[SOLVED] Same old syntax error, just need query structure help



First off, I'm not sure if this should be in the MySQL section or not, but it's a PHP error so here goes.

 

My query:

 

<?php
$query = mysql_query (SELECT * FROM $_GET[section] WHERE date_year = $_GET[year], date_mon = $_GET[month]);
?>

 

And I get the same, tired old:

 

Parse error: syntax error, unexpected T_VARIABLE in /home/thenorth/public_html/test/archives.inc on line 9

 

The above query is line 9, by the way.

 

TIA

You forgot the quotes; the SQL is a string. It should be as follows. Also, you put a comma where it should be an "and":


<?php
$query = mysql_query ("SELECT * FROM {$_GET['section']} WHERE date_year = {$_GET['year']} and date_mon = {$_GET['month']}");
?>

Rule of thumb: when you use single quotes inside doubles (or the other way around) as part of an array, they need to be surrounded by { }.

 

took me a while to figure that out, but when I did I didn't get that annoying error anymore :)

In my opinion it should be like this:

 

<?php
$query = mysql_query ('SELECT * FROM '.$_GET['section'].' WHERE date_year = '.$_GET['year'].' and date_mon = '.$_GET['month']);
?>

It's faster and causes fewer mistakes.

And it's wide open to SQL injection.

 

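The same query written so that request parameters never become SQL, added here as an illustration and not code from any poster in this thread. It swaps the thread's mysql_ extension for PDO; the DSN, credentials and table names are placeholders. Because a table name cannot be bound as a parameter, the section value is only used to look up a fixed allowlist, while year and month are bound through a prepared statement.

```php
<?php
// Added example (not from the thread): the archive query built safely with PDO.
// Assumptions: the table names below and the connection details are placeholders.

// A table name cannot be a bound parameter, so ?section= is mapped through
// a fixed allowlist and anything not in it is rejected outright.
$allowedSections = [
    'member' => 'member_archive',   // placeholder table names
    'news'   => 'news_archive',
];

// Month names as they appear in the URL in the thread ("month=january").
$allowedMonths = ['january', 'february', 'march', 'april', 'may', 'june',
    'july', 'august', 'september', 'october', 'november', 'december'];

function buildArchiveStatement(PDO $pdo, array $allowedSections, array $allowedMonths, array $get): PDOStatement
{
    $section = $get['section'] ?? '';
    if (!isset($allowedSections[$section])) {
        throw new InvalidArgumentException('Unknown section');
    }
    $table = $allowedSections[$section];

    // Check the shape of year and month first, then bind them as values so
    // the database never parses them as part of the statement.
    $year = $get['year'] ?? '';
    if (!preg_match('/^\d{4}$/', $year)) {
        throw new InvalidArgumentException('Bad year');
    }
    $month = strtolower($get['month'] ?? '');
    if (!in_array($month, $allowedMonths, true)) {
        throw new InvalidArgumentException('Bad month');
    }

    // The table name is interpolated only after the allowlist lookup; the
    // user-controlled values go in as placeholders.
    $stmt = $pdo->prepare("SELECT * FROM {$table} WHERE date_year = :year AND date_mon = :month");
    $stmt->bindValue(':year', (int) $year, PDO::PARAM_INT);
    $stmt->bindValue(':month', $month, PDO::PARAM_STR);
    return $stmt;
}

// Usage (DSN and credentials are placeholders):
// $pdo  = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $stmt = buildArchiveStatement($pdo, $allowedSections, $allowedMonths, $_GET);
// $stmt->execute();
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The allowlist is the important part: escaping or quoting does not help for an identifier such as a table name, so the only safe option is to accept a small fixed set of keys and translate them on the server.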

kopytko: $_GET pulls the data from the url like:

 

http://foo.bar/page.php?section=member&year=2008&month=january

 

Now if you were authenticating that way, all I would have to do would be change ?section=member to ?section=admin. I now have access to your admin section.

 

DO NOT USE GET for SQL statements >:[

As stated, it's easy to get things put in your database through your URL...

Why not? If you validate all data from the user, then you can't be hacked.

Post variables can also be sent to the script, so if I create a script with a form or use telnet, I can send a post variable named "section" with the "admin" value and also get access to the admin section.

 

Edit:

By the way. Don't use get, post, cookie variables to pass section and always check if user can view current page.
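The last point above, that the request may name a section but must never decide who may view it, as an added illustration that is not code from the thread. It assumes the login code has already stored the user's role in $_SESSION['role']; the section names and the roles allowed to see them are made up for the example.

```php
<?php
// Added example (not from the thread). Assumptions: login code has put the
// user's role into $_SESSION['role']; these sections and roles are invented.
session_start();

// Which roles may view which section. The request only carries a section
// name; the role comes from the server-side session, never from the request.
const SECTION_ROLES = [
    'member' => ['member', 'admin'],
    'admin'  => ['admin'],
];

function canViewSection(string $section, ?string $role): bool
{
    if (!isset(SECTION_ROLES[$section])) {
        return false;                       // unknown section: deny
    }
    return $role !== null && in_array($role, SECTION_ROLES[$section], true);
}

// The same check runs on every request. It makes no difference whether the
// section value arrived by GET, POST or cookie: the value is untrusted either
// way, and only the session decides what the visitor may see.
$section = $_GET['section'] ?? '';
$role    = $_SESSION['role'] ?? null;       // set only by the login code

if (!canViewSection($section, $role)) {
    http_response_code(403);
    exit('Forbidden');
}
// Only now build and run the archive query for $section.
```

Putting the check in one function that every page calls before touching the database is what "always check if the user can view the current page" amounts to in practice; a page that forgets the call fails closed only if the query code itself refuses unknown sections, which is why the allowlist in the query example and this access check belong together.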
