I am a MySQL and PHP newbie. I am having trouble getting the $w variable in
my code below passed to mysql. When I use the value of $w directly in the
Where clause, the correct rows are returned. However, when I try to use the
variable in the Where clause, either an error occurs or no rows are
returned. Any thoughts greatly appreciated!
I am using php-4.4.2 and MySQL-4.1.18-0 on Suse 9.1
Jerry
<html>
<body>
<?php
$link = mysql_connect('localhost:3306', 'mysql');
mysql_select_db('test_ermd') or die('Could not select database');
$w = 'exec';
// I have tried all the variations below to get the value of $w to process
in the WHERE clause
//------------------------------------------------------------------------------------------
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = "exec"';
//--This works: all rows with 'exec' in GRP column are selected
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = $w';
//--Invalid query: Unknown column '$w' in 'where clause'
//--Whole query: SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = $w
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \"$w\"';
//--Invalid query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use
near '\"$w\"' at line 1
//--Whole query: SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = \"$w\"
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \$w';
//--Parse error: syntax error, unexpected T_STRING
in /usr/local/bin/apache2/htdocs/test_ermd.php on line 34
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = "\$w"';
//--No rows are selected
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \'$w\'';
//--No rows are selected
//------------------------------------------------------------------------------------------
echo 'Raw query: ' . $query;
$result = mysql_query($query);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "<br>";
$message .= 'Whole query: ' . $query;
die($message);
}
while ($row = mysql_fetch_assoc($result)) {
foreach ($row as $key => $value) {
if ($value) {
echo "$value";
echo "<br>";
}
}
echo "<p>";
}
mysql_free_result($result);
mysql_close($link);
?>
</body>
</html>
//================================================== ================== 8 2829
> //$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL FROM officers WHERE GRP = $w';
When a string is between 'single quotes', variables are not parsed.
This means that after
$query = 'SELECT $w'
The variable query literaly contains SELECT $w. To use the value of the
variable w instead, use double quotes:
$query = "SELECT $w"
This becomes SELECT and then the value of variable w.
Another option is to use the concatination operator, which is a dot.
$query = 'SELECT '.$w
This way, the string 'SELECT ' and the variable w are concatenated
together.
Carved in mystic runes upon the very living rock, the last words of
Sjoerd of comp.lang.php make plain: //$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL FROM officers WHERE GRP = $w';
When a string is between 'single quotes', variables are not parsed. This means that after $query = 'SELECT $w' The variable query literaly contains SELECT $w. To use the value of the variable w instead, use double quotes: $query = "SELECT $w" This becomes SELECT and then the value of variable w.
Another option is to use the concatination operator, which is a dot. $query = 'SELECT '.$w This way, the string 'SELECT ' and the variable w are concatenated together.
And don't forget to enclose the value in single quotes within the query:
"...WHERE GRP = '$w'";
--
Alan Little
Phorm PHP Form Processor http://www.phorm.com/
Alan Little wrote: Carved in mystic runes upon the very living rock, the last words of Sjoerd of comp.lang.php make plain:
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL FROM officers WHERE GRP = $w';
When a string is between 'single quotes', variables are not parsed. This means that after $query = 'SELECT $w' The variable query literaly contains SELECT $w. To use the value of the variable w instead, use double quotes: $query = "SELECT $w" This becomes SELECT and then the value of variable w.
Another option is to use the concatination operator, which is a dot. $query = 'SELECT '.$w This way, the string 'SELECT ' and the variable w are concatenated together.
And don't forget to enclose the value in single quotes within the query:
"...WHERE GRP = '$w'";
Only if it's non-numeric.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
WHERE GRP = '$w' . Had the same problem, but tinkered it into
submission =)
TristaSD wrote: WHERE GRP = '$w' . Had the same problem, but tinkered it into submission =)
Thanks to all! The single-quoted variable (textual value) within a
double-quoted SQL statement returns all the desired rows.
Jerry
On Thu, 18 May 2006 15:01:31 -0400, Jerry Stuckle wrote: And don't forget to enclose the value in single quotes within the query:
"...WHERE GRP = '$w'"; Only if it's non-numeric.
It's actually a good idea to do it even if the field is non-numeric. Say
you have a form that does:
DELETE FROM PrivateMessages
WHERE ID=$id AND OwnedByID=$_SESSION["memberid"];
You think you're being safe as you're ensuring a member can only delete
PrivateMessages that are owned by themselves.
However, what if a malicious user changed the value of $id from "2" to
"ID OR 1=1". Easy enough to do by saving the page, editing the field
value and hitting submit. You then get the SQL statement:
DELETE FROM PrivateMessages
WHERE ID=ID OR 1=1 AND OwnedByID=$_SESSION["memberid"];
This would delete all PrivateMessages (as the value of the ID column
always equals itself and the additional OR 1=1 gives a positive left hand
side to the following AND).
The next question could easily be "but how would the attacker know the
name of the field, I don't use ID as my field name". Easy, a)it could
have been revealed in an error message if they're displayed on the site
and b)this error message may have been fixed, but previously cached by
Google.
Even if the attacker doesn't know the field name, they could set the
variable contents to be something like "0 OR 1=1 OR 1=1" which then gives
the SQL statement:
DELETE FROM PrivateMessages
WHERE ID=0 OR 1=1 OR 1=1 AND OwnedByID=$_SESSION["memberid"];
Which then always works.
It's always a good idea to wrap field values in '', even if they're
numeric as it stops this kind of attack. If you did so, the SQL statement
would be:
DELETE FROM PrivateMessages
WHERE ID='ID OR 1=1' AND OwnedByID=$_SESSION["memberid"];
And the numeric ID column will never equal that string, no records deleted.
Of course, you also need to ensure the field is safe using
mysql_real_escape_string, but that's a separate conversation to this one
about wrapping numeric field values in ''.
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2 http://www.andyjeffries.co.uk | Personal site and photos
On Thu, 18 May 2006 20:20:14 +0000, Andy Jeffries wrote: And don't forget to enclose the value in single quotes within the query:
"...WHERE GRP = '$w'"; Only if it's non-numeric.
It's actually a good idea to do it even if the field is non-numeric.
I mean "is numeric" there, I guess it's obvious from the rest of the post,
but hey I'm a programmer I have to try and correct my mistakes... :-)
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2 http://www.andyjeffries.co.uk | Personal site and photos
Carved in mystic runes upon the very living rock, the last words of
Jerry Stuckle of comp.lang.php make plain: Alan Little wrote: And don't forget to enclose the value in single quotes within the query:
"...WHERE GRP = '$w'";
Only if it's non-numeric.
In his example it was "exec".
Plus what Andy said.
--
Alan Little
Phorm PHP Form Processor http://www.phorm.com/ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Peter Horst |
last post by:
I have a tiny custom 404 script I'm working on; I'd like to imitate the
standard Apache 404 page insofar as I'd like "Apache/1.3.29 Server at
www.example.com Port 80" to appear below my 404...
|
by: red |
last post by:
within an object function, this code:
$test2='test';
echo "$test";
$this->test2='test2';
echo "$this->test2\n";
produces this result:
test2
|
by: bartek |
last post by:
Hello,
I've been pondering with this for quite some time now, and finally
decided to ask here for suggestions. I'm kind of confused, actually...
Maybe I'm thinking too much...
Brain dump...
|
by: Charles Banas |
last post by:
I'm not sure if this is the right place to ask about this, but I've
seen several posts in the past regarding Akima's Bivariate
Interpolations routines, and i'm wondering if someone can give me some...
|
by: msnews.microsoft.com |
last post by:
I'm trying to fill an array of objects but when I add the first object I get
a NullReferenceException.
----------------------------------------------------------------------------...
| |
by: crjunk |
last post by:
I've got an aspx page that allows the user to select different options
whenever they want to run a report. On this page, I have added an
additional text box for the user to enter in comments about...
|
by: swtstrawberry |
last post by:
All the basic stuff I get like cin/cout...but the interpolation formula, the for/while loop, and reading in the desired altitude...i dont get it....please help...anybody
here are the directions I...
|
by: John Passaniti |
last post by:
(Note: This is not the same message I posted a week or so ago. The
problem that prevented my previous attempt to work was a silly error in
the template system I was using. This is a problem...
|
by: August Karlstrom |
last post by:
Hi,
Does anyone know the correct syntax to interpolate a class variable, $x
say, inside a string? I tried
"{self::$x}"
but it produces the string
{self::x}
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
| |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
| |