SQL injection error with backslash - sql-injection

I've been trying to search for an explanation here and on Google for some real answer, but haven't found any thread, so here it goes.
I'm trying to inject some vulnerable code into a parameter on my dummy server; however, the sanitation works fine, so it does not give an error with ' or ''
after the id in login.asp?id=. However, when I just use \ to inject after the id parameter, it gives the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 5.3(a) Driver][mysqld-5.5.47]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1
/usr/login.asp, line 31
Is this a false positive? How can it give an error with a backslash and not while I use either ', '' or 1=2, etc.? Only with the backslash.
Can someone explain why this happens, and can an attacker exploit this? I manually tried to exploit it, but it didn't work.
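Added here as an example, not code from the original question or from any answer: a Python simulation of the behaviour described, under the assumption that the server's sanitation doubles single quotes and then interpolates the value into a single-quoted literal. The sanitiser, the table, the ids and the query text are constructed for the example. The script walks the resulting statement the way MySQL's lexer reads single-quoted literals (default sql_mode, where a backslash inside '...' escapes the next character) and then shows the mitigation, a bound parameter, against an in-memory SQLite table.

```python
r"""
Added example; not code from the original post.  It reproduces the asker's
observation with a small emulation of MySQL's string-literal lexer (default
sql_mode, where a backslash inside '...' is an escape character), assuming
the server's "sanitation" merely doubles single quotes before interpolating
the value into a quoted literal.  The table, ids and query text are
constructed for the example.
"""
import sqlite3
from typing import Callable, Dict, List


def double_quotes(value: str) -> str:
    """Assumed sanitiser: doubles ' so that ' and '' stay inside the literal,
    but leaves the backslash alone."""
    return value.replace("'", "''")


def escape_like_driver(value: str) -> str:
    """Escaping that also covers the backslash (the characters a MySQL
    driver-level escape such as mysql_real_escape_string handles).  Shown
    for contrast only: binding parameters is the fix, not more escaping."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0")
                 .replace("\n", "\\n").replace("\r", "\\r"))


def build_query(escaped_id: str) -> str:
    """The string-interpolated query the vulnerable pattern produces."""
    return f"SELECT * FROM users WHERE id = '{escaped_id}'"


def literal_is_terminated(sql: str) -> bool:
    """Scan the statement the way MySQL's lexer reads single-quoted literals:
    backslash escapes the next character, '' is a literal quote, a lone '
    closes the literal.  False means the statement ended inside a literal,
    which the server reports as a 1064 syntax error."""
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if not in_literal:
            in_literal = ch == "'"
        elif ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 1                  # doubled quote: still inside
            else:
                in_literal = False
        i += 1
    return not in_literal


def audit(inputs: List[str], sanitiser: Callable[[str], str]) -> Dict[str, bool]:
    """Map each probe value to whether the sanitised query still parses."""
    return {v: literal_is_terminated(build_query(sanitiser(v))) for v in inputs}


def lookup_parameterised(raw_id: str) -> List[str]:
    """The mitigation: send the value as a bound parameter so the driver,
    not string concatenation, separates code from data.  Uses an in-memory
    SQLite table with constructed rows; the same pattern applies to any
    DB-API driver (MySQLdb, pymysql, pyodbc)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("42", "alice"), ("back\\slash", "bob")])
    rows = conn.execute("SELECT name FROM users WHERE id = ?",
                        (raw_id,)).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    probes = ["'", "''", "1=2", "\\"]
    print("quote-doubling only:", audit(probes, double_quotes))
    print("driver-style escape:", audit(probes, escape_like_driver))
    print("bound parameter, id='\\':", lookup_parameterised("\\"))
```

With quote doubling alone, the probes ', '' and 1=2 all produce a statement that still parses, but a trailing backslash escapes the closing quote, so the statement ends inside the literal; that unfinished literal is what the error message quotes as '\'. The error is therefore real, not a false positive of the sanitiser, and it is independent of whether anything further can be done with it. Binding the value, as in lookup_parameterised, removes the question entirely. One caveat: a MySQL server running with sql_mode NO_BACKSLASH_ESCAPES treats the backslash as an ordinary character, so the same probe would not error there.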

Related

PostgreSQL 9.4 \copy Error

I am attempting to copy data from a csv file into a postgresql database, and am using the following line to do so:
\copy album_tracks FROM 'C:\Users\wMogerty\Desktop\test.csv' WITH (format csv, header true);
However, I am getting the following error and am unsure why:
Error: ERROR: syntax error at or near "\"
Position: 1
SQLState: 42601
ErrorCode: 0
Thanks for any help
\copy is a command in the psql client. It is not supported by the PostgreSQL server. Nor is it part of libpq so it's not supported by alternative clients like PgAdmin-III etc.
You'll need to copy the file to the server yourself and use the COPY command to load it into the database. Or if your client has another interface to the underlying COPY ... FROM STDIN feature used by \copy, like an "import table" or "bulk load" option, you can use that.
I wonder if we should make the PostgreSQL server's parser detect attempts to run \copy as a SQL query and give a better error? Sounds like a great patch for a new developer to try.

SAS Connection to DB2 Via ODBC Error

I have been working in SAS connecting to DB2 via ODBC for a while now and this PROC SQL step generally works:
proc sql;
connect to odbc(dsn=DSQ user="UserID" password="Password");
execute (set current degree = 'ANY' ) by ODBC;
create table tempTable as select * from connection to odbc (
select *
from schemaName.tableName
);
quit;
However, occasionally I get the following error, and when I get this error I won't be able to run another ODBC query for quite some time, because every time I try to run the query I get the same error:
ERROR: CLI error trying to establish connection: [IBM][CLI Driver] SQL1042C An unexpected system
error occurred. SQLSTATE=58004
After some time the error either resolves itself or I do something that I am not aware of that fixes the issue. This is a very frustrating issue and since I never know how long this issue is going to persist I would like a more robust solution to this issue. I have checked the db2diag.log file and here is the part that describes this error:
2015-06-03-08.17.34.345000-300 I60888H446 LEVEL: Error
PID : 4452 TID : 7804 PROC : sas.exe
INSTANCE: DB2 NODE : 000
HOSTNAME:
EDUID : 7804
FUNCTION: DB2 Common, Cryptography, cryptDynamicLoadGSKitCrypto, probe:998
MESSAGE : ECF=0x90000007=-1879048185=ECF_UNKNOWN
Unknown
DATA #1 : unsigned integer, 4 bytes
60
DATA #2 : String, 11 bytes
gsk8sys.dll
I was trying to find an example to put in this post so I ran this snippet of code in SAS to see if the error would come back, however it seemed to have resolved the error because after running this piece of code, I ran the initial code and it worked. Here is the code that seemed to have resolved the issue.
proc sql;
connect to odbc(dsn=DSQ user="UserID" password="Password");
execute (set current degree = 'ANY' ) by ODBC;
create table column_names as select * from connection to odbc (
select * from sysibm.syscolumns
);
quit;
I have tried googling this issue, but there isn't much help on this particular error. Is there any reason that the second SAS code would have fixed the issue I was having? Is there any way to fix this problem so it won't come back in the future?
Please note, when the error occurs, I am still able to run queries via ODBC in Microsoft Access without any problems. It appears this is an issue with just a particular instance.
System Setup:
Windows 7 64-bit
SAS 9.3 (32)
DB2 v10.5.300.125
Thanks in advance for your help!
Update:
On a few occasions, I was able to go into task manager and delete some processes that were still running and then this issue would resolve itself, however today when this problem occurred, those processes weren't there. Any thoughts on this would be greatly appreciated.
The symptom may depend on the installation order of DB2 Connect and a program (sas.exe). If DB2 Connect is installed first, it should not occur. So it is suggested to remove and re-install both products once, then install DB2 Connect first.
Hope this helps.

MySQL Workbench 6.1 syntax errors in every statement

If I open up MySQL Workbench 6.1 on Ubuntu 14.04, and try to execute even a simple statement like
UPDATE articles SET published = 1;
It throws a syntax error when using the explain option:
Error executing explain
("You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE articles SET published = 1' at line 1", 1064)
I know there is no syntax error because I can copy and paste that exact statement into MySQL command line and it works.
Select statements are fine, but not updates or inserts. I have no idea what's wrong and it's incredibly frustrating.

Using squirrel sql with postgresql: backslash syntax error?

I am trying to run basic postgresql commands which start with a backslash within Squirrel SQL sql client. For example, I'd like to be able to type
\dt
to mean "SHOW TABLES" instead of
"SELECT * FROM information_schema.tables WHERE table_schema = 'public';"
This works from the psql command line. However, when I try to run "\dt" within Squirrel I get a syntax error message:
Error: ERROR: syntax error at or near "\"
Position: 1
SQLState: 42601
ErrorCode: 0
I assume there's some kind of SQL syntax checking going on here on the part of Squirrel? Does anyone know a way to make PostgreSQL commands which start with a backslash work in Squirrel SQL? I have the Postgres plugin installed...
Thanks,
The backslash commands are part of the psql client, not the PostgreSQL backend server. psql translates them into batches of SQL, which you can see by running psql with the -E flag, and uses the results to produce the displayed output.
This means you can't use these commands from other clients.
Alongside the inability to use pg_dump from within a PostgreSQL protocol session, or get equivalent functionality from the backend server, this is a bit of an FAQ.
At this point the only real option is to use a client that understands the information_schema or PostgreSQL's catalogs (pg_catalog) and can produce the display you want itself. A popular choice is PgAdmin-III, though I stick with psql myself.
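Added example for both the \copy post above and this Squirrel SQL one; it is not code from either post, nor from psql. It emulates the client-side rewriting psql performs for two backslash commands: \dt becomes a catalog query (a simplified stand-in for the one psql -E prints, not the verbatim text) and \copy ... FROM 'file' becomes COPY ... FROM STDIN with the client streaming the file. Anything else is passed to the server unchanged, which is why a backslash line sent from Squirrel SQL or PgAdmin fails at position 1. The sample CSV, the table name, fake_opener and RecordingCursor are constructed for the example; a real psycopg2 cursor provides the same copy_expert(sql, file) method.

```python
r"""
Added example; not code from either post or from psql itself.  It emulates
the client-side rewriting psql does for two backslash commands: \dt becomes
a catalog query (a simplified stand-in for the one `psql -E` prints, not the
verbatim text) and \copy ... FROM 'file' becomes COPY ... FROM STDIN with the
client streaming the file.  Anything else is sent to the server unchanged,
which is why a backslash line arriving from Squirrel SQL or PgAdmin fails
at position 1.  The sample CSV, the table name and RecordingCursor are
constructed for the example.
"""
import io
import re
from typing import Optional, Tuple

# Simplified stand-in for the pg_catalog query psql issues for \dt.
DT_QUERY = (
    "SELECT n.nspname AS schema, c.relname AS name "
    "FROM pg_catalog.pg_class c "
    "JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace "
    "WHERE c.relkind IN ('r', 'p') "
    "AND n.nspname NOT IN ('pg_catalog', 'information_schema') "
    "ORDER BY 1, 2"
)

# Matches: \copy <table> FROM '<local path>' [options] [;]
COPY_RE = re.compile(
    r"^\\copy\s+(?P<table>\S+)\s+FROM\s+'(?P<path>[^']*)'(?P<rest>.*?)\s*;?\s*$",
    re.IGNORECASE,
)

SAMPLE_CSV = "id,title\n1,Intro\n2,Outro\n"   # constructed file content


def translate(line: str) -> Tuple[str, Optional[str]]:
    """Return (sql_to_send, local_path_to_stream or None).

    Plain SQL passes through untouched; so does an unknown backslash
    command, which the server then rejects with
    'syntax error at or near "\\"' at Position 1."""
    stripped = line.strip()
    if stripped.lower() == r"\dt":
        return DT_QUERY, None
    m = COPY_RE.match(stripped)
    if m:
        sql = f"COPY {m.group('table')} FROM STDIN{m.group('rest').rstrip()}"
        return sql, m.group("path")
    return stripped, None


class RecordingCursor:
    """Stand-in for a psycopg2 cursor that records the COPY it was asked to
    run instead of talking to a server.  A real psycopg2 cursor exposes the
    same copy_expert(sql, file) method."""

    def __init__(self) -> None:
        self.sent = []

    def copy_expert(self, sql: str, fh) -> None:
        self.sent.append((sql, fh.read()))


def fake_opener(path: str):
    """Open the constructed CSV instead of a real file on disk."""
    return io.StringIO(SAMPLE_CSV)


def run_copy(cursor, line: str, opener=open) -> str:
    r"""Do what psql does for \copy: send COPY ... FROM STDIN and stream the
    file from the client side.  Raises if the line is not a
    \copy ... FROM 'file' command."""
    sql, path = translate(line)
    if path is None:
        raise ValueError("not a \\copy ... FROM 'file' command")
    with opener(path) as fh:
        cursor.copy_expert(sql, fh)
    return sql


if __name__ == "__main__":
    cmd = (r"\copy album_tracks FROM 'C:\Users\wMogerty\Desktop\test.csv' "
           r"WITH (format csv, header true);")
    cur = RecordingCursor()
    print(run_copy(cur, cmd, opener=fake_opener))
    print(cur.sent[0][1].splitlines())
    print(translate(r"\dt")[0][:40], "...")
```

The point of the emulation is where the work happens: the file is read on the client and the server only ever receives COPY ... FROM STDIN followed by the data, so a client that lacks this rewriting (Squirrel SQL, PgAdmin, or any libpq application) has nothing to fall back on when it forwards the raw \copy or \dt text. Note that the \copy path is a client-side path, while a server-side COPY ... FROM 'file' would refer to the server's filesystem and needs the corresponding privileges there.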

How to make Doctrine 2.1 quote identifiers with ZF1 using Bisna?

I am using the ZF + Doctrine 2.1 implementation by Ralph Schindler (https://github.com/ralphschindler/NOLASnowball/tree/doctrine2-managed-crud).
My MySQL database uses some reserved words, a column named order. I need to tell Doctrine to quote identifiers, but I can't seem to get it to work in the application itself nor in the scripts/doctrine.php (https://github.com/ralphschindler/NOLASnowball/blob/doctrine2-managed-crud/scripts/doctrine.php) to use the command line tool.
Note: I'm reverse engineering my database by using the command:
php scripts/doctrine.php orm:convert-mapping --from-database annotation library/app/Entity/
which gives the error:
Syntax error or access violation: 1064 You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near 'order' at line 1
because the column order doesn't get quoted with ticks.
I have finally found it.
It appears the NOLASnowBall demo app uses an older Doctrine than the current stable. With Doctrine 2.1.4 the ticks are added, without the need to set the extra option.
I have updated Doctrine and taken the new Bisna library from Guilherme Blanco's repository at https://github.com/guilhermeblanco/ZendFramework1-Doctrine2