MYSQL Update Syntax error with string input - php

My code is below:
$count++;
$yesstring = 'MATCH';
echo $count . '. RESULT ' . $idcheck . ': ' . $phonecheck . ' was matched. <br />';
$matchquery = sprintf("UPDATE `list` SET match = `%s` WHERE homephone = `%s` LIMIT 1",
mysql_real_escape_string($yesstring),
mysql_real_escape_string($phonecheck));
$matchresult = mysql_query($matchquery);
if (!$matchresult) {
die("Invalid query: " . mysql_error());
}
And this is my error:
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'match = MATCH WHERE homephone = (999) 999-9999 LIMIT 1' at line 1
Any help would be appreciated.

match is a reserved word in MySQL. Escape it with backticks:
UPDATE `list` SET `match` = ...

You're using backticks when you should be using regular quotes. Backticks are reserved for escaping table or column names:
INSERT INTO `foo` VALUES ('value')
Although you're properly escaping your SQL, calling mysql_real_escape_string can prove to be a constant nuisance. Switching to mysqli or PDO would make writing correct SQL a lot easier in the long run.

Related

Why does a single-quote cause an error in my application?

I got the vulnerable code below from a book about SQL injection. But when I try to exploit it and add ' to the input, it gives me an error like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Why do I get this error?
// build dynamic SQL statement (user input is interpolated straight into the query)
$SQL = "SELECT * FROM table WHERE field = '$_GET[input]';";
// execute sql statement
$result = mysql_query($SQL);
// check to see how many rows were returned from the database
$rowcount = mysql_num_rows($result);
// iterate through the record set returned
$row = 1;
while ($db_field = mysql_fetch_assoc($result))
{
    if ($row <= $rowcount)
    {
        print $db_field[$row] . "<BR>";
        $row++;
    }
}
I don't know what's up with your quotation characters, but let's look at this line of code instead:
$SQL = "SELECT * FROM table WHERE field = '$_GET[input]';";
So let's say you want to exploit this and get all rows. If you set $_GET[input] = "' OR 1=1" you get the following SQL:
SELECT * FROM table WHERE field = '' OR 1=1';"
This is invalid SQL. Why? Because at the end you have a stray ' that the SQL interpreter doesn't understand. After a condition there is not supposed to be a beginning of a quote, and all quotes should be closed! That is why you get an error.
So to do successful injection you need to make sure you produce valid SQL. In this case you could try using the payload ' OR '' = ', which generates this:
SELECT * FROM table WHERE field = '' OR '' = '';"
Or just use a comment, as in ' OR 1=1 --, to neutralize the rest of the query:
SELECT * FROM table WHERE field = '' OR 1=1 --';"
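The fix recommended in both of the threads above (backticks for identifiers, bound parameters for values) as an added example that is not code from either question or answer. It assumes an in-memory SQLite database standing in for MySQL so it runs offline; with a mysql: DSN the SQL is unchanged. Both inputs from the second thread (a lone ' and ' OR '' = ') are treated as data, so there is neither a syntax error nor an extra row.

```php
<?php
// Added example: the UPDATE from the first question and a SELECT like the
// second question's, rewritten with PDO prepared statements.
// Assumption: sqlite::memory: stands in for a MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `match` is a reserved word, so the identifier is backtick-quoted.
// Values are never quoted by hand: they are bound as parameters below.
$db->exec('CREATE TABLE `list` (id INTEGER PRIMARY KEY, homephone TEXT, `match` TEXT)');
$db->exec("INSERT INTO `list` (homephone, `match`) VALUES ('(999) 999-9999', NULL)");

// Marks the row for one phone number; returns the number of rows changed.
function markMatched(PDO $db, string $phone): int
{
    $stmt = $db->prepare('UPDATE `list` SET `match` = :m WHERE homephone = :p');
    $stmt->execute([':m' => 'MATCH', ':p' => $phone]);
    return $stmt->rowCount();
}

// Looks a phone number up; whatever $phone contains is compared literally.
function findByPhone(PDO $db, string $phone): array
{
    $stmt = $db->prepare('SELECT id, `match` FROM `list` WHERE homephone = ?');
    $stmt->execute([$phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo markMatched($db, '(999) 999-9999'), " row(s) updated\n";  // 1
var_dump(findByPhone($db, "'") === []);                          // bool(true): no syntax error
var_dump(findByPhone($db, "' OR '' = '") === []);               // bool(true): the quote is data, not SQL
print_r(findByPhone($db, '(999) 999-9999'));                     // only the real row, match = MATCH
```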

PHP MySQL command syntax error

This SQL query is not working:
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES(" . mysql_real_escape_string($_POST['topic_subject']) . " , NOW()," . mysql_real_escape_string($_POST['topic_cat']) . " , " . isset ($_SESSION['user_id']) . ")";
How can I fix it? I am getting this error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2
It's likely that topic_subject is character data. To include literal strings in SQL text, it should be enclosed in single quotes.
... VALUES ('abc', ...
If you used prepared statements, this wouldn't be an issue, and for the love of all things that are beautiful and good in this world, don't use the deprecated PHP mysql_ interface for new development. It's been superseded by the mysqli_ and PDO interfaces.
You forgot the quotes.
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES('" . mysql_real_escape_string($_POST['topic_subject']) . "' , NOW(),'" . mysql_real_escape_string($_POST['topic_cat']) . "' , '" . isset ($_SESSION['user_id']) . "')";
And be aware that mysql_* is deprecated. Use PDO or mysqli instead.
There are a couple of problems here.
Quote your strings
Make sure your data is of the correct type
$topic_subject = mysql_real_escape_string($_POST['topic_subject']);
$topic_date = "NOW()"; // SQL function evaluated by MySQL, not a PHP call
$topic_cat = mysql_real_escape_string($_POST['topic_cat']);
$topic_by = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : ""; // always returns a string value.
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES('{$topic_subject}' , {$topic_date}, '{$topic_cat}' , '{$topic_by}')";
It may help you to use more variables in your code (shown) so that you can use a debugger to verify that the strings and variables you create have the values you intend them to have.
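The "quote your strings" and "correct type" advice above taken one step further, as an added example that is not code from the question or the answers: the INSERT as a prepared statement with typed bindings, so the subject is always a string and the user id is an integer or SQL NULL instead of the 1 or "" that interpolating isset() produces. Assumptions: an in-memory SQLite database stands in for MySQL (CURRENT_TIMESTAMP is accepted by both where the question used NOW()), and $_POST and $_SESSION are simulated by arrays built inline.

```php
<?php
// Added example: typed parameter binding for the question's INSERT.
// Assumption: sqlite::memory: stands in for the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE top (topic_id INTEGER PRIMARY KEY, topic_subject TEXT,
           topic_date TEXT, topic_cat INTEGER, topic_by INTEGER)');

// Inserts one topic and returns its new id. $post and $session play the
// roles of $_POST and $_SESSION from the question.
function insertTopic(PDO $db, array $post, array $session): int
{
    $stmt = $db->prepare('INSERT INTO top (topic_subject, topic_date, topic_cat, topic_by)
                          VALUES (:subject, CURRENT_TIMESTAMP, :cat, :by)');
    // Each value is bound with its SQL type; no quoting or escaping by hand.
    $stmt->bindValue(':subject', (string) $post['topic_subject'], PDO::PARAM_STR);
    $stmt->bindValue(':cat', (int) $post['topic_cat'], PDO::PARAM_INT);
    if (isset($session['user_id'])) {
        $stmt->bindValue(':by', (int) $session['user_id'], PDO::PARAM_INT);
    } else {
        // Not logged in: store NULL rather than the empty string "" .
        $stmt->bindValue(':by', null, PDO::PARAM_NULL);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed sample input; the apostrophes in the subject are ordinary data.
$first  = insertTopic($db, ['topic_subject' => "O'Reilly's books", 'topic_cat' => '3'], ['user_id' => 42]);
$second = insertTopic($db, ['topic_subject' => 'anonymous post',   'topic_cat' => '3'], []);
echo "inserted ids $first and $second\n";   // inserted ids 1 and 2
print_r($db->query('SELECT topic_id, topic_subject, topic_cat, topic_by FROM top')
           ->fetchAll(PDO::FETCH_ASSOC));    // topic_by is 42, then NULL
```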

mysql check manual error

Came across an error I have never seen before after writing the following code:
$query= "UPDATE `Pharm_Log` SET `text` = ". $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
My error message was this:
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Pressure Test: 235/43 WHERE id = 1' at line 1"
Anyone have any idea how to fix this? It would be greatly appreciated.
The string literal (value of $bloodtest) must be wrapped in single quotes:
$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of single quotes around values.
How to prevent SQL injection in PHP?

Issue with mysql_real_escape_string

I have the following query:
SELECT * FROM ships WHERE shipCode="SP"
SELECT * FROM ships WHERE shipCode=\"SP\"
The first works fine, the second which is the result of calling mysql_real_escape_string on the first string, doesn't work and gives the useless error message #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"SP\"' at line 1
What's wrong with it?
shipCode is a VARCHAR(2)
You're not supposed to call mysql_real_escape_string on the whole string. You use it only on the values you're concatenating into your query.
Wrong:
$query = 'SELECT * FROM ships WHERE shipCode="' . $var . '"';
$query = mysql_real_escape_string($query);
Right:
$query = 'SELECT * FROM ships WHERE shipCode="' . mysql_real_escape_string($var) . '"';
Even better: Prepared statements.
You need to have a valid connection with MySQL set up before you use mysql_real_escape_string. Do it like this:
$attr = "sp";
$query = "SELECT * FROM ships WHERE shipCode = '" . mysql_real_escape_string($attr) . "'";

MySQL Syntax Error

$sql = "UPDATE galleries SET name='$name', desc='$desc', mainthumb='$mt'
WHERE id='$id'";
This throws an error for some godforsaken reason. I must be way too tired because I don't see it.
I've confirmed that all the values are being posted. What's worse, it's an almost exact copy of a query that works fine.
Update:
This has been solved. It was the fact that desc didn't have backticks. I'm also going to use PDO instead as suggested.
Is desc not a keyword that you cannot use as a column name?
You have a column called desc, which is a reserved word. You will need to quote it with backticks.
`desc`='$desc'
Did you sanitize all the parameters before mixing them with the sql statement?
desc is a reserved word in MySQL; you have to explicitly mark it as an identifier:
An identifier may be quoted or unquoted. If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it. [...]
The identifier quote character is the backtick (“`”):
$mysql = mysql_connect(...
$sql = "
UPDATE
galleries
SET
name='" . mysql_real_escape_string($_POST['name'], $mysql) . "',
`desc`='" . mysql_real_escape_string($_POST['desc'], $mysql) . "',
mainthumb='" . mysql_real_escape_string($_POST['mt'], $mysql) . "'
WHERE
id='" . mysql_real_escape_string($_POST['id'], $mysql) . "'
";
or even better: use prepared statements
echo $sql and see what it actually becomes. It looks like an easy target for SQL injection, unless you took care of that.
Yes, make sure you first sanitize the data, using mysql_real_escape_string for instance.
Then echo your MySQL error (mysql_error()); it will give you more hints as to where the error is:
<?php
$link = mysql_connect("localhost", "mysql_user", "mysql_password");
mysql_select_db("nonexistentdb", $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
mysql_select_db("kossu", $link);
mysql_query("SELECT * FROM nonexistenttable", $link);
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
?>
$sql = "UPDATE `galleries` SET
name='".$name."',
desc='".$desc."',
mainthumb='".$mt."'
WHERE id='".$id."'";
This could be one alternative way to handle it. Although I would have gone with PDO as VolkerK suggested. I would also echo to see what it would output as well. Also, as Ben suggested, desc may be a reserved word.
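The galleries UPDATE done the way the last three threads recommend (backticked `desc`, escaping applied per value only, prepared statements, and an error report instead of a silent failure), as an added example that is not code from any of the questions or answers. Assumptions: an in-memory SQLite database stands in for MySQL (SQLite tolerates an unquoted desc, MySQL does not, so the backticks are kept), and the posted values are simulated inline. The catch block is the safe form of "echo $sql": it logs the statement template and the driver error, never the user-supplied values.

```php
<?php
// Added example: the UPDATE from the galleries question with PDO, plus the
// failure reporting the answers asked for. Assumption: sqlite::memory:
// stands in for the MySQL connection; the SQL text is the same for both.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE galleries (id INTEGER PRIMARY KEY, name TEXT, `desc` TEXT, mainthumb TEXT)');
$db->exec("INSERT INTO galleries (id, name, `desc`, mainthumb) VALUES (7, 'old', 'old', 'old.jpg')");

// Updates one gallery row from posted fields; returns the rows changed.
function updateGallery(PDO $db, array $post): int
{
    // `desc` is reserved in MySQL, so the identifier is backtick-quoted.
    $sql = 'UPDATE galleries SET name = :name, `desc` = :desc, mainthumb = :mt WHERE id = :id';
    try {
        $stmt = $db->prepare($sql);
        $stmt->bindValue(':name', (string) $post['name'], PDO::PARAM_STR);
        $stmt->bindValue(':desc', (string) $post['desc'], PDO::PARAM_STR);
        $stmt->bindValue(':mt',   (string) $post['mt'],   PDO::PARAM_STR);
        $stmt->bindValue(':id',   (int) $post['id'],      PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount();
    } catch (PDOException $e) {
        // SQLSTATE and driver message (what mysql_error() used to give) plus
        // the template; bound values are deliberately left out of the log.
        error_log(sprintf('query failed [%s]: %s -- %s', $e->getCode(), $e->getMessage(), $sql));
        throw $e;
    }
}

// If you ever must build SQL text yourself, escaping is applied to one value,
// not to the finished statement: the embedded quote is doubled and the
// surrounding quotes are added by the driver.
echo $db->quote("Kids' party"), "\n";   // 'Kids'' party'

$changed = updateGallery($db, ['name' => 'Summer', 'desc' => "Kids' party", 'mt' => 'sum.jpg', 'id' => '7']);
echo $changed, " row(s) updated\n";     // 1 row(s) updated
print_r($db->query('SELECT * FROM galleries')->fetchAll(PDO::FETCH_ASSOC));
```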
