Jump to content

some quck help


hopbop

Recommended Posts

ok so what im trying to do is pass a posted value for the name of the table in a mysql_query

 

this is the code i have

 
$dbt = $_POST[arc]; 

$sql = mysql_query("SELECT id, fname, mi, lname ".
					   "FROM $dbt".
					   "ORDER BY date DESC ".
					   "LIMIT $offset, $rec_limit "); 

 

I think i am missing something form the FROM area i just dont know what any help ?

Link to comment
Share on other sites

You're just messing up the quotes. You don't need to concatenate new lines like that in PHP.

$sql = mysql_query("SELECT id, fname, mi, lname
FROM $dbt
ORDER BY date DESC
LIMIT $offset, $rec_limit");

 

EDIT: Also, you need to put quotes around array indexes. $_POST[arc] should be $_POST['arc'].

 

And, you should be sanitizing all user input before using it in a query, to prevent SQL injection. Normally you would use mysql_real_escape_string, but I'm not sure if that would work for the table name. You might just have to strip special characters (like quotes or slashes) from the input completely.

 

One last thing - you should probably put backticks around the table name, in case it has a space in the name. FROM `$dbt`

Link to comment
Share on other sites

EDIT:scootstah beat me to it, but I'll post this anyway as I included some additional info

 

You need to implement good coding standards.

 

1. Use 'correct' indexes in arrays. $_POST[arc] should be $_POST['arc']. What you have will work but is inefficient and poor practice

2. Create your queries as a string variable so you can echo to the page

3. Check for errors if your queries fail.

4. ALWAYS, ALWAYS escape user submitted data used in tables.

 

If you had echo'd out the query the problem would be obvious. By concatenating strings on separate lines it *looks* proper. But, there is no spaces between the table name and "ORDER BY'.

$dbt = mysql_real_escape_string($_POST['arc']); 

$query = "SELECT id, fname, mi, lname
          FROM `{$dbt}`
          ORDER BY `date` DESC
          LIMIT {$offset}, {$rec_limit}";
$result = mysql_query($query);

if(!$result)
{
    echo "There was an error running the query<br>\n";
    echo "Query: {$query}<br>\n";
    echo "Error: " . mysql_error();
}
else
{
    //Continue with processing results

}

Link to comment
Share on other sites

As to escaping the table name being put into the query statement. A table name is not string data. It's an identifier. It's not enclosed within quotes inside the query statement, so there's nothing that escaping special characters in it would protect against. The term 'escape' as it applies to data means to prevent leaving/exiting from the quoted data.

 

A) You should not be suppling the table name from external submitted data. That implies that you have same-meaning data spread out in a number of tables, rather than all same-meaning data in one table.

 

B) To prevent sql injection, you would need to validate that the supplied table name is only and exactly an expected table name.

Link to comment
Share on other sites

As to escaping the table name being put into the query statement. A table name is not string data. It's an identifier. It's not enclosed within quotes inside the query statement, so there's nothing that escaping special characters in it would protect against. The term 'escape' as it applies to data means to prevent leaving/exiting from the quoted data.

 

A) You should not be suppling the table name from external submitted data. That implies that you have same-meaning data spread out in a number of tables, rather than all same-meaning data in one table.

 

B) To prevent sql injection, you would need to validate that the supplied table name is only and exactly an expected table name.

 

While I will agree that you are technically correct that a table name would not be escaped. However, if the data is user submitted then escaping will at least prevent SQL Injection. But, I completely agree that comparing the value against valid names is definitely the way to go. However, regarding the comment about a table name being an identifier and not needing to be quoted, I have to disagree. A column name is also an identifier. The reason for quoting them is to prevent issues when the name is a reserved word or has certain characters (e.g. a space). While using reserved words or certain characters is probably bad practice - it IS valid. So, adding quotes to cover those situations is valid.

 

From the MySQL manual: http://dev.mysql.com/doc/refman/5.0/en/identifiers.html

Certain objects within MySQL, including database, table, index, column, alias, view, stored procedure, partition, and other object names are known as identifiers.

. . .

An identifier may be quoted or unquoted. If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it.

 

In this case the table name is a variable. I don't know what table names he is using now (or in the future). So, quoting the table name is appropriate.

 

EDIT: OK, I have to go back on what I said about escaping the table name would at least prevent SQL Injection. If the table name did have certain special characters then escaping the name would actually prevent the table name to be used in the query. But, again, it's just bad practice to use it like that.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.