Sunday, December 15, 2024

Convert a MySQL Injection Script for Use in Microsoft SQL Server

Share

MySQL Server is the most widely used database management system in the world, primarily because it is open source and free.

Hence, most databases you may get from outside sources will probably be in the form of a MySQL injection script. This is fine if you use MySQL for your own website databases, but if you use Microsoft SQL Server the script will require a little editing before it will work.

The first thing you’ll need to do is remove any comment lines from the script. MySQL comment lines begin with a pound character (“#”) and MSSQL comment lines begin with a double dash (“–“), which makes them completely incompatible and will product a syntax error if you try to import a MySQL injection as-is into MSSQL Server. So to get started, open up Query Analyzer if you haven’t already (the easiest way to run scripts in MSSQL Server), load up the injection script you are working with, and remove any comment lines (look for the pound symbol). It is easier just to remove them than it is to try and convert them to propery MSSQL syntax, and they are just comment lines anyway so it won’t affect anything.

The bulk of your script will most likely be a series of INSERT statements, and these aren’t very different in MSSQL as compared to MySQL. However, your script may also include at the beginning a small section that creates the database table where the data will be inserted, and this CREATE TABLE statement is likely to be VERY different in MSSQL, depending on how complicated it is (there could be primary and secondary keys, constraints, even triggers — the more of these the more the syntax changes from MySQL to MSSQL). Since this is likely to give you the most trouble, it is recommended that you create the database tables manually in Enterprise Manager rather than trying to convert the syntax of the script snippet. Looking at the code, you should be able to easily identify the fields and their types (such as int, varchar, text, etc). Once you have the database table created in Enterprise Manager, delete the snippet of code from the injection script that deals with the creation of the table.

Now all that remains is to convert the INSERT statements to the proper syntax for MSSQL Server. There are a few different steps to accomplish this, but none of them are very complicated. The first difference in syntax between MySQL and MSSQL is that in MySQL, all statements must end with a semicolon (“;”). In MSSQL, this is a syntax error. The easiest way to remove these semicolons is to do a search and replace, and since the INSERT statements should be passing a series of values for each record of data, each line of the MySQL script will most likely end with a paranthesis and semicolon (“);”). So, do a search and replace and replace all instances of “);” with just the parenthesis “)”.

Another difference that you will have to correct for is that your MySQL injection script will most likely use an acute accent / reverse apostrophe (ANSI character 180) around the table name on each line. In MSSQL Server, you can encapsulate an object’s name (such as a table’s) with either square brackets (“[” and “]”) or nothing at all. However, you probably don’t want to do a blanket search-and-replace of the reverse apostrophe character, because that character might be used in the data of each record (especially if the data contains text, such as an article body). The easiest way to correct for this difference in syntax, then, is to do another search and replace, and replace all instances of the reverse apostrophe AND the table name, for example “`articles`” with just the table name “articles”.

Finally, there will also be numerous occurrences of apostrophes throughout the text fields of the data, and the apostrophe character is used to encapsulate strings in the script. In MySQL, the way to escape an apostrophe so that the script knows it is part of the text and not the end of the string, is to use a backslash followed by the apostrophe (“‘”). In a MSSQL Server script, the proper way to escape an apostrophe is to use a double apostrophe (“””). So, one more search and replace is called for — this time, replace all instances of [‘] with [”] (double apostrophe, NOT an actual quotation mark).

Once these steps are all complete, you are ready to run the script! There shouldn’t be any other syntax changes you’ll have to make, but don’t worry if there are because when you execute the injection script it will tell you if there are any errors. If everything was corrected properly and there are no errors, you should get a series of “1 row(s) affected” responses — one for each INSERT statement in the script. If you want to verify that the proper number of records are in the database table, you can execute a “select count(*) from tablename” statement to count the rows of the table — it should match the number of lines in the injection script, give or take a few for blank lines, etc.

That’s it! Your options are now increased tremendously, because now you can use either MySQL or MSSQL injection scripts to import acquired databases into your database system. If you use MySQL as your dbms, you can do this process in reverse to convert a MSSQL injection script into a MySQL one. Either way, you now can import data using an injection script from either of the two most popular database management systems in the world. Now, where to obtain such databases or injection scripts is another question entirely, and beyond the scope of this article. Suffice it to say that there are numerous sources on the internet where you can purchase or acquire databases — a good one is www.WebContents.org. I think you will find that not only is it much easier to acquire content databases for your users than it is to build them from scratch, but it also is an easy way to add a lot of new, fresh content for your users with a minimal amount of time and effort. Using this method, you can get databases of articles, jokes, quotes, recipes, etc, and put them right on your website or any other database-integrated application, with very little work. Good luck!

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark murdok:

This article was written by Lucas Green, a professional private web developer who lives off his internet income. To visit his website and learn more about how he is creating multiple streams of passive income using the internet, please visit www.lucasgreen.com !

Table of contents

Read more

Local News