我在bash脚本中运行sql时遇到了一些问题。有人可以建议需要更改哪种语法吗?
{
echo "listing"
sshpass -p 'XXXXXX' ssh jlefler@12.345.67.890 'mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';"'
} > $log
以下是我收到的错误消息:
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%jaylefler%' at line 1
当我按照下面的建议对脚本进行更改时,我收到以下错误:
bash: -c: line 0: syntax error near unexpected token `('
bash: -c: line 0: `mysql -h host-u user -pxxxxxxx database -e select user_id from users where concat(FIRST,LAST) like '%name_here%';'
我原来的“工作段”如下:
echo "environment"
sshpass -p $ldappw ssh $ldapuser@54.123.456.123 'mysql -h host -u user -ppassword database -e "select concat(FIRST,LAST) from users;"' | (grep -i ${username} || echo "NO USER IDENTIFIED")
我只是想修改它,这样我就可以打印出找到的用户ID,而不是每次找到名字和名字组合时打印出的用户名。
答案 0 :(得分:2)
你已经熟悉SQL注入攻击了。
尽管如此,sql需要在模式周围使用单引号。此外,您不需要引用发送到ssh的命令。所以:
sshpass -p 'XXXXXX' ssh jlefler@12.345.67.890 mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';"
# ............................................^ remove quote ........................................................................................ remove quote ^