] = "O'Keefe"
A .to_sql generates
SELECT * FROM users WHERE surname LIKE '%O\\'Keefe%'
MySQL/MariaBD expects an apostrophe to be escaped as two single apostrophes '' , or with a single backslash \' so this results in a syntax error. I am looking for help to understand why two backslashes \\' are appearing, and for a solution that will maintain protection against SQL injection.
UPDATE
After further investigation following suggestions below, it appears as though the console .to_sql output SELECT * FROM users WHERE surname LIKE '%O\\'Keefe%' is not what is passed onto MySQL. It failed for me 'cos I simply copied the statement into a mysql console to test execution. There is some black magic on route to the database that converts the double backslash \\' into a valid mysql escape sequence.
So problem 1/2 solved
User.where(["surname LIKE ?", "%#{params[:search]}%"])
is valid syntax that correctly auto-escapes the user input string. But can anyone shed any light on the reason for the generation of the double backslash and how it is modified on its way to database execution?
Try this:
User.where(["surname LIKE ?", "%#{params[:search].gsub("'", "''")}%"])
http://dev.mysql.com/doc/refman/5.0/en/string-literals.html#character-escape-sequences
I'm using joomla to develop sites, but I'm having a strange error. I have a syntax error in the following code:
$q = "TRUNCATE TABLE ".$db->quote('#__csvi_available_fields');
Which give output on runtime:
TRUNCATE TABLE 'erx_csvi_available_fields'
But mysql shows an error:
JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ''#__csvi_available_fields'' at line 1
SQL=TRUNCATE TABLE '#__csvi_available_fields'
The strange thing is when I run without quotes, it runs normal:
TRUNCATE TABLE erx_csvi_available_fields <-- works without problem
Any idea what went wrong here ?
As other have said the wrong quotes have been added.
When using Joomla's JDatabase to provide quoting there are two different functions you can call one for values and another for database, table or column/field names.
To make your example line work you need to use quoteName() as follows:
$q = "TRUNCATE TABLE ".$db->quoteName('#__csvi_available_fields');
The $db->quote() is used to quote values being used in the SQL.
You can read through /libraries/joomla/database/database.php for an idea of how the abstraction is supposed to work.
don't use single quotes "'". use "`" (left to the numbers on your keyboard). normal single quotes are for strings, same as double quotes
Single quotes are used for strings, you should use backticks for names.
From the MySQL manual:
The identifier quote character is the backtick (`)
Also have a look at this Stackoverflow question: Using backquote/backticks for mysql queries
I have an MySQL query, which returns an error message. I think it could be due to the word "out". Normally, I would just change the field name but I am working on some software that I am not used to and I don't know how much of a change that would be. So, I want to be sure if I have to.
Here is the query:
SELECT * FROM probid_bids WHERE auctionid=73 AND out=0 AND invalid=0
Here the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'out=0 AND invalid=0' at line 1
OUT is indeed a reserved word. You can encase the column names in backticks to quote the names, and thus avoid this problem, like so:
SELECT * FROM probid_bids WHERE `auctionid`=73 AND `out`=0 AND `invalid`=0
OUT is a reserved word (it is used to specify the type of parameters -- IN, OUT, INOUT -- when creating procedures). Try enclosing it inside backticks (`).
The rules regarding how and when to quote the identifiers (table names, column names, etc) are described here.
Note: certain MySQL configurations allow you to use double quotes as well but this should be avoided; stick with using backticks to quote identifiers and single quotes to quote strings.
Escape the keys:
SELECT * FROM `probid_bids` WHERE `auctionid`=73 AND `out`=0 AND `invalid`=0