Why does a single-quote cause an error in my application? - php

I got the vulnerable code below from a book about SQL injection. But when I try to exploit it and add ' to the input, it gives me an error like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Why do I get this error?
// build dynamic SQL statement
$SQL = “SELECT ∗ FROM table WHERE field = ‘$_GET[“input”]’;”;
// execute sql statement
$result = mysql_query($SQL);
// check to see how many rows were returned from the database
$rowcount = mysql_num_rows($result);
// iterate through the record set returned
$row = 1;
while ($db_field = mysql_fetch_assoc($result))
{
    if ($row <= $rowcount)
    {
        print $db_field[$row]. “<BR>”;
        $row++;
    }
}

I don't know what's up with your quotation characters, but let's look at this line of code instead:
$SQL = "SELECT * FROM table WHERE field = '$_GET[input]';";
So let's say you want to exploit this and get all rows. If you set $_GET[input] = "' OR 1=1" you get the following SQL:
SELECT * FROM table WHERE field = '' OR 1=1';
This is invalid SQL. Why? Because at the end you have a stray ' that the SQL interpreter doesn't understand. After a condition there is not supposed to be the beginning of a quote, and all quotes should be closed! That is why you get an error.
So to do a successful injection you need to make sure you produce valid SQL. In this case you could try using the payload ' OR '' = ', which generates this:
SELECT * FROM table WHERE field = '' OR '' = '';
Or just use a comment, as in ' OR 1=1 --, to neutralize the rest of the query:
SELECT * FROM table WHERE field = '' OR 1=1 --';
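As an added illustration (Python, not code from the question or the answer above), the function below applies MySQL's quoting and comment rules to the query the PHP builds, so you can check which payloads leave every string literal closed before you send them. One detail worth knowing about the comment payload: MySQL only treats `--` as a comment when it is followed by whitespace, so `' OR 1=1 --` landing directly in front of the closing quote is still a syntax error, while `' OR 1=1 -- ` (trailing space) or `' OR 1=1 #` is accepted. The in-memory sqlite3 table is a constructed stand-in for "table" and is only executed against for payloads where sqlite and MySQL behave the same; the table name `t` and its two rows are assumptions.

```python
import sqlite3

# Mirrors the PHP string from the answer above:
#   $SQL = "SELECT * FROM table WHERE field = '$_GET[input]';";
# `t` is a placeholder table name; the page just says "table".
TEMPLATE = "SELECT * FROM t WHERE field = '{}';"


def build_query(user_input):
    """Interpolate untrusted input the way the vulnerable PHP does."""
    return TEMPLATE.format(user_input)


def mysql_quotes_balanced(sql):
    """Return True if MySQL would see every single-quoted literal closed.

    Rules that matter for the payloads on this page:
      * inside a literal, '' and \\' are escaped quotes, not terminators;
      * outside a literal, '#' starts a comment that runs to end of line;
      * outside a literal, '--' starts a comment ONLY when followed by
        whitespace (MySQL-specific; other engines accept a bare '--').
    Anything after a comment start is ignored, so the remainder is balanced
    by definition.  Assumes a single-line statement.
    """
    i, n, in_str = 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 2                      # backslash escape: skip next char
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2                  # '' is a literal quote inside a string
                    continue
                in_str = False
        else:
            if c == "'":
                in_str = True
            elif c == "#":
                return True
            elif sql.startswith("--", i) and i + 2 < n and sql[i + 2] in " \t\r\n":
                return True
        i += 1
    return not in_str


def unsafe_lookup(conn, user_input):
    """Run the interpolated query; None when the engine rejects the syntax."""
    try:
        return conn.execute(build_query(user_input)).fetchall()
    except sqlite3.Error:
        return None


def demo_db():
    """Constructed in-memory stand-in for the page's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (field TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    for payload in ["'", "' OR '' = '", "' OR 1=1 --", "' OR 1=1 -- ", "' OR 1=1 #"]:
        sql = build_query(payload)
        print(f"{payload!r:16} balanced={mysql_quotes_balanced(sql)!s:5}  {sql}")
```

The checker is a lexer, not a parser: it only answers "did the quotes close", which is exactly the error the question reports. A balanced query can still be invalid for other reasons, so treat a True result as "worth sending", not "will succeed".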

Related

PHP error get value from database

I have a PHP script like this:
$query = "select * where userid = 'agusza' ";
$result = mysql_query($query) or die(mysql_error());
while($row=mysql_fetch_array($result)) {
echo $result;
}
When I execute it, the result is like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where userid = 'agusza'' at line 1
But when I run that SQL in SQL Server, it runs well.
Does anybody have a solution?
$query = "select * from table_name where userid = 'agusza' ";
See the corrections I have made. You haven't used the right syntax for a SELECT query.
You didn't select a table using FROM. Without that, it does not know which table you are selecting data from.
You should also stop using mysql as it is deprecated. Use mysqli or PDO as they are safer.
You are also echoing the wrong variable in your while loop, try this:
while ($row = mysql_fetch_array($result)) {
echo $row['column_name'];
}
$query = "select * from table where userid = 'agusza'";
Right now, you're not telling which table SQL should look in.
You should format your query like so:
select * from `TableName` where userid='agusza'
In your query below you don't state the database table you should get that data from using FROM:
$query = "select * where userid = 'agusza' "; // instead of this
$query = "select * FROM declaredtable where userid = 'agusza' "; // use this

How do I update a query correctly

Whats wrong with my code?
Basically what I'm trying to do is add a number and update a field in the sql with what is connected to the variable. But since steamids look like this STEAM_0:0:123123123 or STEAM_0:1:123123123 I get this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':0:14166834' at line 1
This is just for learning, so I know my code has useless echos, but it's just to see it being added and making sure I was doing it correctly anyway.
addmoney.php
<?php
include("inc/config.php");
$mysteamid = mysql_real_escape_string($_POST['mysteamid']);
$sql = "SELECT * FROM $tbl_name WHERE steamid='$mysteamid'";
$result = mysql_query($sql);
$cash = mysql_result($result, 0, 'cash'); // outputs 7th
echo $cash;
$newcash = $cash + 10000;
echo "\n";
echo $newcash;
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
?>
index.php contains working form data; it's not really required for the error in my code.
My main problem is this line from addmoney.php, which is
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
As your steamid field in your DB is a string (it seems to be, as possible values are STEAM_0:0:123123123 and STEAM_0:1:123123123), you must use quotes around the value:
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'");
Using mysql_real_escape_string() is necessary, as it escapes quotes inside the variable you pass it as a parameter -- but you still have to put quotes around the string in your SQL queries.
In the first query you surrounded your $mysteamid value with single quotes, and in the second query you didn't. If the steamid is a string type, you need to surround the value with quotes, like
"UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'"
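Added example (Python with an in-memory sqlite3 table standing in for MySQL; not the poster's code) showing why escaping alone does not save the UPDATE discussed above. mysql_real_escape_string() only backslash-escapes quotes, backslashes and a few control characters, so a value such as 0 OR 1=1 passes through unchanged, and once it lands unquoted in the WHERE clause it matches every row. The escape function is a Python rendering of the PHP function's documented behaviour; the table name `players`, the two STEAM ids and the cash values are constructed, and the UPDATE adds the amount in SQL instead of the page's PHP SELECT-then-UPDATE round trip.

```python
import sqlite3

# Constructed rows standing in for the page's $tbl_name; the ids follow the
# STEAM_0:X:NNN shape the question describes.
ROWS = [("STEAM_0:0:14166834", 100), ("STEAM_0:1:123123123", 250)]


def mysql_real_escape_string(s):
    """Python rendering of PHP's mysql_real_escape_string(): backslash-escape
    NUL, \\n, \\r, backslash, single quote, double quote and Ctrl-Z.
    It never adds surrounding quotes, so a payload made only of ordinary
    characters (digits, spaces, '=', letters) comes back untouched."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def fresh_db():
    """New in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (steamid TEXT, cash INTEGER)")
    conn.executemany("INSERT INTO players VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def add_money_unquoted(conn, steamid, amount=10000):
    """The UPDATE as posted: value escaped but NOT quoted.
    Returns rows changed, or None when the engine rejects the statement
    (the page's MySQL error near ':0:14166834' is this case)."""
    sid = mysql_real_escape_string(steamid)
    sql = f"UPDATE players SET cash = cash + {int(amount)} WHERE steamid = {sid}"
    try:
        cur = conn.execute(sql)
        conn.commit()
        return cur.rowcount
    except sqlite3.Error:
        return None


def add_money_param(conn, steamid, amount=10000):
    """Fixed version: placeholder binding, the value never enters the SQL text,
    so quoting and escaping are the driver's problem, not ours."""
    cur = conn.execute("UPDATE players SET cash = cash + ? WHERE steamid = ?",
                       (amount, steamid))
    conn.commit()
    return cur.rowcount


def cash_of(conn, steamid):
    row = conn.execute("SELECT cash FROM players WHERE steamid = ?",
                       (steamid,)).fetchone()
    return row[0] if row else None


def scenario(update_fn, steamid):
    """Fresh table, one update, then (rows changed, cash of every player)."""
    conn = fresh_db()
    changed = update_fn(conn, steamid)
    return changed, [cash_of(conn, sid) for sid, _ in ROWS]


if __name__ == "__main__":
    for fn in (add_money_unquoted, add_money_param):
        for sid in ("STEAM_0:0:14166834", "0 OR 1=1"):
            print(f"{fn.__name__:20} {sid!r:22} -> {scenario(fn, sid)}")
```

With the unquoted statement the legitimate id is a syntax error and the hostile one credits every account; with the bound parameter the legitimate id updates exactly one row and the hostile one updates none, because it is compared as a literal string.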

MYSQL syntax error while using MATCH () AGAINST()

I'm trying to query a database to find relevant results between two columns in separate tables. To do this I'm using the following code:
$query = "SELECT * FROM $table WHERE MATCH (TITLE) AGAINST ($description) AND ARTIST=$band ORDER BY relevance DESC";
$result = mysql_query($query);
if (!$result) {
die("Result False on line 47: $result <br>
Query: $query <br>
Error: " . mysql_error());
}
As you might expect, the error message appears saying I have an error in my MySQL syntax, but I'm not sure what it is. Any pointers?
AGAINST ($description) should be AGAINST ('$description')
ARTIST=$band should be ARTIST='$band'
Any strings that are processed through queries need single quotes ( ' ) around them, and column names with spaces need backticks ( ` ).
If $description or $band contain any quotes or slashes you will need to escape them using mysql_real_escape_string() (I'd recommend doing this anyway)
Also, you can consolidate your die statement into your query line:
$result = mysql_query($query) or die(
"Result False on line 47: $result <br>
Query: $query <br>
Error: " . mysql_error()
);
Sometimes, even when the syntax is correct, this error comes up because some MySQL versions don't support this syntax.
Make sure your MySQL version supports this query before looking for another way around it.

Need new eyes on a mysql query statement

I'm new at this, what are the problems with this statement:
$sql = "SELECT * FROM `calendar` WHERE `DayId` = '" . $day . "'";
$result = mysql_query($sql, $conn);
if (!$result) {
    echo "DB Error, could not query the database\n";
    echo 'MySQL Error: ' . mysql_error();
    exit;
}
while ($row = mysql_fetch_array($result)) { // set $dayType
    $dayType = $row['DayType'];
}
I keep getting the error:
DB Error, could not query the database
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '' at line 1
but when I put an "echo $result;" in after the line that starts with $result=... then I get a value for $result of "Resource id #2"
You need to enclose your "day" variable in quotes (and you should be escaping it if you haven't already!)
$sql = "SELECT * FROM calendar WHERE DayId = '" . mysql_real_escape_string($day) . "'";
Shouldn't it be
$sql="SELECT * FROM `calendar` WHERE `DayId` = '".$day."'";
It seems likely to me that your $day variable is not getting populated ... Try echoing the SQL statement before you run it to make sure everything looks as it should ...
If it's date(z) change it to date('z').

SQL Syntax Error - PHP/MySQL

Can anyone tell me what's going on here. I'm not sure why this code is not working and throwing the following error:
You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND role != 7 AND role != 4' at line 3
$sql = 'SELECT * FROM tblusers
INNER JOIN permissions on tblusers.usrID = permissions.user_id
WHERE permissions.team_id='.$team_id.' AND role != 7 AND role != 4';
require("connection.php");
$result = mysql_db_query($DBname,$sql,$link) or die(mysql_error());
while($row = mysql_fetch_assoc($result))
{
$message->addTo($row['usrEmail'], $row['usrFirst'] . ' ' . $row['usrLast']);
}
I know that the variable $team_id is working fine, because if I "echo" it, it works fine. Any ideas on what I'm doing wrong here? Thanks!
Echo out $sql, try the statement in the database or paste it here so we can debug it. I initially suspected that you needed quotes around the variable, but you probably don't since it's a number.
Do both tables have a row column or does just one table have it?
I get that exact error message if $team_id is empty - are you sure it's set at that point in the code?
By using prepared statements you can avoid quoting problems.
$dbConn = new mysqli("127.0.0.1", "username", "password", "db");
$stm = $dbConn->prepare("SELECT * FROM tblusers WHERE team_id = ?");
$stm->bind_param("i", $team_id); /* 'i' for an integer */
$stm->execute();
The role field is ambiguous; try tblusers.role.
