Problem with shell (os.execute) command

I have a small problem with a Lua script, and I'm using a query.

Code:

os.execute("mysql -u root -ppassword --execute='UPDATE user.users SET email = "..email .." WHERE id = ".. get_email() ..";'")


So, the problem is: if I type numbers as the email, e.g. "2134124412", the query succeeds and changes the email to "2134124412".
If I type characters like "qwertz", I get an SQL problem.
I saw, at
Code:

SET email = "..email.."

the " " do not escape, because every SET xy = xy statement needs two ' ' to escape the string.
So, how can I do this? I start the command with two " ", inside the command there is an execute command with two ' ', and now I need two ' ' or two " " again at the SET email step?
 
So the fault is this:

mysql -u root -ppassword -e "UPDATE mysql.user SET Password = Password ('password') WHERE user='root';

Everything works fine, but in the Password ('password') the two ' ' are missing if I run my Lua command... I hope you'll know >.<
 
Think of it this way: you have root's password on the command line, you have a user's password on the command line. If I do a ps(1) at the right time I'll have the keys to your database.

Your syntax is also quite difficult now because of all the quotations needed. Save yourself a lot of headaches.
 
In addition, it's also slow. os.execute starts a new process (== overhead), it also may start a shell (== even more overhead).

This is not an issue for a single command, but if you start doing SQL queries this way ....
 
All working fine if I type numbers for the password but if I am typing a word for the password mysql says error

"mysql says error" is vague at best, when asking a question you should post as much information as possible. You posted as little information as possible (No error message, not the full code).

As a generic hint, you can use:
Code:
query = 'SELECT ...'
cmd = 'mysql -u ...etc... ' .. query
os.execute(cmd)

I am not familiar with Lua, so the syntax may not be correct, but this allows you to print the query and cmd to the terminal and *see* what gets executed. This is often helpful in debugging.
 
The problem is, if I type

os.execute("mysql -u root -ppassword --execute='UPDATE users.users SET Password = Password (.. pass ..) WHERE id = ".. username ..";'")

The syntax is wrong, because mysql needs this at password=password ('password1234' or ("password1234") and if I type ('..pass ..') or ("..pass..") it does not work, because I started the syntax with (" and closed it with ") and in the syntax between " " I open the next syntax for the --execute command.
So I need a solution for this.
 
So you just need to escape the quotes? Again, I'm not familiar with Lua, but in most languages you can place a backslash before the quote (\").
 
Carpetsmoker said:
So you just need to escape the quotes? Again, I'm not familiar with Lua, but in most languages you can place a backslash before the quote (\").

Already tried this. Doesn't work.
 
I have a small problem with a Lua script, and I'm using a query.

Code:
os.execute("mysql -u root -ppassword --execute='UPDATE user.users SET email = "..email .." WHERE id = ".. get_email() ..";'")

So, the problem is: if I type numbers as the email, e.g. "2134124412", the query succeeds and changes the email to "2134124412".
If I type characters like "qwertz", I get an SQL problem.
I saw, at

Code:
 SET email = "..email.."

the " " do not escape, because every SET xy = xy statement needs two ' ' to escape the string.
So, how can I do this? I start the command with two " ", inside the command there is an execute command with two ' ', and now I need two ' ' or two " " again at the SET email step?
 
So now you're using this for general queries against your database? :q

I would seriously recommend you use a MySQL interface library such as luasql-mysql

It is obvious you're having great difficulty with your current solution. This is always a good moment to stop and rethink if there isn't a better way.

Also, both of the queries you posted contain SQL injection security vulnerabilities. These will be extremely hard, if not impossible, to fix with your current solution.
 
That's only for my use.

So, please help me and do not advise me with some security information; I already know that.
I just need to know how I can escape the SET email = email value.
 
Code:
os.execute("some command \"with\" embedded \"quotes\"")
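
The quoting problem discussed in this thread has two layers (the SQL string literal, then the shell word around the whole statement). The following is an added example, not code from any post above, that quotes each layer separately and prints the result as the debugging hint earlier suggests. The helper names (`sql_quote`, `sql_int`, `shell_quote`, `build_cmd`) and the option-file path are hypothetical, and MySQL's default sql_mode is assumed.

```lua
-- Added example, not code from the thread. Nothing is executed: the script
-- prints the SQL and the shell command so both quoting layers can be checked.

-- Hypothetical path. A mode-600 option file with a [client] section holding
-- user= and password= keeps the password out of the process list.
local CNF = "/root/.my-lua.cnf"

-- Layer 1: SQL string literal. Assumes MySQL's default sql_mode, in which
-- backslash is an escape character (NO_BACKSLASH_ESCAPES not set).
local function sql_quote(s)
  assert(not s:find("\0", 1, true), "NUL byte in value")
  s = s:gsub("\\", "\\\\"):gsub("'", "''")
  return "'" .. s .. "'"
end

-- Numeric columns are not quoted, so accept whole numbers only.
local function sql_int(v)
  local n = tonumber(v)
  assert(n and n == math.floor(n), "id must be an integer")
  return string.format("%d", n)
end

-- Layer 2: POSIX shell word. Inside '...' nothing is special except ' itself,
-- which is written as '\'' (close quote, escaped quote, reopen quote).
local function shell_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

local function build_cmd(email, id)
  local query = "UPDATE user.users SET email = " .. sql_quote(email)
             .. " WHERE id = " .. sql_int(id) .. ";"
  -- --defaults-extra-file has to be the first option on the command line.
  local cmd = "mysql --defaults-extra-file=" .. shell_quote(CNF)
           .. " --execute=" .. shell_quote(query)
  return query, cmd
end

-- Constructed sample values: digits only, letters, an embedded quote, a backslash.
for _, email in ipairs{ "2134124412", "qwertz", "o'brien@example.com", "a\\b" } do
  local query, cmd = build_cmd(email, "42")
  print("query: " .. query)
  print("cmd:   " .. cmd)
  -- os.execute(cmd)  -- enable once the printed command looks right
end
```

A database library such as the luasql-mysql mentioned above removes the shell layer entirely, leaving only the SQL layer to handle.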
 