okrobie Posted April 22, 2010 Share Posted April 22, 2010 Hello, I have a query: $sql = "select id, first_name, last_name, teacher from table where id='$_SESSION[user_id]'"; but instead of "id='$_SESSION[user_id]'" I want the where statement to say: where id=(a number specified in the URL) Like this http://www.mydomain.com/myfile.php?user_id=53 where 53 is the number of the id I want. How do I accomplish this? Thanks for your help. Link to comment https://forums.phpfreaks.com/topic/199348-modifying-a-query/ Share on other sites More sharing options...
oni-kun Posted April 22, 2010 Share Posted April 22, 2010 Here, Note the security to sanitize (escape) the string should be needed on all user input: $sql = "SELECT id, first_name, last_name, teacher FROM table WHERE `id`='" . mysql_real_escape_string($_GET['user_id']) . "'"; Queries should generally be neat (Commands in capitals and column names in backticks) for readability/maintainability, and escaping really should be done before the query. Here is some more info on the subjects mysql_real_escape_string http://dev.mysql.com/doc/refman/5.0/en/security.html http://www.bitrepository.com/sanitize-data-to-prevent-sql-injection-attacks.html http://www.tizag.com/mysqlTutorial/mysqlquery.php Link to comment https://forums.phpfreaks.com/topic/199348-modifying-a-query/#findComment-1046253 Share on other sites More sharing options...
okrobie Posted April 22, 2010 Author Share Posted April 22, 2010 Thanks oni-kun, The only problem is I don't know what to put for the real escape string. (mysql_real_escape_string) What additional information do I need to give you? Regards, okrobie Link to comment https://forums.phpfreaks.com/topic/199348-modifying-a-query/#findComment-1046255 Share on other sites More sharing options...
oni-kun Posted April 22, 2010 Share Posted April 22, 2010 Thanks oni-kun, The only problem is I don't know what to put for the real escape string. (mysql_real_escape_string) What additional information do I need to give you? Regards, okrobie Only the variable, In this case the $_GET['user_id'] which is gotten from the URL. Take a look at this example: //Grab user ID from url and apply escaping: $userid = mysql_real_escape_string($_GET['user_id']); //Use user ID in query: $sql = "SELECT id, first_name, last_name, teacher FROM table WHERE `id`='$userid' "; Consider this malicious url: http://www.domain.com/myfile.php?user_id=20' and DROP TABLE table It would change the query (The single quote) and thus allow malicous SQL code to be injected. mysql_real_escape_string sanitizes and nullifies the effects of the single quite thus allowing the query to be secure, that's all that's needed. Link to comment https://forums.phpfreaks.com/topic/199348-modifying-a-query/#findComment-1046256 Share on other sites More sharing options...
okrobie Posted April 22, 2010 Author Share Posted April 22, 2010 O.K. Thanks, I think I understand. It's working perfectly now. Best regards, okrobie Link to comment https://forums.phpfreaks.com/topic/199348-modifying-a-query/#findComment-1046257 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.