Unable to execute 2 MySQL queries separated by semicolon - php

I am trying a simple SQL Injection example which is already working correctly. The goal is to add SQL code to a login page that asks for EmployeeID and Password. In this example I am supposed to know the following information:
* There is a user called Admin
* There is a table field called Name
With this data at hand, the code below did the trick. A space is included after the second dash in order to be interpreted as a comment so the rest of the query is ignored. Basically, the password information is not necessary.
' or Name = 'Admin'; --
So far, so good. Now, I have to include a second SQL statement and I am told that I can use a semicolon as a separator for multiple SQL statements. So I did the following:
' or Name = 'Admin'; SELECT id FROM credential; --
But it does not work. I get a message saying that there is an error in the SQL syntax. I thought that maybe there is no support for multiple queries in one line but I tested using MySQL console and I could successfully issue 2 select statements separated by a semicolon. Below, I show the query (displayed intentionally by an echo statement) and the error that appears on screen.
I will very much appreciate your feedback to help me discover and fix my issue.
SELECT id, name, eid, salary, birth, ssn, phoneNumber, address, email,nickname,Password FROM credential WHERE eid= '' or Name = 'Admin'; SELECT id FROM credential; -- ' and Password='da39a3ee5e6b4b0d3255bfef95601890afd80709'
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT id FROM credential; -- ' and Password='da39a3ee5e6b4b0d3255bfef95601890af' at line 3]
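The query echoed above is assembled from request input, which is the root cause the question is exercising. The following is an added example, not code from the question: the same login lookup written once as it appears to be built (string concatenation) and once as a mysqli prepared statement. It assumes a mysqli connection `$db` (with mysqlnd, so `get_result()` is available) and uses the `credential` table and column names from the echoed query.

```php
<?php
// Added example, not the question's code. Assumes a mysqli connection $db and the
// `credential` table from the echoed query above.

// Vulnerable form: the query text is built from request input, so a quote in
// `' or Name = 'Admin'; -- ` rewrites the WHERE clause. The legacy mysql_query()
// and mysqli_query() only ever send a single statement, which is why the stacked
// `; SELECT ...` in the question fails with a syntax error instead of running;
// mysqli_multi_query() would not give that incidental protection.
function findUserUnsafe(mysqli $db, string $eid, string $passwordHash): ?array
{
    $sql = "SELECT id, name, eid FROM credential WHERE eid='$eid' AND Password='$passwordHash'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form: placeholders are bound by the server, so the input is always a
// value and never SQL text. No quote, semicolon or comment marker in $eid can
// change the statement that runs.
function findUserSafe(mysqli $db, string $eid, string $passwordHash): ?array
{
    $stmt = $db->prepare("SELECT id, name, eid FROM credential WHERE eid = ? AND Password = ?");
    $stmt->bind_param('ss', $eid, $passwordHash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with the payload from the question, which now arrives as a plain value:
// $row = findUserSafe($db, "' or Name = 'Admin'; -- ", sha1($password));
// No employee has that literal eid, so $row is null.
```

The echoed query compares `Password` against an unsalted SHA-1 digest; that is a separate weakness from the injection, and in current PHP the usual replacement is `password_hash()` on registration and `password_verify()` on login, with the stored hash fetched by `eid` alone.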

Related

You have an error in your SQL syntax; about Mysql SQL injection

I am testing a WAF, and I entered my SQL in the MySQL console:
select * from test where id='-1' union select table_name,1,1 from/*/*/**/information_schema.tables limit 0,1;
The SQL syntax is correct, and it shows the table_name.
But if you enter the SQL syntax below
http://localhost/test.php?id=-1' union select table_name,1,1 from/*/*/**/information_schema.tables limit 0,1%23
in your browser, you can see the error below.
You have an error in your SQL syntax;check the manual that corresponds to your MySQL server version for the right syntax to user near **/information_schema.tables limit 0,1#
And this is the same test environment version. The question is why the MySQL console can parse the syntax, but the browser cannot.
So, what's wrong? And why does the error only appear in the browser while the MySQL console can handle it? How can I fix it?
First of all, your union clause at the beginning of your SQL statement does not make sense as UNION should appear between two SELECT statements.
I am a bit confused with what your code is trying to do, but the opening /* and closing */ indicates a comment that is ignored by the SQL parser. Breaking this up, everything on the second line below will be ignored and treated as a comment
union select table_name,1,1 from
/*/*/
**/information_schema.tables limit 0,1#
Therefore your third line with **/ does not make sense.
It is a bit unclear how you are testing this in your browser or if two different SQL parsers are involved. However, what your code is doing is closing a comment inside of a comment. In other words you have a partially nested comment.
From the MySQL 5.7 documentation:
"Nested comments are not supported. (Under some conditions, nested comments might be permitted, but usually are not, and users should avoid them.)"
The MySQL 5.0 documentation simply says:
"Nested comments are not supported."
I am not sure if it is just the wording that has changed here or if the way comments are parsed has actually changed.
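The practical lesson for anyone maintaining a WAF or log-based detector is the one the answer reaches: the database does not nest comments, so the first `*/` after a `/*` closes it, and a detector that reads comments differently will see a different string than the server does. The block below is an added example, not code from the question or the answer: it canonicalises a request parameter the way a MySQL-style lexer would read it (URL decode, strip `/* ... */` non-greedily, strip `#` and `-- ` line comments, collapse whitespace) before matching it. The keyword pattern in `looksLikeSqlInjection()` is a constructed illustration, not a complete rule set.

```php
<?php
// Added example, not from the page: normalise input the way MySQL reads it before
// matching, so comment padding cannot hide keywords from a detector.
function normalizeForDetection(string $raw): string
{
    $s = urldecode($raw);                            // %23 -> #, + -> space, ...
    $s = preg_replace('~/\*.*?\*/~s', ' ', $s);      // non-greedy: the first */ closes a comment, no nesting
    $s = preg_replace('~(?:--\s|#).*$~m', ' ', $s);  // line comments run to end of line
    $s = preg_replace('~\s+~', ' ', $s);             // collapse whitespace
    return strtolower(trim($s));
}

// A minimal check run on the canonical form. The keyword list is a constructed
// illustration only; real rule sets are far larger.
function looksLikeSqlInjection(string $raw): bool
{
    $canon = normalizeForDetection($raw);
    return (bool) preg_match('~\bunion\s+select\b|\binformation_schema\b~', $canon);
}

// The parameter from the question, as it arrives in the query string.
$param = "-1' union select table_name,1,1 from/*/*/**/information_schema.tables limit 0,1%23";

echo normalizeForDetection($param), "\n";
// from/*/*/**/information_schema -> "from **/information_schema": the first */
// closed the comment, which is exactly the leftover MySQL reports in its error.
var_dump(looksLikeSqlInjection($param)); // bool(true)
```

Note that this canonicaliser deliberately strips `#` even inside a quoted string, because it is meant to over-approximate what the server might execute rather than to be a faithful parser; a detector that is stricter than the database is the safe direction to err in.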

Stored Procedure multi-issue

I have the following tables:
image_sources
character_trait_annotations
character_traits
characters
(and tables that are not pertinent to this problem). I am trying to use a stored procedure that looks for an ImageURL in image_sources where AnnotationID is equal to the one fetched from the code at random. That AnnotationID belongs to the character_trait_annotations table, which also has a CharacterID and a CharacterTraitID. The CharacterID is in the characters table, which has CharacterName, and the CharacterTraitID is in character_traits, which has CharacterTraitName.
The code is to call the stored procedure with $character, $trait (which are CharacterName, CharacterTraitName, respectively), and attempt to fetch the ImageURL for it.
The stored procedure
The SQL code for the procedure is as follows:
CREATE PROCEDURE getImageURL(IN charName VARCHAR(35), IN traitName VARCHAR(100))
BEGIN
SELECT ImageSourceURL FROM image_sources WHERE
AnnotationID = (SELECT AnnotationID FROM character_trait_annotations WHERE CharacterID =
(SELECT CharacterID FROM characters WHERE CharacterName = charName) AND CharacterTraitName =
(SELECT CharacterTraitID FROM character_traits WHERE CharacterTraitName = traitName)
);
END;
However, when I call the procedure from PHP, I get this error: Unable to call stored procedure: Unknown column 'CharacterTraitName' in 'where clause'. I was able to create the stored procedure without complaint on the active server.
I check this procedure locally, on my own machine('s version of the database, in phpMyAdmin), by trying to create the stored procedure there to see what is going on, and I get this error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 7
I even tried to enclose the column names and the table names with backticks, and it is telling me the same thing. What is wrong with this?
I figured it out; /* by "I", I mean a friend of mine */
OK, so what did you do?
I didn't have access to phpMyAdmin, MySQLConnect, or any other of those database editors, so I had to attempt making one of my own: http://dinotator.biokdd.org/ResearchProject/tableViewer.php . Right now, the only thing that works is the dropdown menu to select the tables.
I didn't have access to this up until today, and when I asked my friend, and he asked for a way to see the database, I gave him that. The problem he pointed out (and I should have seen) was the second condition in the subquery: CharacterTraitName =
(SELECT CharacterTraitID FROM character_traits WHERE CharacterTraitName = traitName) The stupid mistake that was made was trying to check for equality between CharacterTraitName and CharacterTraitID. Furthermore, CharacterTraitName column didn't exist in character_trait_annotations.
echo 'I feel dumb.';
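The mistake described above (comparing CharacterTraitName with CharacterTraitID, against a column that does not exist in character_trait_annotations) is easier to avoid when the lookup is written as joins, because each join condition names both sides explicitly. The following is an added example, not the asker's code: the procedure rewritten with joins, plus the PHP call with bound parameters. Table and column names are the ones given in the question; the `ORDER BY RAND() LIMIT 1` is an assumption standing in for "fetched at random", and a mysqli connection `$db` with mysqlnd is assumed.

```php
<?php
// Added example, not the asker's code. Names follow the question; ORDER BY RAND()
// is an assumption for the "at random" selection.
$createProcedure = <<<'SQL'
CREATE PROCEDURE getImageURL(IN charName VARCHAR(35), IN traitName VARCHAR(100))
BEGIN
    SELECT s.ImageSourceURL
    FROM image_sources s
    JOIN character_trait_annotations a ON a.AnnotationID = s.AnnotationID
    JOIN characters c ON c.CharacterID = a.CharacterID
    JOIN character_traits t ON t.CharacterTraitID = a.CharacterTraitID
    WHERE c.CharacterName = charName
      AND t.CharacterTraitName = traitName
    ORDER BY RAND()
    LIMIT 1;
END
SQL;

// Calling the procedure with $character and $trait passed as bound values, so
// request input never becomes part of the SQL text. Assumes a mysqli connection $db.
function getImageUrl(mysqli $db, string $character, string $trait): ?string
{
    $stmt = $db->prepare("CALL getImageURL(?, ?)");
    $stmt->bind_param('ss', $character, $trait);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['ImageSourceURL'] ?? null;
}

// $url = getImageUrl($db, $character, $trait);  // null when no annotation matches
```

Creating the procedure through the API sends the whole `CREATE PROCEDURE ... END` as one statement, so no `DELIMITER` change is needed there; that is only a concern in the mysql command-line client.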

Update query throws an error

I have a delete function implemented on my website. A normal customer can delete his/her account and this updates a "delete" field from 0 to 1.
My table is called "users" and everything seems to work fine. However, when I test the delete function I get the following error:
" You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'delete='1' WHERE email='active#user.com'' at line 1"
The code for my update query is shown below:
mysql_query("UPDATE users SET delete='1' WHERE email='$email'")or die(mysql_error());
Your help will be much appreciated.
DELETE is a MySQL reserved keyword. If you're going to name a column after that you must wrap it in backticks:
mysql_query("UPDATE users SET `delete`='1' WHERE email='$email'")or die(mysql_error());
You really shouldn't use DELETE as a column identifier. I strongly recommend changing it.

Use php uniqid in mysql table name results in occasional errors - how do I avoid it?

Without getting into the lengthy details of why, I have a need to auto-generate mySQL tables that utilize a unique table name that incorporates the string generated by PHP uniqid function. When doing so, I occasionally (not always) get the following query error:
Invalid query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near ''512e1d9518d44_tbl'' at line 1 Whole query: SELECT
SUM(p_count) AS 'pcnt' FROM 512e1d9518d44_tbl
I know I could use a simple cross reference lookup table, but is there another way to avoid the error, which I believe is the result of a violation of table naming rules, while still maintaining the table naming non-sequential uniqueness? I've tried single quoting the table name but get the same result btw.
When your table / column name starts with a number, you have to escape it using backticks:
SELECT SUM(p_count) AS pcnt FROM `512e1d9518d44_tbl`
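Both of the questions above (a column named with the reserved word `delete`, and a generated table name that starts with a digit) are solved by the same thing: quoting the identifier in backticks. Because an identifier cannot be bound as a prepared-statement parameter, it is worth funnelling every dynamic identifier through one helper that validates it before quoting it. The block below is an added example serving both questions; it is not code from either asker. The allow-list pattern is an assumption that matches the names on this page, and a mysqli connection `$db` is assumed (the `mysql_*` functions used in the questions were removed in PHP 7).

```php
<?php
// Added example, not from the page. Quotes a dynamic identifier after checking it
// against an allow-list pattern (an assumption chosen to fit the names above).
function quoteIdentifier(string $name): string
{
    // Letters, digits and underscore only, up to MySQL's 64-character limit.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        throw new InvalidArgumentException("Refusing to use identifier: $name");
    }
    return '`' . $name . '`';
}

// The UPDATE from the first question: the reserved word is quoted as an
// identifier, and the e-mail address is bound as a value.
function markUserDeleted(mysqli $db, string $email): int
{
    $column = quoteIdentifier('delete');                       // `delete`
    $stmt = $db->prepare("UPDATE users SET $column = 1 WHERE email = ?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// The aggregate from the second question: a table name that starts with a digit
// is legal once it is backtick-quoted.
function sumPartCount(mysqli $db, string $tableName): int
{
    $table = quoteIdentifier($tableName);                      // `512e1d9518d44_tbl`
    $row = $db->query("SELECT SUM(p_count) AS pcnt FROM $table")->fetch_assoc();
    return (int) ($row['pcnt'] ?? 0);
}

// echo quoteIdentifier('delete'), "\n";             // `delete`
// echo quoteIdentifier('512e1d9518d44_tbl'), "\n";  // `512e1d9518d44_tbl`
// quoteIdentifier('users; DROP TABLE users');       // throws InvalidArgumentException
```

The helper rejects rather than escapes anything outside the pattern; for a uniqid-based table name that is enough, since the generated string is hexadecimal plus an underscore suffix. Uniqueness of the name is a separate matter from quoting: `uniqid()` is time-based and not guaranteed unique under concurrency, so the cross-reference table the asker mentions is still the robust way to record which generated tables exist.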

Problem with MySQL query to recordset - possibly caused by move from MySQL 4 to MySQL 5

I have a website with a sales and wanted page, which uses a query to return all of the sales & wanted ads into a recordset. It's been working for 4-5 years without incident, but suddenly stopped working on Friday. My ISP tell me they have implemented v5 of MySQL, which seems to have caused the problem.
The query is below:
$query = "select * from $table order by uidno desc limit $from,$max_results";
It's executed via the following command
$recordset = mysql_query($query);
if($recordset == false)
{
echo("Could not retrieve comment. Please try later<br>");
echo("060211<br>");
return;
}
It's no longer able to load the comments into the recordset. Also the statement to populate the table is no longer populating the fields in the table correctly, though a new row is being created.
The statement is below:
$inputdata = "INSERT INTO $table(date,name,email,suggestion) values('$today','$inputname','$email','$suggestion')";
And it is executed via:
$outcome = mysql_query($inputdata);
The structure of the table is as follows:
uidno int(11), extra=AUTO_INCREMENT, Null=no, default=none
date date, default=0000-00-00
Name varchar(60)
Email varchar(60), Null=yes, Default=NULL
Suggestion blob, attributes=binary, Null=no
Please help - I don't understand what changes I need to make to the syntax to make these queries compatible with MYSQL v5.
Update:
I added the echo mysql_error(); and it appears to output the following:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10,10' at line 1
So this indicates an error in the syntax - but I've no idea what the error is.
http://dev.mysql.com/doc/refman/5.0/en/select.html
The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must both be nonnegative integer constants (except when using prepared statements).
Column, index, stored routine, and event names are not case sensitive on any platform, nor are column aliases
so your lowercase column names in code and upper case column names in mysql structure should not be the problem.
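The error message pins the failure to `LIMIT -10,10`: MySQL 5 enforces the rule quoted above that both LIMIT arguments are nonnegative integer constants, so whatever computed `$from` produced a negative offset. The block below is an added example, not the asker's code: it derives the LIMIT window from a page number so the offset can never go negative, takes the table name from an allow-list instead of interpolating `$table` from wherever it came from, and binds the LIMIT arguments as integers in a prepared statement (which the quoted documentation explicitly permits). The two table names in `ALLOWED_TABLES` are an assumption, and a mysqli connection `$db` with mysqlnd is assumed.

```php
<?php
// Added example, not the asker's code. The allow-list contents are an assumption.
const ALLOWED_TABLES = ['sales', 'wanted'];

// Returns [offset, count] for a 1-based page number, with the offset always >= 0.
function limitWindow(int $page, int $perPage): array
{
    $perPage = max(1, min($perPage, 100));      // clamp the page size
    $page = max(1, $page);                      // page 1 is the first page
    return [($page - 1) * $perPage, $perPage];
}

// Assumes a mysqli connection $db. Nothing from the request reaches the SQL text:
// the table name must match the allow-list and the LIMIT values are bound as ints.
function fetchAds(mysqli $db, string $table, int $page, int $perPage): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    [$from, $max] = limitWindow($page, $perPage);
    $stmt = $db->prepare("SELECT * FROM `$table` ORDER BY uidno DESC LIMIT ?, ?");
    $stmt->bind_param('ii', $from, $max);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// limitWindow(0, 10)  -> [0, 10]   (an input that used to yield an offset of -10 now yields 0)
// limitWindow(3, 10)  -> [20, 10]
```

Binding the LIMIT arguments also means a non-numeric page parameter fails at the PHP type boundary (`int $page`) rather than producing a second syntax error at the database.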
