This precise code was working before on my old machine, but I'm getting this error spat back at me (on Mac OSX 10.7).
The C code is:
printf("%s\n",query);
if (mysql_query(conn,query)){
fprintf(stderr, "%s\n", mysql_error(conn));
}
The output is:
INSERT INTO comment (unum,cat_subject,cat_major,cat_minor,unmod)
VALUES (1,1,1,0,'The cat was lazy.')
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near ','The cat was lazy.')' at line 1
The original printf statements creates two lines of text, but I've wrapped them for readability.
It all looks fine to me! The following works in PHP for the same table (with the correct bindParam statements):
$STH=$DBH->prepare("INSERT INTO comment (unum,cat_subject,cat_major,cat_minor,unmod) VALUES (:u,:s,:ma,:mi,:t)");
What's wrong?
(BTW: I tried it with " instead of ' but that made no difference.)
(Upgrading to an answer)
It appears that you may have non-printable characters in query, probably after the 0 character. Try hexdumping the string's bytes to see if anything is suspicious:
char* c;
for (c=query; *c; c++) printf("%02x",*c);
Should you be concatenating into your SQL the unknown contents of variables, I'd strongly recommend using MySQL's prepared statement API to pass your variables to MySQL as parameters in order to avoid SQL injection; this will also perform basic type-conversion of such parameters to the destination column types - if you need more control over the cleansing of your variables, you will need to perform such in your application prior to passing the parameters to MySQL.
Related
I am new to MySQL and I am building a Flask project and using mysql.connector to query a MySQL Database. I know this question has been answered many times before but this is more specific to using MySQL with Flask.
I need to pass a query where I want to plug in the table name into the query, dynamically, depending on the value stored in the session variable in Flask. But the problem is, if I try to do:
Method 1:
cur.execute('SELECT * FROM %s;',(session['table_name'],))
the database throws an error stating that such a table is not found. However, the problem is mysql.connector keeps enclosing the table name with single quotes, hence the error.
Sample Error Statement:
mysql.connector.errors.ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''52_data'' at line 1
Here the table name should be 52_data and not '52_data'.
Only other workaround, I figured, is using:
Method 2:
cur.execute('SELECT * FROM '+session['table_name']+';')
which is working but it does not escape SQL Injection, I am guessing, since it's direct concatenation, unlike Method 1, where the cur.execute() function handles the escaping, as per this question.
The value being passed is stored in a sessions variable in Flask, which is not so secure, as per Miguel's Video. Hence, I want to escape that string, without triggering off an error.
Is it possible to implement Method 1 in a way that it does not add the quotes, or maybe escape the string using some function? Or maybe any other Python/Flask package that can handle this problem better?
Or if nothing works, is checking for SQL Injection manually using regex is a wiser option?
Thanks in advance.
Note: The package name for this mysql.connector is mysql-connector-python and not any other same sounding package.
For identifiers, you can use something like:
table_name = conn.converter.escape(session['table_name'])
cur.execute('SELECT * FROM `{}`'.format(table_name))
For values placeholders, you can use your Method 1, by using the parameters in the cur.execute() method. They will be escaped and quoted.
More details in https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html
NOTE: You don't need to end the SQL statements with ;
I'm working with JMeter to load test queries on a mySQL database (memsql server, mySQL syntax). I'm using a gui version of JMeter to create a test plan xml file and then go to another server and run that xml in non-gui mode.
I have two queries running, one that selects and one that inserts. Both queries use parameters taken from a csv file I made with a script.
My SELECT statement works just fine with parameters taken from a csv file but I run into syntax errors with my INSERT statement:
INSERT INTO customer_transactions_current (`column_name1`, ... , `column_name12`)
VALUES ((${r1},${r2},${r3},${r4},${r5},${r6},${r7},${r8},${r9},${r10},${r11},${r12}));
In the section of the query in the gui mode under 'CSV Data Set Config' I choose to delimit the data by ',' and the variable names are r1,..,r12.
Under the query itself I entered the parameter types and again the same names, just as I did for the working SELECT query.
When I run the query I run into a syntax error on the first column (which is of type datetime):
java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '19:00:00,75400492,936988,56,1115,5,2156,8,2,3,909,3))' at line 2
The dates I'm entering are of the form: '2018-11-2 20:00:00' and in the csv file they are present without apostrophes.
It seems that the syntax error has something to do with the date and in the position where it holds a space. I tried entering the STR_TO_DATE function for that column but kept getting syntax errors.
BUT when I try to take some values from the file and manually run the query it works fine! So my thoughts are that it has something to do JMeter's conversion of spaces before sending out the query.
Is the problem with my configurations of JMeter? Since the query is OK manually.
Add apostrophes to insert and remove unnecessary parenthesis
INSERT INTO customer_transactions_current ('column_name1', ... , 'column_name12')
VALUES ('${r1}','${r2}','${r3}','${r4}','${r5}','${r6}','${r7}','${r8}','${r9}','${r10}','${r11}','${r12}');
If you have date issue see using STR_TO_DATE
Trying to relocate a Wordpress DB and are running in to this issue all the time.
Been trying all the normal stuff to get it working optimizing, repairing etc and also try to import it with several tools (Sequel pro etc ) and over ssh.
Have the issue occurring over several tables and can see that other's have had the same. Because i can't import any copy i would need some expertise advice how to solve this either in phpmyadmin or ssh.
Error message is
#mysql -u -p db < /tmp/file.sql
> ERROR 1064 (42000) at line 109088: You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version
> for the right syntax to use near '<!
> <div class="error"><h1>Error</h1> <p><strong>SQL query:</strong> <a href=' at line 1
Don't really know how to approach it because i find this all over the DB
like
<image:caption><![CDATA
Any advice?
Since "all the normal stuff" isn't working...
I'm going to take a guess, you are a running something to "copy" the contents of a database table, or you're doing some sort of "dump" or "export" that creates SQL statements.
And the SQL statements that are running against the target are throwing an error.
We can't tell (from where we're sitting and what we're seeing) what it is you are actually doing, we're just guessing.
The two most likely possibilities:
Whatever tool you are using isn't expecting that the column values being copied might contain values that need to be "escaped" if that value is incorporated in the text of a SQL statement. For example, suppose I have a column value like this:
I'd like a pony
and If I grab that value and I naively stick that into the text of a SQL statement, without regard for any characters it might contain, e.g.
INSERT INTO foo (bar) VALUES ('I'd like a pony');
If I try to execute that statement, MySQL is going to throw a syntax error. MySQL is going to see a string literal with a value of 'I' (the single quote that is part of the string is now being seen as the end of the string literal. MySQL is going to flag a syntax error on what follows d like a pony.
When we take a value and build a SQL statement from it, we have to properly escape the values. In this example, the insert statement to reproduce that string value could look like this:
INSERT INTO foo (bar) VALUES ('I''d like a pony');
^^
If this is what's happening, you can be thankful that the column values didn't include something more nefarious...
Robert'); DROP TABLE students; --
But without seeing the actual SQL statement that is being executed, this is just a guess at what is causing the issue.
Is there some kind of guide or some instructions that you are following to "relocate a Wordpress DB" which documents "all the normal stuff" that you are doing?
FOLLOWUP
Question was edited to add this information:
mysql -u -p db < /tmp/file.sql
What's important here is the contents of file.sql.
The problem is most likely in the part of "all the normal stuff" is producing that file. That part is effectively broken because it's not expecting that an extracted column value can contain a single quote character, and is not properly escaping the value before it's incorporated into the text of a SQL INSERT statement.
In mysql, I'm trying to create a function that will return the result of a bash command. I've created a simplified version of what I'm trying to do to make it easier to understand.
I have a file called mycmd.sh, and inside it, I have this line:
echo $1 'test'
When in mysql, I execute the sh file it is working fine
system ~/mycmd.sh 'test'
But I would like to be able to call it while doing a select in mysql, something like this
select myFunc(username) from user;
The result will be that, every username will have a "test" after it.
The problem is when I try to create the mysql function
CREATE FUNCTION myFunc(s VARCHAR(500)) RETURNS VARCHAR(505)
RETURN SYSTEM ~/mycmd.sh s;
I always get the error: ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '~/mycmd.sh s' at line 2
I tried putting it in quote, or in a variable, or in a prepared statement, but nothing seem to work...
Anyone have an idea how to do so?
Thank you
Unfortunately what you are trying to do isn't possible without using a UDF (User Defined Plugin). The system command you're using is part of the MySQL shell, not an actual MySQL function, which is why it doesn't work in the function you're trying to define.
The only other option I can think of is to write a procedure that imitated whatever your external command was going to do.
I am using a portal system on my website and modified the ASP code heavily.
Since the website is growing, I want to migrate from MS Acces to MySQL.
Now, I think the portal I'm using (and some code I inputted) aren't MySQL compatable, because when I switch to the MySQL database, I get the following error.
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 5.1 Driver][mysqld-5.1.55-community]You have an error in
your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '[EzModuleID],
[ModName] From EzCore_Plugin Where IsModActive='1'' at line 1
[website]\WWWROOT\BOXX\INCLUDES../../includes/include.asp, line 3736
The SQL string regarding this line is the following:
Select [EzModuleID], [ModName] From EzCore_Plugin Where [IsModActive] = 1;
Im new to MySQL and I can't find why this is giving an error.
I've tried the quote's around 1, removing [], removing the space..
I think that when I figure out why this is causing an error, I can continue modifying the rest to make the website work on mysql.
Lose the square brackets
(I might as well post this as the answer rather than a comment)
In MySQL column and table names can be escaped with the backtick character ` or if the ANSI SQL mode is enabled with double quotes ".
Your WHERE clause (according to the error message) is Where IsModActive='1'. This works if IsModActive is a text column. If it is numeric, drop the single quotes. If IsModActive is a Boolean, change the clause to Where IsModActive IS true.
See: is operator