escaping special character in mysql statements while using UPDATE - mysql

I am trying to update a field using
UPDATE table set field='some_variable' where id=1;
The problem here is that some_variable contains data with multiple special characters in it. So I am not able to use 'some_variable' or "some_variable", as it breaks and fails when it encounters the first such character (' or "). How can I overcome this?
Thanks.
Mike

There are two solutions, the first is to use mysql_real_escape_string() the second is to use prepared statements. You have not mentioned what your programming language is but it's sure to support either prepared statements or real escape.
In addition to real escape, if your field is a char or varchar you should modify your query as follows:
UPDATE table set field='some_variable' where id=1;

Generally, you just need to escape the reserved characters -- see the MySQL docs for a specific reference. If you are directly executing the query (i.e. in the mysql shell), you'll have to escape manually. Most languages will supply a function to escape for you -- in PHP, for example, it's mysql_real_escape_string().

Related

MySQL - Difference In Using The "`" Character Or Not in a Stored Function/Procedure Parameter List

Below are two stored procedures for MySQL community server version 8.0.11. I have seen some stored procedures written the first way, using the back-quote (`) character in the parameter list and query statement. However, I have also seen queries written like the second one, where there are no back-quote characters.
Which way is the best practice to follow? Are there any security differences? If one uses the back-quote character in stored procedures, are they more vulnerable to SQL injection attacks?
CREATE PROCEDURE `procedure`(IN `in_data` VARCHAR(100))
BEGIN
SELECT COUNT(*) FROM `table_name` WHERE `data` = `in_data`;
END
Or:
CREATE PROCEDURE `procedure`(IN in_data VARCHAR(100))
BEGIN
SELECT COUNT(*) FROM table_name WHERE data = in_data;
END
I hope I made this clear enough, thank you for your time.
As long as your procedure is not doing dynamic SQL with PREPARE and EXECUTE, the queries are fixed and they cannot be vulnerable to SQL injection.
The back-ticks are meant to delimit identifiers (table names, column names, procedure names, etc.) to allow you to use an identifier that wouldn't be legal because they contain punctuation or white space or international characters or conflict with SQL reserved words.
For examples, see my answer to this question: Do different databases use different name quote?

Using reserved words in queries that can run on different database servers

I have used backticks (`) in some SELECT queries to escape fields such as 'first-name'. This will work on MySQL. These queries are run through a DBO class in a PHP application and I would like the application to be able to use other database servers, such as MSSQL and Postgres.
What is the best approach for allowing problematic field names to be used across all of these database servers? I was thinking of taking the fields as an array and quoting them with the escaping character that is appropriate to each.
[EDIT]
To clarify: I am building a tool that will be used to map configurations stored within the php application to the fields of an external database. I wanted to escape these as a precaution because I have no idea what field names will actually be mapped to and used within the queries.
The solution is very simple: do not use reserved words as identifiers. It makes the code more difficult to read anyway.
If you really need to use such words (as in "there is some obscure reason beyond your control"), you can just prefix all your identifiers by an arbitrary character, such as _ for example.
The cross-DBMS mechanism (as defined in SQL-92 and other standards) is using double-quoted delimited identifiers. According to this reference it's widely supported.
It's worth noting that MySQL allows you to enable/disable this syntax, so you still need to ensure that session settings are correct before issuing any query.
MySQL uses backticks (`) by default, but can be configured to support proper ANSI quoting.
IMO: If you're connecting to MySQL, set it to ANSI mode, and while you're at it enable every STRICT option it has. It becomes much easier to write code that's portable against it then.
Of course, the best option has to be not using reserved words, but the list of reserved words can change over time so rigorous quoting isn't such a bad idea.
The proper way of escaping is not to use field names that need escaping.
If you still have to use escaping - use ". It is the standard one (defined by ANSI SQL).
Postgres and Oracle understand " escaping. But I do not know about MSSQL and MySQL.

What is the difference between the backtick and the square bracket in SQL statements?

I thought there would be another question about this but I was unable to find one. In MySQL with PHP I usually encapsulate my field names with backticks to mask any reserved names or characters. However, one of my colleagues has pointed out that this can also be achieved using square brackets. Excluding the fact that the backticks are not compatible with SQL server (apparently), what is the difference? Which should I use?
SELECT `username` FROM `users`
SELECT [username] FROM [users]
SQL Server/T-SQL uses square brackets (as well as MS Access), while MySQL uses backticks.
As far as I know, can turn up in the documentation, or can establish in testing, square brackets are not valid for MySQL. So if you need to enclose a keyword as a table name in SQL Server, use [], and in MySQL use backticks, or double quotes when ANSI_QUOTES is enabled.
From the documentation:
The identifier quote character is the backtick (“`”):
mysql> SELECT * FROM `select` WHERE `select`.id > 100;
If the ANSI_QUOTES SQL mode is enabled, it is also permissible to quote identifiers within double quotation marks:
mysql> CREATE TABLE "test" (col INT);
ERROR 1064: You have an error in your SQL syntax...
mysql> SET sql_mode='ANSI_QUOTES';
mysql> CREATE TABLE "test" (col INT);
Query OK, 0 rows affected (0.00 sec)
Both are non-standard ways to quote object names that should either be case-sensitive, are a reserved word or contain special characters that are not allowed otherwise.
The standard quoting character for such an identifier is a double quote. To be ANSI SQL compatible, you should use them:
SELECT "username" FROM "users"
But note that quoted identifiers are case-sensitive as per ANSI SQL. However, both mentioned products do not obey this requirement. Whether such an identifier is case-sensitive or not depends on several (different) configuration settings in MySQL and on the database collation in MS SQL Server.
Both DBMS can (and in my opinion should) be configured to accept the ANSI standard quote characters as well.
I would strongly recommend avoiding any object name that requires quoting. Using identifiers that do not require quoting will save you a lot of trouble in the long run.

How to insert escape characters in mysql

Hi, I want to insert all escape characters in a column in MySQL. I cannot always insert \ because long data may have a lot of escape characters.
Thanks
Sunil Kumar Sahoo
I am not sure if I am getting this correct, but you:
have a lot of data,
want to insert it into the database with regular SQL commands,
and most of the data requires escaping.
So you do not have many options. Since there is no direct binary mode in MySQL, you
either execute an SQL script with escaping,
or write parameterized queries and insert the data directly with some custom tool you write.
If choosing the first approach, have a look at the MySQL manual for details on string escaping. In particular, you may escape one backslash \ with a double backslash \\ sequence. Also have a look at NO_BACKSLASH_ESCAPES, which eliminates the need for escaping completely.
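The escaping discussed in the UPDATE question above and in this thread, as an added Python example that is not code from either answer: escape_mysql_string() applies the same characters mysql_real_escape_string() rewrites under the default sql_mode, and the quote-doubling that is the only escape once NO_BACKSLASH_ESCAPES is on; build_update() emits the UPDATE from the first question, and build_update_prepared() shows the parameterized form the first answer recommends. All function, table and column names are this example's own.

```python
# Added example: building a MySQL string literal safely in Python.
# Mirrors what mysql_real_escape_string() does to the characters below
# (default sql_mode) and the quote-doubling rule of NO_BACKSLASH_ESCAPES.
# Function, table and column names here are this example's own.
_BACKSLASH_ESCAPES = {
    "\0": "\\0",      # NUL
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",    # Ctrl-Z, end-of-file on Windows
}


def escape_mysql_string(value: str, no_backslash_escapes: bool = False) -> str:
    """Return VALUE as it must appear between single quotes.

    Default sql_mode: backslash-escape quotes, backslashes and control bytes.
    NO_BACKSLASH_ESCAPES: a backslash is literal and the only escape left is
    doubling the enclosing quote (' -> ''). The real library function also
    honours the connection charset; this str-based version assumes UTF-8.
    """
    if no_backslash_escapes:
        return value.replace("'", "''")
    return "".join(_BACKSLASH_ESCAPES.get(ch, ch) for ch in value)


def build_update(table: str, field: str, value: str, row_id: int,
                 no_backslash_escapes: bool = False) -> str:
    """The UPDATE from the question with the value quoted as a literal.
    table/field are identifiers and must come from code, never from input."""
    literal = escape_mysql_string(value, no_backslash_escapes)
    return f"UPDATE {table} SET {field}='{literal}' WHERE id={int(row_id)};"


def build_update_prepared(table: str, field: str, value: str, row_id: int):
    """Preferred form: placeholder statement plus a parameter tuple. Nothing
    is escaped here; the driver sends the value separately ('%s' is the
    DB-API paramstyle of MySQLdb, PyMySQL and mysql-connector)."""
    return f"UPDATE {table} SET {field}=%s WHERE id=%s;", (value, row_id)


if __name__ == "__main__":
    # Constructed sample value of the kind that breaks naive quoting.
    sample = "O'Reilly said \"hi\" and C:\\temp\n"
    print(build_update("notes", "body", sample, 1))
    print(build_update("notes", "body", sample, 1, no_backslash_escapes=True))
    print(build_update_prepared("notes", "body", sample, 1))
```

The escaped literal is only correct for the sql_mode the session actually runs with, which is why the prepared form is the safer default.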

Does MySQL allow creating a database with a dot?

Does MySQL allow creating a database which has a dot (.) in its name?
I'm using MySQL 5.1.22.
You can't use the dot in a database name. Also, I'd avoid using it in any identifier. A common convention is to use underscore instead. It will serve the same purpose and will avoid a LOT of confusion. If you do have a good reason for using strange and otherwise-illegal characters in a table or field name, then you have to escape it.
To escape identifiers in MySQL, use the backtick:
SELECT `select`, `some.field name`, `crazy()naming+here`
FROM `my-=+table`
Getting into the habit of backticking all field names regardless of whether you need to is a good practice in my opinion, but that's another story.
You can use . in names from MySQL 5.1.6 according to the documentation.
However, as has been said and will be said again, please don't do it. For every problem you think you're solving now you'll be creating five which will bite you later on. Since . is used to qualify names - e.g. database.table or table.column - you'll have to quote your database name every time you use it.*
You can do this with backticks:
CREATE TABLE `do.not.do.this` (col INT);
or using double quotes if you set the following option:
SET sql_mode='ANSI_QUOTES';
CREATE TABLE "asking.for.problems" (col INT);
* Not strictly true - you have to quote any name containing a character that's not alphanumeric or _ or $, but . is a particularly troublesome one to have in your names.
Before MySQL 5.1.6, database and table names cannot contain /, \, ., or characters that are not allowed in file names (see 8.2. Schema Object Names).
In versions after 5.1.6 you have to quote your table name with a backtick (`) - but as others also advised: you shouldn't do this, to prevent any unnecessary trouble.
MySQL 5.0.22 doesn't appear to allow it:
% mysqladmin -uroot -pXXX create foo.bar
mysqladmin: CREATE DATABASE failed; error: 'Incorrect database name 'foo.bar''
Even if it did allow it, I would strongly recommend against it.
At the very least you'd have to escape any reference to that database with backticks in every single query that ever uses it.
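Identifier quoting across dialects, as an added Python example covering the three threads above (reserved words across servers, backtick vs square bracket, dots in names); this is not code from any of the answers. The delimiter rules are MySQL's, ANSI SQL's and T-SQL's as the answers describe them; the function names, the small reserved-word set and the sample names are this example's own.

```python
# Added example: quoting SQL identifiers per dialect. Function names, the
# reserved-word sample and the table/column names are this example's own.
import re

# Names made only of these characters never need quoting in MySQL unless they
# are reserved words (MySQL also accepts some non-ASCII letters unquoted; this
# check is deliberately conservative). Note that '.' is not in the set.
_UNQUOTED_OK = re.compile(r"^[0-9A-Za-z_$]+$")

# Constructed sample of reserved words; the real list is version-specific and
# must be taken from each server's own documentation.
_RESERVED = {"SELECT", "TABLE", "ORDER", "GROUP", "KEY", "DATA", "FROM"}

_DELIMS = {
    "mysql": ("`", "`"),   # backticks, MySQL's default sql_mode
    "ansi": ('"', '"'),    # ANSI SQL; in MySQL only with sql_mode ANSI_QUOTES
    "mssql": ("[", "]"),   # T-SQL and MS Access
}


def needs_quoting(name: str) -> bool:
    """True when NAME cannot appear bare: odd characters or a reserved word."""
    return not _UNQUOTED_OK.match(name) or name.upper() in _RESERVED


def quote_identifier(name: str, dialect: str = "mysql") -> str:
    """Wrap NAME in the dialect's delimiters, doubling any embedded closer
    (MySQL: ``, ANSI: "", T-SQL: ]]). Empty names and NUL bytes are not
    legal MySQL identifiers, so they are rejected rather than quoted."""
    if not name or "\0" in name:
        raise ValueError("invalid identifier")
    opener, closer = _DELIMS[dialect]
    return opener + name.replace(closer, closer * 2) + closer


def qualified(*parts: str, dialect: str = "mysql") -> str:
    """Quote each part separately, so a '.' inside a name stays part of the
    name instead of being read as database.table or table.column."""
    return ".".join(quote_identifier(p, dialect) for p in parts)


def select_columns(table: str, columns, dialect: str = "mysql") -> str:
    """Build a SELECT that quotes only what needs it, per dialect."""
    cols = ", ".join(quote_identifier(c, dialect) if needs_quoting(c) else c
                     for c in columns)
    tbl = quote_identifier(table, dialect) if needs_quoting(table) else table
    return f"SELECT {cols} FROM {tbl}"


if __name__ == "__main__":
    for d in _DELIMS:
        print(select_columns("users", ["first-name", "select", "email"], d))
    print(qualified("do.not.do.this", "col"))
```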