Query and Site Lock - php

Good Day
I am using a program called Site Lock from Vibraloxig. It works great for what I need, but I have a question that maybe someone can assist me with.
The site allows me to draw certain information of the user using simple PHP echo commands
<?php echo $slusername; ?>
This will echo the user name for me, and so on. What I would like to do is use this to filter a query on MySQL tables. This is my current code:
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$query = "SELECT * FROM members WHERE ussd_dealer = '<?php echo $slcustom1; ?>' ";
$result = mysql_query($query);
echo " ".mysql_num_rows($result)." ";
?>
My table has the ussd_dealer column, and the custom1 value I am calling works on the site but does not work in the query to filter the table for me. I am not sure if I need to use "" instead of '' after WHERE ussd_dealer =. Assistance would be greatly appreciated.

You don't need to echo inside your string creation:
$query = "SELECT * FROM members WHERE ussd_dealer = '$slcustom1' ";
When you want to echo it to the HTML, you use the echo function; but when you simply want to use the value inside the variable, and you are already inside PHP code, you can simply refer to it as it is.
Be aware though that this is terribly insecure.
You should read this question/wiki on what SQL injection is, and why doing what you are asking is opening a can of worms to have your site hosed.

You can use the variable name directly in your query:
$query = "SELECT * FROM members WHERE ussd_dealer = '{$slcustom1}' ";
SIDENOTE: use mysqli instead of mysql.
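The same ussd_dealer filter written with a mysqli prepared statement, added here as an example; it is not code from either answer or from Site Lock. It assumes the question's own connection variables ($host, $username, $password, $db_name) are set and that $slcustom1 is the value Site Lock provides, as the question states.

```php
<?php
// Added example: the same filter as the question, but with the value bound
// as a parameter instead of being pasted into the SQL string.
// $host, $username, $password, $db_name are the question's variable names;
// $slcustom1 is the value Site Lock provides (assumed already set).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any failure

$mysqli = new mysqli($host, $username, $password, $db_name);
$mysqli->set_charset('utf8mb4');

// The SQL text contains no user data at all, only a placeholder.
$stmt = $mysqli->prepare("SELECT * FROM members WHERE ussd_dealer = ?");

// "s" marks the bound value as a string. The driver sends it separately from
// the statement, so a value containing a quote is compared literally and is
// never parsed as SQL: this is what closes the injection hole the answer
// warns about, without any manual escaping.
$stmt->bind_param("s", $slcustom1);
$stmt->execute();

$result = $stmt->get_result();   // requires the mysqlnd driver
echo $result->num_rows, "\n";    // same count the question echoes

while ($row = $result->fetch_assoc()) {
    // Escape on output as well, so a stored value cannot inject HTML/JS
    // into the page (a separate problem from SQL injection).
    echo htmlspecialchars($row['ussd_dealer'], ENT_QUOTES, 'UTF-8'), "\n";
}

$stmt->close();
$mysqli->close();
```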

Related

why not this SQL injection working?

I am trying to inject into the script given below, and I am giving something like:
userid="abcd" and pid="'; drop table shubh //"
but it is not deleting the table. I have seen many answers on Stack Overflow where everyone is using these comments "--", but as per the PHP Manual the comments are "//, #, /* */".
I am referring to this resource: http://www.w3resource.com/sql/sql-injection/sql-injection.php
<?php
$host="localhost";
$username="root";
$password="";
$db_name="hr";
$con=mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$uid = $_POST['uid'];
$pid = $_POST['passid'];
$sql = "select * from user_details where userid = '".$uid."' and password = '".$pid."'";
//$sql = "select * from user_details where userid = '".shubham."'";//shubham"' drop table shubh";//.$uid."' and password = '".$pid."'";
echo $sql;
$result = mysql_query($sql);
if(mysql_num_rows($result)>0)
{echo "<h4>"."-- Personal Information -- "."</h4>","</br>";
while ($row=mysql_fetch_row($result))
{echo "<p>"."User ID : ".$row[1]."</p>";
echo "<p>"."Password : ".$row[2]."</p>";
echo "<p>"."First Name : ".$row[3]." Last Name : ".$row[4]."</p>";
echo "<p>"."Gender : ".$row[5]." Date of Birth :".$row[6]."</p>";
echo "<p>"."Country : ".$row[7]." User rating : ".$row[8]."</p>";
echo "<p>"."Email ID : ".$row[9]."</p>";
echo "--------------------------------------------";
}
}
else
echo "Invalid user id or password";
?>
userid="abcd" and pid="'; drop table shubh //"
but it is not deleting the table.
mysql_query only accepts a single statement.
SQL injection via that function needs to use a different approach (such as subqueries).
i have seen many answers on stackoverflow everyone is using these comments "--" but as per PHP Manual comments are these "//,#,/* */"
SQL is not PHP. It has a different comment syntax.

Forum responses to topics do not show up

I am very new to coding PHP, HTML, and CSS and am just making a basic website with very basic functions that I will change and improve as I learn more about how to code in these languages. My question is: why do my responses to a thread I have created in my forum response page not appear when I view the forum? The code I used was not mine; I got it from
this website: www.phpgang.com/create-a-simple-forum-in-php_158.html
Everything else with this code works, with no errors, and I can create a topic, view the topic, and respond to the topic, but the response does not appear when I view the topic. It does, however, add a comment to the comment area of the forum table that shows all of the current topics. Please offer any ideas of how I can make the response display. If you have any questions on what exactly it is doing, please comment.
(the code that is supposed to display and add the response to the topic)
add_answer.php:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="greatdebate"; // Database name
$tbl_name="fanswers"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get value of id that sent from hidden field
$id=$_POST['id'];
// Find highest answer number.
$sql="SELECT MAX(a_id) AS Maxa_id FROM $tbl_name WHERE question_id='$id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
// Add 1 to the highest answer number and keep it in "$Max_id"; if there is no answer yet, set it to 1.
if ($rows) {
$Max_id = $rows['Maxa_id']+1;
}
else {
$Max_id = 1;
}
// get values that sent from form
$a_name=$_POST['a_name'];
$a_email=$_POST['a_email'];
$a_answer=$_POST['a_answer'];
$datetime=date("d/m/y H:i:s"); // create date and time
// Insert answer
$sql2="INSERT INTO $tbl_name(question_id, a_id, a_name, a_email, a_answer,
a_datetime)VALUES('$id', '$Max_id', '$a_name', '$a_email', '$a_answer', '$datetime')";
$result2=mysql_query($sql2);
if($result2){
echo "Successful<BR>";
echo "<a href='view_topic.php?id=".$id."'>View your answer</a>";
// If added new answer, add value +1 in reply column
$tbl_name2="fquestions";
$sql3="UPDATE $tbl_name2 SET reply='$Max_id' WHERE id='$id'";
$result3=mysql_query($sql3);
}
else {
echo "ERROR";
}
// Close connection
mysql_close();
?>
Please contact me if you need to see main_forum.php or new_topic.php.

using $_GET with PHP if statement and MYSQL

So I'm having a problem with the logic behind this statement on my PHP login website. Here is the code:
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$results=mysql_query("SELECT temporary_password FROM $tbl_name");
$row = mysql_fetch_array($results);
if($_GET['temp_password'] != $row['temporary_password'] && $_GET['temp_username'] != $row['temporary_username']){
mysql_close();
header("Location: index.php");
}
Basically, I have a registration web page that should only be accessed if the user's URL contains both temp_username AND temp_password and both of those values exist in the database. Currently I can get this to work using OR (||) instead of AND (&&), but then the statement only works if either the password OR the username exists; I want the person to access this site only if both temp_username and temp_password are true, and otherwise forward them to the index page.
What's wrong with my logic?
P.S. I know mysql_* is not secure, I currently don't have time to transition to mysqli.
Your query should be this:
$results=mysql_query("SELECT temporary_password,temporary_username FROM $tbl_name");
Or you can make your query like this:
$results=mysql_query("SELECT temporary_password,temporary_username FROM $tbl_name where temporary_username = '".$_GET['temp_username']."'");
As you are not selecting temporary_username from the database, the last condition in your if statement is never really checked.
That is why it works for the OR condition and not for AND.
So use the above query and it will work for the AND condition also.
Given:
if($_GET[...snip...] && $_GET['temp_username'] != $row['temporary_username']){
^^^^^^^^^^^^^^^^^^---this
Don't you think you might want to add it:
$results=mysql_query("SELECT temporary_password FROM $tbl_name");
^----- here?
You should add a WHERE statement into your query:
"SELECT count(*) from $tbl_name WHERE temporary_username = :username AND temporary_password = :password"
You need to check the username and password from the database:
// Note: the $_GET values are still unescaped here; see the PDO/mysqli note below.
$results=mysql_query("SELECT temporary_password FROM $tbl_name WHERE temporary_username = '{$_GET['temp_username']}' AND temporary_password = '{$_GET['temp_password']}'");
Then, if both match, grant access; otherwise redirect to index.php.
Or it would be better to check rowcount > 0:
if($_GET['temp_password'] == $row['temporary_password'] && $_GET['temp_username'] == $row['temporary_username']){
// access granted
}
else {
//wrong credential
header("Location: index.php");
}
You should use PDO or mysqli, since mysql_* is deprecated.
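The registration gate rewritten the way the answers above suggest (both columns in the WHERE clause, count the matching rows, redirect otherwise), using PDO with the :username/:password placeholders from the count(*) answer. This is an added example, not code from the question or any answer; it assumes the question's own variables $host, $db_name, $username, $password and $tbl_name are already set.

```php
<?php
// Added example (not from the question or the answers): the gate only opens
// when one row matches BOTH values. $host, $db_name, $username, $password and
// $tbl_name are the question's variable names, assumed already set.
$pdo = new PDO("mysql:host=$host;dbname=$db_name;charset=utf8mb4", $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// Both parameters must be present in the URL; missing either means no access.
if (!isset($_GET['temp_username'], $_GET['temp_password'])) {
    header("Location: index.php");
    exit;
}

// Letting the database match both columns on the same row replaces the
// original `!= ... && !=` test, which only redirected when BOTH values were
// wrong, so a correct username alone (or password alone) was let through.
// $tbl_name is the script's own constant, not user input, so interpolating
// it is acceptable; the user-supplied values are bound, never interpolated.
$stmt = $pdo->prepare(
    "SELECT COUNT(*) FROM `$tbl_name`
      WHERE temporary_username = :username AND temporary_password = :password"
);
$stmt->execute([
    ':username' => $_GET['temp_username'],
    ':password' => $_GET['temp_password'],
]);

if ((int) $stmt->fetchColumn() === 0) {
    header("Location: index.php"); // no matching row: send back to the index
    exit;                          // always stop after a redirect header
}

// Reaching this point means a row matched both values: show the registration page.
```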

Php,MySql Sending Query To Database

http://jsfiddle.net/Fd9wx/
I made this to help solve my problem.
So I have some PHP code and HTML code that should send SQL queries to the database based on the HTML form I have created, to set up new databases, but when I fill out my form and click Run it does not want to work for me. I did some Google research and got nothing back. Now, before you say "use PDO, this is no longer supported": PDO is hard for me to use because I don't understand some of it; I will use it later on, but not now. Also, I did make this script by hand, so don't say "contact the script dev". Could someone point me in the right direction to solving my problem, or just show me a way to make my SQL errors show in my script, like the line and what to remove and all?
Here is the main part of my script:
$tablename=$_POST['tablename'];
$value=$_POST['value'];
$type=$_POST['type'];
$length=$_POST['length'];
$collation=$_POST['collation'];
$attributes=$_POST['attributes'];
$null=$_POST['null'];
$extra=$_POST['extra'];
// Insert data into mysql
$sql="CREATE TABLE `a7972613_db`.`$tablename` (
`field1` $type( $length ) $null $extra
) ENGINE = MYISAM";
$result=mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
echo "Successful";
}
else {
echo "Please Go Back And Check Your Errors!";
}
That's my main part.
The problem with your code is you have not selected the database.
$host = "xxxxx";
$database = "xxxxx";
$user = "xxxx";
$password = "xxxxx";
// Connect to server and select database.
mysql_connect("$host", "$user", "$password")or die("cannot connect");
Use the code below to select the database:
// Connect to server and select database.
$conn = mysql_connect("$host", "$user", "$password")or die("cannot connect");
mysql_select_db($database,$conn);
Another problem is that when your query fails you have hardcoded the error message; use the code below to check where the problem in your query is:
$result=mysql_query($sql) or die(mysql_error());
Change your query to
$result = mysql_query($sql) or die("Error with $sql: " . mysql_error());
With mysql_error(), you will see what your problem is.
You can also dump your $sql string in order to see whether it is correct:
echo $sql;

Why Am I Getting This SQL Error?

I am trying to see if there is a match from a form to my database. Here is my PHP code:
<?php
$host="localhost"; // Host name
$username="****"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="public"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$door=$_POST['door'];
$postcode=$_POST['postcode'];
// To protect MySQL injection (more detail about MySQL injection)
$door = stripslashes($door);
$postcode = stripslashes($postcode);
$door = mysql_real_escape_string($door);
$postcode = mysql_real_escape_string($postcode);
$sql="SELECT * FROM $tbl_name WHERE door ='$door' AND postcode='$postcode' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
header("location:securityquestion.php");
}
?>
The error message I am getting is as follows:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/jahedhus/public_html/system/checkdetails.php on line 36
Line 36 is $count=mysql_num_rows($result);
What am I doing wrong here?
Because, just like many, many others here, the code blindly assumes that the query succeeded and everything is fine. Check for errors after each operation. Most of the functions return false when they fail.
Because your query failed.
php.net/mysql-query: "For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error."
Try this:
$result=mysql_query($sql) or die(mysql_error());
You need to do two things:
1. Find out what the MySQL error is, as already suggested:
$result=mysql_query($sql) or die(mysql_error());
2. You need to sanitize everything that goes into the query. Although you sanitize $door and $postcode, you don't sanitize $_SESSION['ref']. You should, and run it through mysql_real_escape_string(). I don't know what you are storing in it, but perhaps that's where the code is breaking, because of unescaped characters?
In theory I guess $_SESSION is stored server side, but personally I still wouldn't trust it, and I'd escape everything that goes into a MySQL query.
I think the answer lies in the curly braces:
$sql="SELECT * FROM $tbl_name WHERE door ='{$door}' AND postcode='{$postcode}' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);