I'm using the below SQL statement in a OLEDB command transformation.
Syntax 1:
INSERT INTO dbo.Table1 (col1,col2)
SELECT ?, 22 FROM dbo.Table1
But, it fails with an error:
syntax error , permission violation or other nonspecific error.
However, this syntax works fine.
Syntax 2:
INSERT INTO dbo.Table1 (col1,col2)
values (?,?)
Is Syntax 1 not supported by SSIS?
There's a hack to make it work & Martina White (http://dataqueen.unlimitedviz.com/) helped me out with it.
Below is her transcript:
I can duplicate your issue. There is a funky issue with OLE DB Command. When I write the query with the Values statement commented out, the Syntax 1 query as you have written it does work. When I remove the commented out statement it does not work. It seems to want the word Values() in there, regardless of whether it is commented out.
Try this and see if you get the same behaviour. If so, this should work successfully for you.
INSERT INTO dbo.Table1 (col1,col2)
--Values()
SELECT ?, 22 FROM dbo.Table1
No, it is not; in fact, it's not supported by any database that I'm aware of. You cannot parameterize the columns of a SELECT statement.
Related
I am testing out a blind boolean SQL injection endpoint in a course and am having some issues figuring out where my payload is going wrong.
I have tested the below in the mysql shell on the target box and it works.
GRANT/**/ALL/**/ON/**/*.*/**/TO/**/root#localhost;
But when I submit it in the q GET param I am getting an error in the application.
php?q=off')/**/or/**/GRANT/**/ALL/**/ON/**/*.*/**/TO/**/root#localhost%23
I tested a basic boolean statement with '1'='1' instead and it works fine so I am assuming there is something wrong with my actual query in the context of the URL.
q=off')/**/or/**/'1'='1'%23
I have tried the payload url encoded as well but still with the same issues.
Any idea what might be causing this?
Using SQL injection to combine a partial expression like
OR '1'='1' as part of some other query works because there are many ways to append extra expression syntax to an existing SQL query that already has a WHERE clause.
For example, it's easy to see in the below example how the additional expression can be appended to the first query, and it's still a legal expression.
SELECT * FROM mytable WHERE col1 = 'off'
SELECT * FROM mytable WHERE col1 = 'off' OR '1'='1' -- '
But GRANT is a statement on its own. It cannot be appended to another query like that. There's no way to combine GRANT with a SELECT statement.
SELECT * FROM mytable WHERE col1 = 'off' OR GRANT ALL ON *.* TO ...
That's just not a legal SQL query. You can study the online syntax reference for SELECT and other types of statements.
SQL injection works by tricking the app into executing one SQL statement with different syntax than the original intended SQL statement. But it can't make invalid syntax work!
As far as I can see my SQL code is formatted correctly, it seems to just be refusing to insert into the database.
this is my code:
INSERT INTO `writings`(`cover`, `pages`) VALUES(['test'], [10]);
i also tried
INSERT INTO `writings`(cover, pages) VALUES(['test'], [10]);
&
INSERT INTO `writings`(cover, pages) VALUES('test', 10);
I encounter this error "#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '['test'], [10])' at line 1 "
table name is correct, aswell as column names.
Any help would be fantastic! :)
As already pointed out on the comment
MySQL does not use [] around values
So you should try this way
INSERT INTO `writings`(`cover`, `pages`) VALUES('test', 10);
OR if you want the cover and pages value as an string of array notation
INSERT INTO `writings`(`cover`, `pages`) VALUES("['test']", "[10]");
First two queries are incorrect as mentioned above.
Third query is absolutely correct and must work. If it doesn't, try using INSERT ... SET syntax:
INSERT INTO `writings` SET cover = 'test', pages = 10;
INSERT INTO writings(cover, pages) VALUES('test', 10);
This is worked for inserting data in mysql. Basic syntax problem in your query, nothing else. Make sure table name and field name is proper match with database & values are of same datatype you mention while created table.
Please try like this :
Sql Query:
INSERT INTO writings (cover, pages) VALUES ('test', 10);
I Have problem when using INSERT INTO SELECT function on mysql database, error is like this
the right syntax to use near 'INSERT INTO tmpProgkeg SELECT A.Tahun, 1, A.Kd_Urusan, A.Kd_Bidang, A.Kd_Un' at line 4
this Is Mysql Query
https://www.db-fiddle.com/f/tfVhWXC25EAQKHdpHv6VLU/0
i need help, thanks before...
Note that before your INSERT statement, you have a CREATE TEMPORARY TABLE statement:
CREATE TEMPORARY TABLE tmpProgkeg (
...
)
INSERT INTO tmpProgkeg SELECT ...
But you don't terminate the CREATE TEMPORARY TABLE statement with the required semicolon (;) character.
Each SQL statement must be terminated. For example:
CREATE TEMPORARY TABLE tmpProgkeg (
...
);
INSERT INTO tmpProgkeg SELECT ...
The requirement to terminate statements is similar to some other programming languages, for example C++, Java, or PHP.
Tip: When MySQL reports syntax errors, it shows you some portion of an SQL statement. It's telling you "I didn't expect the following code at the position you used it." It got confused because it was expecting some other code, the end of code, and it's showing you what it saw instead, following the point where it got confused.
So when you see
the right syntax to use near 'INSERT INTO ...
You know that you should look at your code right before that point, to see what you forgot.
Strange situation with my ODBC code ( called from a C library ). Basically, I have the following sequence of events:
Create insert statement ( just a string )
Call SQLPrepare with that insert statement string
Bind the various parameters ( column values ), using
SQLBindParameter
Call SQLExecute to insert the row ( this works, by the way, as I can
see the row in the MySQL DB )
Create "select last_insert_id()" statement string
NOTE: if in SQL Server mode, we would create a "select ##identity"
statement
Bind column using SQLBindCol - this is where I get the "Invalid
descriptor index" error
NOTE: if in SQL Server mode, this works fine, with no error
Call SQLExecDirect to get the last insert id - this never happens
because of SQLBindCol error
Does the standard MySQL ODBC connector require something special in this situation? Does anyone have an ODBC example of this type of "insert" then "get last insert id" behavior? Maybe I need to call "SQLPrepare" before step 6 ( where I bind the column )? Another way to ask this: Should there be an SQLPrepare call for each SQLExecute or SQLExecDirect call?
I know it works directly in SQL, so the problem is my C ODBC code.
Thanks.
For those who are interested, I ended up changing the above steps by adding an SQLPrepare call between creating the "select last_insert_id()" ( step 5 ) and calling SQLBindCol ( step 6 ). Not sure if that would work for others, but it seems to be working rather well for me.
As for research, I looked all over the place online and never found a really good or clear answer. Most comments were about the SQL involved, not ODBC. And the references to ODBC were vague and did not seem to apply to my situation, from what I could see.
My assumption is that the SqlServer ODBC driver I am using handles the missing prepare statement differently ( maybe even better, but that is debatable ) than my MySql ODBC driver.
SQL Server ODBC driver was the one provided by Easysoft
MySql ODBC driver was the one provided with the standard CentOS install of MySql
Hopefully this will help people. Obviously, if people have a better idea, please tell us.
I want to extract a text field from a database and insert it into some other database. So while extracting I used the REPLACE(message_text,'\'', '"') while selecting the test. I gave me an error. I changed that from my select statement and did it while initiating the global variable.
etl.globals['message_text'] = message_text;
still I'm getting an error at the insert statement
insert into lcs_al_user_likes(user_id,liked_user_id,post_content,loop_id) values('${etl.globals['posted_by']}','${etl.globals['liked_user_id']}','${etl.globals['message_text']}',?batchLoopCounter);
saying
*You have an error in your SQL syntaxcheck the manual that corresponds to your MySQL server version for the right syntax to use near 'message_text']}')' at line 1*
I think it is not getting the global variable. That I say because when i print its value using log it just gives me
${etl.globals['message_text']}
as output. So please help me out here.
<query connection-id="lcsDBConnection">
SELECT forum_topic_post_id AS forum_topic_post_id, posted_by AS posted_by,message_text as message_text FROM lcs_tbl_forum_topic_post WHERE like_count>0 LIMIT ?batchSize OFFSET ?queryCounter ;
<script connection-id="jexl">
etl.globals['forum_topic_post_id'] = forum_topic_post_id;
etl.globals['posted_by'] = posted_by;
etl.globals['message_text'] = message_text.replace('\'', '"');
</script>
It looks like the problem is in INSERT statement, you should use prepared statement
parameters escaping:
INSERT INTO lcs_al_user_likes(user_id,liked_user_id,post_content,loop_id) values(?{etl.globals['posted_by']},?{etl.globals['liked_user_id']},?{etl.globals['message_text']},?batchLoopCounter);
BTW As I understand, your original problem was quotes breaking the insert statement, so in this case with ?{parameter} syntax you don't need to use replace(...) function at all.