We Keep Coding

Syntax error when trying to run an IF EXISTS query

I am trying to run the below query (in Sequel Pro), but I am getting the following syntax error:
'You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near 'IF
(EXISTS(SELECT username FROM USER WHERE username = "TestObserver"))
{SELECT *' at line 1'
Code:
IF EXISTS (SELECT username FROM USER WHERE username = "TestObserver")
SELECT * FROM USER WHERE username = "TestObserver"

You can't use an if block outside of a function. Instead just run the subsequent SQL statement:
SELECT * FROM `USER` WHERE username = "TestObserver"
If there is no username with testobserver value it will already return nothing all by itself.

Update longtext field in mysql

Im trying to update a longtext type field called 'comment' using a simple sql query in mysql client like this :
Update mytable set comment='Test' where id = 1;
But i'm getting this error
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'comment='Test' where id = 1' at line 1
Am i missing something ?, thanks in advance.

comment is a reserved word, if you want to have a table/field with that name, you have to quote it (or use the table.fieldname syntax, in case of a field). default in mysql is the backtick for that, so:
update mytable set `comment`='Test' where id = 1;

Found it, it gets solved with this:
update mytable as a set a.comment='Test' where id = 1;

MySQL select table

How can I select a MySQL table when the table name is in the URL format?
SELECT hash FROM 'http://www.mittelbayerische.de' WHERE time = '1465132682'
This will output following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''http://www.mittelbayerische.de' WHERE time = '1465132682'' at line 1

Are you sure that's a table name?
Anyway assuming it is, you should be able to use backticks to quote the table name.
SELECT hash FROM `http://www.mittelbayerische.de` WHERE time = '1465132682'

delete query for mysql using c

can anyone tell me the correct query to delete values from mysql db table,in my case the table name and id are accepted from the user and the row is deleted based on id.This is my query
sprintf(Query,"DELETE FROM ('%s') where id = (%d)",tb1,idt1) ;
/*table name is in form of string and id is int */
mysql_query(conn,Query);

You should remove parentheses around the table name:
sprintf(Query,"DELETE FROM '%s' where id = (%d)",tb1,idt1) ;
MySQL considers queries like this syntax errors:
delete from (mytable) where id=2;
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(mytable) where id=2' at line 1
(I'll assume that you know everything about SQL injection attacks, and that neither tb1 nor idt1 are constructed from user input in any shape or form).

Is it possible through SQL injection to launch an UPDATE/DELETE statement from an INSERT/SELECT statement in MySQL?

Let's take the following vulnerable query ($id not being escaped):
SELECT * FROM table WHERE id = $id
Would it be possible in MySQL 5.x to modify some data through an UPDATE statement which would appear inside the hacked SELECT statement?
I thought about something using benchmark() function:
SELECT * FROM table WHERE id = id OR benchmark(1, (UPDATE ...))
But it doesn't seem to work:
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE ...
Any other possibilities not using stored procedure?
Edit: and nor using multiple queries of course...

Depending on the driver this may pass:
SELECT * FROM table WHERE id = id; UPDATE table ...

Multiple queries.