twilitegxa Posted January 29, 2010

I have this page:

```php
<?php
session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//show scouts characters
$get_scouts = "select * from scouts where username = '".$_SESSION['userName']."'";
$get_scouts_res = mysql_query($get_scouts, $conn) or die(mysql_error());

while ($list_scouts = mysql_fetch_array($get_scouts_res)) {
    $identity = ucwords($list_scouts['identity']);
    $topic_id = $list_scouts['id'];
    echo "<ul class=\"character_list\"><li><a href=\"fight.php?identity=$identity\">$identity</a></li></ul> ";
}
?>
```

And it goes to this page:

```php
<?php
session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//check for required info from the query string
if (!$_GET['identity']) {
    header("Location: train_fight.php");
    exit;
}

//get derived values
$derived = "select * from derived_values where identity = $_GET[identity]";
$derived_res = mysql_query($derived, $conn) or die(mysql_error());

$display_block = "<ul>";

while ($derived_info = mysql_fetch_array($derived_res)) {
    $derived_id = $derived_info['id'];
    $derived_identity = $derived_info['identity'];
    $derived_health = $derived_info['health'];
    $derived_energy = $derived_info['energy'];
    $derived_acv1 = $derived_info['acv1'];
    $derived_acv2 = $derived_info['acv2'];
    $derived_dcv1 = $derived_info['dcv1'];
    $derived_dcv2 = $derived_info['dcv2'];
    $derived_total_cp = $derived_info['total_cp'];

    $display_block .= "<li>$derived_identity</li>";
}

$display_block .= "</ul>";
?>
```

But I am getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use at line 1

What am I doing wrong here? If I change my where statement or take it out, it is displaying the information, but I can't figure out what's wrong with my where statement or where I'm getting my "identity" from. Something's wrong but I can't find it. Can anyone help?

taquitosensei Posted January 29, 2010

If $_GET['identity'] could be a string, you need single quotes:

```php
$derived = "select * from derived_values where identity = '".$_GET[identity]."'";
```

twilitegxa Posted January 29, 2010

Okay, that worked! Thank you! But now I get this error:

Notice: Use of undefined constant identity - assumed 'identity'

How can I get rid of this error?

Alex Posted January 29, 2010

Use quotes.

```php
$_GET['identity']
```

oni-kun Posted January 29, 2010

Why isn't anyone mentioning this?:

```php
$derived = "select * from derived_values where identity = $_GET[identity]";
```

```
foo.php?identity=1' or 1 == 1 and DROP TABLE `derived_values`
```

Bam!

twilitegxa Posted January 29, 2010

Thank you, Alex. That did the trick. And I don't understand what you are saying, oni.

trq Posted January 29, 2010

He is pointing out the fact that using un-sanitized data within your query like you are leaves your database open for attacks.

premiso Posted January 29, 2010

> Why isn't anyone mentioning this?:

Why don't you show him how to fix it instead of criticizing people for not mentioning it? At least explain what you are talking about.

@twilitegxa: He is talking about SQL injection; your code is prone to it with that syntax. You will want to use mysql_real_escape_string to prevent it on any GET / POST data that you plan on entering into the database:

```php
$derived = "select * from derived_values where identity = '".mysql_real_escape_string($_GET['identity'])."'";
```

Will prevent that, but be sure to check that magic_quotes are off to prevent double escaping. (This can be checked with get_magic_quotes_gpc; if they are on, I would stripslashes on the data before applying the escape string, or turn them off.)
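
The lookup from the second page in this thread, rewritten with a PDO prepared statement instead of string escaping, as an added example that is not code from any poster. It assumes PHP with the pdo_sqlite driver: an in-memory SQLite table with constructed rows stands in for the MySQL `derived_values` table, and the helper names `find_derived` and `render_list` are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table with
// constructed rows stands in for the poster's MySQL `derived_values` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE derived_values (id INTEGER PRIMARY KEY, identity TEXT, health INTEGER)");
$pdo->exec("INSERT INTO derived_values (identity, health) VALUES ('Scout One', 40), ('Scout Two', 35)");

// Hypothetical helper: look up rows by identity with a bound parameter.
function find_derived(PDO $pdo, string $identity): array
{
    // The value travels as a bound parameter and is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, identity, health FROM derived_values WHERE identity = :identity');
    $stmt->execute([':identity' => $identity]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: build the <ul> the original page builds, HTML-encoding each value.
function render_list(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['identity'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Constructed inputs: a stored name, a name containing a quote, and the
// query-string value quoted earlier in the thread.
$inputs = [
    'Scout One',
    "O'Brien",
    "1' or 1 == 1 and DROP TABLE `derived_values`",
];
foreach ($inputs as $input) {
    $rows = find_derived($pdo, $input);
    printf("%-46s => %d row(s) %s\n", $input, count($rows), render_list($rows));
}

// Every lookup above ran as a plain comparison, so the table still has its rows.
$count = $pdo->query('SELECT COUNT(*) FROM derived_values')->fetchColumn();
echo "rows still in derived_values: $count\n";
```

With the pdo_mysql driver, set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server. The mysql_* functions used in the thread were removed in PHP 7.0.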

twilitegxa Posted January 29, 2010

Thanks for the information all!

This topic is now archived and is closed to further replies.