How should I write PHP $_POST vars in a mysql_query function?

Solution 1

First off, watch out for SQL injections!

Now, to answer your question try doing this instead:

$query = mysql_query("SELECT `pass` FROM `database` WHERE `user` LIKE '" . mysql_escape_string($_POST['user']) . "';");

You were doing a couple of things wrong:

  • using the = operator instead of LIKE operator
  • not enclosing the value in the SQL query with '
  • not enclosing the user index in the $_POST array with '

PS: You should use mysql_real_escape_string() instead of mysql_escape_string()!

Solution 2

You're simply inserting a variable into a string, so it shouldn't matter which command you're putting it into.

There are a few issues to point out.

One, you might want to use the {} format for array variables. You don't use quotes around the array key names in this format.

$query = mysql_query("SELECT pass FROM database WHERE user='{$_POST[user]}'")

Two, you'd never want to make a query like that because you are open to sql injection holes. Consider, what if $_POST['user'] was "cow';drop table database;--"?

You must either run mysql_real_escape_string on the POST input before putting it into your query, or check out using PHP PDO with prepared statements.

One way to format your string which provides a bit of structure is to use sprintf.

$query=mysql_query(sprintf("SELECT pass FROM database WHERE user='%s'",mysql_real_escape_string($_POST['user'])));

Solution 3

  1. Use PDO - it provides a much better API to communicate with the DB.
  2. If you're using mysql_*() functions always remember to filter (mysql_real_escape_string()) any data that comes from untrusted source (like user)
  3. Pay more attention to what your code looks like. Just compare the following listings:

    $query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ")");
    
    $query = sprintf('INSERT INTO database VALUES ("foo", "bar", "%s", "%s", "%s")',
    mysql_real_escape(...), ...);
    

    Do I have to explain which one is better to read, modify or understand?
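Added example, not code from any of the answers above: the interpolated query from the question placed beside the PDO prepared-statement form that Solutions 2 and 3 recommend. The DSN and credentials are placeholders; the table and column names (database, user, pass) follow the question.

```php
<?php
// Vulnerable form: the POST value is spliced into the SQL text. With the input
// quoted in Solution 2 ("cow';drop table database;--") the string stops being
// a single SELECT, which is the whole problem with building queries this way.
function buildInterpolated(string $user): string
{
    return "SELECT pass FROM database WHERE user='$user'";
}

// Hardened form: the SQL text is fixed and the value travels as a bound
// parameter, so there is no quoting to get right and nothing to escape.
function fetchPassHash(PDO $pdo, string $user): ?string
{
    $stmt = $pdo->prepare('SELECT pass FROM database WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['pass'];
}

// Placeholder connection settings. Turning off emulated prepares makes MySQL
// itself bind the parameter server-side instead of PDO escaping it client-side.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user',                                           // placeholder user
    'app_password',                                       // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$input = $_POST['user'] ?? '';

// What the interpolated version would have sent, for comparison only.
echo htmlspecialchars(buildInterpolated($input)), "\n";

// The safe path: look up the stored hash and verify the submitted password
// against it (assumes the pass column holds a password_hash() result).
$hash = fetchPassHash($pdo, $input);
$ok   = $hash !== null && password_verify($_POST['pass'] ?? '', $hash);
echo $ok ? "login ok\n" : "login failed\n";
```

Whichever mysql_*() escaping function an answer mentions, the prepared statement removes the need for it entirely, and it also removes the quoting mistakes listed in Solution 1.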

Solution 4

Why not check and see what mysql_error() has to say about it? If your query is invalid, mysql_error() will return a nice blob of text telling you exactly what went wrong.

As for MySQL not liking the POST var if you insert it directly for some runs, but not others, then you should make sure you're using consistent data and setups for each test. If some tests are done using a GET, then your POST vars will be empty. If you're using different user names for each test, then see what's consistent between the ones that fail.

And as mentioned above, read up about SQL injection and how your query is just begging to be subverted by a malicious user.

Julian H. Lam

Founder of NodeBB Inc., curator of the NodeBB open-source project. Experienced in Javascript, (X)HTML, CSS, php, (my)SQL, server administration, Linux, etc...

Updated on July 22, 2022

Comments

  • Julian H. Lam
    Julian H. Lam over 1 year

    In accessing my database, I have the user fill out a form, and in the target page, the posted values are used in the resulting MySQL query.

    $query = mysql_query("SELECT pass FROM database WHERE user='$_POST[user]'");
    

    However, for some reason or another, MySQL doesn't like my using a $_POST variable in the command, and it only works if I define (for example) $user = $_POST['user'];, and then put $user directly in the SQL command.

    On the other hand, I can use $_POST values in INSERT statements where specific column names are not required:

    $query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '$_POST[user]')");
    

    If I try an INSERT statement where attributes are defined (e.g. user='foo'), then the same problem appears.

    What am I doing wrong in my SQL query that causes the command to error out when run, but works with the specific method of formatting an INSERT command?

    Hopefully, it's not "tough luck, looks like you have to assign all of your posted values". Heh.