HELP: pesky SQL syntax error using PHP variables

Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX
Jul 10 '06 #1
Frankie wrote:
Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX

Your FROM clause would be FROM 'foo'. It should be FROM foo instead.

Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory'], $_POST['tfItemNum']);

-david-

Jul 10 '06 #2
Thank you soooo much!

Those darn quotes...so confusing. I'm delirious from staring at this query
all morning.

F.H.

"David Haynes" <da***********@sympatico.ca> wrote in message
news:pv*******************@fe76.usenetserver.com...
Your FROM clause would be FROM 'foo'. It should be FROM foo instead.

Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory'], $_POST['tfItemNum']);

Jul 10 '06 #3
Rik
Frankie wrote:
Thank you soooo much!

Those darn quotes...so confusing. I'm delirious from staring at this
query all morning.
Rule of thumb:
backticks(``) around names derived from the database (fields, database,
tables)
quotes('') around strings

Grtz,
--
Rik Wasmus
Jul 10 '06 #4
Frankie wrote:
Hello:

New user here...first post to group.

I'm getting an SQL syntax error when I try to run the following query:

$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory'],
$_POST['tfItemNum']);

I've tested the variables and they are populated.

Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.

Any tips appreciated,

Frank H
Austin, TX

I hope you're checking those $_POST variables before blindly making the
SQL call!

Robin
Jul 11 '06 #5

"Robin" <an**@somewhere.com> wrote in message
news:e8**********@gemini.csx.cam.ac.uk...
>
<snip>

I hope you're checking those $_POST variables before blindly making the
SQL call!
Yes, $_POST['selectCategory'] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags" if
re-displayed.

Thanks again to all who responded.

F.H.

Jul 12 '06 #6
Frankie wrote:
"Robin" <an**@somewhere.com> wrote in message
news:e8**********@gemini.csx.cam.ac.uk...
>><snip>

I hope you're checking those $_POST variables before blindly making the
SQL call!


Yes, $_POST['selectCategory'] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags" if
re-displayed.

Thanks again to all who responded.

F.H.
By "comes from a select menu" do you mean it is the product of a <select
name="selectCategory"> tag?

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Robin
Jul 13 '06 #7
----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables

><snip>

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.
Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?

At the moment, I only clean data that allows direct user input, such as text
fields.

F.H.
Jul 14 '06 #8
Rik
Frankie wrote:
----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables

><snip>

You cannot guarantee that this value will only be one of your
<option> tag values. Posted data is easily forged.

Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?
Yes. I could send raw headers to your script, but much simpler is to make my
own form with the appropriate names, and post it to your url...
In this case, a bogus
POST value would only cause the query to fail, right?
Nope.
Or could a
malicious user gain access to the server this way?
Yes and no. If the POST values are used for db queries, one could pretty
much do anything to your database very easily if you haven't protected
yourself against it. Depending on how the rest of your server is set up, and
how sensitive data is kept, maybe even more.
At the moment, I only clean data that allows direct user input, such
as text fields.

You should check, escape & clean all data that comes from the users.

Grtz,
--
Rik Wasmus
Jul 14 '06 #9
Frankie wrote:
----- Original Message -----
From: "Robin" <an**@somewhere.com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables
>><snip>

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?

At the moment, I only clean data that allows direct user input, such as text
fields.
As Rik says, trust nothing that has come from the user as users cannot
be trusted! Don't rely on the standard way browsers restrict the posted
data (such as select tags), or even javascript validation before submission.

Note: (often forgotten) that $_SERVER['PHP_SELF'] comes from the user
too and can be used for cross site scripting attacks (see
http://en.wikipedia.org/wiki/XSS ).

Robin
Jul 14 '06 #10
"Rik" <lu************@hotmail.com> wrote in message
news:ec***************************@news2.tudelft.nl...

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?

Yes. I could send raw headers to your script, but much simpler is to make
my own form with the appropriate names, and post it to your url...
Would it be more secure to send data as SESSION variables instead of POST
variables (after initial data validation)?

IF.HE.
Jul 16 '06 #11
Rik
Frankie wrote:
"Rik" <lu************@hotmail.com> wrote in message
news:ec***************************@news2.tudelft.nl...
>>>
So you're suggesting all POST data be cleaned, even if it comes
from a select menu which doesn't allow user input?

Yes. I could send raw headers to your script, but much simpler is to
make my own form with the appropriate names, and post it to your
url...

Would it be more secure to send data as SESSION variables instead of
POST variables (after initial data validation)?
You can't 'send' SESSION variables like that.
It would just mean extra code with no benefits.

Just validate your POST data with the tools that are there (is_int(),
preg_match(), mysql_real_escape_string() before using them in a
MySQL database etc.). When a value is invalid, either stop further
processing and provide a useful error message, or set it to a default value
and use that.

Grtz,
--
Rik Wasmus
Jul 16 '06 #12
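The checks Rik and Robin describe above, written out as an added example for this page (not code from the thread): the posted category is compared against an allowlist of known table names, since an identifier cannot be bound as a parameter, and the item number is bound with a prepared statement. The table names, the credentials and the digit pattern are assumed placeholders.

```php
<?php
// Added example (not from the thread): reject any posted category that is
// not one of the known tables, then bind the item number as a parameter.
// A table name is an identifier, so it cannot be bound; only the value in
// the WHERE clause can. Table names and credentials below are placeholders.

// The <option> values the form is supposed to send. A hand-made form can
// post anything, so the check happens here, not in the browser.
const CATEGORY_TABLES = ['books', 'music', 'video'];

// Return the validated table name, or null if it is not a known table.
// is_string() also rejects selectCategory[] posted as an array;
// strict in_array() avoids type juggling.
function validateCategory($posted): ?string
{
    return (is_string($posted) && in_array($posted, CATEGORY_TABLES, true))
        ? $posted : null;
}

// Return the item number if it is 1 to 12 digits, otherwise null.
// preg_match() replaces the ereg() check the original poster used.
function validateItemNumber($posted): ?string
{
    return (is_string($posted) && preg_match('/^[0-9]{1,12}$/', $posted) === 1)
        ? $posted : null;
}

$category   = validateCategory($_POST['selectCategory'] ?? null);
$itemNumber = validateItemNumber($_POST['tfItemNum'] ?? null);

if ($category === null || $itemNumber === null) {
    http_response_code(400);
    exit('Invalid category or item number.');
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'shop'); // placeholders

// The table name may be interpolated only because it came from the
// allowlist; backticks mark it as an identifier (Rik's rule of thumb).
// The item number is a bound parameter, so it needs no escaping at all.
$stmt = $db->prepare(
    'SELECT itemNumber, entryDate, modifyDate, thumbnailURL, title, price'
    . " FROM `{$category}` WHERE itemNumber = ?"
);
$stmt->bind_param('s', $itemNumber);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

A value that is not in CATEGORY_TABLES never reaches the query at all, which is the answer to the "would a bogus POST value only make the query fail?" question: it fails before any SQL is built.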
