
HELP: pesky SQL syntax error using PHP variables

Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX
Jul 10 '06 #1
11 Replies


Frankie wrote:
Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX

Your FROM clause would be FROM 'foo'. It should be FROM foo instead.

Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory'], $_POST['tfItemNum']);

-david-

Jul 10 '06 #2

Thank you soooo much!

Those darn quotes...so confusing. I'm delirious from staring at this query
all morning.

F.H.

"David Haynes" <da***********@sympatico.ca> wrote in message
news:pv*******************@fe76.usenetserver.com...
Your FROM clause would be FROM 'foo'. It should be FROM foo instead.

Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory'], $_POST['tfItemNum']);

Jul 10 '06 #3

Rik
Frankie wrote:
Thank you soooo much!

Those darn quotes...so confusing. I'm delirious from staring at this
query all morning.
Rule of thumb:
backticks(``) around names derived from the database (fields, database,
tables)
quotes('') around strings

Grtz,
--
Rik Wasmus
Jul 10 '06 #4

Frankie wrote:
Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX

I hope you're checking those $_POST variables before blindly making the
SQL call!

Robin
Jul 11 '06 #5


"Robin" <an**@somewhere.com> wrote in message
news:e8**********@gemini.csx.cam.ac.uk...
>
<snip>

I hope you're checking those $_POST variables before blindly making the
SQL call!
Yes, $_POST['selectCategory'] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags" if
re-displayed.

Thanks again to all who responded.

F.H.

Jul 12 '06 #6

Frankie wrote:
"Robin" <an**@somewhere.com> wrote in message
news:e8**********@gemini.csx.cam.ac.uk...
>><snip>

I hope you're checking those $_POST variables before blindly making the
SQL call!


Yes, $_POST['selectCategory'] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags" if
re-displayed.

Thanks again to all who responded.

F.H.
By "comes from a select menu" do you mean is the product of a <select
name="selectCategory"> tag?

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Robin
Jul 13 '06 #7

----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables

><snip>

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.
Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?

At the moment, I only clean data that allows direct user input, such as text
fields.

F.H.
Jul 14 '06 #8

Rik
Frankie wrote:
----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables

><snip>

You cannot guarantee that this value will only be one of your
<option> tag values. Posted data is easily forged.

Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?
Yes. I could send raw headers to your script, but much simpler is to make my
own form with the appropriate names, and post it to your url...
In this case, a bogus
POST value would only cause the query to fail, right?
Nope.
Or could a
malicious user gain access to the server this way?
Yes and no. If the POST values are used for db queries, one could pretty
much do anything to your database very easily if you haven't protected
yourself against it. Depending on how the rest of your server is setup, and
how sensitive data is kept, maybe even more.
At the moment, I only clean data that allows direct user input, such
as text fields.

You should check, escape & clean all data that comes from the users.

Grtz,
--
Rik Wasmus
Jul 14 '06 #9

Frankie wrote:
----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables
>><snip>

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?

At the moment, I only clean data that allows direct user input, such as text
fields.
As Rik says, trust nothing that has come from the user as users cannot
be trusted! Don't rely on the standard way browsers restrict the posted
data (such as select tags), or even javascript validation before submission.

Note: (often forgotten) that $_SERVER['PHP_SELF'] comes from the user
too and can be used for cross site scripting attacks (see
http://en.wikipedia.org/wiki/XSS ).

Robin
Jul 14 '06 #10

"Rik" <lu************@hotmail.com> wrote in message
news:ec***************************@news2.tudelft.nl...

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?

Yes. I could send raw headers to your script, but much simpler is to make my
own form with the appropriate names, and post it to your url...
Would it be more secure to send data as SESSION variables instead of POST
variables (after initial data validation)?

F.H.
Jul 16 '06 #11

Rik
Frankie wrote:
"Rik" <lu************@hotmail.com> wrote in message
news:ec***************************@news2.tudelft.nl...
>>>
So you're suggesting all POST data be cleaned, even if it comes
from a select menu which doesn't allow user input?

Yes. I could send raw headers to your script, but much simpler is to
make my own form with the appropriate names, and post it to your
url...

Would it be more secure to send data as SESSION variables instead of
POST variables (after initial data validation)?
You can't 'send' SESSION variables like that.
It would just mean extra code with no benefits.

Just validate your POST data with the tools that are there (is_int(),
preg_match(), mysql_real_escape_string() before using them in a
MySQL database etc.). When a value is invalid, either stop further
processing and provide a useful error message, or set it to a default value
and use that.

Grtz,
--
Rik Wasmus
Jul 16 '06 #12
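The following is an added example, not code posted by anyone in this thread, putting together Rik's rule of thumb from #4 (backticks around identifiers, quotes around strings) and the validation advice in #9 and #12: the table name from selectCategory is checked against a fixed allow-list (a forged POST value that was never an <option> is rejected rather than escaped) and wrapped in backticks, while the itemNumber value is bound as a prepared-statement parameter. It uses PDO bound parameters instead of the mysql_real_escape_string() that Rik mentions; that substitution, the table names, the item-number format and the DSN are all assumptions.

```php
<?php
// Added example (not from the thread): validating both $_POST values from the
// original query before they reach SQL. A table name cannot be bound as a
// prepared-statement parameter, so the FROM identifier is allow-listed and
// backticked; the WHERE value is bound as a parameter. Table names, the
// item-number format and the DSN are assumptions.

// Hypothetical table names; only these may appear in the FROM clause.
const ALLOWED_CATEGORIES = ['books', 'music', 'video'];

function validateCategory(array $post): ?string
{
    // Strict allow-list match: anything else (including a forged value that
    // was never one of the <option> tags) is rejected, not escaped.
    $value = $post['selectCategory'] ?? '';
    return in_array($value, ALLOWED_CATEGORIES, true) ? $value : null;
}

function validateItemNumber(array $post): ?string
{
    // Assumed format: 1 to 10 digits. The pattern is anchored at both ends so
    // nothing can be appended to an otherwise valid number.
    $value = $post['tfItemNum'] ?? '';
    return preg_match('/^[0-9]{1,10}$/', $value) === 1 ? $value : null;
}

function fetchItem(PDO $db, array $post): ?array
{
    $table = validateCategory($post);
    $itemNumber = validateItemNumber($post);
    if ($table === null || $itemNumber === null) {
        // Stop processing with a useful error instead of running the query.
        throw new InvalidArgumentException('invalid category or item number');
    }

    // Backticks around the (already allow-listed) identifier, a bound
    // placeholder for the string value: identifiers and values never mix.
    $sql = "SELECT itemNumber, entryDate, modifyDate, thumbnailURL, title, price "
         . "FROM `{$table}` WHERE itemNumber = :itemNumber";
    $stmt = $db->prepare($sql);
    $stmt->execute([':itemNumber' => $itemNumber]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with an assumed DSN and credentials:
// $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $item = fetchItem($db, $_POST);
```

The point of splitting the two checks is that the two inputs are different kinds of things: selectCategory becomes part of the SQL text itself, so the only safe treatment is to compare it against a short list of known names, whereas tfItemNum is data and can be handed to the database driver as a parameter. Escaping alone would not help with the table name, because escaping is defined for string literals, not for identifiers.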
