Jump to content

Recommended Posts

i'm using a dropdown menu to add data to URL in order to run a separate query command depending on result.

url comes in as: index.php?role=ceo

i have the following form:

<form action="<?php $_SERVER['PHP_SELF'] ?>" method="GET" > 
<select name="role">
<option value="all">ALL</option>
<option value="ceo">CEO</option>
<option value="coceo">Co-Ceo</option>
<option value="director">Director</option>
<option value="pos">POS Manager</option>
<option value="member">Member</option>
</select> 
<input type="submit" value="Filter Results" /> 
</form>

and the following set of if commands;

 

<?php
//Check if it echo role (IT DOES!!)
echo $role;


// Perform the SQL query
//if role is set then add WHERE clause to filter to specific role
if (isset($_GET['role'])) {
$results = mysql_query('SELECT * FROM `ecmt_memberlist` WHERE role = '. $_GET['role'].' ORDER BY CONCAT(MainToon, Name)');
}
//if no role set in url return ALL results!
else {
$results = mysql_query('SELECT * FROM `ecmt_memberlist` ORDER BY CONCAT(MainToon, Name)');
}
$results_array = array();
while ($row = mysql_fetch_array($results)) {
$results_array[$row['characterID']] = $row;
}
?>

 

i get this error when trying to run the submit button:

 

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /homepages/28/d208931384/htdocs/build/dev/index.php

 

 

line 82:

while ($row = mysql_fetch_array($results)) {

why is it running the error? and not showing results?

if i don't submit the form all the data is shown as it should be correctly.

Edited by jacko_162
Link to comment
https://forums.phpfreaks.com/topic/290745-_get-giving-me-warning-message/
Share on other sites

It's a self-inflicted SQL injection, if you will.

 

You can't just drop some URL parameter into a query string. If you're lucky, the script will simply crash due to a syntax error (which is what just happened). If you're less lucky, then people will actively exploit this bug and manipulate the query. They'll be able to fetch arbitrary data or even take over the entire server.

 

People have actually pointed this mistake in your previous threads, but for some reason you've decided to try it again. What are you waiting for? An actual attack against your server?

 

You need to at least escape and quote dynamic values before you insert them into a query. This is the absolute minimum. If you want proper code, then it's time to throw away those mysql_* functions and switch to PDO. The 90s are over.

Edited by Jacques1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.