在sql字符串中使用bash參數的腳本問題

Question

我在我的bash腳本中運行sql時遇到了一些問題。有人可以建議什麼語法需要改變？

{ 
echo "listing" 
sshpass -p 'XXXXXX' ssh jlefler@12.345.67.890 'mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';"' 
} > $log 

以下是錯誤消息我收到：

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%jaylefler%' at line 1 

當我更改了腳本推薦下面我收到以下錯誤：

bash: -c: line 0: syntax error near unexpected token `(' 
bash: -c: line 0: `mysql -h host-u user -pxxxxxxx database -e select user_id from users where concat(FIRST,LAST) like '%name_here%';' 

我原來的「工作段'如下：

echo "environment" 
sshpass -p $ldappw ssh $ldapuser@54.123.456.123 'mysql -h host -u user -ppassword database -e "select concat(FIRST,LAST) from users;"' | (grep -i ${username} || echo "NO USER IDENTIFIED") 

我只是想修改這個，所以我可以打印出找到的用戶標識，而不是每次找到姓和名時都打印出的用戶名。

Answer 1

你已經成熟了SQL注入攻擊。

不過，sql需要單引號圍繞模式。另外，你不需要引用你發送給ssh的命令。所以：

sshpass -p 'XXXXXX' ssh jlefler@12.345.67.890 mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';" 
# ............................................^ remove quote ........................................................................................ remove quote^