I'm trying to query a database to find relevant results between two columns in separate tables. To do this I'm using the following code:
$query = "SELECT * FROM $table WHERE MATCH (TITLE) AGAINST ($description) AND ARTIST=$band ORDER BY relevance DESC";
$result = mysql_query($query);
if (!$result) {
die("Result False on line 47: $result <br>
Query: $query <br>
Error: " . mysql_error());
}
As you might expect, the error message appears saying I have an error in my MySQL syntax, but I'm not sure what it is. Any pointers?
AGAINST ($description) should be AGAINST ('$description')
ARTIST=$band should be ARTIST='$band'
Any strings that are processed through queries need single quotes ( ' ) around them, and column names with spaces need backticks ( ` ).
If $description or $band contain any quotes or slashes you will need to escape them using mysql_real_escape_string() (I'd recommend doing this anyway).
Also, you can consolidate your die statement into your query line:
$result = mysql_query($query) or die(
"Result False on line 47: $result <br>
Query: $query <br>
Error: " . mysql_error()
);
Sometimes, even when the syntax is correct, this error occurs because some SQL versions don't support this syntax.
Make sure your MySQL version supports this query before looking into other ways around it.
I got the vulnerable code below from a book about SQL injection. But when I try to exploit it and add ' to the input, it gives me an error like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Why do I get this error?
// build dynamic SQL statement
$SQL = “SELECT * FROM table WHERE field = ‘$_GET[“input”]’;”;
// execute sql statement
$result = mysql_query($SQL);
// check to see how many rows were returned from the database
$rowcount = mysql_num_rows($result);
// iterate through the record set returned
$row = 1;
while ($db_field = mysql_fetch_assoc($result))
{
if ($row <= $rowcount)
{
print $db_field[$row]. “<BR>”;
$row++;
}
}
I don't know what's up with your quotation characters, but let's look at this line of code instead:
$SQL = "SELECT * FROM table WHERE field = '$_GET[input]';";
So let's say you want to exploit this and get all rows. If you set $_GET[input] = "' OR 1=1" you get the following SQL:
SELECT * FROM table WHERE field = '' OR 1=1';
This is invalid SQL. Why? Because at the end you have a stray ' that the SQL interpreter doesn't understand. After a condition there is not supposed to be a beginning of a quote, and all quotes should be closed! That is why you get an error.
So to do a successful injection you need to make sure you produce valid SQL. In this case you could try using the payload ' OR '' = ', that generates this:
SELECT * FROM table WHERE field = '' OR '' = '';
Or just use a comment, as in ' OR 1=1 --, to neutralize the rest of the query:
SELECT * FROM table WHERE field = '' OR 1=1 --';
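The difference between concatenating the input and binding it, as an added example that is not part of the original question or answer. It uses PDO with an in-memory SQLite database in place of MySQL so that it runs without a server; the items table, its rows and both function names are assumptions. The inputs are the ones discussed above.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (assumption;
// the page uses MySQL). Table "items" and its rows are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, field TEXT)");
$pdo->exec("INSERT INTO items (field) VALUES ('alpha'), ('beta'), ('gamma')");

// Concatenation, as in the book's snippet: the input becomes part of the SQL text.
function lookup_concat(PDO $pdo, string $input): ?int
{
    $sql = "SELECT * FROM items WHERE field = '$input'";
    try {
        return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
    } catch (PDOException $e) {
        return null; // the database rejected the statement as invalid SQL
    }
}

// Prepared statement: the SQL text is fixed and the input is bound as a value.
function lookup_bound(PDO $pdo, string $input): int
{
    $stmt = $pdo->prepare("SELECT * FROM items WHERE field = ?");
    $stmt->execute([$input]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Inputs taken from the answer above, plus one ordinary value.
$inputs = ["alpha", "'", "' OR 1=1", "' OR '' = '", "' OR 1=1 --"];
foreach ($inputs as $input) {
    $concat = lookup_concat($pdo, $input);
    printf(
        "%-14s concat=%-14s bound=%d row(s)\n",
        $input,
        $concat === null ? 'syntax error' : "$concat row(s)",
        lookup_bound($pdo, $input)
    );
}
```

With binding, a quote in the input can neither break the statement nor change which rows match, so the syntax error and the widened result both disappear.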
<?php
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='" . $subject_id ."' ";
$query .= "LIMIT 1";
?>
The problem cause is in this line:
The error : "Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1"
So why, despite the syntax being right, is it giving me that error?!
The error message is from the execution of a line of code not shown in your question.
One obvious possibility is that the string value produced by this code is not being passed to MySQL. Another possibility is that $subject_id contains a string value that is being interpreted as SQL text, and the $query does not contain what you think it contains. There are a lot of other possibilities.
For debugging issues like this, we really need to identify the line of code that is actually throwing the error. (In your case, it's going to be a call to a mysql_, mysqli or PDO execute or prepare function or method.)
What you can do is add an echo or var_dump of the ACTUAL SQL text that is being passed to MySQL, on a line immediately preceding the line that is throwing the error.
For example, you would get this error message if a line of code after this code, and before the parse or execute call, modifies $query:
$query .= " LIMIT 1";
That would add a second LIMIT clause on the query, which is invalid, and would throw the same error you are getting.
To reiterate: the lines of code posted in your question are NOT throwing an error. The lines of code you posted are simply assigning a string value to a variable. (This may be the string value that is being passed to MySQL, but we don't see that anywhere in your code.)
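One way to capture the actual SQL text and the database error as the answer above suggests, while keeping both out of the page output. This is an added example, not code from the thread; PDO with in-memory SQLite stands in for MySQL, and run_query and the sample rows are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL (assumption); the
// "subjects" rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE subjects (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO subjects (name) VALUES ('About'), ('Products')");

// Hypothetical helper: run a statement with bound values. On failure, record
// the SQL text that was really sent plus the driver's message in the server
// log, and hand the caller null instead of printing either to the page.
function run_query(PDO $pdo, string $sql, array $params = []): ?array
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log(sprintf(
            "query failed [%s]: %s | SQL: %s",
            $e->getCode(),
            $e->getMessage(),
            $sql
        ));
        return null;
    }
}

$query = "SELECT * FROM subjects WHERE id = ? LIMIT 1";
$rows = run_query($pdo, $query, [1]);

// The failure the answer describes: a later line appends a second LIMIT.
$query .= " LIMIT 1";
$broken = run_query($pdo, $query, [1]);

echo $rows === null ? "lookup failed\n" : $rows[0]['name'] . "\n";
echo $broken === null ? "lookup failed\n" : $broken[0]['name'] . "\n";
```

The log line carries the full statement, including the doubled LIMIT, so the defect is visible to the developer while the visitor only sees the generic message.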
You are using 'subject_id'; the int format may be causing a problem, so use subject_id, and use Limit 0,1 as an alternative to Limit 1.
<?php
$query = "SELECT * ";
$query .= "FROM subjects ";
// cast to int so the unquoted value is always numeric
$query .= "WHERE id=" . (int) $subject_id . " ";
$query .= "LIMIT 0,1";
?>
You don't need to concatenate the variable; you can use:
<?php
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='$subject_id' ";
$query .= "LIMIT 1";
?>
You have two semi-colons after your variable as well, and if your variable is an integer, it doesn't need to be in single quotes either.
I'm using:
$query = "SELECT * FROM mydb WHERE condition = New ORDER BY id ASC";
but I get this error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/mydb.php on line 84
However, if I remove the WHERE clause it works perfectly. Can anyone point me in the right direction?
Is the WHERE clause not usable when doing a fetch array?
Thanks for any help.
edit: error message I've got:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'condition = 'New' ORDER BY id ASC'
Always run all your queries this way (at least until you adopt some intelligent lib for this):
$query = "SELECT * FROM mydb WHERE condition = New ORDER BY id ASC";
$result = mysql_query($query) or trigger_error(mysql_error()." in ".$query);
Just because not a single soul in the world can tell what's wrong with your query but the database itself. So, you have to ask it if there was any trouble. Not the Stack Overflow community (they have no idea anyway) but your db server. That's the point.
Note that you have to be able to watch the errors that occurred, either on-screen or in the error log.
After getting an error message about a syntax error you have to check the syntax of the displayed query. If there are no visible errors, refer to http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html in case there is an unescaped reserved word in your query. condition seems to be one. So
$query = "SELECT * FROM mydb WHERE `condition` = 'New' ORDER BY id ASC";
will be the solution.
You appear to be missing quotes around the word "New".
$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";
Also, are you passing $query to mysql_fetch_array, or did you just not mention the mysql_query call in your question?
Since you have tried adding single quotes to the ('New'),
kindly ensure that the condition is a column in the table you are querying and
that mydb is a table in your database (and not your database name)!
You have to quote the string.
$query = "SELECT * FROM mydb WHERE `condition` = 'New' ORDER BY id ASC";
Edit:
condition is a reserved word.
Is New one of your columns or just a value?
Try this:
$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";
$query = "SELECT * FROM mydb WHERE condition = 'New' ORDER BY id ASC";
$result = mysql_query( $query );
while( $row = mysql_fetch_array( $result ) ) {
// use $row
}
Never assume that a query will work - expect errors and check for them before processing any results.
$query = 'SELECT * FROM `mydb` WHERE `condition` = "New" ORDER BY `id` ASC';
$result = mysql_query( $query );
if( !$result ){
// Query Failed. You can access the error details with mysql_error()
}elseif( mysql_num_rows( $result )==0 ){
// Query Returned No Results
}else{
while( $r = mysql_fetch_assoc( $result ) ){
// Do whatever you want with the row, which is $r
}
}
I encountered the following warning when trying to access the page:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/designand/www/www/random.php on line 13
Everything was working fine when I was testing it on XAMPP.
<?php
$db_hostname = "localhost";
$db_username = "root";
$db_name = "links";
$db_pass = "xxx";
$dbh = mysql_connect ($db_hostname, $db_username, $db_pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($db_name) or die(mysql_error());
$num_displayed = 1 ;
$result = mysql_query ("SELECT * FROM 'links' ORDER BY RAND() LIMIT $num_displayed");
while($row = mysql_fetch_array( $result ))
{
echo "<img src=\"" . $row["image"] . "\" border=0 alt=\"\">" ;
}
mysql_close($dbh);
?>
An error like that almost always means there's a problem with your query.
To find out what error message MySQL returns, you can put or die(mysql_error()) just before the semicolon after your mysql_query call. You may also want to print the exact query text you send to MySQL, as this may help you to see the actual problem.
Given that I don't know how much you may have anonymized this example, I can't be sure if this is the actual error, but it looks like you've surrounded your table name with apostrophes ('). This is incorrect; the correct character for escaping table and column names is `.
"supplied argument is not a valid MySQL result resource" means that the query didn't return a valid resource. It failed. To view the error just print out mysql_error() after mysql_query().
Could be that the table doesn't exist. Did you check it?
The second thing - ORDER BY RAND() is bad! You should think of different ways to shuffle the result. Just google it, there are a lot of other ways to do it - ORDER BY RAND() # Google
Try changing this line:
$result = mysql_query ("SELECT * FROM 'links' ORDER BY RAND() LIMIT $num_displayed");
To:
$result = mysql_query ("SELECT * FROM 'links' ORDER BY RAND() LIMIT $num_displayed") or die (mysql_error());
It seems like the SQL is failing to return a valid response. Adding the above should show you the last MySQL error and help point you in the correct direction.
Please add this code to get if the mysql is throwing any errors:
$result = mysql_query('SELECT * WHERE 1=1');
if (!$result) {
die('Invalid query: ' . mysql_error());
}
while(....
I'm trying to use this query
$page_set = mysql_query("SELECT * FROM pages WHERE subject_id =
{$subject["id"]}", $connection);
but I keep getting this error when loading my page.
Database query failed: You have an
error in your SQL syntax; check the
manual that corresponds to your MySQL
server version for the right syntax to
use near '' at line 1
Try it without the complex syntax:
$query = 'SELECT * FROM pages WHERE subject_id = ' . $subject['id'];
$page_set = mysql_query($query, $connection);
Incidentally, I loathe variable parsing in strings, and prefer concatenation.
You're experiencing a quote mismatch. Try replacing the double quotes around your array key with single quotes.
$page_set = mysql_query("SELECT * FROM pages WHERE subject_id =
{$subject['id']}", $connection);
$sql = "SELECT * FROM pages WHERE subject_id = '".$subject["id"]."'";
$page_set = mysql_query($sql, $connection);
Make sure you escape the subject_id also.
Use single quotes.