$befal = mysql_query("SELECT * FROM users WHERE username = $_GET[username]");
$rad = mysql_fetch_assoc($befal);
Equals
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\profile.php on line 4
I have a user called Admin in the field username and it still dont work. profile.php?user=Admin...
This works if I use the ID though:
$befal = mysql_query("SELECT * FROM users WHERE user_id = $_GET[id]");
$rad = mysql_fetch_assoc($befal);
What can be the problem?
Thanks
Errr... that's a recipe for getting hacked. I would like to introduce you to SQL injection as characterized by this very funny yet poignant cartoon.
Try this instead.
$username = mysql_escape_string($_GET['username']);
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
Try it like this:
$befal = mysql_query("SELECT * FROM users WHERE username = '$_GET[username]'");
You have to encapsulate a string parameter in apostrophes.
[UPDATE]
Just like cletus and Olaf pointed out, with the above sql statement you are very prone to SQL Injection. Check out their posted answers to see what I mean.
Now that you've got your answer, try entering
Something' OR '1' = '1
as username - you've managed to produce a nice SQL-injectable application.
Related
This question already has answers here:
How to insert values in a PHP array to a MySQL table?
(2 answers)
Closed 5 years ago.
I'm using PHP session variable to track character ID's between two tables, characters and character_data_store.
The session ID definitely has the correct ID as I have had to print its value before it goes into the mySQL query.
For testing I selected a user I knew had a rapsheet and used
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.`key` = 'RapSheet'
AND character_data_store.character_id = '216'";
Obviously I can't use this for all users as I need to confirm the right one has been selected so thats where the session variable comes in.
I've tried using:
$correctPlayer = $_SESSION['selpid'];
echo $correctPlayer; #confirm it's the right id and then remove
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = '$correctPlayer'";
I did some searching on SO and I found that int's need to have double quotes around them not single quotes, I tried that and had no luck but someone else suggested putting the session ID in exactly which I tried next:
$usersql = "SELECT *
FROM character_data_store
WHERE character_data_store.'key' = 'RapSheet'
AND character_data_store.character_id = {$_SESSION['selpid']}";
Each time I do this I get mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given which SO tells me is because this operation results to false, I assume because it's not accepting the playerID from selpid or $correctPlayer?
It definitely works with the testing user where the playerID is inserted directly into the query. But I can't think of a way to do that since I need to match the playerID from table "characters" where the search is done against their first and last name and then pull the rapsheet data against the same playerID in table "character_data_store".
How do I use a variable in the WHERE condition of a MySQL query using a php variable?
You have obvious error in your code. You are missing quotes in {$_SESSION['selpid']} and you are using quotes in column name. Your query should be
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.`key` = 'RapSheet' AND character_data_store.character_id = '{$_SESSION['selpid']}'";
You should not use quotes in column name, instead use backquotes(`) if you really need. I recommend prepared statements.
There are multiple ways to do this. A naive way to do this would be-
$usersql = "SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ".$correctPlayer;
But to avoid sql injections I would recommend you use bindparam function to bind paramaters in a statement.
$sql="SELECT * FROM character_data_store WHERE character_data_store.'key' = 'RapSheet' AND character_data_store.character_id = ?";
if($stmt = $dbh->prepare($sql)){
$stmt->bindParam(1, $correctPlayer, PDO::PARAM_STR);
$ql = $stmt->execute() or die("ERROR: " . implode(":", $dbh->errorInfo()));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$result['data'] = $row;
currently I've been using this:
SELECT * FROM `meow` WHERE profile LIKE '%$username%'
But the problem I'm facing is if someone puts the letters 'a' it will pull everything that contains a and that's a bit of a security risk on my end, How do i search just 1 column to see if it matches $username exactly? not the whole table?
For exact string matching you should the = operator instead of the like operator:
SELECT * FROM `meow` WHERE profile = '$username'
Stop using string concatenation to build your query. It's evil. Instead use mysqli or pdo and use prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=yourdb', 'your_username', 'your_password');
$stmt = $pdo->prepare("SELECT * FROM `meow` WHERE profile = ?");
$stmt->execute(array($username));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Also, use equality, instead of like, if you wish to check for exact matches.
Instead of using like use equal to
try this :
SELECT * FROM meow WHERE profile = '$username'
Try with -
"SELECT * FROM `meow` WHERE profile LIKE '$username'"
for exact match.
I am allowing people to input either their username, account number or email address before typing their password, so i need to compare their input against 3 fields in my table but i am not getting any results.
i first tried this ...
$result = mysqli_query($con,"SELECT * FROM useraccounts WHERE username='$thisuser' or accnum='$thisuser' or email='$thisuser'");
then i read on here that brackets should be placed around OR statements, so tried this ...
$result = mysqli_query($con,"SELECT * FROM useraccounts WHERE (username='$thisuser' or accnum='$thisuser' or email='$thisuser')");
but neither work, can someone help please
just for comparison, this does work when i type in the username value ...
$result = mysqli_query($con,"SELECT * FROM useraccounts WHERE username='$thisuser'");
What is the datatype of accnum? Are you sure it is varchar?
If accnum is of type numeric then try
$result = mysqli_query($con,"SELECT * FROM useraccounts WHERE (username='$thisuser' or accnum=$thisuser or email='$thisuser')");
Seems no problem. Please check '$thisuser' has value. Try printing the sql statement.
You may try running query directly on database.
I also think first check the value of $thisuser, and then try below query
$result = mysqli_query($con,"SELECT * FROM useraccounts WHERE (username='".$thisuser."' or accnum='".$thisuser."' or email='".$thisuser."')");
Rathere then using at server side if it done at client side in js file by checking it emailid or username oraccount number according to that u can pass value
I am having some difficulty running some SQL code.
What I am trying to do is, find a row that contains the correct username, and then get a value from that correct row.
This is my SQL in the php:
mysql_query("SELECT * FROM users WHERE joined='$username' GET name")
As you can see, it looks for a username in users and then once found, it must GET a value from the correct row.
How do I do that?
You need some additional PHP code (a call to mysql_fetch_array) to process the result resource returned by MySQL.
$result = mysql_query("SELECT name FROM users WHERE joined='$username'");
$row = mysql_fetch_array($result);
echo $row['name'];
mysql_query("SELECT `name` FROM users WHERE joined='$username' ")
Just select the right column in your 'select clause' like above.
Edit: If you are just starting out though, you might want to follow a tutorial like this one which should take you through a nice step by step (and more importantly up to date functions) that will get you started.
mysql_query("SELECT name FROM users WHERE joined='$username'")
$q = mysql_query("SELECT * FROM users WHERE joined='$username'");
$r = mysql_fetch_array($q);
$name = $r['user_name']; // replace user_name with the column name of your table
mysql_query("SELECT name FROM users WHERE joined='$username' ")
Read documentation : http://dev.mysql.com/doc/refman/5.0/en/select.html
When is the correct time to use mysql_real_escape_string?
Should I be using it when I use isset(mysql_escape_string($_GET['param'])),
Should I be using it when I use $foo = mysql_real_escape_string($_GET['bar']);
Thanks
You need to call this function when building SQL queries with string literals.
You should not call it anywhere else.
The point of calling this function is to prevent you from executing SQL like SELECT * FROM Students WHERE Name = 'Robert'); DROP TABLE Students;--'.
mysql_real_escape_string will escape the ' character so that the evil string is treated entirely as a string.
You should use it whenever you don't trust the data you are inserting in a mysql query to prevent sql injections. For example all user forms data.
In your first example: no.
Second example: yes, if you are going to use the $foo variable in a query.
You should use it whenever you are inserting data into a database query (POST/GET data), but not if you just need to check the data.
You use mysql_real_escape_string whenever you have input from a user that you want to use in a query.
Here's how to use it:
$user = mysql_real_escape_string('$_GET['user']);
$password = MD5($user.$_GET['password']);
$query = "SELECT * FROM users WHERE user = '$user' AND password = '$password' ";
//the quotes are vital !! ^ ^ or you will not be safe!
Here's example code that doesn't work:
Broken code
$user = mysql_real_escape_string('$_GET['user']);
$password = MD5($user.$_GET['password']);
$query = "SELECT * FROM users WHERE user = $user AND password = '$password' ";
In the example I can login into your system by entering any password whatsoever and
user or (1=1) --. This will make the query to read:
SELECT * FROM users WHERE user = user or (1=1) -- AND password = '$password
And will approve all logins because the password never gets checked.
When using mysql_query, you can only ever execute one SQL-statement at a time, so:
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)"
mysql_query($query);
Will result in an error, because cannot be a part after the ;.
This code however will work:
Danger
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)"
mysqli_query($query);
Because the improved mysqli_query does allow two or more statements to be executed in one go.