Prerequisite – SQL Injection
While testing for SQL injection, we encounter various error messages. Let us work out the basic cause behind each error and how it appears in MySQL. Below are the common errors and their explanations.
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ” foo ‘ at line X.
If you entered a single quote and it altered the syntax of the database query, this is the expected error message. For MySQL, SQL injection may be present, but the same error message can appear in other contexts.
You have commented out or removed a variable that normally would be supplied to the database.
The used SELECT statements have different number of columns.
You will see this when you are attempting a UNION SELECT attack and you specified a different number of columns from the number in the original SELECT statement.
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ XXX, YYY from SOME_TABLE’ at line 1
You commonly see this error message when your injection point occurs before the FROM keyword (for example, you have injected into the columns to be returned) and you have used the comment character to remove required SQL keywords. Try completing the SQL statement yourself while using your comment character. MySQL should helpfully reveal the column names XXX, YYY when this condition is encountered.
Table ‘DBNAME.SOMETABLE’ doesn’t exist.
You are trying to access a table or view that does not exist. Test your query against a table you know you have access to. MySQL should helpfully reveal the current database schema DBNAME when this condition is encountered.
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ ‘ at line 1.
You were probably altering something in a WHERE clause, and your SQL injection attempt has disrupted the grammar.
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ ‘ line 1.
Your SQL injection attempt has worked, but the injection point was inside parentheses. You probably commented out the closing parenthesis with injected comment characters (--).
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near XXXXX.
A general error message. The error messages listed previously all take precedence, so something else went wrong. It is likely that you can try alternative input and get a more meaningful message.
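Each message above also tells a defender what an exposed error discloses (query fragments and column names, the schema name, the column-count mismatch), so the same patterns can be used to audit HTTP responses or application logs for leaked MySQL errors. The following is an added example, not code from the original article; the rule names, function names, URLs and sample bodies are constructed for illustration.

```python
import re

# One rule per MySQL message discussed above: (category, pattern).
RULES = [
    ("column_count_mismatch", re.compile(
        r"The used SELECT statements have (?:a )?different number of columns")),
    ("schema_disclosure", re.compile(
        r"Table '(?P<db>[^'.]+)\.(?P<table>[^']+)' doesn't exist")),
    ("syntax_error", re.compile(
        r"You have an error in your SQL syntax.*?near '(?P<near>.*)' at line (?P<line>\d+)",
        re.S)),
]

def classify(text):
    """Return (category, leaked_fields) for the first matching rule, or None."""
    # Normalise typographic quotes that rendering layers sometimes substitute.
    text = text.replace("\u2018", "'").replace("\u2019", "'")
    for name, pattern in RULES:
        m = pattern.search(text)
        if m:
            return name, m.groupdict()
    return None

def audit(responses):
    """Return [(url, category, leaked_fields)] for bodies that expose a MySQL error."""
    findings = []
    for url, body in responses:
        hit = classify(body)
        if hit:
            findings.append((url, hit[0], hit[1]))
    return findings

PREFIX = ("You have an error in your SQL syntax; check the manual that corresponds "
          "to your MySQL server version for the right syntax to use near ")

# Constructed response bodies and URLs for illustration, not real traffic.
SAMPLE = [
    ("/item/1", "<html><p>Widget</p></html>"),
    ("/item/2", PREFIX + "'name, price from products' at line 1"),
    ("/item/3", "Table 'shopdb.userz' doesn't exist"),
    ("/item/4", "The used SELECT statements have a different number of columns"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding means the application is returning raw database errors to the client; return a generic error page and log the detail server-side, alongside using parameterized queries.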