1064:You have an error in your SQL syntax

Is this error SQL injectable? Personally, I'm afraid I don't know how to fix it, and if it is injectable I need to fix it fast.

1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' or categoryMark like '%'%' or packageName like '%'%')' at line 1 [ SQL ] : select count(id) as count from microvirt_app_i18n where advertiser = 'google' and color0 and countrycode = 'US' and (name like '%'%' or categoryMark like '%'%' or packageName like '%'%') 错误位置

FILE: /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php  LINE: 350 TRACE

#0 /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php(350): E('1064:You have a...') #1 /var/www/html/home/ThinkPHP/Library/Think/Db/Driver.class.php(180): Think\Db\Driver->error() #2 /var/www/html/home/ThinkPHP/Library/Think/Model.class.php(1382): Think\Db\Driver->query('select count(id...') #3 /var/www/html/home/Application/Home/Controller/SearchController.class.php(31): Think\Model->query('select count(id...') #4 [internal function]: Home\Controller\SearchController->index(''', 'en') #5 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(171): ReflectionMethod->invokeArgs(Object(Home\Controller\SearchController), Array) #6 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(110): Think\App::invokeAction(Object(Home\Controller\SearchController), 'index') #7 /var/www/html/home/ThinkPHP/Library/Think/App.class.php(204): Think\App::exec() #8 /var/www/html/home/ThinkPHP/Library/Think/Think.class.php(120): Think\App::run() #9 /var/www/html/home/ThinkPHP/ThinkPHP.php(97): Think\Think::start() #10 /var/www/html/home/index.php(33): require('/var/www/html/h...')



Solution 1:[1]

The error tells you where to look...

  • near '%' or categoryMark like '%'%' or packageName like '%'%')'

The strings '%'%' have a ' in the middle, which you haven't escaped.

  • Try '%''%' instead

(Where '' is treated as a literal character, rather than a string terminator).


As for whether it's injectable, any time you substitute strings into queries, it's injectable.

Use parameterisation instead.
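The same query as an added example (not code from the question, the answer, or ThinkPHP), written in Python against an in-memory SQLite table that stands in for the MySQL table and for ThinkPHP's Model->query: the table and column names are taken from the failing query, the rows are constructed. It reproduces the error with the search term `'` (the value the trace shows as the first argument to index()), shows the parameterised form handling the same term, and covers a second point the answer does not mention: a bound parameter keeps the input out of the SQL grammar, but LIKE still treats `%` and `_` inside it as wildcards, so a search for `%` matches every row unless those characters are escaped as well.

```python
import sqlite3

# Constructed sample rows for a table shaped like the one in the question.
# Column names come from the failing query; the contents are made up.
ROWS = [
    ("google", 1, "US", "Rock 'n' Roll Radio", "music", "com.example.radio"),
    ("google", 1, "US", "Chess", "games", "com.example.chess"),
    ("google", 0, "US", "Chess Pro", "games", "com.example.chesspro"),   # excluded by color0
    ("other", 1, "US", "Chess Lite", "games", "com.example.chesslite"),  # excluded by advertiser
    ("google", 1, "US", "100% Free Sudoku", "games", "com.example.sudoku"),
]

# The fixed part of the statement, copied from the question's query.
FILTER = ("select count(id) as count from microvirt_app_i18n "
          "where advertiser = 'google' and color0 and countrycode = 'US' ")


def make_db():
    """In-memory SQLite database standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table microvirt_app_i18n (id integer primary key, advertiser text, "
                 "color0 integer, countrycode text, name text, categoryMark text, packageName text)")
    conn.executemany("insert into microvirt_app_i18n (advertiser, color0, countrycode, name, "
                     "categoryMark, packageName) values (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def count_matches_concat(conn, q):
    """The pattern behind the 1064 error: the search term is spliced into the SQL text."""
    sql = FILTER + (f"and (name like '%{q}%' or categoryMark like '%{q}%' "
                    f"or packageName like '%{q}%')")
    return conn.execute(sql).fetchone()[0]


def concat_query_error(conn, q):
    """Return the database error the concatenated query produces, or None if it ran."""
    try:
        count_matches_concat(conn, q)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def count_matches_param(conn, q):
    """Parameterised version: the term travels as a bound value, never as SQL text.
    The '?' placeholder is the same one PDO uses against MySQL."""
    pattern = "%" + q + "%"
    sql = FILTER + "and (name like ? or categoryMark like ? or packageName like ?)"
    return conn.execute(sql, (pattern, pattern, pattern)).fetchone()[0]


def like_pattern(q, esc="\\"):
    """Wrap q in wildcards after escaping LIKE's own metacharacters so q is matched literally."""
    for ch in (esc, "%", "_"):
        q = q.replace(ch, esc + ch)
    return "%" + q + "%"


def count_matches_literal(conn, q):
    """Parameterised and wildcard-safe: a '%' or '_' typed by the user no longer acts as a wildcard."""
    pattern = like_pattern(q)
    sql = FILTER + ("and (name like ? escape '\\' or categoryMark like ? escape '\\' "
                    "or packageName like ? escape '\\')")
    return conn.execute(sql, (pattern, pattern, pattern)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("concat,  q=\"'\":", concat_query_error(db, "'"))   # database error, as in the question
    print("param,   q=\"'\":", count_matches_param(db, "'"))  # 1
    print("param,   q='%':", count_matches_param(db, "%"))    # 3: the wildcard matched every row
    print("literal, q='%':", count_matches_literal(db, "%"))  # 1: only the row containing a '%'
```

The three query functions differ only in how the search term reaches the database. In the ThinkPHP controller from the trace the equivalent change is to stop building the string passed to Model->query and bind the term instead; the wildcard escaping is a separate, smaller concern (wrong or slow results rather than a broken or altered statement) but is cheap to do in the same place. Note that MySQL's string literals treat backslash as an escape character by default, so the `ESCAPE` clause is spelled differently there than in SQLite.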

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 MatBailie