#255799 21/11/15 11:30 AM
Joined: Mar 2015
Posts: 19
R
Ravelux Offline OP
Pikka bird
I can't find my error, please help! :(
Error:
Error executing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= 1' at line 1
Code: http://pastebin.com/dsQs1S0s

Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
1. You have an SQL injection vulnerability in your code.

2. The /set command does not accept "=" as an argument. It's either /var %2 = $2 or /set %2 $2. In this case, you actually want /var, because you want a local variable, not a global.

3. You can debug stuff by using /echo to see the full line. If you did this, you would see that the SQL you were attempting to execute was:

Quote:
SELECT id, datum, text FROM loonakia_quotes WHERE id = = 1


Note the 2nd "=" sign.

In general, when things don't work, you should visualize the data that you are working with. In this case, it means running /echo -a %sql in your script to see what the actual query was. That way you don't have to come here every time something doesn't work as intended.

But most importantly, you have an SQL injection vulnerability in your code. I realize I'm repeating the 1st point, but it's worth repeating. Someone could probably delete your entire database under the right conditions.

As a side note, I'm willing to bet that MySQL is a huge overkill for your current project. You can avoid SQL injection vulnerabilities and complexities like screwing up SQL statements by avoiding it entirely. The equivalent quotes script is literally a one-liner without SQL:

Code:
on *:text:!quote *:#:msg # $read(quotes.txt,$2)


25 lines down to 1. No SQL injection. Way easier to understand, way harder to break, doesn't require running a MySQL server, and given the way the other script is written, this is still probably faster, too. You could make your script even faster by formatting your quotes in a .ini file and /hload'ing them into an in-memory hash table, at which point performance will almost always be faster than MySQL, but this is probably not necessary given that you'd need more than 20k lines of quote data to actually make this a significant processing burden on mIRC.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Joined: Jan 2004
Posts: 1,360
L
Hoopy frood
$read without the n switch is even worse than an SQL injection ;)

Code:
on *:text:!quote *:#:msg # $read(quotes.txt,n,$2)

Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
Not nearly worse than SQL injection, no. You control all of the data in the file and therefore choose whether or not to return evaluated data, and it's unlikely that in arbitrary quote data there would be any combination of characters that do "damage" to a client. But good catch.

It is worth noting that without the n switch, mIRC will evaluate $identifiers and %variables in the file. This may be intended (like adding $time or $nick to your quotes), but may not. Add the switch if you have monetary values or percentages in your quotes. If you accept user data to fill your quote file, you absolutely MUST use this switch, since that WOULD lead to an injection attack vector.

While we're on the topic, you still may also want guards for valid numeric ranges, and, possibly, guarding against $read() returning $null for empty lines and invalid line numbers. Of course this is all just an example.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
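
The guards listed in the last post (the n switch, a numeric range check, and a $null check), put together as an added example that is not code from any poster in this thread. It assumes the same quotes.txt file with one quote per line; the reply messages and the %total and %quote variable names are illustrative.

```mirc
; Added example: hardened !quote handler (not from the thread).
on *:text:!quote *:#:{
  ; $2 is typed by a channel user, so accept only a positive whole number
  if (!$regex($2,/^[1-9]\d*$/)) { msg # Usage: !quote <number> | return }

  ; $lines() returns the number of lines in the file; reject out-of-range requests
  var %total = $lines(quotes.txt)
  if ($2 > %total) { msg # There are only %total quotes. | return }

  ; n = return the line as plain text, so $identifiers and %variables
  ;     stored in the file are not evaluated
  ; t = treat the first line as ordinary text even if it is a number,
  ;     so line numbers match what $lines() counted
  var %quote = $read(quotes.txt,nt,$2)

  ; $read() returns $null for an empty line
  if (%quote == $null) { msg # Quote $2 is empty. | return }

  msg # %quote
}
```

Because the line is read with the n switch and only passed to /msg afterwards, text that users contributed to quotes.txt is sent to the channel as data and is never evaluated as script.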
