Is there anyway I can see a query once it has been run and all variables have been instantiated?
e.g. I want to see the end result (String) of
$query = $this->db->query("SELECT email, password FROM users
WHERE email = '$email' AND password = 'PASSWORD($password)'");
I would like to see the query string after PASSWORD($password) has been done.
The query string doesn't change inside MySql, but you can do something like this to see what the password will look like:
$query = $this->db->query("SELECT PASSWORD('".mysql_real_escape_string($password)."')");
You can store the string as a variable before hand.
eg)
$query = "SELECT email, password FROM users
WHERE email = '$email' AND password = 'PASSWORD($password)'";
and then output the query with var_dump($query).
$this->db->query($query);
It is better practice though to use prepared statements and feed in escaped variables.
I needed to change
'PASSWORD($password)'
to:
PASSWORD('$password')
This fixed my issue.
Related
$account = "proot";
$sql_check_account = mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username = $account");
if(!$sql_check_account)
die(mysqli_error($connect));
Return :
Unknown column 'proot' in 'where clause'
Same with :
$sql_check_account = mysqli_query($connect, 'SELECT username FROM proot_accounts WHERE username = "'.$account.'"');
Or
$sql_check_account = mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username =".$account);
What can make the variable $account perform as a column ? I don't get the problem here...
Thanks !
You need to put quotes around it.
mysqli_query($connect, "SELECT username FROM proot_accounts WHERE username = '$account'");
You should also explore prepared SQL statements in PHP. They will save a lot of these formatting headaches.
I think this is a quoting issue. This:
"SELECT username FROM proot_accounts WHERE username = $account"
will get you this string:
SELECT username FROM proot_accounts WHERE username = proot
In this case MySQL is thinking proot is a column name, because proot is not in quotes at all.
This:
'SELECT username FROM proot_accounts WHERE username = "'.$account.'"'
will get you this string:
SELECT username FROM proot_accounts WHERE username = "proot"
In this case, MySQL may still think "proot" is a column name, depending on the SQL mode. Since you are still getting the same error when you use this code, it looks like your database is set to ANSI_QUOTES mode. In this mode, text inside quotation marks will be interpreted as an column identifier, not a literal value.
Using this:
"SELECT username FROM proot_accounts WHERE username = '$account'"
will get you this string:
SELECT username FROM proot_accounts WHERE username = 'proot'
Using ' instead of " should ensure that MySQL will treat proot like a literal value instead of a column identifier regardless of the SQL mode.
I am just trying to write a simple script that verifies the username and password of a user that has attempted to login...and then starts a session. However, I am running into some trouble.
When I try to run the script below, SUCCESS does not print out. As if the username and password is incorrect, however, I know for a fact that the username and passwords entered are, in fact, correct.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM users WHERE username='.$username.' AND password='.$password.'");
while($row = mysql_fetch_array($result)){
echo 'SUCCESS';
}
When I try to run the script below however, success prints out twice (which is the number of sample users I have in my db so far), which is correct.
I am guess I have a problem with the AND mySQL query above, however, it seems correct to me... is there a problem with my first query above? if not, than what else might be the problem?
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result)){
echo 'SUCCESS';
}
You're parsing variables, not concatenating them, you don't need the ..
"SELECT * FROM users WHERE username='$username' AND password='$password'"
username is a protected keyword, try this:
$result = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'");
Ignoring the gaping SQL injection vulnerability, you're constructing your query string incorrectly:
$result = mysql_query("SELECT * FROM users WHERE username='.$username.' AND password='.$password.'");
^ ^
You're still in "string mode" where the indicated periods are (and for the password section too), so you're embedding literal periods into your query string, instead of doing string concatenation.
Remote the periods, and you'll be better off (but still vulnerable to sql injection):
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
Try this instead:
$result = mysql_query("SELECT * FROM users WHERE username=\"$username\" AND password=\"$password\"");
Obviously, this isn't a great way of inserting data. You should look at mysqli to insert data as a minimum.
try this line instead:
$result = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."' AND `password`='".$password."'");
Notice the extra "'s I've added in. before it was looking for '.$username.'
$sql = "SELECT email FROM family WHERE family = '$family'";
$result = mysql_query($sqll)or die(mysql_error());
Is this the right way to get php variable into mysql query?
That could work. However, it's vulnerable to SQL injection.
This is safer:
$sql = sprintf("SELECT email FROM family WHERE family = '%s'",
mysql_real_escape_string($family));
$result = mysql_query($sql);
If you starting with PHP/MySQL I would recommend you to check PDO or MySQLi extension as it allows you to use more smart database queries and easier to maintain.
The code has a type error
$sqll is not defined.it must be $result = mysql_query($sql).
I believe this is the reason you are looking for...(since the question is too vague which is probably because you got an error that you couldnt track)
From my knowledge best way to use like this:
if $family is not string
$sql = "SELECT email FROM family WHERE family = ".$family;
if there is a string comparison then,
$sql = "SELECT email FROM family WHERE family = '".$family."'";
'$family' no need of single quotes here
Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?
Say i have a form on a page asking for someone's age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)
$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);
Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:
...
$Query = "INSERT INTO details (age) VALUES ('$Number')"; <-- quotes
...
What about performing a SELECT? Is this:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);
better than:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID"; <-- no quotes
$Result = mysqli_query($dbc, $Query);
NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i'm dealing with. I want to secure it as best as i can.
If you add numbers, use the intval/floatval functions, don't use mysql_real_escape_string for those.
For everything you use mysql_real_escape_string for, you must use quotes, example:
$input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.
You really shoud use sprintf, even if in legacy code it takes 2 mins to modify and is in my opinion totally worth the time.
Shamelessly ripped from php.net:
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
Your query is now pretty much safe from being passed the wrong types to it's fields and unescaped caracters.
You SHOULD use the PHP filters, and filter for numbers - even for ranges, regular expressions; with default values, NULL on failure, etc.
http://hu.php.net/manual/en/ref.filter.php
if the values come from a request variable, e.g. $_POST, see:
http://hu.php.net/manual/en/function.filter-input.php
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING is the message. It came up from this line of code:
$query = ("SELECT *
FROM users
WHERE user_name = $_POST['user_name']
& password = $_POST['password']
& user_type = $_POST['user_type']");
Does anyone out there know the meaning of all this? If so, does anyone know how to deal with this?
Use:
$query = sprintf("SELECT u.*
FROM USERS u
WHERE u.user_name = '%s'
AND u.password = '%s'
AND u.user_type = '%s' ",
mysql_real_escape_string($_POST['user_name']),
mysql_real_escape_string($_POST['password']),
mysql_real_escape_string($_POST['user_type']) );
$result = mysql_query($query);
Reference
sprintf
You can't interpolate a $_POST like that. You need to wrap them with braces ({ and }). You also don't need to quote the key names when already in a string like that.
You should also quote those values, and swap & with AND.
You also need a ; at the end.
You also don't need to wrap it in parenthesis.
$query = "SELECT *
FROM users
WHERE user_name = '{$_POST[user_name]}'
AND password = '{$_POST[password]}'
AND user_type = '{$_POST[user_type]}'";
But...
...don't interpolate user input directly like that. Use a escaping mechanism.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$query = "SELECT *
FROM users
WHERE user_name = '$username'
AND password = '$password'
AND user_type = '$user_type'";
I would recommend using PDO and binding parameters instead of building the SQL yourself.
Also, it would appear you your passwords that are user inputted are being directly used to compare in the database. Use some form of one way message digest, such as bcrypt.
For interpolation of one-dimensional array values into strings, use this syntax:
"foo = $_POST[bar]"
Notice no quotes.
For interpolating nested arrays or generally using the normal syntax, use braces:
"foo = {$_POST['bar']}"
In no case though do any of this with SQL queries, you need to escape values before plugging them into queries. So, do this:
$query = sprintf('SELECT foo FROM bar WHERE baz = "%s"',
mysql_real_escape_string($_POST['baz']));
Make sure to account for SQL injection.
Try:
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["uesr_type"]);
$query = "SELECT * FROM users WHERE user_name='$username' AND password='$password' AND
user_type='$type'";
$result = mysql_query($query);
I'd also suggesting reading the manual a bit: http://us.php.net/manual/de/language.types.string.php#language.types.string.parsing. That link will explain to you how PHP parses variables in strings.
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
mysql_query("SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_type='$type' LIMIT 1");