Reg ex again.
Trying to run a like SQL query:
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:3:\"{$id}\"%'");
The problem is the length value will be unknown, only the ID.
Of course, I could use strlen($id) and do this:
$len = intval(strlen($id));
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:{$len}:\"{$id}\"%'");
But I don't really care to check the len value, there's gotta be a bit of Reg ex to match anything where the length will be and sort this without having to calc the length before.
mysql_query("SELECT * From tablename WHERE somthing LIKE '%id|length:^*:\"{$id}\"%'");
ideas?
#Naddiseo's link is a good one, I recommend you use REGEXP. What do you mean by 'No exact example matching'?
Try something like (I added in the newlines for readability):
mysql_query("SELECT * From tablename
WHERE somthing
REGEXP '^.*id\\\|length:[0-9]+:\"{$id}\".*$'");
The relevant regex without worrying about escaping for MYSQL/php strings is
^.*id\|length:[0-9]+:"abc".*$
(assuming abc is a particular ${id}).
It says, "look for anything followed by the literal string id|length: (I've escaped it as | has a special meaning in regex and you want literal |), followed by numbers ([0-9]+) being the length of the id, followed by :"{$id}" and anything else" (where {$id} has been substituted in).
Now, if you read the MySQL regexp page that #Naddiseo quoted, you'd see that any backslashes need to be further escaped as MySQL parses backslashes as special characters.
So, if you were to enter this query into a MySQL command line (let's assume {$id} is abc for now), you'd have to type:
SELECT * From tablename
WHERE somthing
REGEXP '^.*id\\|length:[0-9]+:"abc".*$'
Now, since you are calling this from PHP inside double quotes, you need to escape your backslashes again to make sure the right number get through to MySQL, as well as backslashing your double quotes to escape them. Hence the three backslashes in the mysql_query above before the |.
I have one MySQL query which is using LIKE for matching a string with one of my tables columns, and it's working fine in most of the scenarios.
select * from TableName where Column like "%STRING%"
But now I have one group of records that have "_0" in them. In this case, I get a query something like this.
select * from TableName where Column like "%_0%"
In this case, MySQL is taking _ as a wildcard and skipping the first index from the string.
Now my question is: is it possible to make this search work as it is? Is there any way to tell MySQL it's not a ( _ ) wildcard, so it searches for the string?
I will really appreciate your help.
Thanks in advance.
You can use a backslash to escape it:
where Column like '%\_0%'
Or use your own escape character:
where Column like '%$_0%' escape '$';
I have an SQL query which searches for json strings, these json strings include backslashes within them to escape quotation marks.
The SQL query I am using works to find what I am looking for but I'm struggling to get a PHP mysqli query working due to having to have backslashes within the query which are literal and not escape characters, but also having to use backslashes to escape quotation marks within the mysqli query.
So the string I'm searching for is this, with the backslashes actually appearing within the string:
[insert=\"userform\",id=\"1\"]
The SQL query I use is:
SELECT id, name FROM `posts` WHERE content LIKE '%[insert=\\"userform\\",id=\\"1\\"]%' ESCAPE "|"
This works to find the rows I want by changing the default escape character. But then when I try to use the same query in PHP I have to escape the single quotes around the LIKE statement, causing issues.
$mysqli->query('SELECT id, name FROM `posts` WHERE content LIKE \'%[insert=\\"userform\\",id=\\"1\\"]%\' ESCAPE "|"');
I'm trying to use mysqli_real_escape_string as I think that will do what I need, but haven't been able to get it right yet, what am I doing wrong?
It's because PHP's escape character is the backslash; you need to escape them too, like:
$mysqli->query('SELECT id, name FROM `posts` WHERE content LIKE \'%[insert=\\\\"userform\\\\",id=\\\\"1\\\\"]%\' ESCAPE "|"');
A good way to check it is to echo the query before executing it, to see if the final result is good.
I am able to navigate between PHP pages using the ID but not using the project name. Can you only use a number and not characters?
Works
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE id=$id";
'.$row['project'].'
page url: https://example.com/project.php?id=1
Doesn't work
$sql = "SELECT id, assigned, project, start, end, status
FROM projects
WHERE project=$project";
'.$row['project'].'
page url: https://example.com/project.php?project=Test
Thanks for the help!
MySQL uses single or double quotes for strings. Your second query puts a string into the query, resulting in an invalid query.
This is not a valid SQL query:
SELECT `name` FROM `cats` WHERE `breed` = ordinary cat
But this is:
SELECT `name` FROM `cats` WHERE `breed` = 'ordinary cat'
Of note, be careful with using any input (including the query string) in your query like you did. You should use a prepared statement instead to safely escape that string for your query.
I was surprised to discover that the MySQL query
SELECT * WHERE name LIKE "%AFA_";
returns rows where name is SAFARI. To get it to match on the underscore, you have to do:
SELECT * WHERE name LIKE "%AFA\_";
Is there a PHP function that can do this transition or do I have to use str_replace?
PHP has no knowledge of MySQL LIKE wildcards, nor should it.
It does, however, have a way to escape things in strings if you want, and that is str_replace.
Replace instances of _ with \_, or whatever you like.
Ultimately this question has nothing to do with MySQL.
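The wildcard questions above ("_0", "%AFA_") and the backslash search in the JSON question share one fix, shown here as an added example that is not from any of the original posts: escape the LIKE metacharacters with a custom escape character and bind the pattern as a parameter. It assumes pdo_sqlite so that it runs offline; the items table, the helper names and the rows are constructed for illustration.

```php
<?php
// Added example; pdo_sqlite, the items table and both helper names are
// assumptions, and the rows are constructed sample data.

// Escape LIKE metacharacters so the needle is matched literally. strtr()
// makes a single pass, so an inserted '!' is never escaped a second time.
function like_literal(string $needle): string
{
    return strtr($needle, [
        '!' => '!!',
        '%' => '!%',
        '_' => '!_',
    ]);
}

// Substring search with the pattern bound as a parameter, so the SQL
// string-literal parser never sees the needle.
function find_containing(PDO $db, string $needle): array
{
    $stmt = $db->prepare(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '!' ORDER BY name"
    );
    $stmt->execute(['%' . like_literal($needle) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$ins = $db->prepare('INSERT INTO items (name) VALUES (?)');
// PHP single quotes keep the backslashes in the last row as literal characters.
$rows = ['rec_01', 'rec101', '50% off', '500 off',
         '[insert=\"userform\",id=\"1\"]'];
foreach ($rows as $row) {
    $ins->execute([$row]);
}

// Needles containing '_', '%' and backslashes, each searched for literally.
foreach (['_0', '0%', '[insert=\"userform\",id=\"1\"]'] as $needle) {
    printf("%-32s => %s\n", $needle, json_encode(find_containing($db, $needle)));
}
```

The same `LIKE ? ESCAPE '!'` statement is valid in MySQL, where choosing an escape character other than the backslash also removes the extra doubling the JSON question ran into.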
http://www.pwntester.com/blog/2014/01/15/hackyou2014-web100-write-up/
At this link, they have injected using hex code like
0x39393939393939393939393920756e696f6e20616c6c202873656c656374202748656c6c6f21212729
meaning:
999999999999 union all (select 'Hello!!')
In MySQL, we cannot type a query like
Mysql> 0x0abcd... (assume that 0x0abc.. mean select * from...).
So, can you explain to me why they can inject as in my link?
p/s: Sorry about my poor English.
The SQL injection does not happen in the INSERT statement but in the second SELECT statement:
"SELECT title FROM picture WHERE id = ".$r['id']
Here $r['id'] is the recently inserted ID, i. e., the user supplied $_POST['id'] value.
Now the reason for why this SQL injection works is MySQL’s support for hexadecimal literals and the fact that the id column of the vote table is of a string type as in that case the following applies:
In string contexts, they act like binary strings, where each pair of hex digits is converted to a character:
mysql> SELECT X'4D7953514C';
-> 'MySQL'
mysql> SELECT 0x0a+0;
-> 10
mysql> SELECT 0x5061756c;
-> 'Paul'
For PHP 0x… is numeric (i. e., is_numeric) and for MySQL 0x… is interpreted and stored as string, which later gets inserted into the above mentioned SELECT statement.
This wouldn’t be possible if either
id would have been a numeric data type, or
the SELECT would have been a prepared statement.
This is already answered in the comments on that blog post. The hex string must be run through PHP, or some other system which incorrectly passes the value to MySQL as a string (instead of a number), in order for this "hack" to work.
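The two mitigations named in the first answer, as an added example that is not code from the blog post or from either answer: a strict decimal check on the posted value, and a bound parameter on the second SELECT. It assumes pdo_sqlite so that it runs offline; the schema, the function names and the sample row are hypothetical.

```php
<?php
// Added example; pdo_sqlite, the schema and the function names are assumptions.
// $stored is the string from the question, i.e. what a string-typed column
// holds after MySQL decodes the 0x... literal. $posted is a constructed value.

// Accept only a plain decimal integer at the input boundary. is_numeric()
// accepted "0x..." strings before PHP 7.0; FILTER_VALIDATE_INT rejects them
// unless FILTER_FLAG_ALLOW_HEX is set.
function is_decimal_id(string $raw): bool
{
    $opts = ['options' => ['min_range' => 1]];
    return filter_var($raw, FILTER_VALIDATE_INT, $opts) !== false;
}

// The concatenation from the answer, returned as text to show that the stored
// value becomes part of the statement's syntax.
function concat_sql(string $id): string
{
    return "SELECT title FROM picture WHERE id = " . $id;
}

// Hardened read: the stored value is bound and can only be compared as data.
function titles_for(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT title FROM picture WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE picture (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO picture (id, title) VALUES (1, 'Sunset')");

$posted = '0x3939';
$stored = "999999999999 union all (select 'Hello!!')";

var_dump(is_decimal_id($posted));     // input check on a hex-looking value
var_dump(is_decimal_id('1'));         // input check on a decimal id
echo concat_sql($stored), "\n";       // text the concatenating SELECT would send
var_dump(titles_for($db, $stored));   // bound lookup with the stored string
var_dump(titles_for($db, '1'));       // bound lookup with a real id
```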