This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm using a PHP script in my Android project to delete a line from the database. Here is the PHP file content:
<?php
$pseudo = $_POST['pseudo'];
define('HOST','localhost');
define('USER','root');
define('PASS','');
define('DB','ract');
$con = mysqli_connect(HOST,USER,PASS,DB);
$sql = "DELETE from utilisateur where pseudo=$pseudo";
$res = mysqli_query($con,$sql);
?>
I think that the main problem is in comparing pseudo to $pseudo.
For God's sake, protect your query against SQL injection:
$sql = "DELETE from utilisateur where pseudo = '".mysqli_real_escape_string($con, $pseudo)."'";
$sql = "DELETE from utilisateur where pseudo = '$pseudo'";
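A hardened version of the script above, added here as an example (it is not code from the question or from either answer): the pseudo value is bound with a mysqli prepared statement instead of being pasted into the SQL text, the connection details are assumed to come from environment variables (DB_HOST, DB_USER, DB_PASS, DB_NAME, with a dedicated non-root account) rather than being hard-coded as root with an empty password, and the Android client gets back the number of rows actually deleted.

```php
<?php
// Added example, not the original script: DELETE by pseudo with a
// prepared statement. Assumptions: table "utilisateur" has a column
// "pseudo"; credentials come from the DB_* environment variables.
declare(strict_types=1);

header('Content-Type: application/json');

// Turn mysqli failures into exceptions instead of silent "false" returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$pseudo = $_POST['pseudo'] ?? '';
if ($pseudo === '' || strlen($pseudo) > 64) {
    http_response_code(400);
    echo json_encode(['deleted' => 0, 'error' => 'missing or oversized pseudo']);
    exit;
}

$con = mysqli_connect(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: 'app',   // assumption: a dedicated, non-root account
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'ract'
);
mysqli_set_charset($con, 'utf8mb4');

// The only SQL the server ever parses is this constant string; the
// user-supplied value travels separately as a bound parameter, so
// input such as "1 OR 1=1" is compared as a string, not executed.
$stmt = mysqli_prepare($con, 'DELETE FROM utilisateur WHERE pseudo = ?');
mysqli_stmt_bind_param($stmt, 's', $pseudo);
mysqli_stmt_execute($stmt);

// Report how many rows were removed so the client can distinguish
// "deleted" from "no such user" instead of assuming success.
$deleted = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);
mysqli_close($con);

echo json_encode(['deleted' => $deleted]);
```

The `mysqli_report()` call matters in practice: without it, a failed `mysqli_prepare()` returns `false` and the script would silently continue, and the Android side would never learn that nothing was deleted.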
This question already has answers here:
How can I get an unknown username given an ID?
(2 answers)
Closed 1 year ago.
I want to display only the login data from the database at a time, without showing all the data from the database,
so that when I try to log in by giving a username and password, all the data of that user is shown at once.
This is my code; the connection is working fine. Help me with the query.
<?php
session_start();
$con = mysqli_connect('localhost', 'root', 'Admin#12345');
mysqli_select_db($con, 'userregistration');
$selectquery = " select * from usertable where email";
$query = mysqli_query($con,$selectquery);
$nums = mysqli_num_rows($query);
while($res = mysqli_fetch_array($query)){
echo $res['user'] . "<br>";
}
Help me with the query please.
Change the query to:
select * from usertable where email = ?
But then you have to tell PHP which email address you want to show:
something like:
$emailToFind = "someone@example.com";
$selectquery = " select * from usertable where email = ?";
$query = mysqli_prepare($con,$selectquery);
mysqli_stmt_bind_param($query, "s", $emailToFind);
mysqli_stmt_execute($query);
But, in the article How can I prevent SQL injection, you will also see the possibility of using PDO, which can also be used for databases other than MySQL.
But whether to use PDO or MySQLi is a long, and old, discussion; see: mysqli or PDO - what are the pros and cons?
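The answer stops at executing the prepared statement. The following is an added example (not the answer's code) that completes the login lookup the question describes: it binds the submitted email, fetches the single matching row, checks the password, and then shows only that user's data. It assumes `usertable` has columns `id`, `user`, `email` and `password` (the last holding a `password_hash()` value), that the `appuser`/`secret` credentials are placeholders for your own, and that the mysqlnd driver is available for `mysqli_stmt_get_result()`.

```php
<?php
// Added example, not from the original answer: look up one user by the
// email from the login form with a prepared statement, verify the
// password, and display only that user's row.
// Assumptions: columns id, user, email, password (password_hash value);
// placeholder credentials; mysqlnd available for mysqli_stmt_get_result.
declare(strict_types=1);

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = mysqli_connect('localhost', 'appuser', 'secret', 'userregistration');
mysqli_set_charset($con, 'utf8mb4');

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

// The email is bound, never interpolated; the SQL text is fixed.
$stmt = mysqli_prepare(
    $con,
    'SELECT id, user, email, password FROM usertable WHERE email = ? LIMIT 1'
);
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // null when no match
mysqli_stmt_close($stmt);

// One generic failure message for both "no such user" and "wrong
// password", so the login form does not reveal which emails exist.
if ($row === null || !password_verify($password, $row['password'])) {
    http_response_code(401);
    exit('Login failed.');
}

// Remember who is logged in and show only this user's data, escaped
// for HTML so stored values cannot inject markup into the page.
session_regenerate_id(true);
$_SESSION['user_id'] = $row['id'];
echo htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '<br>';
echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '<br>';
```

The `LIMIT 1` plus a single `mysqli_fetch_assoc()` replaces the `while` loop from the question: a login should never iterate over every row in the table.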
This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
So I'm building a website and I need to access a table which holds the information about products.
I'm using this to navigate to the page:
<a href="productDetails.php?table=FeaturedProducts&id=1" >
Then in the product details page I'm using this to run the PHP query:
<?php
require "connection.php";
$table = $_GET["table"];
$id = $_GET["id"];
$sql = "select * from '.$table.' where ID = '.$id.'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$pname= $row['Product_name'];
?>
This doesn't seem to work; please tell me how I can do this.
You made a mistake in your string concatenation. Take a look at your code here:
$sql = "select * from '.$table.' where ID = '.$id.'";
You try to concatenate the $table and $id variables (we agree it's a SQL injection problem).
But PHP will interpret the resulting string like this: select * from '.FeaturedProducts.' where ID = '.1.'
So the ' are not necessary in your code for the table name, and it adds dots to your values. That is why MySQL gives you an error message.
So your correct code will be (and modify it to use a prepared statement to avoid SQL injection):
$sql = "select * from $table where ID = '$id'";
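The answer's corrected line still takes the table name from the URL, and a table name cannot be bound as a prepared-statement parameter: placeholders stand for values, not identifiers. The following is an added example (not the answer's code) of how a practitioner handles that: the table name is checked against a fixed allowlist before it is placed in the query, and the id is validated as an integer and bound. It assumes `connection.php` defines `$conn` as a mysqli connection, as in the question; the extra table names `NewProducts` and `Clearance` in the allowlist are made up for the example.

```php
<?php
// Added example, not from the original answer: allowlisted table name
// plus a bound integer id. Assumptions: connection.php provides $conn
// (mysqli); NewProducts and Clearance are invented allowlist entries.
declare(strict_types=1);

require 'connection.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Only these tables may be read through this page. Anything else
// (information_schema, a users table, ...) is rejected before any SQL
// is built, because an identifier cannot go through a placeholder.
const ALLOWED_TABLES = ['FeaturedProducts', 'NewProducts', 'Clearance'];

$table = $_GET['table'] ?? '';
if (!in_array($table, ALLOWED_TABLES, true)) {
    http_response_code(404);
    exit('Unknown product table.');
}

// The id is data, so it is bound; filter_var also rejects input such
// as "1 OR 1=1" before the query is assembled.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid product id.');
}

// Backticks quote the allowlisted identifier; the value is a parameter.
$stmt = mysqli_prepare($conn, "SELECT Product_name FROM `$table` WHERE ID = ?");
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

if ($row === null) {
    http_response_code(404);
    exit('No such product.');
}
$pname = $row['Product_name'];
echo htmlspecialchars($pname, ENT_QUOTES, 'UTF-8');
```

The strict `in_array(..., true)` comparison is deliberate: a loose comparison would let values like `0` match unexpectedly, and the allowlist is the only thing standing between the URL and the `FROM` clause.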
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 months ago.
I'm practicing SQL injection.
http://localhost/injection/index.php?id=1%3BDELETE+FROM+users
With this injection, only the first code works.
With the second code I get this error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users' at line 3
$pdo = new PDO('mysql:host=localhost;dbname=injection', 'root', '');
$id = $_GET['id'];
$statement = $pdo->query("SELECT * FROM users WHERE id = ".$id."");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['users']);
require_once("conn.php");
$id = $_GET['id'];
$query = "SELECT *
FROM users
WHERE id = ".$id."";
$result = mysqli_query($conn,$query) or die("Error: ".mysqli_error($conn));
$row = mysqli_fetch_array($result);
echo htmlentities($row['users']);
It seems that mysqli_query does not support multiple queries. You should try to use mysqli_multi_query(), but from a security point of view, it is not a good idea.
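The answer explains the mysqli side. What it leaves out is why the PDO version accepted the stacked `DELETE`: PDO's MySQL driver enables multi-statement queries by default, and `PDO::MYSQL_ATTR_MULTI_STATEMENTS` can only be switched off in the constructor's driver options. The following is an added example (not the answer's code) showing that option turned off as defence in depth, together with the real fix, a bound parameter. It assumes the `injection` database and `users` table from the question, and that the row has a column named `name` (the original echoes `$row['users']`, which is the table name, not a column).

```php
<?php
// Added example, not from the original post: the PDO variant with
// multi-statement queries disabled and the id bound, not concatenated.
// Assumptions: database "injection", table "users" with a column "name".
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=injection;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    // Defence in depth: a concatenated query can no longer carry a
    // second statement such as ";DELETE FROM users". This is not a
    // substitute for the binding below, it only limits the blast radius.
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    // Let the MySQL server parse the SQL and receive values separately.
    PDO::ATTR_EMULATE_PREPARES       => false,
]);

// Reject anything that is not a positive integer before it gets near SQL.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid id.');
}

// The statement text is constant. "1;DELETE FROM users" already fails
// the validation above; even if it did not, a bound value can never be
// parsed as SQL.
$statement = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$statement->bindValue(':id', $id, PDO::PARAM_INT);
$statement->execute();
$row = $statement->fetch(PDO::FETCH_ASSOC);

echo $row === false ? 'No such user.' : htmlentities($row['name']);
```

Disabling multi-statements on its own would still leave the original concatenated query open to `?id=1 OR 1=1`, which is a single statement; only the parameter binding closes that.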
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Binding multiple values in pdo
(3 answers)
Closed 6 years ago.
I have prepared a series of queries which work. Now I am in the process of securing these queries against injection. I can do it fine when I have one variable in the query, but have not been able to find out, by trial and error, how to do it for more.
This is what I am doing (see $sql and $handle->execute()):
<?php
$sql = "SELECT FORMAT (z.PriceMultiplier * p.BasicTicketPrice,2)
AS totalPrice
FROM Zone z JOIN Production p
WHERE p.Title = :n AND z.Name = :n";
$handle = $conn->prepare($sql);
$zone = "$_POST[Zone]";
$prod = "$_POST[Production]";
$handle->execute(array(":n"=> $zone, $prod));
$conn = null;
$res = $handle->fetchAll();
foreach($res as $row) {
echo "<input name='Price' type='text' readonly='readonly' value='£".$row['totalPrice']."'><br>";
}
?>
How do I assign the variables $zone and $prod to the statement in handle->execute()?
Thank you in advance.
[edit1: SOLUTION: Use ? instead of :n p.Title = ? AND z.Name = ? and just do $handle->execute(array($zone, $prod))]
[edit2: I do not believe this is a duplicate - the question is not how to prevent an injection attack... it is how to deal with multiple variables in doing so.]
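The same lookup with both values bound, added here as an example rather than taken from the question: once with positional `?` markers, as in the edit above, and once with two distinct named placeholders (`:title` and `:zone` are names chosen for this example). It assumes `$conn` is the PDO connection the question already has and keeps the question's `Zone`/`Production` join as written.

```php
<?php
// Added example, not the original code: two bound values, positional
// and named. Assumptions: $conn is the question's PDO connection; the
// tables, columns and join are the question's own.
declare(strict_types=1);

$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$prod = $_POST['Production'] ?? '';
$zone = $_POST['Zone'] ?? '';

// 1) Positional placeholders: values are passed in the order the ?
//    markers appear, so p.Title gets $prod and z.Name gets $zone.
$sql = 'SELECT FORMAT(z.PriceMultiplier * p.BasicTicketPrice, 2) AS totalPrice
        FROM Zone z JOIN Production p
        WHERE p.Title = ? AND z.Name = ?';
$handle = $conn->prepare($sql);
$handle->execute([$prod, $zone]);
$rows = $handle->fetchAll(PDO::FETCH_ASSOC);

// 2) Named placeholders: each value needs its own distinct name.
//    Reusing :n for both, as in the question, only works while PDO
//    emulates prepares; with native prepares it is an error.
$sql = 'SELECT FORMAT(z.PriceMultiplier * p.BasicTicketPrice, 2) AS totalPrice
        FROM Zone z JOIN Production p
        WHERE p.Title = :title AND z.Name = :zone';
$handle = $conn->prepare($sql);
$handle->execute([':title' => $prod, ':zone' => $zone]);
$rows = $handle->fetchAll(PDO::FETCH_ASSOC);

// Fetch before dropping the connection, and escape the value on output
// so a stored string cannot break out of the attribute.
$conn = null;
foreach ($rows as $row) {
    $price = htmlspecialchars($row['totalPrice'], ENT_QUOTES, 'UTF-8');
    echo "<input name='Price' type='text' readonly='readonly' value='£$price'><br>";
}
```

Note the argument order in the positional form: the placeholders are filled left to right, so the array must list the title before the zone to match `p.Title = ? AND z.Name = ?`.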
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar, so for example, if I use ' it fails. I am using prepare, but it's just the apostrophe that fails to work?
if($_POST['ourstory']) {
foreach($_POST['ourstory'] as $id => $ourstory) {
$sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
$q = $db->prepare($sql);
$q->execute(array($id,$ourstory));
}
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));
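The answer's three lines are the fix. As an added example (not the answer's code), here is the full loop from the question built around them: the statement is prepared once and executed per row, the ids arriving as array keys are validated, the values are bound with explicit types, and the whole batch runs in a transaction so a failure halfway through leaves nothing half-updated. It assumes `$db` is the PDO connection from the question and that `our_story` has an integer `id` column and a text `content` column.

```php
<?php
// Added example, not from the original answer: prepare once, execute
// per row, inside a transaction. Assumptions: $db is the question's PDO
// connection; our_story has integer id and text content columns.
declare(strict_types=1);

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stories = $_POST['ourstory'] ?? [];
if (!is_array($stories) || $stories === []) {
    exit('Nothing to update.');
}

// Prepare once; the SQL never changes, only the bound values do.
$q = $db->prepare('UPDATE our_story SET content = ? WHERE id = ?');

$db->beginTransaction();
try {
    foreach ($stories as $id => $ourstory) {
        // Array keys come from the form too and must be real row ids.
        $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || !is_string($ourstory)) {
            throw new InvalidArgumentException('Bad story id or content.');
        }
        // Both values are bound, so "It's" or "'; DROP TABLE our_story; --"
        // are stored literally and never reach the parser as SQL.
        $q->bindValue(1, $ourstory, PDO::PARAM_STR);
        $q->bindValue(2, $id, PDO::PARAM_INT);
        $q->execute();
    }
    $db->commit();
} catch (Throwable $e) {
    $db->rollBack();
    http_response_code(500);
    exit('Update failed; no changes were saved.');
}
```

The apostrophe problem in the question came from building the SQL with the values already inside it; with the values bound as above, quoting is the driver's job and no character in the content needs escaping.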