The Little Guy, posted April 18, 2007

```php
<?php
$sql = mysqli_query($db, "SELECT * FROM web_search WHERE RLIKE '%{$_GET['q']}%'"); # Line 13
$row = mysqli_fetch_array($sql, MYSQLI_ASSOC); # Line 14
?>
```

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\Program Files\xampp\htdocs\search\search.php on line 14

Anyone know what that means?

https://forums.phpfreaks.com/topic/47508-solved-mysqli_fetch_array/
genericnumber1, posted April 18, 2007

Use

```php
$sql = mysqli_query($db, "SELECT * FROM web_search WHERE RLIKE '%{$_GET['q']}%'")
    or die('error in query: ' . mysqli_error($db));
```

It would have helped you catch the error in your syntax (RLIKE probably should be LIKE). As a side note, this script is vulnerable to SQL injection.
The Little Guy (author), posted April 18, 2007

Thanks. It was actually an SQL error; I didn't select a column before RLIKE. I then didn't get any results, so I changed it to LIKE, and now it works.
Maverickb7, posted April 18, 2007

Sorry to break in on your topic, but genericnumber1, why is it vulnerable to SQL injection, and what can you do to secure it?
Maverickb7, posted April 18, 2007

I use something similar, so that's why I'm asking.
genericnumber1, posted April 18, 2007

Well, what if someone posted something like

script.php?q=' UNION ALL evil things --

Then your query would read

SELECT * FROM web_search WHERE RLIKE '%' UNION ALL evil things -- %'

and they could add whatever they wanted to your query. To fix this you would want to use mysqli_real_escape_string() (or a similar function) to escape all the characters like the ' I used above:

```php
<?php
$query = $_GET['q'];
if (get_magic_quotes_gpc()) {
    $query = stripslashes($query); // pull off the slashes that magic_quotes added
}
// Escape the user value for use inside a quoted SQL string literal
$query  = mysqli_real_escape_string($connection, $query);
$result = mysqli_query($connection, "SELECT * FROM table WHERE foo = '$query'")
    or die(mysqli_error($connection));
?>
```

http://www.php.net/mysqli_real_escape_string
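An added example, not code from the thread or from either poster, showing how the search from the first post can be written so that the user's input never becomes part of the SQL text. It assumes an open mysqli connection in $db (as in the first post), PHP 7 or later, and a text column named `title` in web_search; the thread never names the column, so `title` is a placeholder. It also handles a point the escaping approach alone does not: LIKE treats % and _ as wildcards, so a search term containing them needs a second, separate escape for the LIKE context.

```php
<?php
// Added example (not code from the thread). Assumes an open mysqli connection in $db,
// as in the first post, and a text column named `title` in web_search; the thread never
// names the column, so `title` is a placeholder to be replaced with the real one.

/**
 * Substring search on web_search.title using a prepared statement.
 * The SQL text contains no user data; the pattern travels as a bound parameter,
 * so quotes or comment sequences in $term cannot change the statement.
 */
function search_web(mysqli $db, string $term): array
{
    // LIKE treats % and _ as wildcards. Escape them (and the escape character itself)
    // so a user typing "100%" matches that literal text rather than "100" followed by anything.
    $pattern = '%' . addcslashes($term, '\\%_') . '%';

    $stmt = $db->prepare("SELECT * FROM web_search WHERE title LIKE ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs the mysqlnd driver
    $stmt->close();
    return $rows;
}

/**
 * The same search in the procedural style used in the thread, for code that cannot
 * use prepared statements. The value is escaped once for each context it enters:
 * first for LIKE's wildcards, then for the SQL string literal it is interpolated into.
 */
function search_web_escaped(mysqli $db, string $term): array
{
    $forLike = addcslashes($term, '\\%_');
    $forSql  = mysqli_real_escape_string($db, $forLike);
    $result  = mysqli_query($db, "SELECT * FROM web_search WHERE title LIKE '%{$forSql}%'");
    if ($result === false) {
        throw new RuntimeException('error in query: ' . mysqli_error($db));
    }
    return mysqli_fetch_all($result, MYSQLI_ASSOC); // needs the mysqlnd driver
}

// Usage, assuming $db came from mysqli_connect() earlier in the script.
// Reading $_GET['q'] with a default avoids an undefined-index notice when the parameter is missing.
if (isset($db)) {
    $rows = search_web($db, $_GET['q'] ?? '');
    foreach ($rows as $row) {
        // Escape on output as well: the stored value is data, not HTML.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The bound-parameter version is the one to prefer: the database receives the statement and the value separately, so there is no string context for the input to break out of, and a failed prepare() or execute() surfaces as an exception rather than as the "boolean given" warning from the first post. The wildcard escaping is a correctness measure, not an injection fix; without it a user searching for "50%" gets every row containing "50".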
Maverickb7, posted April 18, 2007

So instead of:

```php
$query = mysql_query("SELECT * FROM table") or die(mysql_error());
```

it would be:

```php
$query = mysqli_query("SELECT * FROM table") or die(mysql_error());
```
genericnumber1, posted April 18, 2007

No, no. The only insecure part of his script is the fact that he used $_GET['q'] directly in his query; it has nothing to do with whether you are using the mysqli or mysql functions. Both the things you posted are secure. (The second one is actually incorrect syntax; mysqli wants a connection identifier in the query function.) The mysql functions are just as vulnerable to SQL injection as mysqli when they're used in this way.
Maverickb7, posted April 18, 2007

Oh, alright. I see what you're saying now. You're just saying it's not good to use $_GET['q'] directly because of what it might hold. Basically all you're saying is it's better to filter out bad characters before using it within a query string?
genericnumber1, posted April 18, 2007

Yes, don't let the user post data directly into a query; you should always filter it first. As they say in PHP security, "Filter input, escape output."
Maverickb7, posted April 18, 2007

Sadly I haven't taken any PHP classes. I'm just reading tutorials and getting help on phpfreaks. This place sure has been a great help to me. Seems like every time I come here I'm learning something new because of someone else's problem. =P
genericnumber1, posted April 18, 2007

Teaching yourself is the best way, imho.