[SOLVED] mysqli_fetch_array()

[The Little Guy]

<?php
$sql = mysqli_query($db,"SELECT * FROM web_search WHERE RLIKE '%{$_GET['q']}%'"); # Line 13
$row = mysqli_fetch_array($sql,MYSQLI_ASSOC); # Line 14
?>

 

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\Program Files\xampp\htdocs\search\search.php on line 14

 

Anyone know what that means?

[genericnumber1]

Use

 

$sql = mysqli_query($db,"SELECT * FROM web_search WHERE RLIKE '%{$_GET['q']}%'") or die('error in query: ' . mysqli_error($db));

 

it would have helped you catch your error in your syntax (RLIKE probably should be LIKE)

 

As a side note this script is vulnerable to sql injection.

[The Little Guy]

Thanks, It was actually an SQL error, i didn't select a column before RLIKE.

 

I then didn't get any results, so I changed it to LIKE, and now it works.

[Maverickb7]

Sorry to break in on your topic. but genericnumber1.. why is it vulnerable to sql injection and what can you do to secure it?

[Maverickb7]

I use something simular so that's why I'm asking.

[genericnumber1]

Well what if someone posted something like

...

script.php?q=' UNION ALL evil things --

 

then your query would read

 

SELECT * FROM web_search WHERE RLIKE '%' UNION ALL evil things -- %'

 

and they could add whatever they wanted to your query...

to fix this you would want to use mysqli_real_escape_string() (or a similar function) to escape all the characters like the ' I used above

 

<?php
$query = $_GET['q'];
if(get_magic_quotes_gpc()) 
{
   $query = stripslashes($query); // pull off the slashes that magic_quotes added
}
$query = mysqli_real_escape_string($connection, $result);

$result = mysqli_query($connection, "SELECT * FROM table WHERE foo = '$bar'") or die(mysqli_error($connection));
?>

 

http://www.php.net/mysqli_real_escape_string

[Maverickb7]

so instead of:

$query = mysql_query("SELECT * FROM table") or die(mysql_error());

 

would be:

$query = mysqli_query("SELECT * FROM table") or die(mysql_error());

[genericnumber1]

no, no the only insecure part of his script is the fact that he used $_GET['q'] directly in his query, it has nothing to do with whether you are using the mysqli or mysql functions.

 

Both the things you posted are secure. (The second one is actually incorrect syntax, mysqli wants a connection identifier in the query function.)

 

the mysql functions are just as vulnerable to sql injection as mysqli when they're used in this way.

[Maverickb7]

oh alright. I see what your saying now. Your just sayin it's not good to use $_GET['q'] directly because of what it might hold. Basically all your saying is its better to filter out bad characters before using it within a query string?

[genericnumber1]

Yes, don't let the user post data directly into a query, you should always filter it first.

 

As they say in PHP security, "Filter input, escape output"

[Maverickb7]

Sadly I haven't taken any PHP classes. I'm just reading tutorials and getting help on phpfreaks. This place sure has been a great help to me. Seems like everytime I come here I'm learning something new because of someone elses problem. =P

[genericnumber1]

Teaching yourself is the best way imho.