# Problem with shell (os.execute) command



## Sisler_Ohan (Oct 6, 2011)

I have a small problem with a Lua script in which I'm using a query.

```
os.execute("mysql -u root -ppassword --execute='UPDATE user.users SET email = "..email .." WHERE id = ".. get_email() ..";'")
```


So, the problem is, if I type numbers as the email, e.g. "2134124412", the query is a success and changes the email to "2134124412".
If I type characters like "qwertz" I get an SQL problem.
I saw that at

```
SET email = "..email.."
```

the " " do not escape, because every SET xy = xy statement needs two ' ' to escape the string.
So, how can I do this? I start the command with two " ", inside the command there is an execute command with two ' ', and now I need two ' ' or two " " again at the SET email step.


----------



## Sisler_Ohan (Oct 6, 2011)

So the fault is this:

```
mysql -u root -ppassword -e "UPDATE mysql.user SET Password = Password ('password') WHERE user='root';
```

All working fine but in the Password ('password') the two ' ' are missing if I run my lua command .. I hope you'll know >.<


----------



## SirDice (Oct 6, 2011)

Why don't you use databases/luasql-mysql?


----------



## Sisler_Ohan (Oct 6, 2011)

Don't need it, I only fail at the syntax!!


----------



## SirDice (Oct 6, 2011)

Think of it this way, you have root's password on the commandline, you have a user's password on the commandline. If I do a ps(1) at the right time I'll have the keys to your database.

Your syntax is also quite difficult now because of all the quotations needed. Save yourself a lot of headaches.


----------



## Carpetsmoker (Oct 6, 2011)

In addition, it's also slow. os.execute starts a new process (== overhead), it also may start a shell (== even more overhead).

This is not an issue for a single command, but if you start doing SQL queries this way ....


----------



## Sisler_Ohan (Oct 8, 2011)

Man,

there is only a fail in the syntax and I need your help -.- please read it again and try to help me


----------



## Carpetsmoker (Oct 8, 2011)

> All working fine if I type numbers for the password but if I am typing a word for the password mysql says error



"mysql says error" is vague at best. When asking a question you should post as much information as possible. You posted as little information as possible (no error message, not the full code).

As a generic hint, you can use:

```
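local query = 'SELECT ...'
local cmd = 'mysql -u ...etc... ' .. query  -- Lua concatenates strings with .., not +
print(cmd)  -- show exactly what will be executed
os.execute(cmd)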
```

I am not familiar with Lua, so the syntax may not be correct, but this allows you to print the query and cmd to the terminal and *see* what gets executed. This is often helpful in debugging.


----------



## Sisler_Ohan (Oct 9, 2011)

The problem is, if I type

```
os.execute("mysql -u root -ppassword --execute='UPDATE users.users SET Password = Password (.. pass ..) WHERE id = ".. username ..";'")
```

The syntax is wrong, because mysql needs this at password=password ('password1234' or ("password1234") and if I type ('..pass ..') or ("..pass..") it does not work, because I started the syntax with (" and close it with ") and in the syntax between " " I open the next syntax for the --execute command.
So I need a solution for this.


----------



## Carpetsmoker (Oct 9, 2011)

So you just need to escape the quotes? Again, I'm not familiar with Lua, but in most languages you can place a backslash before the quote (*\"*).


----------



## Sisler_Ohan (Oct 9, 2011)

Carpetsmoker said:

> So you just need to escape the quotes? Again, I'm not familiar with Lua, but in most languages you can place a backslash before the quote (*\"*).



Already tried this. Doesn't work.


----------



## Sisler_Ohan (Oct 12, 2011)

I have a small problem with a Lua script in which I'm using a query.


```
os.execute("mysql -u root -ppassword --execute='UPDATE user.users SET email = "..email .." WHERE id = ".. get_email() ..";'")
```

So, the problem is, if I type numbers as the email, e.g. "2134124412", the query is a success and changes the email to "2134124412".
If I type characters like "qwertz" I get an SQL problem.
I saw that at


```
SET email = "..email.."
```

the " " do not escape, because every SET xy = xy statement needs two ' ' to escape the string.
So, how can I do this? I start the command with two " ", inside the command there is an execute command with two ' ', and now I need two ' ' or two " " again at the SET email step.


----------



## Carpetsmoker (Oct 12, 2011)

So now you're using this for general queries against your database? :q

I would *seriously* recommend you use a MySQL interface library such as luasql-mysql

It is obvious you're having great difficulty with your current solution. This is always a good moment to stop and rethink if there isn't a better way.

Also, both of the queries you posted contain *SQL injection* security vulnerabilities. These will be extremely hard, if not impossible, to fix with your current solution.


----------



## Sisler_Ohan (Oct 12, 2011)

That's only for my use.

So, please help me and do not advise me with some security information, I already know that.
I just need to know how I can escape the SET email = email value.


----------



## SirDice (Oct 12, 2011)

Try reading the documentation


> As a matter of style, you should use always the same kind of quotes (single or double) in a program, unless the string itself has quotes; then you use the other quote, *or escape those quotes with backslashes*.


http://www.lua.org/pil/2.4.html


----------



## Sisler_Ohan (Oct 12, 2011)

Sorry, but my English is not the best, can you explain it to me with an example?


----------



## SirDice (Oct 12, 2011)

```
os.execute("some command \"with\" embedded \"quotes\"")
```


----------



## Sisler_Ohan (Oct 12, 2011)

SirDice said:

> ```
> os.execute("some command \"with\" embedded \"quotes\"")
> ```

Sisler_Ohan said:

> os.execute("mysql -u root -ppassword --execute='update xyz set email = \"quotes\"'")
> 
> ?



so?


----------



## Carpetsmoker (Oct 12, 2011)

According to http://lua-users.org/wiki/OsLibraryTutorial



> Execute an operating system *shell* command.



So you'll need to add, ehh, 4 or 5 backslashes because you also need to escape the quotes and backslashes for the shell.

I'll say it again, the way you're doing it now is really awkward. Rethink your approach.


----------



## Lan (Nov 1, 2011)

You can also use

```
[[
"This" is a 'string'
]]
```

instead of escaping backslashes.


----------
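
The quoting layers discussed in this thread (Lua string, then shell, then SQL), as an added example that is not code from any of the posters. It only builds and prints the strings; `sql_literal`, `safe_sql`, `sh_quote`, `mysql_command` and the option-file path are hypothetical names, and the SQL escaping assumes MySQL's default `sql_mode` and a UTF-8 connection.

```lua
-- Added example: builds and prints the strings only; nothing is executed.

-- The thread's construction: the inner " closes the Lua string, so the
-- value reaches the SQL text with no quotes around it.
local function original_sql(email, id)
  return "UPDATE user.users SET email = " .. email .. " WHERE id = " .. id .. ";"
end

-- SQL layer: turn a Lua string into a SQL string literal.
-- Assumption: default sql_mode (backslash escapes) and a UTF-8 connection.
local function sql_literal(s)
  s = s:gsub("\\", "\\\\")  -- \ becomes \\
  s = s:gsub("'", "''")     -- ' becomes ''
  return "'" .. s .. "'"
end

-- Lua long brackets [[ ]] hold the template, so no Lua-level escaping is needed.
local function safe_sql(email, id)
  local n = assert(tonumber(id), "id must be a number")
  return string.format([[UPDATE user.users SET email = %s WHERE id = %d;]],
                       sql_literal(email), n)
end

-- Shell layer: single-quote for POSIX sh; an embedded ' becomes '\''.
local function sh_quote(s)
  s = s:gsub("'", "'\\''")
  return "'" .. s .. "'"
end

-- Hypothetical path: a mode-0600 option file whose [client] section holds
-- user and password, keeping the password off the command line.
local OPTION_FILE = "/usr/local/etc/myapp-client.cnf"

local function mysql_command(sql)
  return "mysql --defaults-extra-file=" .. sh_quote(OPTION_FILE)
      .. " --execute=" .. sh_quote(sql)
end

-- Constructed sample inputs.
for _, email in ipairs({ "2134124412", "qwertz", "o'brien@example.org" }) do
  print("original: " .. original_sql(email, 7))
  print("quoted  : " .. safe_sql(email, 7))
  print("command : " .. mysql_command(safe_sql(email, 7)))
end
```

For `qwertz` the original SQL reads `SET email = qwertz`, which MySQL parses as a column name, while `2134124412` happens to be a valid numeric literal. The option file keeps the password out of ps(1) output, but the statement itself is still visible there, which a client library such as luasql-mysql avoids.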

