twilitegxa Posted January 29, 2010

I have this page:

```php
<?php
session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//show scouts characters
$get_scouts = "select * from scouts where username = '".$_SESSION['userName']."'";
$get_scouts_res = mysql_query($get_scouts, $conn) or die(mysql_error());

while ($list_scouts = mysql_fetch_array($get_scouts_res)) {
    $identity = ucwords($list_scouts['identity']);
    $topic_id = $list_scouts['id'];
    // closing </a> added; the posted markup left the link unclosed
    echo "<ul class=\"character_list\"><li><a href=\"fight.php?identity=$identity\">$identity</a></li></ul> ";
}
?>
```

And it goes to this page:

```php
<?php
session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//check for required info from the query string
if (!$_GET['identity']) {
    header("Location: train_fight.php");
    exit;
}

//get derived values
$derived = "select * from derived_values where identity = $_GET[identity]";
$derived_res = mysql_query($derived, $conn) or die(mysql_error());

$display_block = "<ul>";

while ($derived_info = mysql_fetch_array($derived_res)) {
    $derived_id = $derived_info['id'];
    $derived_identity = $derived_info['identity'];
    $derived_health = $derived_info['health'];
    $derived_energy = $derived_info['energy'];
    $derived_acv1 = $derived_info['acv1'];
    $derived_acv2 = $derived_info['acv2'];
    $derived_dcv1 = $derived_info['dcv1'];
    $derived_dcv2 = $derived_info['dcv2'];
    $derived_total_cp = $derived_info['total_cp'];
    $display_block .= "<li>$derived_identity</li>";
}

$display_block .= "</ul>";
?>
```

But I am getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use at line 1

What am I doing wrong here? If I change my where statement or take it out, it is displaying the information, but I can't figure out what's wrong with my where statement or where I'm getting my "identity" from. Something's wrong but I can't find it. Can anyone help?

taquitosensei Posted January 29, 2010

If $_GET['identity'] could be a string you need single quotes:

```php
$derived = "select * from derived_values where identity = '".$_GET[identity]."'";
```

twilitegxa Posted January 29, 2010 (Author)

Okay, that worked! Thank you! But now I get this error:

Notice: Use of undefined constant identity - assumed 'identity'

How can I get rid of this error?

Alex Posted January 29, 2010

Use quotes.

```php
$_GET['identity']
```

oni-kun Posted January 29, 2010

Why isn't anyone mentioning this?:

```
$derived = "select * from derived_values where identity = $_GET[identity]";

foo.php?identity=1' or 1 == 1 and DROP TABLE `derived_values`
```

Bam!

twilitegxa Posted January 29, 2010 (Author)

Thank you, Alex. That did the trick. And I don't understand what you are saying oni.

trq Posted January 29, 2010

He is pointing out the fact that using un-sanitized data within your query like you are leaves your database open for attacks.

premiso Posted January 29, 2010

> Why isn't anyone mentioning this?:

Why don't you show him how to fix it instead of criticizing people for not mentioning it? At least explain what you are talking about.

@twilitegxa: He is talking about SQL Injection. Your code is prone to it with that syntax; you will want to use mysql_real_escape_string to prevent it on any GET / POST data that you plan on entering into the database:

```php
$derived = "select * from derived_values where identity = '".mysql_real_escape_string($_GET['identity'])."'";
```

Will prevent that, but be sure to check that magic_quotes are off to prevent double escaping. (This can be checked with get_magic_quotes_gpc; if they are on, I would stripslashes on the data before applying the escape string, or turn them off.)

twilitegxa Posted January 29, 2010 (Author)

Thanks for the information all!
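
Added example, not part of any post in this thread: the fight.php lookup written as a PDO prepared statement next to the concatenated form, run against an in-memory SQLite table so it works offline. The table contents, function names and sample inputs are constructed for illustration; the thread's own code uses the mysql_* extension, which was removed in PHP 7.

```php
<?php
// Added example. Schema and rows are constructed stand-ins for the
// thread's derived_values table; function names are hypothetical.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE derived_values (id INTEGER PRIMARY KEY, identity TEXT, health INTEGER)');
    $pdo->exec("INSERT INTO derived_values (identity, health) VALUES ('Scout One', 40), ('Scout Two', 35)");
    return $pdo;
}

// The thread's pattern: the request value becomes part of the SQL text.
function lookup_concatenated(PDO $pdo, string $identity): array
{
    $sql = "select * from derived_values where identity = '" . $identity . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized: the SQL text is fixed and the value is bound separately,
// so quotes in the value are data and never change the statement.
function lookup_prepared(PDO $pdo, string $identity): array
{
    $stmt = $pdo->prepare('SELECT * FROM derived_values WHERE identity = :identity');
    $stmt->execute([':identity' => $identity]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = open_demo_db();
$inputs = [
    'Scout One',            // value the character list link would send
    "O'Brien",              // legitimate value that happens to contain a quote
    "nobody' OR '1'='1",    // constructed value that alters the WHERE clause
];

foreach ($inputs as $identity) {
    try {
        $unsafe = count(lookup_concatenated($pdo, $identity)) . ' row(s)';
    } catch (PDOException $e) {
        // Same class of failure as the "error in your SQL syntax" message above.
        $unsafe = 'SQL error';
    }
    $safe = count(lookup_prepared($pdo, $identity)) . ' row(s)';
    printf("%-20s concatenated: %-10s prepared: %s\n", $identity, $unsafe, $safe);
}
```

With MySQL the same two calls, prepare() and execute(), apply unchanged; only the DSN passed to the PDO constructor differs.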