This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 3 years ago.
Not sure what is the right syntax of the pdo->quote. php.net shows only "echo $stmt->quote($var)". But I don't need to "echo" this variable.
How should I save the result and transfer it to request?
With the first string $stmt uncommented I receive bool(false). Without it all works just fine.
//$var1 = $this->_db->quote($var1);
$stmt = $this->_db->query("SELECT activation FROM users WHERE email = '$var1' LIMIT 1");
quote() adds it's own quotation marks, so remove them from the query.
$var1 = $this->_db->quote($var1);
$stmt = $this->_db->query("SELECT activation FROM users WHERE email = $var1 LIMIT 1");
Have you considered using prepared statements? http://www.php.net/manual/en/pdo.prepare.php
Related
This question already has an answer here:
CS50: LIKE operator, variable substitution with % expansion
(1 answer)
Closed 2 years ago.
I am trying to run a SQL query in my Flask application to search a database. However, I get an error when I run the query:
db.execute("SELECT * FROM books WHERE author LIKE '%:author%' ", {"author":query})
The resulting error is this (passed 'Tom' in my input):
sqlalchemy.exc.ProgrammingError: (psycopg2.errors.SyntaxError) syntax error at or near "Tom"
LINE 1: SELECT * FROM books WHERE author LIKE '%'Tom'%'
^
[SQL: SELECT * FROM books WHERE author LIKE '%%%(author)s%%' ]
[parameters: {'author': 'Tom'}]
(Background on this error at: http://sqlalche.me/e/f405)
I've tested the query with a hard coded value and it works fine. I would like to know what is causing the error and how to fix it.
You need string concatenation. Many SQL databases support concat() (and other have an equivalent function or operator, such as standard operator ||):
db.execute("SELECT * FROM books WHERE author LIKE CONCAT('%', :author, '%')", {"author":query})
Another option is to concatenate '%'s around your parameter in your application first, and then pass it to the query.
This question already has an answer here:
Error using DBUtils in first scenario [duplicate]
(1 answer)
Closed 1 year ago.
In karate, I am trying to read database query
* def AccountDetails = db.readRow('select * from ')
From this I am trying to read individual values from this query and set this to one value
* set oimattrDetails $.User Login = AccountDetails.UD_BLR_USR_USER_LOGIN
Here, UD_BLR_USR_USER_LOGIN - is of the attribute present in the particular database
I do not want to hard code this value at this point. Instead assign this to some reference value and call it
*def USER_LOGIN = UD_BLR_USR_USER_LOGIN
Now use USER_LOGIN
* set oimattrDetails $.User Login = AccountDetails.USER_LOGIN
Something like this..But this is not working
Can any one help me here with exact syntax to use
A lot depends on what is the type of object returned by this code:
db.readRow()
That code is not part of Karate and you should provide more details here on that part - otherwise no one can help you. If it is not written by you, talk to the person or team who has written it - there is no point in talking about database "attributes". Maybe a simple solution is to add some Java code to the db object (I am assuming this is a Java utility) - to solve for your specific use case.
In short, your question sounds to me that it has nothing to do with Karate.
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 2 months ago.
I've used the mysqli_stmt_bind_param function several times. However, if I separate variables that I'm trying to protect against SQL injection I run into errors.
Here's some code sample:
function insertRow( $db, $mysqli, $new_table, $Partner, $Merchant, $ips, $score, $category, $overall, $protocol )
{
$statement = $mysqli->prepare("INSERT INTO " .$new_table . " VALUES (?,?,?,?,?,?,?);");
mysqli_stmt_bind_param( $statment, 'sssisss', $Partner, $Merchant, $ips, $score, $category, $overall, $protocol );
$statement->execute();
}
Is it possible to somehow replace the .$new_table. concatenation with another question mark statement, make another bind parameter statement, or add onto the existing one to protect against SQL injection?
Like this or some form of this:
function insertRow( $db, $mysqli, $new_table, $Partner, $Merchant, $ips, $score, $category, $overall, $protocol )
{
$statement = $mysqli->prepare("INSERT INTO (?) VALUES (?,?,?,?,?,?,?);");
mysqli_stmt_bind_param( $statment, 'ssssisss', $new_table, $Partner, $Merchant, $ips, $score, $category, $overall, $protocol );
$statement->execute();
}
Short answer to your question is "no".
In the strictest sense, at the database level, prepared statements only allow parameters to be bound for "values" bits of the SQL statement.
One way of thinking of this is "things that can be substituted at runtime execution of the statement without altering its meaning". The table name(s) is not one of those runtime values, as it determines the validity of the SQL statement itself (ie, what column names are valid) and changing it at execution time would potentially alter whether the SQL statement was valid.
At a slightly higher level, even in database interfaces that emulate prepared statement parameter substitution rather than actually send prepared statements to the database, such as PDO, which could conceivably allow you to use a placeholder anywhere (since the placeholder gets replaced before being sent to the database in those systems), the value of the table placeholder would be a string, and enclosed as such within the SQL sent to the database, so SELECT * FROM ? with mytable as the param would actually end up sending SELECT * FROM 'mytable' to the database, which is invalid SQL.
Your best bet is just to continue with
SELECT * FROM {$mytable}
but you absolutely should have a white-list of tables that you check against first if that $mytable is coming from user input.
The same rule applies when trying to create a "database".
You cannot use a prepared statement to bind a database.
I.e.:
CREATE DATABASE IF NOT EXISTS ?
will not work. Use a safelist instead.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
After R&D I didn't get solution for this flaw. Please guide me in solving this flaw
Description
This database query contains a SQL injection flaw. The function call constructs a dynamic SQL query using a variable derived from user-supplied input. An attacker could exploit this flaw to execute arbitrary SQL queries against the
database.
Recommendations
Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate user-supplied input to
ensure that it conforms to the expected format, using centralized data validation routines when possible.
public void EditUser(User f)
{
string connectionString
= ConfigurationSettings.AppSettings["ConnectionString"];
SqlConnection conn = new SqlConnection(connectionString);
SqlCommand cmd = conn.CreateCommand();
string adm = (f.IsAdmin?"1":"0");
string phone="",email="";
if(f.PhoneList.Count > 0)
phone = f.PhoneList[0].ToString();
if(f.EmailList.Count > 0)
email = f.EmailList[0].ToString();
for(int i = 1; i < f.PhoneList.Count; i++)
phone = phone + ";" + f.PhoneList[i].ToString();
for(int i = 1; i < f.EmailList.Count; i++)
email = email + ";" + f.EmailList[i].ToString();
cmd.CommandText = "UPDATE Users SET is_admin="+adm+",login='"+f.Login+"',passwd='"+f.Password+
"',firstname='"+f.FirstName+"',lastname='"+f.LastName+"',email='"+email+"',phone='"+phone+"',address='"+f.Address+"' where user_id="+f.UserId;
conn.Open();
int affected = cmd.ExecuteNonQuery();
cmd.ExecuteNonQuery();
}
Your code builds up the SQL command by appending strings together
cmd.CommandText
= "UPDATE Users SET is_admin="+adm+",login='"+f.Login+"',passwd='"+f.Password+
"',firstname='"+f.FirstName+"',lastname='"+f.LastName+"',email='"+email+"',phone='"+phone+"',address='"+f.Address+"' where user_id="+f.UserId;
Suppose someone called your function with a User value where lastname equaled
"Presser';DROP TABLE Users --"
Your SQL command will now destroy the Users table.
See here, where MSDN describes how to avoid this problem.
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
I've been staring at this thing for a while now and I can't seem to figure out what the syntax error is. I've been in this situation before and last time it was something so unbelievably simple I felt stupid afterwards. But here's to another attempt:
//update database
$q = "
UPDATE
users
SET
id='$edit_id',
name='$edit_name',
bdm='$edit_bdm',
add='$edit_add',
pc='$edit_pc',
location='$edit_outletL',
style='$edit_outletS',
coName='$edit_coName',
coNum='$edit_coTel',
coEmail='$edit_coEmail',
password='$edit_pass'
WHERE
id='$query_title'
";
$edit_query = mysql_query($q) or die("Database Query Error: ". mysql_error());
Database Query Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'add='Llancadle, Nr Barry', pc='CF62 3AQ', location='rural', style='food', coName' at line 1
You neeed to backquote add since it is a keyword:
`add` = ...
I think add is a reserved word in MySQL.
your problem is that "add" is a MySQL reserved word. See: http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html. If you have a column named "add", escape it like this:
//update database
$edit_query = mysql_query("UPDATE users SET id='$edit_id', name='$edit_name', bdm='$edit_bdm', `add`='$edit_add', pc='$edit_pc', location='$edit_outletL', style='$edit_outletS', coName='$edit_coName', coNum='$edit_coTel', coEmail='$edit_coEmail', password='$edit_pass' WHERE id='$query_title'") or die("Database Query Error: ". mysql_error());
as bobby noted in a comment, add is a mysql reserved word
`add`='$edit_add'
will tell mysql you are talking about a column