br3nn4n Posted January 3, 2008 Share Posted January 3, 2008 First off, I'm not sure if this should be in the MySQL section or not, but it's a PHP error so here goes. My query: <?php $query = mysql_query (SELECT * FROM $_GET[section] WHERE date_year = $_GET[year], date_mon = $_GET[month]); ?> And I get the same, tired old: Parse error: syntax error, unexpected T_VARIABLE in /home/thenorth/public_html/test/archives.inc on line 9 The above query is line 9, by the way. TIA Quote Link to comment Share on other sites More sharing options...
rajivgonsalves Posted January 3, 2008 Share Posted January 3, 2008 you forgot the quotes, the sql is a string... it should be as follows, also you put a comma it should be a "and" <?php $query = mysql_query ("SELECT * FROM {$_GET['section']} WHERE date_year = {$_GET['year']} and date_mon = {$_GET['month']}"); ?> Quote Link to comment Share on other sites More sharing options...
br3nn4n Posted January 3, 2008 Author Share Posted January 3, 2008 Ooh, I see Thank you Rajiv! Quote Link to comment Share on other sites More sharing options...
drummer101 Posted January 3, 2008 Share Posted January 3, 2008 Rule of thumb, when you use single quotes inside doubles (or the other way around) as part of an array, they need to be surrounded by { } took me a while to figure that out, but when I did I didn't get that annoying error anymore Quote Link to comment Share on other sites More sharing options...
rajivgonsalves Posted January 3, 2008 Share Posted January 3, 2008 Yes I forgot to mentioned that its the curly syntax read more at http://php.net/manual/en/language.types.string.php Quote Link to comment Share on other sites More sharing options...
kopytko Posted January 3, 2008 Share Posted January 3, 2008 In my opinion it should by like this: <?php $query = mysql_query ('SELECT * FROM '.$_GET['section'].' WHERE date_year = '.$_GET['year'].' and date_mon = '.$_GET['month']); ?> Its faster and causes less mistakes. Quote Link to comment Share on other sites More sharing options...
br3nn4n Posted January 4, 2008 Author Share Posted January 4, 2008 Awesome guys, works perfectly! Thanks! Quote Link to comment Share on other sites More sharing options...
revraz Posted January 4, 2008 Share Posted January 4, 2008 And it's wide open to sql injections. In my opinion it should by like this: <?php $query = mysql_query ('SELECT * FROM '.$_GET['section'].' WHERE date_year = '.$_GET['year'].' and date_mon = '.$_GET['month']); ?> Its faster and causes less mistakes. Quote Link to comment Share on other sites More sharing options...
drummer101 Posted January 4, 2008 Share Posted January 4, 2008 kopytko: $_GET pulls the data from the url like: http://foo.bar/page.php?section=member&year=2008&month=january Now if you were authenticating that way, all I would have to do would be change ?section=member to ?section=admin. I now have access to your admin section. DO NOT USE GET for sql statments >:[ Quote Link to comment Share on other sites More sharing options...
kopytko Posted January 5, 2008 Share Posted January 5, 2008 @drummer101, @revraz I know it. I've just answered to @br3nn4n question. In real life you should user escape string function and validate all data - $_GET, $_POST and $_COOKIES. Quote Link to comment Share on other sites More sharing options...
br3nn4n Posted January 6, 2008 Author Share Posted January 6, 2008 Okay, this may sound naive, but how is that open to sql injections? I could always $_POST the month/year... I'm gonna try hacking it myself in the meantime Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 6, 2008 Share Posted January 6, 2008 kopytko: $_GET pulls the data from the url like: http://foo.bar/page.php?section=member&year=2008&month=january Now if you were authenticating that way, all I would have to do would be change ?section=member to ?section=admin. I now have access to your admin section. DO NOT USE GET for sql statments >:[ as stated it easy to get things put in your database throw your url........... Quote Link to comment Share on other sites More sharing options...
br3nn4n Posted January 7, 2008 Author Share Posted January 7, 2008 Ohh, I get what he meant...about user authentication, and never using $_GET for it. Yeah I know how insecure that is Quote Link to comment Share on other sites More sharing options...
kopytko Posted January 7, 2008 Share Posted January 7, 2008 kopytko: $_GET pulls the data from the url like: http://foo.bar/page.php?section=member&year=2008&month=january Now if you were authenticating that way, all I would have to do would be change ?section=member to ?section=admin. I now have access to your admin section. DO NOT USE GET for sql statments >:[ Why not? If you validate all data from user, than you can't be hacked. Post variables also can be send to script, so if I create script with form or use telnet, I can send post variable named "section" with "admin" value and also get access to admin section. edit By the way. Don't use get, post, cookie variables to pass section and always check if user can view current page. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.