I'm new here so I'll try to make my post as clear and readable as possible.
While browsing some site's log I came across some hacking attempts that I want to recreate/test in a closed server. I made a simple PHP web page that gets a variable named 'id' and without any filtering/validation use it in a query.
Relevant PHP code
$var = $_GET['id'];
echo $_GET['id'] . "<br>\n";
include ( "/var/www/dbconnect.php" );
$mysqli = new mysqli ( $db_host, $db_user, $db_password, "news" );
if ( $mysqli->connect_errno ) { echo "Failed to connect to MySQL: (" . $mysqli- >connect_errno . ") " . $mysqli->connect_error; }
$query = "SELECT id, date, subject FROM news_table WHERE id=" . $var;
//$query = "SELECT id, date, subject FROM news_table WHERE id=250; DROP TABLE test;"; // This won't work because in PHP's implementation multiple statements are not allowed
if ( ! $result = $mysqli->query ( $query ) ) { echo "CALL failed: (" . $mysqli->errno . ") " . $mysqli->error; } else { }
Then I load the page using the following
testserver/test-files/test-mysql-vulnerability.php?id=362099999.1
union select unhex(hex(version())) -- 1=1
and get this result:
CALL failed: (1222) The used SELECT statements have a different number
of columns
The hacker spent 5 minutes sending numerous combinations trying to break into our production server. My production server does not give any indication of success/failure like the error above.
My question is: Can the above hack work when the number of columns don't match? If so how?
tnx
As noted in the comments, don't do this.
To answer your question, though, union is useful in injections because it allows you to use an unrelated table in the output. The error you're seeing is because the original database query wanted a certain number and type of columns, and the injected query wanted only one. In this case we know that we need three columns (from the code), so we want the resultant SQL statement to be
SELECT id, date, subject FROM news_table WHERE id=3 union select 0, 0, unhex(hex(version())) --
(This may not work exactly depending on your data types and my ability to do this off the top of my head).
SELECT id,
date,
subject
FROM news_table
WHERE id = 3
UNION
SELECT NULL AS id,
NULL AS date,
Unhex(Hex(Version())) AS subject
also use mysql instead of mysqli as it is more prone to injections
I have this VERY inefficient way of updating the phone numbers in my database after cleaning them of all non-digits.
$san_phone = mysql_query('SELECT * FROM table');
while ($row = mysql_fetch_array($san_phone)) {
$row['phone_clean'] = preg_replace('#[^\d]#', '', $row['phone']);
echo $row['id'] . ' - ' . $row['phone_clean'] . '<br>';
mysql_query("UPDATE table SET phone = " . $row['phone_clean'] . " WHERE id = " . $row['id']);
}
That update part of the loop is causing me to timeout after only about 400 of my 2,400 records. It's obvious I'm doing something wrong so be gentle when schooling me. ;)
First off, stop using mysql_ functions as they are being deprecated. Use mysqli_ or PDO functions instead.
The method you are using to UPDATE your records is inefficient. You should instead create a temporary table, INSERT the new records in a single query, and finally run an UPDATE query to replace the data.
You can start out with this:
$san_phone = mysql_query('SELECT id, phone FROM table');
$insertArray = array();
while ($row = mysql_fetch_array($san_phone)) {
$phone_clean = preg_replace('#[^\d]#', '', $row['phone']);
echo $row['id'] . ' - ' . $row['phone_clean'] . '<br>';
$insertArray[] = "(" . $row[id] . ", '" . $phone_clean . "')";
}
$insertQuery = "INSERT INTO tempTable (id, phone) VALUES ";
$insertQuery = implode(", ", $insertArray);
mysql_query($insertQuery);
I've made a quick demo to illustrate this process. t1 is your original table, and t2 is the temporary table that contains the data to replace.
See it in action
You could use something like this user-defined function:
http://www.mysqludf.org/lib_mysqludf_preg/index.php#PREG_REPLACE_SECTION
or https://launchpad.net/mysql-udf-regexp
And rewrite your query to:
UPDATE table
SET phone = PREG_REPLACE('#[^\d]#', '', phone);
Well, multiple calls to your database incurs a speed hit, and (in my experience), it's a painful one. Even two trips to the database can lead to a noticeable delay over one.
To get around this, you want to minimize the calls to your database, which means doing as much in one call as possible. To this end, try rewriting this as a single SQL update where your replacement logic is in SQL itself. That would mean only one trip to the database and a massive speed improvement.
That's easier said than done, since last I checked, MySQL didn't have a regular expression string replacement function. You could try a work-around, or see about some of the UDF's. Another answer provided a link for one. I recommend looking into that.
Using MySQL I can run the query:
SHOW CREATE TABLE MyTable;
And it will return the create table statement for the specificed table. This is useful if you have a table already created, and want to create the same table on another database.
Is it possible to get the insert statement for an already existing row, or set of rows? Some tables have many columns, and it would be nice for me to be able to get an insert statement to transfer rows over to another database without having to write out the insert statement, or without exporting the data to CSV and then importing the same data into the other database.
Just to clarify, what I want is something that would work as follows:
SHOW INSERT Select * FROM MyTable WHERE ID = 10;
And have the following returned for me:
INSERT INTO MyTable(ID,Col1,Col2,Col3) VALUES (10,'hello world','some value','2010-10-20');
There doesn't seem to be a way to get the INSERT statements from the MySQL console, but you can get them using mysqldump like Rob suggested. Specify -t to omit table creation.
mysqldump -t -u MyUserName -pMyPassword MyDatabase MyTable --where="ID = 10"
In MySQL Workbench you can export the results of any single-table query as a list of INSERT statements. Just run the query, and then:
click on the floppy disk near Export/Import above the results
give the target file a name
at the bottom of the window, for Format select SQL INSERT statements
click Save
click Export
Since you copied the table with the SQL produced by SHOW CREATE TABLE MyTable, you could just do the following to load the data into the new table.
INSERT INTO dest_db.dest_table SELECT * FROM source_db.source_table;
If you really want the INSERT statements, then the only way that I know of is to use mysqldump http://dev.mysql.com/doc/refman/5.1/en/mysqldump.htm. You can give it options to just dump data for a specific table and even limit rows.
I wrote a php function that will do this. I needed to make an insert statement in case a record needs to be replaced after deletion for a history table:
function makeRecoverySQL($table, $id)
{
// get the record
$selectSQL = "SELECT * FROM `" . $table . "` WHERE `id` = " . $id . ';';
$result = mysql_query($selectSQL, $YourDbHandle);
$row = mysql_fetch_assoc($result);
$insertSQL = "INSERT INTO `" . $table . "` SET ";
foreach ($row as $field => $value) {
$insertSQL .= " `" . $field . "` = '" . $value . "', ";
}
$insertSQL = trim($insertSQL, ", ");
return $insertSQL;
}
Laptop Lift's code works fine, but there were a few things I figured people may like.
Database handler is an argument, not hardcoded. Used the new mysql api. Replaced $id with an optional $where argument for flexibility. Used real_escape_string in case anyone has ever tried to do sql injection and to avoid simple breakages involving quotes. Used the INSERT table (field...) VALUES (value...)... syntax so that the fields are defined only once and then just list off the values of each row (implode is awesome). Because Nigel Johnson pointed it out, I added NULL handling.
I used $array[$key] because I was worried it might somehow change, but unless something is horribly wrong, it shouldn't anyway.
<?php
function show_inserts($mysqli,$table, $where=null) {
$sql="SELECT * FROM `{$table}`".(is_null($where) ? "" : " WHERE ".$where).";";
$result=$mysqli->query($sql);
$fields=array();
foreach ($result->fetch_fields() as $key=>$value) {
$fields[$key]="`{$value->name}`";
}
$values=array();
while ($row=$result->fetch_row()) {
$temp=array();
foreach ($row as $key=>$value) {
$temp[$key]=($value===null ? 'NULL' : "'".$mysqli->real_escape_string($value)."'");
}
$values[]="(".implode(",",$temp).")";
}
$num=$result->num_rows;
return "INSERT `{$table}` (".implode(",",$fields).") VALUES \n".implode(",\n",$values).";";
}
?>
In PHPMyAdmin you can:
click copy on the row you want to know its insert statements SQL:
click Preview SQL:
you will get the created insert statement that generates it
You can apply that on many rows at once if you select them and click copy from the bottom of the table and then Preview SQl
I use the program SQLYOG where I can make a select query, point at the results and choose export as sql. This gives me the insert statements.
The below command will dump into the terminal without all the extra stuff mysqldump will output surrounding the INSERT. This allows copying from the terminal without it writing to a file. This is useful if the environment restricts writing new files.
mysqldump -u MyUserName -pMyPassword MyDatabase MyTable --where="ID = 10" --compact --no-create-info --complete-insert --quick
Using mysqldump --help I found the following options.
-q, --quick Don't buffer query, dump directly to stdout.
(Defaults to on; use --skip-quick to disable.)
-t, --no-create-info
Don't write table creation info.
-c, --complete-insert
Use complete insert statements.
--compact Give less verbose output (useful for debugging). Disables
structure comments and header/footer constructs. Enables
options --skip-add-drop-table --skip-add-locks
--skip-comments --skip-disable-keys --skip-set-charset.
If you want get "insert statement" for your table you can try the following code.
SELECT
CONCAT(
GROUP_CONCAT(
CONCAT(
'INSERT INTO `your_table` (`field_1`, `field_2`, `...`, `field_n`) VALUES ("',
`field_1`,
'", "',
`field_2`,
'", "',
`...`,
'", "',
`field_n`,
'")'
) SEPARATOR ';\n'
), ';'
) as `QUERY`
FROM `your_table`;
As a result, you will have insers statement:
INSERT INTO your_table (field_1, field_2, ..., field_n) VALUES (value_11, value_12, ... , value_1n);
INSERT INTO your_table (field_1, field_2, ..., field_n) VALUES (value_21, value_22, ... , value_2n);
/...................................................../
INSERT INTO your_table (field_1, field_2, ..., field_n) VALUES (value_m1, value_m2, ... , value_mn);
, where m - number of records in your_table
Within MySQL work bench perform the following:
Click Server > Data Export
In the Object Selection Tab select the desired schema.
Next, select the desired tables using the list box to the right of the schema.
Select a file location to export the script.
Click Finish.
Navigate to the newly created file and copy the insert statements.
you can use Sequel pro to do this, there is an option to 'get as insert statement' for the results obtained
There is a quite easy and useful solution for creating an INSERT Statement for editing without the need to export SQL with just Copy & Paste (Clipboard):
Select the row in a query result window of MySQL Workbench, probably even several rows. I use this even if the row does contain different data than I want to insert in my script or when the goal is to create a prepared statement with ? placeholders.
Paste the copied row which is in your clipboard now into the same table (query results list is an editor in workbench) into the last free row.
Press "Apply" and a windows opens showing you the INSERT statement - DO NOT EXECUTE
Copy the SQL from the window to your clipboard
CANCEL the execution, thus not changing the database but keeping the SQL in your clipboard.
Paste the SQL wherever you want and edit it as you like, like e.g. inserting ? placeholders
You can create a SP with the code below - it supports NULLS as well.
select 'my_table_name' into #tableName;
/*find column names*/
select GROUP_CONCAT(column_name SEPARATOR ', ') from information_schema.COLUMNS
where table_schema =DATABASE()
and table_name = #tableName
group by table_name
into #columns
;
/*wrap with IFNULL*/
select replace(#columns,',',',IFNULL(') into #selectColumns;
select replace(#selectColumns,',IFNULL(',',\'~NULL~\'),IFNULL(') into #selectColumns;
select concat('IFNULL(',#selectColumns,',\'~NULL~\')') into #selectColumns;
/*RETRIEVE COLUMN DATA FIELDS BY PK*/
SELECT
CONCAT(
'SELECT CONCAT_WS(','''\'\',\'\''',' ,
#selectColumns,
') AS all_columns FROM ',#tableName, ' where id = 5 into #values;'
)
INTO #sql;
PREPARE stmt FROM #sql;
EXECUTE stmt;
/*Create Insert Statement*/
select CONCAT('insert into ',#tableName,' (' , #columns ,') values (\'',#values,'\')') into #prepared;
/*UNWRAP NULLS*/
select replace(#prepared,'\'~NULL~\'','NULL') as statement;
For HeidiSQL users:
If you use HeidiSQL, you can select the row(s) you wish to get insert statement. Then right click > Export grid rows > select "Copy to clipboard" for "Output target", "Selection" for "Row Selection" so you don't export other rows, "SQL INSERTs" for "Output format" > Click OK.
The insert statement will be inside you clipboard.
In case you use phpMyAdmin (Tested on version 5.x):
Click on "Edit" button next to the row for which you would like to have an insert statement, then on the bottom next to the action buttons just select "Show insert query" and press "Go".
With PDO you can do it this way.
$stmt = DB::getDB()->query("SELECT * FROM sometable", array());
$array = $stmt->fetchAll(PDO::FETCH_ASSOC);
$fields = array_keys($array[0]);
$statement = "INSERT INTO user_profiles_copy (".implode(",",$fields).") VALUES ";
$statement_values = null;
foreach ($array as $key => $post) {
if(isset($statement_values)) {
$statement_values .= ", \n";
}
$values = array_values($post);
foreach($values as $index => $value) {
$quoted = str_replace("'","\'",str_replace('"','\"', $value));
$values[$index] = (!isset($value) ? 'NULL' : "'" . $quoted."'") ;
}
$statement_values .= "(".implode(',',$values).")";
}
$statement .= $statement_values . ";";
echo $statement;
I think that the answer provided by Laptop Lifts is best...but since nobody suggested the approach that I use, i figured i should chime in. I use phpMyAdmin to set up and manage my databases most of the time. In it, you can simply put checkmarks next to the rows you want, and at the bottom click "Export" and chose SQL. It will give you INSERT statements for whichever records you selected. Hope this helps.
You can try this
function get_insert_query($pdo, $table, $where_sth)
{
$sql = "";
$row_data = $pdo->query("SELECT * FROM `{$table}` WHERE $where_sth")->fetch();
if($row_data){
$sql = "INSERT INTO `$table` (";
foreach($row_data as $col_name => $value){
$sql .= "`".$col_name."`, ";
}
$sql = rtrim($sql, ", ");
$sql .= ") VALUES (";
foreach($row_data as $col_name => $value){
if (is_string($value)){
$value = $pdo->quote($value);
} else if ($value === null){
$value = 'NULL';
}
$sql .= $value .", ";
}
$sql = rtrim($sql, ", ");
$sql .= ");";
}
return $sql;
}
To use it, just call:
$pdo = new PDO( "connection string goes here" );
$sql = get_insert_query($pdo, 'texts', "text_id = 959");
echo $sql;
Update for get insert statement for current registers at PhpMyAdmin:
Select the table from you DB to get registers from
"Export" tab at the top menĂº as the image below
Custom export
Move down to "Data creation options"
Once there, select "Insert" function at your preferred syntax
Its very simple. All you have to do is write an Insert statement in a static block and run it as a script as a whole block.
E.g. If you want to get Insert statements from a table (say ENGINEER_DETAILS) for selected rows, then you have to run this block -
spool
set sqlformat insert
select * from ENGINEER_DETAILS where engineer_name like '%John%';
spool off;
The output of this block will be Insert statements.
In MySQL Workbench, right-click the table and select 'Send to SQL Editor'/'Insert Statement'. Clean it up a bit and you're good to go.
Based on your comments, your goal is to migrate database changes from a development environment to a production environment.
The best way to do this is to keep your database changes in your source code and consequently track them in your source control system such as git or svn.
you can get up and running quickly with something like this: https://github.com/davejkiger/mysql-php-migrations
as a very basic custom solution in PHP, you can use a function like this:
function store_once($table, $unique_fields, $other_fields=array()) {
$where = "";
$values = array();
foreach ($unique_fields as $k => $v) {
if (!empty($where)) $where .= " && ";
$where .= "$k=?";
$values[] = $v;
}
$records = query("SELECT * FROM $table WHERE $where", $values);
if (false == $records) {
store($table, array_merge($unique_fields, $other_fields));
}
}
then you can create a migration script which will update any environment to your specifications.