
[SOLVED] Same old syntax error, just need query structure help


br3nn4n


First off, I'm not sure if this should be in the MySQL section or not, but it's a PHP error so here goes.

 

My query:

 

<?php
$query = mysql_query (SELECT * FROM $_GET[section] WHERE date_year = $_GET[year], date_mon = $_GET[month]);
?>

 

And I get the same, tired old:

 

Parse error: syntax error, unexpected T_VARIABLE in /home/thenorth/public_html/test/archives.inc on line 9

 

The above query is line 9, by the way.

 

TIA

You forgot the quotes; the SQL is a string. It should be as follows. Also, you put a comma where it should be an "and":


<?php
$query = mysql_query ("SELECT * FROM {$_GET['section']} WHERE date_year = {$_GET['year']} and date_mon = {$_GET['month']}");
?>

Rule of thumb: when you use single quotes inside doubles (or the other way around) as part of an array, they need to be surrounded by { }.

 

took me a while to figure that out, but when I did I didn't get that annoying error anymore :)

And it's wide open to SQL injections.

 

In my opinion it should be like this:

 

<?php
$query = mysql_query ('SELECT * FROM '.$_GET['section'].' WHERE date_year = '.$_GET['year'].' and date_mon = '.$_GET['month']);
?>

It's faster and causes fewer mistakes.

kopytko: $_GET pulls the data from the URL like:

 

http://foo.bar/page.php?section=member&year=2008&month=january

 

Now if you were authenticating that way, all I would have to do would be change ?section=member to ?section=admin. I now have access to your admin section.

 

DO NOT USE GET for SQL statements >:[

As stated, it's easy to get things put in your database through your URL...

Why not? If you validate all data from the user, then you can't be hacked.

POST variables can also be sent to the script, so if I create a script with a form or use telnet, I can send a POST variable named "section" with the value "admin" and also get access to the admin section.

 

Edit:

By the way: don't use GET, POST, or cookie variables to pass the section, and always check whether the user is allowed to view the current page.
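The thread ends with the right advice (validate the input, and check authorization separately from the query) but never shows what that looks like. Below is an added example, not code from any poster in this thread, that rewrites the original query the way a practitioner would do it today. It assumes a PDO connection $pdo (mysql_query cannot bind parameters), a session whose role was set at login, and hypothetical archive table names; the allow-list is needed because a table name cannot be bound as a parameter, and the year/month values are bound so the "date_year = $_GET[year]" interpolation from the first post never happens.

```php
<?php
// Added example: hardened version of the thread's archive query.
// Assumes a PDO connection $pdo; table and role names below are hypothetical.

// A table name cannot be a bound parameter, so "section" must come from a
// fixed allow-list that maps the request value to the real table name.
const SECTION_TABLES = [
    'member' => 'member_archive',   // hypothetical table names
    'admin'  => 'admin_archive',
];

// Role required to read each section. The role is read from the session
// (set at login), never from $_GET/$_POST/cookies, which the client controls.
const SECTION_ROLES = [
    'member' => 'member',
    'admin'  => 'admin',
];

// Authorization check, separate from the query: changing ?section=member to
// ?section=admin in the URL only succeeds if the session role allows it.
function canViewSection(array $session, string $section): bool
{
    $required = SECTION_ROLES[$section] ?? null;
    $role     = $session['role'] ?? null;
    // Assumption for this example: an 'admin' role may read every section.
    return $required !== null && ($role === $required || $role === 'admin');
}

function archiveQuery(PDO $pdo, array $session, array $input): array
{
    $section = $input['section'] ?? '';
    if (!array_key_exists($section, SECTION_TABLES)) {
        throw new InvalidArgumentException('unknown section');
    }
    if (!canViewSection($session, $section)) {
        throw new RuntimeException('not allowed to view this section');
    }
    $table = SECTION_TABLES[$section];

    // Validate the shape of year/month before they go anywhere near SQL.
    $year = filter_var($input['year'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
    $month = strtolower((string) ($input['month'] ?? ''));
    if ($year === false || !preg_match('/^[a-z]{3,9}$/', $month)) {
        throw new InvalidArgumentException('bad year or month');
    }

    // The conditions are joined with AND (the original used a comma, which is
    // a syntax error), and the values are bound, not interpolated.
    $stmt = $pdo->prepare(
        "SELECT * FROM `$table` WHERE date_year = :year AND date_mon = :month"
    );
    $stmt->execute([':year' => $year, ':month' => $month]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage from archives.inc, assuming session_start() has already run:
// $rows = archiveQuery($pdo, $_SESSION, $_GET);
```

Whether the values arrive via GET, POST or a cookie makes no difference to the query's safety, which answers the "why not GET?" question in the thread: what matters is that the table name is chosen from a server-side list, the column values are bound parameters, and the decision about who may read the section is made from session state the client cannot edit.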
