Help with variable interpolation in WHER clause

Jerry

I am a MySQL and PHP newbie. I am having trouble getting the $w variable in
my code below passed to mysql. When I use the value of $w directly in the
Where clause, the correct rows are returned. However, when I try to use the
variable in the Where clause, either an error occurs or no rows are
returned. Any thoughts greatly appreciated!

I am using php-4.4.2 and MySQL-4.1.18-0 on Suse 9.1

Jerry

<html>
<body>
<?php
$link = mysql_connect('localhost:3306', 'mysql');
mysql_select_db('test_ermd') or die('Could not select database');
$w = 'exec';
// I have tried all the variations below to get the value of $w to process
in the WHERE clause
//------------------------------------------------------------------------------------------
//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = "exec"';
//--This works: all rows with 'exec' in GRP column are selected

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = $w';
//--Invalid query: Unknown column '$w' in 'where clause'
//--Whole query: SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = $w

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \"$w\"';
//--Invalid query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use
near '\"$w\"' at line 1
//--Whole query: SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = \"$w\"

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \$w';
//--Parse error: syntax error, unexpected T_STRING
in /usr/local/bin/apache2/htdocs/test_ermd.php on line 34

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = "\$w"';
//--No rows are selected

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL
FROM officers WHERE GRP = \'$w\'';
//--No rows are selected
//------------------------------------------------------------------------------------------

echo 'Raw query: ' . $query;
$result = mysql_query($query);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "<br>";
$message .= 'Whole query: ' . $query;
die($message);
}
while ($row = mysql_fetch_assoc($result)) {
foreach ($row as $key => $value) {
if ($value) {
echo "$value";
echo "<br>";
}
}
echo "<p>";
}
mysql_free_result($result);
mysql_close($link);
?>
</body>
</html>
//================================================== ==================

May 18 '06 #1

Subscribe Reply

2829

Sjoerd

> //$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX, EMAIL

FROM officers WHERE GRP = $w';

When a string is between 'single quotes', variables are not parsed.
This means that after
$query = 'SELECT $w'
The variable query literaly contains SELECT $w. To use the value of the
variable w instead, use double quotes:
$query = "SELECT $w"
This becomes SELECT and then the value of variable w.

Another option is to use the concatination operator, which is a dot.
$query = 'SELECT '.$w
This way, the string 'SELECT ' and the variable w are concatenated
together.

May 18 '06 #2

Alan Little

Carved in mystic runes upon the very living rock, the last words of
Sjoerd of comp.lang.php make plain:

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = $w';

When a string is between 'single quotes', variables are not parsed.
This means that after
$query = 'SELECT $w'
The variable query literaly contains SELECT $w. To use the value of
the variable w instead, use double quotes:
$query = "SELECT $w"
This becomes SELECT and then the value of variable w.

Another option is to use the concatination operator, which is a dot.
$query = 'SELECT '.$w
This way, the string 'SELECT ' and the variable w are concatenated
together.

And don't forget to enclose the value in single quotes within the query:

"...WHERE GRP = '$w'";

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/

May 18 '06 #3

Jerry Stuckle

Alan Little wrote:

Carved in mystic runes upon the very living rock, the last words of
Sjoerd of comp.lang.php make plain:

//$query = 'SELECT TITLE, NAME, INST, ADD1, ADDR2, ADDR3, PH, FAX,
EMAIL FROM officers WHERE GRP = $w';

When a string is between 'single quotes', variables are not parsed.
This means that after
$query = 'SELECT $w'
The variable query literaly contains SELECT $w. To use the value of
the variable w instead, use double quotes:
$query = "SELECT $w"
This becomes SELECT and then the value of variable w.

Another option is to use the concatination operator, which is a dot.
$query = 'SELECT '.$w
This way, the string 'SELECT ' and the variable w are concatenated
together.

And don't forget to enclose the value in single quotes within the query:

"...WHERE GRP = '$w'";

Only if it's non-numeric.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

May 18 '06 #4

TristaSD

WHERE GRP = '$w' . Had the same problem, but tinkered it into
submission =)

May 18 '06 #5

Jerry

TristaSD wrote:

WHERE GRP = '$w' . Had the same problem, but tinkered it into
submission =)

Thanks to all! The single-quoted variable (textual value) within a
double-quoted SQL statement returns all the desired rows.

Jerry

May 18 '06 #6

Andy Jeffries

On Thu, 18 May 2006 15:01:31 -0400, Jerry Stuckle wrote:

And don't forget to enclose the value in single quotes within the query:

"...WHERE GRP = '$w'";

Only if it's non-numeric.

It's actually a good idea to do it even if the field is non-numeric. Say
you have a form that does:

DELETE FROM PrivateMessages
WHERE ID=$id AND OwnedByID=$_SESSION["memberid"];

You think you're being safe as you're ensuring a member can only delete
PrivateMessages that are owned by themselves.

However, what if a malicious user changed the value of $id from "2" to
"ID OR 1=1". Easy enough to do by saving the page, editing the field
value and hitting submit. You then get the SQL statement:

DELETE FROM PrivateMessages
WHERE ID=ID OR 1=1 AND OwnedByID=$_SESSION["memberid"];

This would delete all PrivateMessages (as the value of the ID column
always equals itself and the additional OR 1=1 gives a positive left hand
side to the following AND).

The next question could easily be "but how would the attacker know the
name of the field, I don't use ID as my field name". Easy, a)it could
have been revealed in an error message if they're displayed on the site
and b)this error message may have been fixed, but previously cached by
Google.

Even if the attacker doesn't know the field name, they could set the
variable contents to be something like "0 OR 1=1 OR 1=1" which then gives
the SQL statement:

DELETE FROM PrivateMessages
WHERE ID=0 OR 1=1 OR 1=1 AND OwnedByID=$_SESSION["memberid"];

Which then always works.

It's always a good idea to wrap field values in '', even if they're
numeric as it stops this kind of attack. If you did so, the SQL statement
would be:

DELETE FROM PrivateMessages
WHERE ID='ID OR 1=1' AND OwnedByID=$_SESSION["memberid"];

And the numeric ID column will never equal that string, no records deleted.

Of course, you also need to ensure the field is safe using
mysql_real_escape_string, but that's a separate conversation to this one
about wrapping numeric field values in ''.

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 18 '06 #7

Andy Jeffries

On Thu, 18 May 2006 20:20:14 +0000, Andy Jeffries wrote:

And don't forget to enclose the value in single quotes within the
query:

"...WHERE GRP = '$w'";

Only if it's non-numeric.

It's actually a good idea to do it even if the field is non-numeric.

I mean "is numeric" there, I guess it's obvious from the rest of the post,
but hey I'm a programmer I have to try and correct my mistakes... :-)

Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 18 '06 #8

Alan Little

Carved in mystic runes upon the very living rock, the last words of
Jerry Stuckle of comp.lang.php make plain:

Alan Little wrote:

And don't forget to enclose the value in single quotes within the
query:

"...WHERE GRP = '$w'";

Only if it's non-numeric.

In his example it was "exec".

Plus what Andy said.

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/

May 19 '06 #9

Similar topics

4432

variable interpolation syntax (SERVER_SIGNATURE)

by: Peter Horst | last post by:

I have a tiny custom 404 script I'm working on; I'd like to imitate the standard Apache 404 page insofar as I'd like "Apache/1.3.29 Server at www.example.com Port 80" to appear below my 404...

PHP

1969

interpolation doesn't work for a variable in an array in an object

by: red | last post by:

within an object function, this code: $test2='test'; echo "$test"; $this->test2='test2'; echo "$this->test2\n"; produces this result: test2

PHP

1803

design - class to represent a variable

by: bartek | last post by:

Hello, I've been pondering with this for quite some time now, and finally decided to ask here for suggestions. I'm kind of confused, actually... Maybe I'm thinking too much... Brain dump...

C / C++

5174

bivariate interpolation

by: Charles Banas | last post by:

I'm not sure if this is the right place to ask about this, but I've seen several posts in the past regarding Akima's Bivariate Interpolations routines, and i'm wondering if someone can give me some...

C / C++

4079

Help with System.NullReferenceException

by: msnews.microsoft.com | last post by:

I'm trying to fill an array of objects but when I add the first object I get a NullReferenceException. ----------------------------------------------------------------------------...

ASP.NET

4608

Pass Session Variable Value to Crystal Report?

by: crjunk | last post by:

I've got an aspx page that allows the user to select different options whenever they want to run a report. On this page, I have added an additional text box for the user to enter in comments about...

ASP.NET

1888

Need Help writing a program...don't know where to start

by: swtstrawberry | last post by:

All the basic stuff I get like cin/cout...but the interpolation formula, the for/while loop, and reading in the desired altitude...i dont get it....please help...anybody here are the directions I...

C / C++

12762

JavaScript Variable Interpolation, Take II

by: John Passaniti | last post by:

(Note: This is not the same message I posted a week or so ago. The problem that prevented my previous attempt to work was a silly error in the template system I was using. This is a problem...

Javascript

4448

Class variable interpolation

by: August Karlstrom | last post by:

Hi, Does anyone know the correct syntax to interpolate a class variable, $x say, inside a string? I tried "{self::$x}" but it produces the string {self::x}

PHP

6908

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...

Windows Server

6741

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...

Windows Server

5341

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...

Career Advice

4782

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...

Microsoft Access / VBA

4483

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...

C# / C Sharp

2995

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...

Networking - Hardware / Configuration

2985

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

1300

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...

C# / C Sharp

182

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...

General