我的脚本被设计为在环境中循环,访问数据库并检查是否有任何名字/姓氏组合有关联的用户ID。我不确定为什么会出现下面列出的错误。
#/bin/bash
#specify user to search for *******DO NOT PUT SPACE, ie. jaylefler
echo "Please enter user first name: "
read first_name
echo "Please enter user last name: "
read last_name
echo "Please enter LDAP User ID: "
read ldapuser
echo "Please enter LDAP password: "
stty -echo
read ldappw
stty echo
#logs to write output to
log="ui_${username}_access.log"
finallog="${username}_ui_access.txt"
#create file if not exist, else null it
[[ -f ${log} ]] && cat /dev/null > ${log} || touch ${log}
[[ -f ${finallog} ]] && cat /dev/null > ${finallog} || touch ${log}
#log it all
{
echo "environment"
sshpass -p $ldappw ssh $ldapuser@54.123.777.567 'mysql -h host -u user - ppassword database -e
"select user_id from users where first like "%'${first_name}'%" and last like "%'${last_name}'%";"'
} > $log
当我执行脚本时,我收到以下错误:
Please enter user first name:
jay
Please enter user last name:
lefler
Please enter LDAP User ID:
jlefler
Please enter LDAP password:
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%jay% and last like %lefler%' at line 1
jlefler@ubuntu:~/Desktop$
我不太熟悉这种类型的脚本,但在我看来,大约%jay%和%lefler%需要引号,以便SQL显示为:
select user_id from users where first like '%jay%' and last like '%lefler%';
代码中的主要问题是引号位于百分号内。:)
第二个问题是,您创建了一些易受SQL注入攻击的东西。我完全不知道如何从Bash脚本创建绑定参数,但你需要弄清楚!
MySQL的查询应该输出如下内容:
SELECT * FROM pet WHERE name LIKE '%w%';
在bash中,连接的方法之一如下:
mystring="some ${string1} arbitrary ${string2} text"
编辑:所以组合所有的Plus制作一些东西来扩展"内部的字符串。问题是shell不能在单引号之间展开字符串。像这样的东西应该起作用:
CommandFinale=$($sqlCommand -e "select user_id from users where first like '%${first_name}%' and last like '%${last_name}%';")
然后在连接链中使用变量CommandFinale
。
我还没能测试它,但它应该是那样或非常相似。