user3299633

Reputation: 3380

Script issue utilizing bash parameters in sql string

I'm having some problems running a sql in my bash script. Can someone advise what syntax needs to change?

{
echo "listing"
sshpass -p 'XXXXXX' ssh [email protected] 'mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';"'
} > $log

Here is the error message I receive:

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%jaylefler%' at line 1

When I made changes to the script as recommended below I received the following errors:

bash: -c: line 0: syntax error near unexpected token `('
bash: -c: line 0: `mysql -h host-u user -pxxxxxxx database -e select user_id    from users where concat(FIRST,LAST) like '%name_here%';'

My original 'working segment' is as follows:

echo "environment"
sshpass -p $ldappw ssh [email protected]  'mysql -h host -u user -ppassword database -e "select concat(FIRST,LAST) from users;"' | (grep -i ${username} || echo "NO USER IDENTIFIED")

I'm just trying to modify this so I can print out the user ID that is found, instead of the username being printed out for each time the first and last name combination is found.

Upvotes: 1

Views: 489

Answers (1)

glenn jackman

Reputation: 246764

You're ripe for an SQL-injection attack.

Nevertheless, the sql needs single quotes around the pattern. Also, you don't need to quote the command you send to ssh. So:

sshpass -p 'XXXXXX' ssh [email protected] mysql -h host -u user -pXXXXXX database -e "select user_id from users where concat(FIRST,LAST) like '%${username}%';"
# ............................................^ remove quote ........................................................................................ remove quote ^

Upvotes: 2
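
An added example, not part of the answer above or the asker's script: ssh joins its arguments into one string that the remote login shell parses again, so the SQL has to be quoted once more for that shell, and the name has to be restricted before it goes into the LIKE pattern. The helper names (`sh_quote`, `build_lookup_cmd`, `remote_sql_arg`) are hypothetical, `host`, `user` and `database` are the page's placeholders, and credentials are assumed to come from `~/.my.cnf` on the remote account.

```sh
#!/bin/sh
# Added example (not the page's code): build the remote mysql command so the
# SQL survives both shells and the supplied name cannot change the statement.

# Quote one string as a single POSIX-shell word: wrap it in '...' and turn
# every embedded ' into '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the command line to hand to ssh, or fail if the name is not purely
# alphanumeric (this also rules out quotes and the LIKE wildcards % and _).
# Assumption: credentials come from ~/.my.cnf on the remote account, so no
# password appears on the command line.
build_lookup_cmd() (
    LC_ALL=C
    case $1 in
        '' | *[!A-Za-z0-9]*)
            printf 'rejected username: %s\n' "$1" >&2
            exit 1 ;;
    esac
    sql="select user_id from users where concat(FIRST,LAST) like '%$1%';"
    printf 'mysql -h host -u user database -e %s\n' "$(sh_quote "$sql")"
)

# For checking only: parse the command the way the remote shell would and
# print the last word, i.e. what mysql receives as its -e argument.
# Only ever call this on output of build_lookup_cmd.
remote_sql_arg() {
    eval "set -- $1"
    shift $(($# - 1))
    printf '%s' "$1"
}

# Constructed sample input.
cmd=$(build_lookup_cmd jaylefler) && printf '%s\n' "$cmd"
# Usage (target is a hypothetical variable holding user@host):
#   ssh "$target" "$cmd"
```
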
