I have the below perl extract:
$query = "INSERT INTO test (`MACADDR`)
VALUES ($MACADDR)";
print $query,"\n";
$db->do($query);
I got the below error when trying to insert to mysql and my mac address is 000E38F4E9CC:
DBD::mysql::db do failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0E38F4E9CC)' at line 2 at insertmac.pl line 156.
Is perl mysql dbi able to insert mac address?
My other records is able to be inserted correctly except mac addresses.
Any idea?
Thanks.
As your passing in a string as a value you need to quote it
$query = "INSERT INTO test (`MACADDR`)
VALUES ('$MACADDR')";
Alternatively you can prepare it and use parameters
$query = "INSERT INTO test (`MACADDR`)
VALUES (?)";
my $q = $db->prepare($query);
$q->execute($MACADDR);
which is a better idea as you can reuse it for speed and it also avoid SQL injection attacks
Related
I created a form to collect user data, including address and write them in a Mysql DB.
In the user table, Street is a Varchar (255).
Everything works fine, unless in the name street there's an apostrophe, in this case I have
the following SQL warning:
For example, if in the Street name I put "Francesco D'assisi 24"
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'assisi 24',
Any idea how to avoid it?
Pass the variables via a stored procedure parameters.
Need to escape data: use function mysql_real_escape_string (or analogs in other libraries), or using PDO and parameters.
For example:
$data = <<<TXT
Francesco D'assisi 24
TXT;
$data = mysql_real_escape_string($data);
mysql_query("INSET INTO table VALUES ('$data')") or die mysql_error();
I am attempting to connect to my SQL SERVER 2008 database using Ubuntu Linux and ODBTP to run a prepared statement and insert a new row into the database.
The query looks like the following
$Q = "INSERT INTO Table
([DocumentGuid]
,[ProjectId]
,[CreatedByContactId]
,[IdNumber]
,[Type])
VALUES
(:DocumentGuid
,:ProjectId
,:CreatedByContactId
,:IdNumber
,:Type )";
$statement = odbtp_prepare($Q , $database_connection);
// Attach the values to the procedure.
odbtp_attach_param($statement,":DocumentGuid",$DocumentGuid,ODB_CHAR);
odbtp_attach_param($statement,":ProjectId","33",ODB_INT);
odbtp_attach_param($statement,":CreatedByContactId","5",ODB_INT);
odbtp_attach_param($statement,":IdNumber","ID",ODB_CHAR);
odbtp_attach_param($statement,":Type","ABC",ODB_CHAR);
odbtp_execute($statement);
But I am getting the following error message in the log
"PHP Warning: [ODBTPERR][0]Not prepared procedure in (filename) on line 14"... Line 14 being the first odbtp_attach_param() line.
I have only ever made prepared statements using PDO and I am probably doing something wrong.
does anyone have an example prepared statement created using ODBTP they could show me?
I'm trying to write sql to insert a SQL code into one of the table's columns.
The table has these three columns: email, verification code, sql.
I try this code, and variations of it, playing around with the quotes and backslashing/escaping them, etc... but something's still wrong:
INSERT INTO pre_registration(email, verification_code, sql) VALUES('myemail#gmail.com', '8efb100a295c0c690931222ff4467bb8', '"INSERT INTO customer(title) VALUES(\'Mr.\')"')
It tells me there's an error in the SQL syntax:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sql) VALUES('myemail#gmail.com', '89f0fd5c927d466d6ec9a21b9ac34ffa', "INSER' at line 1
How to do it? I'm using PHP/MySQL.
MySQL considers sql as a keyword. You have to quote it:
INSERT INTO pre_registration(email, verification_code, `sql`) VALUES('myemail#gmail.com', '8efb100a295c0c690931222ff4467bb8', '"INSERT INTO customer(title) VALUES(\'Mr.\')"')
By the way double the quotes to escape them instead of using bakslashes. This is more SQL friendly.
INSERT INTO pre_registration(email, verification_code, `sql`) VALUES('myemail#gmail.com', '8efb100a295c0c690931222ff4467bb8', '"INSERT INTO customer(title) VALUES(''Mr.'')"')
Some insight into the exact SQL error would help. At first glance I'd say you need to apply spaces between the table name and the open parentheses and between values and the open parentheses.
Also, the Single quotes around the double quotes for the SQL portion may be creating an error though I am not certain. Whatever is between the single quotes is interpreted literally which should make the escape characters actually be slashes inside the stored data.
Also, sql is a reserved word that must be quoted for use.
Finally, depending on your situation there may be a more secure method of data entry using prepare and bound parameters:
try
{
$conn = new PDO ( "sqlsrv:server = $serverstringname; Database = $logindatabase", "$loginusername", "$loginpassword");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch ( PDOException $e )
{
print( "Error connecting to SQL Server." );
die(print_r($e));
}
$email = 'myemail#gmail.com' //or some other way of setting the variable like $_POST
$verification_code = '#####' //or $_Post method
$sql = 'Put Query Here' //probably have to declare this explicitly
$sql_insert = "INSERT INTO pre_registration_info (email, verification_code, 'sql') VALUES (?,?,?)";
$stmt = $conn->prepare($sql_insert);
$stmt->bindValue(1, $email);
$stmt->bindValue(2, $verification_code);
$stmt->bindValue(3, $sql);
$stmt->execute();
I'm trying to insert some binary data into database using 'mysql' gem in ruby. But as the binary data contains many single and double quotes, the following code fails. Please help me to fix it.
m = mysql.prepare("insert into data (binary) values ('#{binary_data}') ")
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.......' at line 1 (Mysql::Error)
binary is reserved word in mysql so wrap it with apostrophe like
insert into data (`binary`) ......
You're using prepared statements wrong. What about this?
stmnt = mysql.prepare("insert into data (`binary`) values (?)")
stmnt.execute binary
I'm new to Perl and was attempting to write a script on a RHEL box that will auto-configure a vanilla DB for new sites we create on our host. I already have the connect statement working and I'm able to connect and create a DB from the script (Used $dbh->do( qq(CREATE DATABASE $dbcreate) ); Is this the best way???), but I have a couple that I haven't been able to figure out how to make them work.
These are the mysql commands which I'm having issues with. Any suggestions? Thanks!
$dbh = DBI->connect("DBI:mysql:$db:$host", $user, $pass);
$dbh->do( qq(CREATE DATABASE $dbcreate) );
$dbh->do(qq(GRANT SELECT , INSERT , UPDATE , DELETE , CREATE , DROP , INDEX , ALTER , CREATE TEMPORARY TABLES , CREATE VIEW , SHOW VIEW , CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON `$dbcreate` . * TO 'moodle'#'%'`) );
$dbh->do( qq(FLUSH PRIVILEGES) );
$dbh->do( qq($dbcreate < MySQL_pristine.sql) );
$dbh->do( qq(USE $dbcreate) );
$dbh->do( qq(UPDATE md1_label SET content = REPLACE( content, "pristine", "$dbcreate")) );
$dbh->do( qq(UPDATE md1_label SET contents = REPLACE( contents, "pristine", "$dbcreate")) );
$dbh->do( qq(UPDATE md1_label SET questiontext = REPLACE( questiontext, "pristine", "$dbcreate")) );
DBD::mysql::db do failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'GRANT SELECT , INSERT , UPDATE , DELETE , CREATE , DROP , INDEX ,�' at line 1 at create-auto-db.pl line 52.
DBD::mysql::db do failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'test3 < MySQL_pristine.sql' at line 1 at create-auto-db.pl line 54.
DBD::mysql::db do failed: Table 'test3.md1_label' doesn't exist at create-auto-db.pl line 56.
DBD::mysql::db do failed: Table 'test3.md1_label' doesn't exist at create-auto-db.pl line 57.
DBD::mysql::db do failed: Table 'test3.md1_label' doesn't exist at create-auto-db.pl line 58.
The main issue you've encountered is interpolation of strings with containing an at-sign. If you have something like qq{Here is my email: test#hotmail.com} - this fails because it tries to put a list variable #hotmail, which doesn't exist. Either use a backslash to escape it (i.e., qq{Here is my email: test\#hotmail.com}), or if you don't need to interpolate any variables, use the non-interpolating quote q{...}.
Having said that, you need to be a little careful with some of these statements. You're putting variable values into these SQL statements, and that is a risk for SQL injection attacks. I'd use $dbh->quote($dbcreate) to get a string version, and $dbh->quote_identifier($dbcreate) to get an identifier version of the value of $dbcreate, and embed those values in. This is much safer, as it will avoid somebody doing a Bobby Tables on you and giving you a database name like: db'; DROP TABLE mysql.user; '; or similar. DBI provides both string and identifier quoting, so you can get the right kinds of quoting as needed. For example:
my $quoted_id_dbcreate = $dbh->quote_identifier($dbcreate);
$dbh->do( qq(USE $quoted_id_dbcreate) );
Placeholders are usually better, but some of these admin statements probably won't support them, so using proper quoting to inject the values is likely to be necessary.
Two things stand out to me.
$dbh->do(qq(GRANT SELECT , INSERT , (snip), EXECUTE ON '$dbcreate' . * TO 'moodle'#'%'`) );
...you've got a trailing backtick that you probably don't intend.
$dbcreate < MySQL_pristine.sql
...isn't quite what you want. I think you're trying to do is to read that file in Perl, and iterate over each contained SQL statement, calling "$dbh->do()" against it. If you're very lucky, you have one line per statement in that .sql file.