hopbop Posted August 2, 2012 Share Posted August 2, 2012 ok so what im trying to do is pass a posted value for the name of the table in a mysql_query this is the code i have $dbt = $_POST[arc]; $sql = mysql_query("SELECT id, fname, mi, lname ". "FROM $dbt". "ORDER BY date DESC ". "LIMIT $offset, $rec_limit "); I think i am missing something form the FROM area i just dont know what any help ? Quote Link to comment Share on other sites More sharing options...
scootstah Posted August 2, 2012 Share Posted August 2, 2012 You're just messing up the quotes. You don't need to concatenate new lines like that in PHP. $sql = mysql_query("SELECT id, fname, mi, lname FROM $dbt ORDER BY date DESC LIMIT $offset, $rec_limit"); EDIT: Also, you need to put quotes around array indexes. $_POST[arc] should be $_POST['arc']. And, you should be sanitizing all user input before using it in a query, to prevent SQL injection. Normally you would use mysql_real_escape_string, but I'm not sure if that would work for the table name. You might just have to strip special characters (like quotes or slashes) from the input completely. One last thing - you should probably put backticks around the table name, in case it has a space in the name. FROM `$dbt` Quote Link to comment Share on other sites More sharing options...
Psycho Posted August 2, 2012 Share Posted August 2, 2012 EDIT:scootstah beat me to it, but I'll post this anyway as I included some additional info You need to implement good coding standards. 1. Use 'correct' indexes in arrays. $_POST[arc] should be $_POST['arc']. What you have will work but is inefficient and poor practice 2. Create your queries as a string variable so you can echo to the page 3. Check for errors if your queries fail. 4. ALWAYS, ALWAYS escape user submitted data used in tables. If you had echo'd out the query the problem would be obvious. By concatenating strings on separate lines it *looks* proper. But, there is no spaces between the table name and "ORDER BY'. $dbt = mysql_real_escape_string($_POST['arc']); $query = "SELECT id, fname, mi, lname FROM `{$dbt}` ORDER BY `date` DESC LIMIT {$offset}, {$rec_limit}"; $result = mysql_query($query); if(!$result) { echo "There was an error running the query<br>\n"; echo "Query: {$query}<br>\n"; echo "Error: " . mysql_error(); } else { //Continue with processing results } Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 2, 2012 Share Posted August 2, 2012 As to escaping the table name being put into the query statement. A table name is not string data. It's an identifier. It's not enclosed within quotes inside the query statement, so there's nothing that escaping special characters in it would protect against. The term 'escape' as it applies to data means to prevent leaving/exiting from the quoted data. A) You should not be suppling the table name from external submitted data. That implies that you have same-meaning data spread out in a number of tables, rather than all same-meaning data in one table. B) To prevent sql injection, you would need to validate that the supplied table name is only and exactly an expected table name. Quote Link to comment Share on other sites More sharing options...
Psycho Posted August 2, 2012 Share Posted August 2, 2012 As to escaping the table name being put into the query statement. A table name is not string data. It's an identifier. It's not enclosed within quotes inside the query statement, so there's nothing that escaping special characters in it would protect against. The term 'escape' as it applies to data means to prevent leaving/exiting from the quoted data. A) You should not be suppling the table name from external submitted data. That implies that you have same-meaning data spread out in a number of tables, rather than all same-meaning data in one table. B) To prevent sql injection, you would need to validate that the supplied table name is only and exactly an expected table name. While I will agree that you are technically correct that a table name would not be escaped. However, if the data is user submitted then escaping will at least prevent SQL Injection. But, I completely agree that comparing the value against valid names is definitely the way to go. However, regarding the comment about a table name being an identifier and not needing to be quoted, I have to disagree. A column name is also an identifier. The reason for quoting them is to prevent issues when the name is a reserved word or has certain characters (e.g. a space). While using reserved words or certain characters is probably bad practice - it IS valid. So, adding quotes to cover those situations is valid. From the MySQL manual: http://dev.mysql.com/doc/refman/5.0/en/identifiers.html Certain objects within MySQL, including database, table, index, column, alias, view, stored procedure, partition, and other object names are known as identifiers. . . . An identifier may be quoted or unquoted. If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it. In this case the table name is a variable. I don't know what table names he is using now (or in the future). So, quoting the table name is appropriate. EDIT: OK, I have to go back on what I said about escaping the table name would at least prevent SQL Injection. If the table name did have certain special characters then escaping the name would actually prevent the table name to be used in the query. But, again, it's just bad practice to use it like that. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.