MySQL Injection going wrong - mysql

I was testing the security of a friend's site and I found an SQL injection vulnerability by putting ' at the end of the URL.
The site is built in Zend Framework.
The issue I am having is that the comment syntax in MySQL, --, is not working, so the page is still throwing an error:
Exception: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 1--) ORDER BY companies.company_name ASC' at line 8
in /home/xxxxxxx/xxxxxxxxxx/lib/Zend/Db/Adapter/Abstract.php on line 157
If you look at the error, the query is not terminated after --.
Even # and --+- are not working.

Putting ' at the end of the URL and getting an error from the website doesn't always mean it's vulnerable to SQLi.

Related

MySQL collation does not work

I insert some text which I scrape from a remote server, and the problem is that in the text there is a symbol,
�, which makes a syntax error, so the insert does not work. Any ideas about this
paradox? I've tried almost all collations; nothing works. The text is in Armenian.
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
ՄԱԿ-ի գլխավոր քա�' at line 1
Thanks in advance
FIXED! The problem was that when creating the PDO instance I didn't include this part:
charset=utf8

MySQL error messages do not provide useful hints, what about others?

When you have a syntactical error in a query, you will get an error message like:
SQL Error (1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'foo' at line 1 */
Such an error message does not provide a useful hint to resolve the error, e.g. what it expects at that line.
Is there any config to improve the MySQL error reporting?
What about other RDBMS (PostgreSQL, Oracle, MS SQL Server)?
Do they generate better error messages?
PostgreSQL's error messages are generally quite useful.
craig=> SELECT abc FROM no_such_table HAVING blah WHERE nonense GARBAGE;
ERROR: syntax error at or near "WHERE"
LINE 1: SELECT abc FROM no_such_table HAVING blah WHERE nonense GARB...
                                                  ^
It doesn't say Syntax error near WHERE; HINT: WHERE clause may not appear after HAVING... which would be nice, but turns out to be a bit tricky to do with the parser. Nonetheless, it tells you where the error is.
It can often be more specific than this, too; it depends on the nature of the error.
Using SQL Fiddle, I executed the following query on some RDBMSs.
select foo from
Only Oracle 11g returned a smart error message:
ORA-00903: invalid table name : select foo from
Other error messages:
# SQL Server 2008
Incorrect syntax near 'from'.: select foo from
# SQLite
could not prepare statement (1 near "from": syntax error)
# PostgreSQL 9.3
ERROR: syntax error at end of input: select foo from
# MySQL 5.5
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1: select foo from

Is there a way to enable MySQL to explain syntax error in more details?

MySQL only gives an unhelpful error message when it encounters a grammar or syntax error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near .......
Is there any way to get MySQL to explain a syntax error (e.g. expecting closing parenthesis, illegal expression, etc.) in detail?
The answer is no. All server error messages and their codes are listed in the documentation.
Server Error Codes and Messages.
From the documentation - For error checking, use error codes, not error messages. Error messages do not change often, but it is possible.
About the syntax errors: if there are no more specific error codes, then you get Error: 1149 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax...
As a workaround: you can view all syntax errors in dbForge Studio for MySQL. Create a new SQL document and write some code, or just open an SQL file; the automatic SQL syntax check will highlight errors in the code.
Automatic SQL syntax check feature.
This feature is available in the Professional and Enterprise editions, but you can try it in the trial version.
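An added example, not code from any of the posts on this page: a Python triage of logged errors shaped like the ones quoted here. It matches on the numeric code rather than the wording, as the documentation quote above advises, and checks whether request text appears in the fragment MySQL echoes, which separates the case in the first question from the Views one. The function names, labels, `MIN_OVERLAP` threshold and sample entries are assumptions constructed for illustration.

```python
import re

# Header and echoed fragment of the PDO-reported MySQL errors quoted on this page.
HEADER_RE = re.compile(r"SQLSTATE\[(\w{5})\]: [^:]+: (\d+) ")
NEAR_RE = re.compile(r"near '(.*)' at line (\d+)", re.DOTALL)
ER_PARSE_ERROR = 1064  # numeric code carried by the syntax errors on this page
MIN_OVERLAP = 4        # assumption: shorter overlaps are treated as coincidence

def parse_error(message):
    """Split a logged message into SQLSTATE, numeric code, fragment and line."""
    head = HEADER_RE.search(message)
    if head is None:
        return None
    near = NEAR_RE.search(message)
    return {"sqlstate": head.group(1), "code": int(head.group(2)),
            "near": near.group(1) if near else None,
            "line": int(near.group(2)) if near else None}

def input_reached_parser(value, fragment):
    """True when a tail of the request value appears in the echoed fragment."""
    tails = range(len(value) - MIN_OVERLAP + 1)
    return bool(fragment) and any(value[i:] in fragment for i in tails)

def triage(entries):
    """Label each (request value, error message) pair taken from the error log."""
    labels = []
    for value, message in entries:
        err = parse_error(message)
        if err is None or err["code"] != ER_PARSE_ERROR:
            labels.append("other")         # decided on the code, not the wording
        elif input_reached_parser(value, err["near"]):
            labels.append("input-in-sql")  # request text was parsed as SQL: bind it
        else:
            labels.append("query-bug")     # malformed SQL built by the application
    return labels

# Constructed log entries: hypothetical request values, messages shaped like the page's.
SYNTAX = ("SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error "
          "in your SQL syntax; check the manual that corresponds to your MySQL server "
          "version for the right syntax to use near '%s' at line %d")
SAMPLE = [
    ("O'Brien & Sons", SYNTAX % ("Brien & Sons') ORDER BY companies.company_name ASC", 8)),
    ("node-index", SYNTAX % ("-1 OFFSET 0", 2)),
    ("acme", "SQLSTATE[23000]: Integrity constraint violation: 1062 "
             "Duplicate entry 'acme' for key 'PRIMARY'"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `query-bug` label does not clear the endpoint: the echoed fragment starts at the token where parsing failed, which can lie after the request text.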

Can't create a view using the views module

I created a view using Views module based on the default node index. But the first thing I found is this error message:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1 OFFSET 0' at line 2
What might cause this and how do I solve it?
You have an error in your SQL syntax!
The Views module is just a GUI for creating a query,
so be sure your choices are logical for creating a query.

SQLSTATE[42000]: Syntax error or access violation: 1064 error on ALL Magento MySQL setup files after migration

I get the following error on all Magento MySQL setup files, after I have moved the website to a new hosting company. The new hosting company is running on Plesk / Apache. The website used to work perfectly.
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use nea
Try this:
Simply change line 41 in \app\etc\config.xml
<initStatements>SET NAMES utf8</initStatements>
to
<initStatements>SET NAMES utf8; SET SQL_BIG_SELECTS = 1</initStatements>