audiovisuaali Posted March 2, 2017

When I'm doing this it can't handle the query line. When I change the :count to a number it works correctly. So I want to know how I can use a string to determine a number for the MySQL request. Thank you!

<?php
// Error report
ini_set('display_errors', 1);
error_reporting(~0);

// Getting video ID from URL
$video = $_GET['v'];

// Including database connection
include 'db.php';

//$query = "SELECT file_name, videos FROM videos ORDER BY RAND() LIMIT 1;";
$query = "SELECT file_name, videos FROM videos LIMIT :count,1;";

// Prepare
$statement = $handler->prepare($query);
$statement->bindParam(":count",$video);

// Execute
$statement->execute();

// Fetch
$videos = $statement->fetch(PDO::FETCH_ASSOC);

$comment = $videos["file_name"];
$videos = $videos["videos"];

echo $comment;
echo $videos;
?>

Source: https://forums.phpfreaks.com/topic/303328-mysql-code-injection-with-a-string-in-php/
audiovisuaali (Author) Posted March 2, 2017

Here's what I see when I go to the page:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'NULL,1' at line 1' in FILE_LOCATION/test.php:21
Stack trace:
#0 FILE_LOCATION/test.php(21): PDOStatement->execute()
#1 {main}
thrown in FILE_LOCATION/test.php on line 21
Jacques1 Posted March 2, 2017

You have an entire collection of errors.

First, you're obviously accessing the script without a v parameter in the URL, because the value of $video is null. You have no check for that case either; you just assume that the parameter is always present (which it isn't, as you can see).

Then you're using emulated prepared statements (which is the default) instead of real ones. This means the parameters are literally inserted into the query string instead of getting sent to the database. Since your parameter is null, you end up with a LIMIT of NULL -- which is syntactically wrong.

The query itself is also fishy. Why are you doing an offset search when you want to look up a particular ID? This will give you nonsense results. You don't even have an ORDER BY clause, so the offset could start absolutely anywhere.

Long story short:

- Validate the user input and handle missing parameters; don't just assume that you get what you expect.
- Disable statement emulation.
- Fix the query. You probably want a WHERE clause.
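The three fixes from the reply above, put together in one script. This is an added example, not code from either poster: it assumes a videos table with an integer primary key named id alongside the file_name and videos columns shown in the thread, and the DSN, user and password are placeholders for whatever db.php in the original set up.

```php
<?php
// Added example (not the original poster's code): look up one video by ID with
// input validation, real prepared statements and a WHERE clause.
// Assumptions: a `videos` table with an integer primary key `id` plus the
// `file_name` and `videos` columns from the thread; DSN and credentials are placeholders.

declare(strict_types=1);

ini_set('display_errors', '1');
error_reporting(E_ALL);

// 1. Validate the input. filter_input() returns null when the key is absent and
//    false when the value is not an integer in range, so both cases are rejected
//    before any SQL is built.
$video = filter_input(INPUT_GET, 'v', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($video === null || $video === false) {
    http_response_code(400);
    exit('Missing or invalid video ID');
}

// 2. Connect with emulated prepares disabled, so values travel separately from the
//    SQL text, and with exceptions enabled so a failure is never silently ignored.
$handler = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 3. Select by key rather than by offset. LIMIT n,1 without ORDER BY is not a
//    stable way to address a row; WHERE id = :id is.
$statement = $handler->prepare('SELECT file_name, videos FROM videos WHERE id = :id');
$statement->bindValue(':id', $video, PDO::PARAM_INT);
$statement->execute();

$row = $statement->fetch();
if ($row === false) {
    http_response_code(404);
    exit('No such video');
}

// Escape on output so a stored file name cannot inject markup into the page.
echo htmlspecialchars($row['file_name'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($row['videos'], ENT_QUOTES, 'UTF-8'), "\n";
```

If the LIMIT :count form is ever kept for a genuine paging use, the placeholder must be bound as an integer (bindValue with PDO::PARAM_INT on an int value); with emulation left on, a string or null value is interpolated as a quoted literal or NULL, which is exactly the syntax error the author's second post shows.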