This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
So I'm building a website and I need to access a table which holds the information about products.
I'm using this to navigate to the page:
<a href="productDetails.php?table=FeaturedProducts&id=1" >
Then in the product details page I'm using this to run the PHP query:
<?php
require "connection.php";
$table = $_GET["table"];
$id = $_GET["id"];
$sql = "select * from '.$table.' where ID = '.$id.'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$pname= $row['Product_name'];
?>
This doesn't seem to work. Please tell me how I can do this.
You made a mistake in your string concatenation. Take a look at your code here:
$sql = "select * from '.$table.' where ID = '.$id.'";
You are trying to concatenate the $table and $id variables (we agree it's a SQL injection problem).
But PHP will interpret the string result like this: select * from '.FeaturedProducts.' where ID = '.1.'
So the ' are not necessary in your code for the table name, and it adds dots to your values. That is why MySQL gives you an error message.
So your correct code will be (and modify it to use a prepared statement to avoid SQL injection):
$sql = "select * from $table where ID = '$id'";
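The same productDetails.php lookup written with a prepared statement, as an added example that is not the asker's or answerer's code. The table name cannot be bound as a parameter, so it is checked against a fixed list instead; the table names in that list and the mysqlnd-backed mysqli_stmt_get_result() call are assumptions, and connection.php is assumed to define $conn as in the question.

```php
<?php
// Added example: allowlist the identifier, bind the value.
// Assumes connection.php defines $conn as a mysqli connection.
require "connection.php";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Table names are identifiers, not values, so they cannot be bound as
// parameters; the only safe way to take one from the URL is to map it
// onto a fixed list of tables this page is allowed to read (assumed names).
$allowedTables = ['FeaturedProducts', 'NewProducts'];
$table = $_GET['table'] ?? '';
if (!in_array($table, $allowedTables, true)) {
    http_response_code(400);
    exit('Unknown product table');
}

// The id is a value: validate it as an integer and bind it instead of
// interpolating it into the SQL string.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid product id');
}

$stmt = mysqli_prepare($conn, "SELECT * FROM `$table` WHERE ID = ?");
mysqli_stmt_bind_param($stmt, "i", $id);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

if ($row === null) {
    http_response_code(404);
    exit('Product not found');
}
$pname = $row['Product_name'];
// Escape on output so a product name cannot inject HTML into the page.
echo htmlspecialchars($pname, ENT_QUOTES, 'UTF-8');
```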
This question already has answers here:
How can I get an unknown username given an ID?
(2 answers)
Closed 1 year ago.
I want to display only the login data from the database at a time, without showing all the data from the database,
so that when I try to log in by giving a username and password, all the data of that user will show at a time.
This is my code; the connection is working fine. Help me with the query.
<?php
session_start();
$con = mysqli_connect('localhost', 'root', 'Admin#12345');
mysqli_select_db($con, 'userregistration');
$selectquery = " select * from usertable where email";
$query = mysqli_query($con,$selectquery);
$nums = mysqli_num_rows($query);
while($res = mysqli_fetch_array($query)){
echo $res['user'] . "<br>";
}
Help me with the query please.
Change the query to:
select * from usertable where email = ?
But then you have to tell PHP which email address you want to show,
something like:
$emailToFind = "someone#example.com";
$selectquery = " select * from usertable where email = ?";
$query = mysqli_prepare($con, $selectquery);
mysqli_stmt_bind_param($query, "s", $emailToFind); // "s": bind as a string
mysqli_stmt_execute($query);
// Fetch the rows of the prepared statement (requires mysqlnd)
$result = mysqli_stmt_get_result($query);
while ($res = mysqli_fetch_array($result)) {
    echo $res['user'] . "<br>";
}
But in the article How can I prevent SQL injection, you will also see the possibility of using PDO, which can also be used for databases other than MySQL.
But whether you want to use PDO or MySQLi is a long, and old, discussion; see: mysqli or PDO - what are the pros and cons?
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I have a query like this:
update T_table set detail = 'XXXX' where num = 155;
which on my php file looks like this:
$sql = "update T_table set ".$_GET['field']." = '".$_GET['value']."' where num = ".$_GET['num'];
$output = mysql_query($sql);
I would like to know if it is possible to inject SQL where the XXXX are in the query, because they will be replaced by a string from $_GET, and if it is possible, how would you do it?
Important: My MYSQL database is not allowing double pipes (||) as a concatenation operator.
You should use PDO's prepared statements:
$query = $db->prepare("update T_table set detail = :detail where num = :num;");
$query->bindParam(":detail", $_GET['detail']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
If you need multiple fields this gets a little more complicated, as the user's input can't really be trusted with arbitrary fields:
$allowedFields = ["detail", "cost", "name"];
$field = $_GET['field'];
if (in_array($field, $allowedFields, true)) {
$query = $db->prepare("update T_table set $field = :value where num = :num;");
$query->bindParam(":value", $_GET['value']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
}
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I'm developing a mobile application for android and I'm trying to compare a variable on the phone to a variable already in the database, so that I can insert it if it's new and update it if it already exists.
$name_check = $_POST['Name'];
$result = mysqli_query($con, "SELECT * FROM Data WHERE Name = $name_check");
if($result && mysqli_num_rows($result) > 0)
{
// Update entry
}
This code doesn't seem to work, as this block is skipped over and it goes to my else block where a new entry is written, so I end up with loads of entries instead of updating one.
I have another field in the table called "Level", and when I compare against that it seems to work, which just confuses me further.
If anyone has any insight into how to do this or why it's not working for me I'd be very grateful.
Use quotes:
$result = mysqli_query($con, "SELECT * FROM Data WHERE Name = '$name_check'");
$result = mysqli_query($con, "SELECT * FROM Data WHERE Name = '".$name_check."'");
This should work fine.
Use this:
$result = mysqli_query($con, "SELECT * FROM Data WHERE Name = '" . $name_check . "'");
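The "insert if new, update if it exists" check from the question, done with prepared statements so the Name value never has to be quoted by hand; this is an added example, not the asker's or answerers' code. It assumes $con is an open mysqli connection and that Data has the columns Name (string) and Level (integer) mentioned in the question.

```php
<?php
// Added example. Assumes $con is a mysqli connection and Data(Name, Level).

function saveEntry(mysqli $con, string $name, int $level): string
{
    // A string literal must be quoted in SQL, which is why the bare
    // $name_check failed while the numeric Level compared fine. Binding
    // the value as a parameter handles the quoting for us.
    $check = $con->prepare("SELECT COUNT(*) FROM Data WHERE Name = ?");
    $check->bind_param("s", $name);
    $check->execute();
    $check->bind_result($count);
    $check->fetch();
    $check->close();

    if ($count > 0) {
        $stmt = $con->prepare("UPDATE Data SET Level = ? WHERE Name = ?");
        $stmt->bind_param("is", $level, $name);
        $stmt->execute();
        $stmt->close();
        return 'updated';
    }

    $stmt = $con->prepare("INSERT INTO Data (Name, Level) VALUES (?, ?)");
    $stmt->bind_param("si", $name, $level);
    $stmt->execute();
    $stmt->close();
    return 'inserted';
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Validate the POSTed fields before they reach the database.
$name  = $_POST['Name'] ?? '';
$level = filter_input(INPUT_POST, 'Level', FILTER_VALIDATE_INT);
if ($name === '' || $level === false || $level === null) {
    http_response_code(400);
    exit('Name and an integer Level are required');
}
echo saveEntry($con, $name, $level);
```

With a UNIQUE index on Name, the check-then-write pair can be collapsed into a single INSERT ... ON DUPLICATE KEY UPDATE, which also removes the race between two concurrent requests for the same name.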
I have a PHP script like this:
$query = "select * where userid = 'agusza' ";
$result = mysql_query($query) or die(mysql_error());
while($row=mysql_fetch_array($result)) {
echo $result;
}
When I execute it, the result is like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where userid = 'agusza'' at line 1
But when I run that SQL in SQL Server, it runs well.
Does anybody have a solution?
$query = "select * from table_name where userid = 'agusza' ";
See the corrections I have made. You haven't used the right syntax for the SELECT query.
You didn't select a table using FROM. Without that, it does not know which table you are selecting data from.
You should also stop using mysql as it is deprecated. Use mysqli or PDO as they are safer.
You are also echoing the wrong variable in your while loop, try this:
while ($row = mysql_fetch_array($result)) {
echo $row['column_name'];
}
$query = "select * from `table` where userid = 'agusza'";
Right now, you're not telling which table SQL should look in.
You should format your query like so:
select * from `TableName` where userid='agusza'
In your query below you don't state the database table you should get that data from, using FROM:
$query = "select * where userid = 'agusza' "; // instead of this
$query = "select * FROM declaredtable where userid = 'agusza' "; // use this
I have a query on my page that uses a GET variable to pull data from my table...
If I echo my GET var the data is there, so I'm doing something wrong with my query. Instead of or die, can I show an error in the browser?
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!');
$sql = "SELECT * FROM persons WHERE id = $userID";
You must use double quotes to use variables inside the query string.
You can also do this:
$sql = "SELECT * FROM persons WHERE id = ".$userID;
What you should do is this (to protect yourself from sql injection):
$stmt = $conn->prepare("SELECT * FROM persons WHERE id = ?"); // prepare takes the SQL, with a placeholder for the value
$stmt->bind_param("i", $userID); // bind the id as an integer
$stmt->execute();
$q = $stmt->get_result();
You can always debug using this at the top of your php page:
ini_set('display_errors',1);
error_reporting(E_ALL);
Have you tried $q = $conn->query($sql) or die($conn->error); ?
Yes you can, but you should only do it for debugging. Crackers can gain a lot of insight by purposefully feeding bad input and reading the error.
I'm assuming you're using MySQLi; the command is $conn->error. So your line would be:
$q = $conn->query($sql) or die($conn->error);
Also, what you're doing wrong is you're using single quotes to define $sql. You need to use double quotes to write $userID into the string. So what you want is:
$sql = "SELECT * FROM persons WHERE id = $userID";
or
$sql = 'SELECT * FROM persons WHERE id = ' . $userID;
You need to use double quotes to evaluate variables within the string. That is,
$sql = 'SELECT * FROM persons WHERE id = $userID';
should be
$sql = "SELECT * FROM persons WHERE id = $userID";
Rather than removing the die you should make sure the query is always valid. In other words: validate the userID parameter. $_GET can contain anything the user wants to provide - it could be an array, it could be a string, it could be a string with a malicious payload that can drop your tables. So check it is an integer. If not, return a relevant message to the user.
Not a PHP expert, but you might try:
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!' . $conn->error); // $conn->error holds the last mysqli error message
The error should append to the end of your die message.
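Pulling the advice in this thread together (validate userID as an integer, bind it, and keep SQL error detail out of the browser), as an added example that is not code from the question or any of the answers. It assumes $conn is a mysqli object and that persons has a name column; the mysqli_sql_exception class and get_result() are standard mysqli features.

```php
<?php
// Added example. Assumes $conn is a mysqli connection and persons(id, name).

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// $_GET['userID'] may be missing, an array, or arbitrary text; accept only
// an integer, so the query is always well-formed before it runs.
$userID = filter_input(INPUT_GET, 'userID', FILTER_VALIDATE_INT);
if ($userID === false || $userID === null) {
    http_response_code(400);
    exit('userID must be an integer');
}

try {
    // Double quotes would interpolate $userID, but binding avoids
    // building the SQL from user input at all.
    $stmt = $conn->prepare("SELECT * FROM persons WHERE id = ?");
    $stmt->bind_param("i", $userID);
    $stmt->execute();
    $persons = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the server log for debugging; the visitor only
    // sees a generic message, so a bad query leaks nothing about the schema.
    error_log('persons query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Query failed');
}

foreach ($persons as $person) {
    echo htmlspecialchars($person['name'] ?? '', ENT_QUOTES, 'UTF-8'), "<br>";
}
```

During development, ini_set('display_errors', 1) at the top of the page will still show the logged exception in the browser; leave it off in production.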