According to this tutorial: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
The code below demonstrates SQL injection:
<?php
// a good user's name
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";
// user input that uses SQL Injection
$name_bad = "' OR 1'";
// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
// display what the new query will look like, with injection
echo "Injection: " . $query_bad;
On the front end, it shows:
Injection: SELECT * FROM customers WHERE username = '' OR 1''
So I did a test: in phpMyAdmin -> SQL, I ran the code below:
SELECT * FROM users WHERE fname = '' OR 1''
And it shows:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' LIMIT 0, 30' at line 1
Question:
I supposed it would show every single entry in the "users" table, but it doesn't. Why? If I want to demonstrate SQL injection, how do I do it?
A more typical SQL injection would be:
$name_bad = "' OR 1=1 -- ";
This would lead to the following SQL:
SELECT * FROM customers WHERE username = '' OR 1=1 -- '
SELECT * FROM users WHERE fname = '' OR 1 = 1
is likely what they meant.
Edit: just looked.
SELECT * FROM users WHERE fname = '' OR 1
1 evaluates to true, so just remove the '' after it.
Also, that link is way out of date; look at mysqli or PDO instead.
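As an added example (not from the question, the answers, or the tutorial they cite), the question's query builder run against an in-memory SQLite database, assumed here as a stand-in for MySQL since both treat single quotes and `--` comments the same way in this case: the unbalanced `' OR 1'` input is a syntax error, `' OR 1=1 -- ` returns every row, and the parameterised form (the same idea as mysqli/PDO prepared statements) returns nothing for either.

```python
import sqlite3

# Constructed sample rows standing in for the tutorial's "customers" table.
SAMPLE_USERS = [("timmy",), ("alice",), ("bob",)]


def make_db():
    """In-memory SQLite database (assumed stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", SAMPLE_USERS)
    return conn


def build_unsafe_query(name):
    """The tutorial's query builder: user input spliced straight into SQL."""
    return f"SELECT * FROM customers WHERE username = '{name}'"


def run_unsafe(conn, name):
    """Returns the row count, or 'syntax error: ...' when the spliced SQL
    does not parse (the question's '' OR 1'' case: an unmatched quote)."""
    try:
        return len(conn.execute(build_unsafe_query(name)).fetchall())
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


def run_safe(conn, name):
    """Parameterised form: the value travels separately from the statement,
    so the input is always compared as data and never alters the SQL."""
    cur = conn.execute("SELECT * FROM customers WHERE username = ?", (name,))
    return len(cur.fetchall())


if __name__ == "__main__":
    db = make_db()
    for name in ["timmy", "' OR 1'", "' OR 1=1 -- "]:
        print(repr(name), "unsafe:", run_unsafe(db, name), "safe:", run_safe(db, name))
```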
Related
I have a pretty long SELECT query I have attempted to save to a variable (queryString) in my app.js file. It's throwing a SQL syntax error and I'm just not getting it. It appears I am not escaping my double quote on the string "February" because the error message shows a transient single quote at the end like "February"'. How am I getting that additional single quote at the end? Or is that really what's causing the error?
Also, is there a more appropriate method for passing a query like this? Like, can you store it in an .sql file and import that into the app.js file?
I know the query works because I can run it from the terminal with expected results.
This is the original query:
SELECT CASE WHEN m.item_trx_qty > 0 THEN m.item_trx_qty * (s.old_cost - m.liuom_unit_price_amt) ELSE 0 END as `Savings`,
s.coid as `COID`,
s.fee_id as `Fee ID`,
s.sw_idea_num as `SW Idea Num`,
s.description as `Item Description`
FROM
monthly_usage m, smart_items s
WHERE
m.coid = s.coid
AND m.fin = s.fin
AND m.u_year = 2019
AND m.u_month = "February"
GROUP BY s.sw_idea_num
ORDER BY s.sw_idea_num
;
This is the snippet from my app.js file:
// For savings data from the saving query
const queryString = "SELECT CASE WHEN m.item_trx_qty > 0 THEN m.item_trx_qty * (s.old_cost - m.liuom_unit_price_amt) ELSE 0 END as `Savings`, " +
"s.coid as `COID`, s.fee_id as `Fee ID`, s.sw_idea_num as `SW Idea Num`, s.description as `Item Description`" +
"FROM monthly_usage m, smart_items s" +
"WHERE m.coid = s.coid " +
"AND m.fin = s.fin " +
"AND m.u_year = 2019 " +
"AND m.u_month = \"February\"" +
"GROUP BY s.sw_idea_num " +
"ORDER BY s.sw_idea_num;"
const savings = connection.query(queryString, (err, rows, fields) => {
console.log('Fetched savings successfully!')
})
Here is the error I am getting:
Failed to query for savings Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm.coid = s.coid AND m.fin = s.fin AND m.u_year
= 2019 AND m.u_month = "February"' at line 1
I have a problem with the following query. It keeps giving me an error 1064 and I don't know what I'm doing wrong.
/*storing in the database */
$query = 'INSERT INTO #__comprofiler SET(`cb_googlex`, `cb_googley`) WHERE `user_id`= \''. $userComplete->id . '\'
VALUES ( \''.$mapCor['latitude'].'\', \''.$mapCor['longitude'].'\')';
$_CB_database->setQuery($query);
$_CB_database->loadResult();
You are trying to do an update; here is the correct syntax:
$query = 'UPDATE #__comprofiler
SET `cb_googlex` = \''.$mapCor['latitude'].'\',
`cb_googley` = \''.$mapCor['longitude'].'\'
WHERE `user_id`= \''. $userComplete->id . '\';';
Using a try-catch block, I catch an error in the following code:
ResultSet rs = stmt.executeQuery("select * from 'user_tbl' where user_id = '"+user+"' ");
The error details are as follows:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''user_tbl' where user_id = '12345678'' at line 1
Is there anything wrong with my syntax here? I'm using Netbeans as my IDE.
Single quotes are not required; try this:
ResultSet rs = stmt.executeQuery("select * from user_tbl where user_id = " + user);
If user_id is non-integer, then enclose the user variable in single quotes.
You shouldn't have user_tbl inside ' marks; try removing them so it reads:
ResultSet rs = stmt.executeQuery(
"select * from user_tbl where user_id = '"+user+"' ");
$updateStock = "UPDATE opening SET qtyUsed = 1000 WHERE openingId = 1 ; UPDATE purchase SET qtyUsed = qtyUsed + 25 WHERE purchaseId = 1";
$updateAllStock = mysql_query($updateStock);
This gives the error:
Data Not Inserted You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE purchase SET qtyUsed = qtyUsed + ' at line 3
mysql_query can only execute one query at a time. You need to execute mysql_query twice.
Instead of the mysql extension, use mysqli. With mysqli you can execute multiple queries: http://www.php.net/manual/fr/mysqli.multi-query.php
You can use mysqli_query()
It allows multiple statements. Be careful.
You are sending two queries, so you have to query the database twice. There is support for multiple queries in mysqli, but I strongly advise against using this feature, because you raise the probability of SQL injection attacks.
$updateStock = "UPDATE opening SET qtyUsed = 1000 WHERE openingId = 1";
$updatePurchase = "UPDATE purchase SET qtyUsed = qtyUsed + 25 WHERE purchaseId = 1";
$updateAllStock = mysql_query($updateStock);
$updateAllPurchase = mysql_query($updatePurchase);
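As an added example (not from the question or the answers), the same one-statement-per-call rule shown with Python's sqlite3 module, assumed here as a stand-in for mysql_query(): the stacked string from the question is refused before anything runs, while two separate parameterised statements inside one transaction do the job and still succeed or fail together.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'opening' and 'purchase' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE opening (openingId INTEGER, qtyUsed INTEGER)")
    conn.execute("CREATE TABLE purchase (purchaseId INTEGER, qtyUsed INTEGER)")
    conn.execute("INSERT INTO opening VALUES (1, 0)")
    conn.execute("INSERT INTO purchase VALUES (1, 100)")
    return conn


# The question's two UPDATEs joined with ';' into a single string.
STACKED = ("UPDATE opening SET qtyUsed = 1000 WHERE openingId = 1 ; "
           "UPDATE purchase SET qtyUsed = qtyUsed + 25 WHERE purchaseId = 1")


def run_stacked(conn):
    """Single-statement API: the stacked string is rejected outright, and
    neither UPDATE is applied (older Pythons raise sqlite3.Warning here)."""
    try:
        conn.execute(STACKED)
        return "accepted"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"


def run_split(conn, opening_qty, purchase_delta):
    """Two separate statements with bound values, committed as one unit."""
    with conn:
        conn.execute("UPDATE opening SET qtyUsed = ? WHERE openingId = 1",
                     (opening_qty,))
        conn.execute("UPDATE purchase SET qtyUsed = qtyUsed + ? WHERE purchaseId = 1",
                     (purchase_delta,))
    return read_qty(conn)


def read_qty(conn):
    """Current (opening.qtyUsed, purchase.qtyUsed) for the two rows."""
    o = conn.execute("SELECT qtyUsed FROM opening WHERE openingId = 1").fetchone()[0]
    p = conn.execute("SELECT qtyUsed FROM purchase WHERE purchaseId = 1").fetchone()[0]
    return (o, p)


if __name__ == "__main__":
    db = make_db()
    print("stacked:", run_stacked(db), read_qty(db))
    print("split:", run_split(db, 1000, 25))
```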
Here is the query:
$query_order = "select * from orders where key = '$pay_key'";
Error shown:
SELECT
*
FROM `orders`
where `key` = 'C90320'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key = 'C90320'' at line 1
key is a reserved word. Change your query to:
$query_order = "select * from orders where `key` = '$pay_key'";
Also, I would recommend escaping $pay_key's value, something like:
// $conn is the mysqli connection; escape once, then use the escaped value
$pay_key_safe = mysqli_real_escape_string($conn, $pay_key);
$query_order = "select * from orders
where `key` = '" . $pay_key_safe . "'";
Try this. First of all, you need to compare it using a string, so the code should look like this:
$query_order = "select * from orders where `key` = '".$pay_key."'";