jacko_162 Posted August 30, 2014 (edited)

I'm using a dropdown menu to add data to the URL in order to run a separate query command depending on the result. The URL comes in as: index.php?role=ceo

I have the following form:

```html
<!-- "echo" was missing from the action attribute, so it rendered as action="";
     PHP_SELF reflects the request path, so it is HTML-escaped before output -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="GET">
  <select name="role">
    <option value="all">ALL</option>
    <option value="ceo">CEO</option>
    <option value="coceo">Co-Ceo</option>
    <option value="director">Director</option>
    <option value="pos">POS Manager</option>
    <option value="member">Member</option>
  </select>
  <input type="submit" value="Filter Results" />
</form>
```

and the following set of if commands:

```php
<?php
// Check if it echoes role (IT DOES!!)
// $role is never assigned in this snippet; it only has a value if the
// URL parameter is being copied into it (e.g. by register_globals).
echo $role;

// Perform the SQL query.
// If role is set then add a WHERE clause to filter to the specific role.
// $_GET['role'] is pasted straight into the SQL text, unquoted and unescaped.
if (isset($_GET['role'])) {
    $results = mysql_query('SELECT * FROM `ecmt_memberlist` WHERE role = ' . $_GET['role'] . ' ORDER BY CONCAT(MainToon, Name)');
}
// If no role is set in the URL, return ALL results!
else {
    $results = mysql_query('SELECT * FROM `ecmt_memberlist` ORDER BY CONCAT(MainToon, Name)');
}

// mysql_query() returns false when the query fails, so this loop is then
// handed false instead of a result resource.
$results_array = array();
while ($row = mysql_fetch_array($results)) {
    $results_array[$row['characterID']] = $row;
}
?>
```

I get this error when trying to run the submit button:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /homepages/28/d208931384/htdocs/build/dev/index.php line 82: while ($row = mysql_fetch_array($results)) {

Why is it running the error and not showing results? If I don't submit the form, all the data is shown correctly, as it should be.

Edited August 30, 2014 by jacko_162
Jacques1 Posted August 30, 2014 (edited)

It's a self-inflicted SQL injection, if you will. You can't just drop some URL parameter into a query string. If you're lucky, the script will simply crash due to a syntax error (which is what just happened). If you're less lucky, then people will actively exploit this bug and manipulate the query. They'll be able to fetch arbitrary data or even take over the entire server.

People have actually pointed out this mistake in your previous threads, but for some reason you've decided to try it again. What are you waiting for? An actual attack against your server?

You need to at least escape and quote dynamic values before you insert them into a query. This is the absolute minimum. If you want proper code, then it's time to throw away those mysql_* functions and switch to PDO. The 90s are over.

Edited August 30, 2014 by Jacques1
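The unquoted query from the first post beside its prepared-statement replacement, as an added example that is not code from either poster. It assumes PHP 7 or later with the pdo_sqlite extension and builds an in-memory SQLite copy of the table with made-up rows so it runs offline; the table and column names come from the original query, while the function names, the sample rows and the ALLOWED_ROLES list are this example's own. Against MySQL the PDO calls are identical, only the DSN in `new PDO(...)` changes.

```php
<?php
// Added example, not from the thread. In-memory SQLite stands in for MySQL;
// table/column names follow the poster's query, the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ecmt_memberlist (characterID INTEGER PRIMARY KEY, Name TEXT, MainToon TEXT, role TEXT)');
$ins = $pdo->prepare('INSERT INTO ecmt_memberlist (Name, MainToon, role) VALUES (?, ?, ?)');
foreach ([['Alice', 'Alice', 'ceo'], ['Bob', 'Alice', 'director'], ['Carol', 'Carol', 'member']] as $row) {
    $ins->execute($row);
}

// 1. What the original code does: paste the raw parameter into the SQL text.
//    role=ceo becomes "WHERE role = ceo", and ceo is parsed as a column name.
function unsafeFilter(PDO $pdo, string $role): array
{
    $sql = 'SELECT * FROM ecmt_memberlist WHERE role = ' . $role . ' ORDER BY MainToon || Name';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The fix: a prepared statement. The value is sent separately from the
//    SQL text, so it can never change the shape of the query.
function safeFilter(PDO $pdo, ?string $role): array
{
    $sql = 'SELECT * FROM ecmt_memberlist';
    $params = [];
    if ($role !== null) {
        $sql .= ' WHERE role = :role';
        $params[':role'] = $role;
    }
    $sql .= ' ORDER BY MainToon || Name';   // SQLite spelling of CONCAT(MainToon, Name)
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Defence in depth: the dropdown offers a fixed set of roles, so anything
//    else is rejected before it reaches the database at all.
const ALLOWED_ROLES = ['ceo', 'coceo', 'director', 'pos', 'member'];

function roleFromRequest(array $get): ?string
{
    if (!isset($get['role']) || $get['role'] === 'all') {
        return null;   // no parameter, or "all": no WHERE clause
    }
    return in_array($get['role'], ALLOWED_ROLES, true) ? $get['role'] : null;
}

// --- demonstration ---
try {
    unsafeFilter($pdo, 'ceo');
} catch (PDOException $e) {
    // The poster's warning is this failure one step later: mysql_query()
    // returned false, and mysql_fetch_array() was handed that false.
    echo "unquoted role=ceo -> SQL error: " . $e->getMessage() . "\n";
}
// The same bug lets a caller rewrite the WHERE clause; this returns every row.
echo "unquoted, injected: " . count(unsafeFilter($pdo, "'' OR 1=1")) . " rows\n";

echo "prepared, role=ceo: " . count(safeFilter($pdo, 'ceo')) . " rows\n";              // 1
echo "prepared, same payload: " . count(safeFilter($pdo, "'' OR 1=1")) . " rows\n";     // 0
echo "whitelisted, role=all: " . count(safeFilter($pdo, roleFromRequest(['role' => 'all']))) . " rows\n";  // 3
echo "whitelisted, bad role: " . count(safeFilter($pdo, roleFromRequest(['role' => 'x'])))   . " rows\n";  // 3
```

Run with `php example.php`. The prepared statement is what actually closes the hole; the whitelist is there because a parameter that can only take five known values should never reach the database with anything else, and it also gives you a single place to map "all" to "no filter" instead of relying on isset().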