SQL Injection on INSERT - sql

I'm currently testing vulnerabilities to SQL injection in my company's application as an IT trainee.
So I found that the application is indeed vulnerable to injections, because I can alter some of the insert statements.
So I altered the insert statement to this:
INSERT INTO tablename( column, column1, column2, column3, column4,column5, column6, column7, column8 )
VALUES ( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100',
18);
DELETE *
FROM tablename;-- , 2023,'a', CURRENT_DATE, 'v0201100', 18 )
I thought this should be a correct statement, but the MySQL server returned this error:
MySQL Error: 1064 (You have an error in your SQL syntax;[...]
It would be nice if somebody could help and tell me why the syntax is wrong...
Thanks for your help :-)
Edit:
Thanks for all your answers. :) Unfortunately the * wasn't the problem.
I tried to execute the statement (the statement is executed by PHP) without the delete part,
so the statement looks like this:
[...] VALUES( 10963455, 182951959, 23, 23,2023, '', CURRENT_DATE, 'v0201100', 18)--, 2023, '', CURRENT_DATE, 'v0201100', 18 )
But even then the MySQL server returned the same error.
Here is the full error message:
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--, 2023, '', CURREN' at line 17) Session halted.
Would really appreciate it if anyone knew the problem.

If that sample chunk of query is executed in a SINGLE ->query() call, MySQL's driver doesn't allow multiple queries within a single query call. It eliminates the bobby tables type injection attacks, but doesn't prevent injecting values that would manipulate where clauses and whatnot.

Having a look at the MySQL spec for DELETE, there is no suggestion that you can include * immediately after DELETE. Try removing it.
The * is used in a select statement to select all columns. Specifying it here makes no sense, as you are deleting rows.
I believe the -- commented-out line will be ignored by the parser (I would certainly expect it to be), so that bit of code should be ok. If in doubt remove it as a test.

When I split your SQL statement into multiple lines using ; as separator, I get:
1) VALUES( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100', 18);
2) DELETE * FROM tablename;
3) -- , 2023, 'a', CURRENT_DATE, 'v0201100', 18 )
To me, 3) doesn't look like valid SQL...

MySQL doesn't allow a delete query without a where statement. You can use:
DELETE * FROM tablename WHERE 1 = 1
You may also have to remove the * after delete, it doesn't look like MySQL supports that.

#freddy: DELETE * FROM tablename should be DELETE FROM tablename.

The ANSI SQL definition for DELETE statements does not include an asterisk *.
Try: DELETE FROM tablename

Additionally, you are using a SQL injection. The reason why SQL injections are possible at your company is a secret (just use prepared statements), but this isn't the question. Most SQL injections are caused by using mysql_query() without filtering/escaping. mysql_query() allows only 1 query. There would have to be mysql_multi_query() if this should work.
Modifying data in SELECT-Statements is prohibited by MySQL.
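As an added example, not code from the question or any of the answers: the injected INSERT from the question replayed through Python's built-in sqlite3 module as a stand-in for PHP and MySQL. sqlite3's execute(), like mysql_query(), refuses a second ';'-separated statement, and the same payload bound as a parameter lands in the table as plain data. The table, column names and payload are constructed for the demo.

```python
import sqlite3

# Constructed payload in the shape of the question: close the VALUES list,
# stack a DELETE and comment out the rest of the original statement.
PAYLOAD = "18); DELETE FROM tablename;-- "

def setup():
    """In-memory stand-in for the table in the question (names constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tablename (column1 TEXT, column2 INTEGER)")
    con.execute("INSERT INTO tablename VALUES ('existing', 1)")
    return con

def insert_concatenated(con, value):
    """Vulnerable form: the value is pasted into the statement text."""
    con.execute(f"INSERT INTO tablename (column1, column2) VALUES ('x', {value})")

def insert_parameterised(con, value):
    """Hardened form: the driver binds the value, so it never becomes SQL."""
    con.execute("INSERT INTO tablename (column1, column2) VALUES ('x', ?)", (value,))

def row_count(con):
    return con.execute("SELECT COUNT(*) FROM tablename").fetchone()[0]

def run_demo():
    """Return what each form does with a benign value and with the payload."""
    out = {}
    con = setup()
    insert_concatenated(con, "18")              # benign input: one row added
    out["concat_benign_rows"] = row_count(con)
    try:
        insert_concatenated(con, PAYLOAD)       # stacked statement: refused
        out["concat_payload"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as e:
        out["concat_payload"] = f"refused: {e}"  # "only execute one statement"
    out["concat_payload_rows"] = row_count(con)  # nothing deleted, nothing added

    con = setup()
    insert_parameterised(con, PAYLOAD)          # payload stored as plain data
    out["param_rows"] = row_count(con)
    out["param_stored"] = con.execute(
        "SELECT column2 FROM tablename WHERE column1 = 'x'").fetchone()[0]
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The single-statement rule only blocks the stacked DELETE; a payload that stays inside one INSERT is not caught by it, which is why the bound-parameter form, not the driver, is the fix.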

Related

Does Actian PSQL 13.31 (Zen) have the equivalent of SQL Server "IN" in WHERE clause?

I have read a ton of Actian PSQL docs but cannot find out how to duplicate this simple SQL verb:
SELECT column_name(s)
FROM table_name
WHERE column_name IN (value1, value2, ...);
Does Actian PSQL 13.31 have the equivalent of SQL Server IN in the WHERE clause?
They do have an IN verb but it does something totally different.
This seems to work fine. The formatting of the statement has no impact.
select * from "Class" WHERE ID IN (160, 161 )
If you run that SQL in PCC in the DemoData db I get only two records. Not sure what I was doing wrong but you guys got me going. Thank you.

How to store the result of select statement into the temporary table in Oracle?

We can write select column1,column2 into #temp from tableName in SQL Server. But I am unable to write the same query in an Oracle database.
I want to store the result of select/insert/delete/update or any result set into a local temporary table in an Oracle database. How can I do this?
I am executing the below query in my Oracle SQL Developer tool:
select * into #temp
from bmi;
but I am getting the error below; please help me find this error.
When I execute the same query in Microsoft SQL Server it gets executed and the #temp table gets created, which is not present in the database but can hold the data for that particular session. So I want the same scenario in an Oracle database.
ORA-00911: invalid character
00911. 00000 - "invalid character"
*Cause: identifiers may not start with any ASCII character other than
letters and numbers. $#_ are also allowed after the first
character. Identifiers enclosed by doublequotes may contain
any character other than a doublequote. Alternative quotes
(q'#...#') cannot use spaces, tabs, or carriage returns as
delimiters. For all other contexts, consult the SQL Language
Reference Manual.
*Action:
Error at Line: 1 Column: 15
You can't. Oracle doesn't have local temporary tables, it doesn't work like that. But it doesn't need to. Oracle has a very different internal model from SQL Server which means a lot of SQL Server practices are unnecessary in Oracle. (To be fair SQL Server has neat things which Oracle doesn't, like ANSI 92 Joins for DML.)
The key insight is: you don't want to store the result of select/insert/delete/update or any result set into a local temporary table. That is something you had to do in T-SQL to achieve the end goal of implementing some business logic. But what you actually wanted to do in SQL Server and what you want to do in Oracle is write some code which delivers value to your organisation.
So, with that mindset in place, what do you need to do?
If you want to loop round a result set then perhaps a Cursor Loop is what you're looking for?
for rec in ( select * from some_table
where the_date = date '2018-02-01' )
loop
...
If you want to work on some data prior to inserting it into a table then perhaps you should use a PL/SQL collection:
type l_recs is table of some_table%rowtype;
But maybe you just need to understand Oracle's Transaction Management model. A lot of things are possible in pure SQL without any need for procedural framework.
Create a temporary table:
create global temporary table
results_temp (column1, column2)
on commit preserve rows;
and then insert to it from your table:
insert into results_temp (column1, column2 )
SELECT column1,column2
FROM source_table
create global temporary table temp_table_name
on commit preserve rows as select column1,column2,columnN from your_table;

insert into using Values

I am using SQL Server 2005 and doing a simple insert into and getting an incorrect syntax error. I see nothing wrong with my code. Can someone give me some ideas what could be wrong with it?
insert into inonhd
(fpartno,fpartrev,flocation,fonhand,fcudrev)
Values
('CRV109','1','11','01','1'),
('CRV110','0','11','01','0')
The error is: Incorrect syntax near ','.
You must add each row in a separate command.
insert into inonhd
(fpartno,fpartrev,flocation,fonhand,fcudrev)
Values
('CRV109','1','11','01','1')
and:
insert into inonhd
(fpartno,fpartrev,flocation,fonhand,fcudrev)
Values
('CRV110','0','11','01','0')
It is really important to note that the syntax in the question is fine for more recent versions of SQL Server. This is acceptable:
insert into inonhd(fpartno, fpartrev, flocation, fonhand, fcudrev)
Values ('CRV109','1','11','01','1'),
('CRV110','0','11','01','0');
If you want to do this in one statement, you can use select . . . union all:
insert into inonhd(fpartno, fpartrev, flocation, fonhand, fcudrev)
select 'CRV109','1','11','01','1' union all
select 'CRV110','0','11','01','0';
Of course, multiple inserts are another possibility.

Why does SQLite complain about this code?

I am writing a project and using generated SQL for testing, but SQLite complains about my code.
INSERT INTO Categories
(CategoryId, Name, UrlName, CategoryIndex)
VALUES
('b2cc232c-0d5c-4f35-bb6f-29c67d7d40c2', 'Using Forums', 'usingforums', 0),
('ad9b355d-77bf-4a30-b3fe-7d562df2899f', '.NET Development', 'netdevelopment', 1),
('c4882e5e-4eb5-4e5e-b73a-3bf358bda60e', 'Visual Studio', 'visualstudio', 2),
('8c611ec3-5c2c-45c2-be01-6595b43155ee', 'Visual C#', 'visualcsharp', 3),
('c96cea21-de98-4d68-b22b-90eea66d6b77', 'Visual C++', 'visualcpp', 4),
('c6fb52d5-d4c6-48c2-8892-75f9cb330106', 'Architecture', 'architecture', 5),
('20616eb8-2273-449b-8f65-a49621b92ea4', 'SQL Server', 'sqlserver', 6)
Error:
SQL Execution Error.
Executed SQL statement: INSERT INTO Categories...
Error Source: System.Data.SQLite
Error Message: SQLite error
near "," syntax error
Schema of this table:
table Categories (
CategoryId UNIQUEIDENTIFIER not null,
Name TEXT not null,
UrlName TEXT not null,
CategoryIndex INTEGER not null,
primary key (CategoryId)
)
Why?
SQLite doesn't allow you to insert multiple rows with the values clause.
Try a union all select instead:
INSERT INTO Categories
(CategoryId, Name, UrlName, CategoryIndex)
select 'b2cc232c-0d5c-4f35-bb6f-29c67d7d40c2', 'Using Forums', 'usingforums', 0
union all select 'ad9b355d-77bf-4a30-b3fe-7d562df2899f', '.NET Development', 'netdevelopment', 1
....
SQLite doesn't support the multi-values insert syntax - that's a MySQL extension to SQL syntax. You'll have to rewrite this as one-query-per-value-set, so 7 different queries.
Because your SQL is not valid. You can only insert a single tuple of values in each INSERT statement.
I don't think anyone here has answered the question - 'why does SQLite complain...' because if you look at the SQLite documentation, it DOES allow multiple values on insert: http://www.sqlite.org/lang_insert.html, excerpt:
"The first form (with the "VALUES" keyword) creates one or more new rows in an existing table."
So what is wrong with this code?
INSERT INTO "roles" ("description", "name", "rid") VALUES ('Administrator','admin',2), ('Member','member',3)
gives this error: Query Error: near ",": syntax error Unable to execute statement
but this works:
INSERT INTO "roles" ("description", "name", "rid") VALUES ('Administrator','admin',2)
For future reference, SQLite has somewhat recently added a feature which allows for multiple entries per query delimited by commas as in your example. See user2241515's answer for further info and link.
That said, I have tested this. With new versions of SQLite3 (3.7.11+) it does work from the console, at least in my case. The problem is it will probably take a while for various SQL parsers to catch up. As an example, I am using Qt for this. The same statement that works in the console does not work when executed by a Qt application. The error is the same as above:
Database error: near ",": syntax error Unable to execute statement
Another possible issue is that SQLite does not allow for large queries (I think the limit is around 500 created rows per query right now). But the error for that looks different.
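As an added example, not code from any of the answers above: a Python helper that loads the question's Categories rows with one INSERT whose values are all bound parameters, using the multi-row VALUES form when the linked SQLite library is 3.7.11 or newer and otherwise the UNION ALL form from the first answer. Only the first three rows from the question are embedded; the schema is the one the question shows.

```python
import sqlite3

# Schema from the question. UNIQUEIDENTIFIER is not a SQLite type name; it just
# gets NUMERIC affinity, so the GUID strings are stored as text.
SCHEMA = """CREATE TABLE Categories (
    CategoryId UNIQUEIDENTIFIER NOT NULL,
    Name TEXT NOT NULL,
    UrlName TEXT NOT NULL,
    CategoryIndex INTEGER NOT NULL,
    PRIMARY KEY (CategoryId))"""

# First three rows from the question's INSERT.
ROWS = [
    ("b2cc232c-0d5c-4f35-bb6f-29c67d7d40c2", "Using Forums", "usingforums", 0),
    ("ad9b355d-77bf-4a30-b3fe-7d562df2899f", ".NET Development", "netdevelopment", 1),
    ("c4882e5e-4eb5-4e5e-b73a-3bf358bda60e", "Visual Studio", "visualstudio", 2),
]

MULTI_ROW_VALUES_SINCE = (3, 7, 11)  # SQLite release that added multi-row VALUES

def build_insert(rows, multi_row_values):
    """Return (sql, params): every value is a bound '?', so no row is ever
    spliced into the statement text."""
    cols = "(CategoryId, Name, UrlName, CategoryIndex)"
    if multi_row_values:
        body = "VALUES " + ", ".join("(?, ?, ?, ?)" for _ in rows)
    else:
        body = " UNION ALL ".join("SELECT ?, ?, ?, ?" for _ in rows)
    return f"INSERT INTO Categories {cols} {body}", [v for row in rows for v in row]

def load_categories(rows=ROWS, multi_row_values=None):
    """Create the table in memory, insert rows in a single statement and
    return (form_used, row_count, names_in_index_order)."""
    if multi_row_values is None:  # decide by the library actually linked in
        multi_row_values = sqlite3.sqlite_version_info >= MULTI_ROW_VALUES_SINCE
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    sql, params = build_insert(rows, multi_row_values)
    con.execute(sql, params)
    count = con.execute("SELECT COUNT(*) FROM Categories").fetchone()[0]
    names = [r[0] for r in con.execute(
        "SELECT Name FROM Categories ORDER BY CategoryIndex")]
    return ("values" if multi_row_values else "union_all"), count, names

if __name__ == "__main__":
    print(sqlite3.sqlite_version, load_categories())
```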

Oracle SQL Syntax: With clause

I'm currently using the Java version of General SQL Parser for Oracle for some relatively complex Oracle SQL queries.
As in my case I have no access to any Oracle DB but only have the SQL statements in a file, I encounter some statements where the parser fails; one particular case boils down to the following.
select id from (
with foo as (
select bar from sometable
)
select *
from foo
)
The with clause can be parsed without problem if it is not nested.
with foo as (
select bar from sometable
)
select *
from foo
So do I have a bug in the parser or in the statement?
Best,
Will
The SQL statement is valid, so I guess the parser just can't handle it.
To be sure, try running the SQL in SQL Plus.
This is a perfectly valid statement in Oracle (I just tried it).
But it might not be valid ANSI SQL and that might be the reason why the parser doesn't understand it.