Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Okay so basically I'm a little bit stumped. This question is regarding the JDBC driver. Basically we own a server that is hosted on this driver, and it's running MYSQL. We are using coldfusion as our language of choice. We have a GET parameter ?lang= and injecting the character '\' into it prompts the error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near and no other character causes this error. I am sort of worried here. Can anyone tell me how an attacker would approach an sql injection attack into this parameter? So I can understand how I can filter it because in my code I am properly filtering preg_match on \ character and yet I still get this error. How would I be able to inject this parameter? Can someone point me to a guide or something, or if it's even possible. Just so I can rest in piece assuming it's not. But anyhow if this information is necessary the mysql version is 5.1.30 and the exact driver name is MySQL-AB JDBC Driver. Thanks for taking your time to help me out!
\ can be an escape character in mysql.
For example, an attacker could use the \b sequence to delete portions of your query and rewrite with their own injected sql.
The most reliable way to prevent sql injection attacks is to use parametrized queries.
See also:
Mysql character escape sequences
Preventing Sql Injection in Java
Using prepared statements
Also be aware that in many databases (not absolutely sure about the JDBC/Mysql combination) it is also possible to "inject" a wildcard character into a sql LIKE clause, even with a parametrized query. "Injection" in this particular case is not always a problem - in fact, in many cases it may be exactly the desired behavior. However, it can be a problem, if for example, you were doing something horrid like SELECT * FROM Users WHERE UserName LIKE #userInput AND Password LIKE #passwordInput (which would allow anyone to log in simply by inputing the % wildcard character on the screen for both fields).
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 2 years ago.
Improve this question
I don't have much experience with mySQL but I thought I knew the basics. However, I am clearly missing something. I am using a database that has 6 tables, I can look at 5 of them with no problem. I was looking for some values and I wasn't sure which exact table it was in so I typed in my mySQL 101 level statement- 'SELECT * FROM project', received the values, and saw that my target was not in there. So I next ran 'SELECT * FROM release' except that command does not work.
The MySQL Workbench underlines the word 'SELECT' and the tooltip message says- "select" is not valid at this position for this server version
When I attempt to run the command, I get Error Code: 1064. You have an error in your SQL syntax
So I tried deleting and rewriting, thinking it was some sort of bug but restarts and everything else I have tried is not helping and I have been unable to google anything relevant.
full command-
USE scorecarddb;
SHOW TABLES;
SELECT * FROM release;
but I usually just use the 1 line command run (aka I only run line 3 since I am already in the scorecard db). And I don't think it is an actual syntax error because if I change the word 'release' to 'project' or any of the other table names, it works
release might be a reserved keyword. Try using:
SELECT * FROM `release`;
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
I want to run a MySQL query and then process all the result sets. The MySQL
5.7 documentation says that the way to do is to use SELECT ... PROCEDURE
stored_procedure_name(parameters). I created a stored procedure that does what I want without any problems. I used it in a SELECT ... PROCEDURE query and got this syntax error:
ComposeStatement (identifier) is not valid at this position
(where ComposeStatement is the name of my stored procedure). I checked I have the proper number of parameters and they are of the proper type. Using a
different procedure gives the same error (with the obvious change in name).
The documentation shows an example of this syntax using a procedure called
ANALYSE (which I understand from another post is now deprecated, but I really don't care about using ANALYSE specifically). When I tried the example I get the same error, with ANALYSE as the identifier. The errors I'm getting are
not in the procedures themselves, which is why many earlier posts don't apply.
Any suggestions? The SELECT..PROCEDURE construct sounds like it's exactly
what I need.
The MySQL feature #LarryGriffith references has nothing to do with stored procedures.
It's related to this deprecated feature: https://dev.mysql.com/doc/refman/5.7/en/procedure-analyse.html
SELECT col1, col2 FROM table1 PROCEDURE ANALYSE(10, 2000);
This use of the PROCEDURE query modifier is like putting a filter function on the result set from a query. It's analogous to a pipeline in the shell:
ls | grep myfile
The thing is, the "procedure" you use (ANALYSE() in the example) is not a stored procedure of the type you can write with CREATE PROCEDURE.
You would have to code the filtering function in C++ and compile it with the MySQL source.
The ANALYZE() example was originally meant as a proof of concept or example that developers could follow if they wanted to develop their own query filters. But I've never heard of anyone who actually did create a query filter of their own.
Last year it was announced that the SELECT ... PROCEDURE ANALYZE() feature was intended to be deprecated in MySQL 8. http://www.tocker.ca/2015/06/29/plan-to-deprecate-procedure-analyse.html
If you need to post-filter a query result, it's far easier to write a script (in Python or whatever your favorite language is), which fetches the raw data from the query result, and then does whatever you need to do with it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I want to write custom queries using Sequelize, and as far as possible avoid potential issues with SQL Injection. My question is therefore if there exists a secure way of writing custom queries with inserted variables using Sequelize?
Sequelize escapes replacements, which avoids the problem at the heart of SQL injection attacks: unescaped strings. It also supports binding parameters when using SQLite or PostgreSQL, which alleviates the risk further by sending the parameters to the database separately to the query, as documented here:
Bind parameters are like replacements. Except replacements are escaped
and inserted into the query by sequelize before the query is sent to
the database, while bind parameters are sent to the database outside
the SQL query text. A query can have either bind parameters or
replacements.
Only SQLite and PostgreSQL support bind parameters. Other dialects
will insert them into the SQL query in the same way it is done for
replacements. Bind parameters are referred to by either $1, $2, ...
(numeric) or $key (alpha-numeric). This is independent of the dialect.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I'm trying to pull a simple count distinct from a table in MySQL. The query is the following:
select COUNT (DISTINCT column1) as distinctVol
from table1
The error I'm getting is below:
Error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'DISTINCT call_reference) as distinctVol
from dlr_calls_hist' at line 1 (State:37000, Native Code: 428)
I've already tried in various different ways, but I can try things again upon suggestions, to make sure it's not typo related.
I've also given it a go with an online SS to MySQL converter (I'm used to using SQL Server), which just spat back the same syntax.
Yes, I could potentially output data and import it into SQL Server, which is the final aim of my efforts, but first I would need to create the dataset as the entire db in MySQL is too large with quite a bit of unnecessary info - trying to keep the resource waste to minimum.
All ideas welcome, and thank you in advanZe!
In MySQL, when using aggregate functions, you can't have whitespace between the function name and the (. Change to:
SELECT COUNT(DISTINCT column1)
FROM table1
DEMO
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I want to secure all my inputs to my database. I have written follow function:
function mysql_real_escape_array($t){
return array_map("mysql_real_escape_string",$t);
}
In a file which get loaded by all my php datas i have written:
$_POST=mysql_real_escape_array($_POST);
I think i dont have any disadvantages trough this dirty code and there is no malicious query possible. Or does somebody thinks, that is have any disadvantages trough this code?
Would be happy to hear some feedback. I know it is maybe not the best solution, but in this way i can never forget to escape something.
Thanks!
The only way to surely protect against injection is to use properly parameterized queries. All parameters to queries have vulnerabilities and must be properly escaped. This is not just to prevent malicious injection, but to prevent accidental injection. For example, you could have:
SELECT value FROM t1
$value = $result; //$value is now "o'connel"
// SQL error caused by apostrophe in string
SELECT col FROM t2 WHERE value = '$value'
You may consider this data safe because it is internal, but it can still cause a problem by not being properly escaped.
About overwriting $_POST, note that you can still get the raw post body as well as $_POST values from $_REQUEST, so there is no way to assure that your data is properly escaped. What's more is that mysql_real_escape_string may not have a valid mysql connection when you need to use it. This can cause problems and vulnerabilities. $_POST values can also be arrays, so your function would need to be recusive too.
It's much easier to forget all those considerations and use parameterized queries with PDO or mysqli. Note that using prepared statements is not enough in and of itself. You have to properly parameterize the queries.
Use Prepared Statements either via PDO or MySQLi. This is the only approach that is really secure and doesn't hurt performance.