0

1064:You have an error in your SQL syntax

Is this error sql injectiable because personally I'm afraid I dont know how to fix it and if it is injectable i need to fix it fast?

1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' or categoryMark like '%'%' or packageName like '%'%')' at line 1 [ SQL ] : select count(id) as count from microvirt_app_i18n where advertiser = 'google' and color0 and countrycode = 'US' and (name like '%'%' or categoryMark like '%'%' or packageName like '%'%') 错误位置

FILE: /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php  LINE: 350 TRACE

#0 /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php(350): E('1064:You have a...') #1 /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php(180): Think\Db\Driver->error() #2 /var/www/html/home/ThinkPHP/Library/Think/Model.class.php(1382): Think\Db\Driver->query('select count(id...') #3 /var/www/html/home/Application/Home/Controller/SearchController.class.php(31): Think\Model->query('select count(id...') #4 [internal function]: Home\Controller\SearchController->index(''', 'en') #5 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(171): ReflectionMethod->invokeArgs(Object(Home\Controller\SearchController), Array) #6 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(110): Think\App::invokeAction(Object(Home\Controller\SearchController), 'index') #7 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(204): Think\App::exec() #8 /var/www/html/home/ThinkPHP/Library/Think/Think.class.php(120): Think\App::run() #9 /var/www/html/home/ThinkPHP/ThinkPHP.php(97): Think\Think::start() #10 /var/www/html/home/index.php(33): require('/var/www/html/h...')

O. Jones
  • 92,698
  • 17
  • 108
  • 152
AverageJoe
  • 1
  • 1
  • Show us the problem SQL... – jarlh Mar 29 '22 at 21:28
  • How could we possibly know that? You haven't shown us a single bit of SQL. – Tim Roberts Mar 29 '22 at 21:28
  • based on: `select count(id) as count from microvirt_app_i18n where advertiser = 'google' and color0 and countrycode = 'US' and (name like '%'%' or categoryMark like '%'%' or packageName like '%'%') ` I see no place where you have a value being passed in. If this is dynamic SQL and not using a paramaterized query (which it very well could be) then yes it is injectable. If it's using paramaters; then no; it's likely not injectable. but since the error shows the SQL executed and not the SQL before it's executed, we have no way of knowing) – xQbert Mar 29 '22 at 21:35
  • This seems to be ThinkPHP problem, not MySQL. ThinkPHP [seems to have vulnerabilities](https://www.akamai.com/blog/security/thinkphp-exploit-actively-exploited-in-the-wild), so you might be better off using some other library/software – Vesa Karjalainen Mar 29 '22 at 21:40
  • is it sql injectable thats the thing im scared of – AverageJoe Mar 29 '22 at 21:42
  • @xQbert - Huh? `like '%'%'` won't work; change to `like "%'%"`. – Rick James Mar 30 '22 at 19:41
  • @RickJames my query is directly from the OP. My comment was purely about I don't know if that SQL statement was generated dynamically and the ' was generated via a user variable in the building of an SQL string without parameters. if so; then yes... SQL injection is possible. – xQbert Mar 30 '22 at 22:04
  • @xQbert - Protection from sql injection, include, among other things, the escaping of single and double quotes. For example: `LIKE '%\'%'`. – Rick James Mar 31 '22 at 16:30
  • We seem to be using English but not communicating . If the sql statement is not dynamically generated in any way, sql injection can not occur. But we have no way of knowing if it is static or dynamic from the question. However if any part of it is dynamic then it MAY be injectable. If however parameters are being used in a paramaterized query then may once again becomes no. Simply put we lack the info to know. But this isn’t moving the question further so I’m done – xQbert Mar 31 '22 at 17:35

1 Answers1

2

The error tells you where to look...

  • near '%' or categoryMark like '%'%' or packageName like '%'%')'

The strings '%'%' have a ' in the middle, which you haven't escaped.

  • Try '%''%' instead

(Where '' is treated as a literal character, rather than a string terminator).


As for whether it's injectable, any time you substitute strings in to queries, it's injectable.

Use parameterisation instead.

MatBailie
  • 77,948
  • 17
  • 98
  • 134
  • is it sql injectable thats the thing im scared of.. – AverageJoe Mar 29 '22 at 21:42
  • 1
    @AverageJoe - I addressed that; use parameterisation. But, as pointed out by others, you haven't shown us any php code; if you don't show us what you're doing we can't tell you if it's vulnerable. – MatBailie Mar 29 '22 at 21:44
  • Can you explain as to how cause If is i would like to know how attacker could get off that data pasted in the questions above sir? – AverageJoe Mar 29 '22 at 21:57
  • however they insert the ' instead they insert `');DELETE FROM microvirt_app_i18n;--` or something similar. Maybe they put it in where google goes in if it's a variable. or somewhere else – xQbert Mar 30 '22 at 22:08