Error while using @ and space in sql query in shell script

Question

When I execute a MySQL query from the shell script using value as variable, it shows

ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 1

my code

#!/bin/bash

email='new_user@gmail.com'

# Checking - is the email already exists,
email_exists=$(mysql -u username -ppassword -e "SELECT id FROM db.user where email=$email;")

no problem when using inline (without using a variable).

FYI: I am using email as a variable because I need to reuse somewhere in code.

Answer 1

Add single quotes around the string (inside your existing double quotes) to make it valid SQL:

email_exists=$(mysql -u username -ppassword -e "SELECT id FROM db.user where email='$email';")

That said, note that this is only safe at all when you control the string and are certain it doesn't contain any literal quotes inside its content. (new_user@gmail.com is safe, but new_user@gmail.com'; DROP TABLE db; -- ' would not be). Bill Kelwin's answer on "Injection proof SQL statements from command line" provides one way to avoid this pitfall.

Answer 2

Single-quotes and double-quotes are used in bash to escape certain characters, they are not used to signal a string. The single-quotes in your case will not be used in your mysql statement, therefore you get a syntax error (you don't have a string your mysql statement).

#!/bin/bash

email=new_user@gmail.com

# Checking - is the email already exists,
email_exists=$(mysql -u username -ppassword -e "SELECT id FROM db.user where email='$email';")