Jump to content

Do you see my coding error?

phppup

By phppup
in PHP Coding Help

 Share

Recommended Posts

phppup Prolific Member

phppup

Posted
Posted

I have a simple form that (for test purposes) has fields for first_name and last_name and then can submit.
I want to validate whether a given name is in the table.

  


//$query  = "SELECT * FROM w WHERE id>='90'  ";
//$query  = "SELECT * FROM w WHERE first_name='steve'  ";
$query  = "SELECT * FROM w WHERE first_name='$first_name'  ";

$result = mysqli_query($link, $query);    

if (mysqli_num_rows($result) == 0) {
echo "NO RECORDS<br />";  
}

if (mysqli_num_rows($result) > 0) {

while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {

echo "ID is ".$row['id']. " now<br /><br />";

}

}


I have a simple form that (for test purposes) has fields for first_name and last_name and then can submit.
I want to validate whether a given name is in the table.

Weird scenario:  When I $query by 'id' the four records in my table list.
When I query DIRECTLY by first_name='steve' I get the correct ECHO for his ID# 93
But when I query with $query  = "SELECT * FROM w WHERE first_name='$first_name'  ";
I get to one echo message for "ID is 21 now" and another for "ID is 77 now"
[Oddly, 21 + 77 = 93, which is Steve's ID]


Please help.

 

Link to comment
https://forums.phpfreaks.com/topic/307357-do-you-see-my-coding-error/
Share on other sites
maxxd Prolific Member

maxxd

Posted
Posted

Print out records 21 & 77, as well as the value of $first_name. My gut's saying that you're not using the values you think you're using, either in the processing script or the database. Of course, without seeing your full code and data set, it's difficult to know for sure.

gizmola Prolific Member

gizmola

Posted
Posted

Hopefully you already recognize that there is no mysterious math going on with your id's.

The answer most likely is that you have 2 rows with first name of 'steve'.  As suggested, you will gain insight by just doing a var_dump($row) inside your fetch loop until you are clear on what is happening.

As suggested, please use bind variables for your query rather than interpolating your string.  

 

Example: 

$link = mysqli_connect(...);
$stmt = mysqli_prepare($link, 'SELECT id, * FROM w WHERE first_name=?');
mysqli_stmt_bind_param($stmt, 's', $first_name);

mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
    var_dump($row);
}

 

 

Trying this input should show you the dangers of string interpolation and the way they lead to sql injection exploits:

Quote

' OR 1=1 OR last_name='$first_name

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.