im trying to learn and understand mysql inject, i have created demo case.
SELECT ret_variable FROM data WHERE name = '".$name."' AND age = ".$age;
then if(ret_variable == 2){something} but query originally returns 1 and i need to force it to output 2
How to modify $age variable to set custom output field for ret_variable(only in response) ?
I have tried few ways with OR but didn't wroked.
I see no practical application other than learning. I assume since you know the code , you have permission to test this out. So let's give it a go!
You can only return a 2 for the ret_variable when there is a row in the database with a value of 2 as the ret_variable and you know the name value of that row. You can for instance enter that name and the following to bypass the correct value for the age.
age AND ret_value = 2
That would create the following query:
SELECT ret_variable FROM data WHERE name = 'John' AND age = age AND ret_value = 2;
The principle of mysql injection is this sort of manipulation of the query. But you can not force a value which is returned unless there is a row in the database with this value for ret_variable and you can somehow select this row.
When you don't know the name (or there is no record of your known name with a ret_variable of 2) it is not possible.
Since the AND operator has precedence over the OR operator you cannot manipulate the query to give a 2 as ret_variable. This is because the name = '?' part will always fail.
Related
I want to insert new record in database if not already present. I know I can do it if I make that column unique but cant do this as there are several redundant records already present . So i wish any new record I insert should only be inserted if not already present.
Sample table for reference
id name
1 a
2 b
3 c
Before inserting do a select query:
Select id from tablename where name = 'a' limit 1;
Then check, if the result has rows. If it does not have rows execute the insert statement.
INSERT IGNORE INTO... You can find more info on already accepted answer on another question.
I will use pseudo-code to explain .
Use a select query with a WHERE that gonna select only value/values that is/are equal to the value/values of the input type .
You will have to store the values in variables , one variable for the input type and one variable to store the value for the select query.
Before that don't forget to store variables because if you do a search it will read the value but not gonna store it and the second reason is it's gonna help you for the if and else if .
Also i will recommend you to see POST method and REQUEST method and logic operators ( ex: && , || , etc ... )
You should use a if and a else if .
The if could be:
if variable1 = variable 2
echo "Data already exist" ;
end of the if
the else if could be :
Insert query
end of the else
You should echo the value that you get from the select query just to be sure for your test.
I have a table filter feature in PHP club membership webpage. I made it so the user can filter the table and choose which members to display in a table. For example, he can choose the country or state where the member is from then hit display. I am using a prepared statement.
The problem is, I need to use wildcards to make the coding easier. How do I use a wildcard in PHP MySQL query? I will use wildcards for example if the user does NOT want specific country but instead he wants to display all members from all countries.
I know not specifying the WHERE country= will automatically select any countries but I already constructed it so each controls like the SELECT control for country already has a value like "CA" or "NY" and "*" if the user leaves that control under "All Countries". This value when submitted is then added to the query like:
$SelectedCountry = $_POST["country"];
sql .= " WHERE country=" . $SelectedCountry;
But the problem is using WHERE country=* doesn't seem to work. No errors, just doesn't work. Is "*" the wildcard in PHP MySQL?
The * is not a wildcard in SQL when comparing with the = operator. You can use the like operator and pass a % to allow for anything.
When doing this the % should be the only thing going to the bind. $Bind_country = "'%'"; is incorrect because the driver is already going to quote the value and escape the quotes. So your query would come out as:
WHERE country ='\'%\''
The = also needs to be a like. So you want
$bind_country = '%';
and then the query should be:
$sql = 'select * from table where country like ?';
If this were my application I would build the where part dynamically.
Using * in WHERE clause is not right. You can only give legit value. For example:
// looking for an exact value
SELECT * FROM table WHERE column = 'value'
// you can also do this when looking for an exact value
// it works even if your $_POST[] has no value
SELECT * FROM table WHERE column = 'value' OR '$_POST["country"]' = ''
// looking for a specific or not exact value
// you can place % anywhere in value's place
// % denotes the unknown characters of the value
// it works also even if your $_POST[] has no value
// results will not be the same when you're using AND or OR clause
SELECT * FROM table WHERE column LIKE '%val%'
I think below link can solve your problem.
Just have a look and choose what you need.
Thanks.
http://www.w3schools.com/sql/sql_wildcards.asp
I want not update a record when the variable is empty when executing a UPDATE query in SQL. However, when the variable is filled, the record should be updated.
So in example, the myAge field in the database have currently a value of 20 (type int).
After executing the following query, the record should still be 20.
$age = '';
db_con->query("UPDATE info SET myAge = ".$age." WHERE account_id = 1");
Ps: I know I could check if the variable is empty with PHP, but I was wondering If this could be archieved within SQL?
You could use an IF construct in SQL to check if the value is empty:
$age = mysql_real_escape_string($age);
db_con->query("UPDATE info SET myAge = IF('".$age."' = '', myAge, ".$age.") WHERE account_id = 1");
If the passed PHP variable is empty, you set the old myAge.
Checking in PHP makes more sense, you might save a database query.
The way you are passing that variable to your database is potentially dangerous. If you didn't know about mysql_real_escape_string, look it up NOW.
Better yet, start using a database wrapper that escapes values for you.
I would add the condition into the where, if you only care about one field.
It is not clear what you mean by empty. That could be either NULL or a blank string. My guess is that myAge is a number, so NULL would be "empty":
UPDATE info
SET myAge = ".$age."
WHERE account_id = 1 AND myAge IS NOT NULL;
You can also do this in the SET, if you like:
UPDATE info
SET myAge = (CASE WHEN myAge IS NOT NULL THEN ".$age." END)
WHERE account_id = 1;
This is necessary if you have multiple columns that you want to update like this. I much prefer CASE over IF(), because CASE is ANSI standard and available in most databases.
I'm working with a table in which information is stored in a table in JSON format. The JSON value field looks like:
select * from k2_extra_fields where id = 2 and published = 1;
id | value
2,[{"name":"Apples","value":1,"target":null,"alias":"","required":0,"showNull":1},{"name":"Pears","value":2,"target":null,"alias":"","required":0,"showNull":1},{"name":"Mangos","value":3,"target":null,"alias":"","required":0,"showNull":1},{"name":"Guava","value":4,"target":null,"alias":"Fruit","required":0,"showNull":1},{"name":"Pineapple","value":5,"target":null,"alias":"Fruit","required":0,"showNull":1}]
Or values in a simple line by line view (minus the ID):
[
{"name":"Apples","value":1,"target":null,"alias":"","required":0,"showNull":1},
{"name":"Pears","value":2,"target":null,"alias":"","required":0,"showNull":1},
{"name":"Mangos","value":3,"target":null,"alias":"","required":0,"showNull":1},
{"name":"Guava","value":4,"target":null,"alias":"Fruit","required":0,"showNull":1},
{"name":"Pineapple","value":5,"target":null,"alias":"Fruit","required":0,"showNull":1}
]
The query that leads me here returns the value of 3. 3 = Mangos. How do I take the '3' value and match it up with the stored names/values so that I end up with the output, Mangos?
It should be possible with build in mysql functionality, but very hard and 'not clever' idea to do. If you really need to compute this problem within mysql, you would need to actually add new funtionality to your mysql. Look up on UDF plugins: http://dev.mysql.com/doc/refman/5.1/en/udf-compiling.html
I have a column called name in a table info
So I want to update that with it's current value, like this name + user_input. I tried with this code but not working
mysql_query("UPDATE info SET name = name + '$user_input' WHERE id='$user_id'");
But It returns 0 and update column to 0....
Any idea how to accomplish this task??
You should use CONCAT to concatenate string in MySQL (+ is for addition arithmetic operations which I guess can't properly work with names) :
UPDATE info SET name = CONCAT(name,'$user_input') WHERE id='$user_id'