tags:

views:

101

answers:

3
Q: 

PHP: Problem in a SQL statement when using a String Parameter 

$befal = mysql_query("SELECT * FROM users WHERE username = $_GET[username]");
$rad = mysql_fetch_assoc($befal);

Equals

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\profile.php on line 4

I have a user called Admin in the field username and it still dont work. profile.php?user=Admin...

This works if I use the ID though:

$befal = mysql_query("SELECT * FROM users WHERE user_id = $_GET[id]");
$rad = mysql_fetch_assoc($befal);

What can be the problem?

Thanks

+3  A: 

Try it like this:

$befal = mysql_query("SELECT * FROM users WHERE username = '$_GET[username]'");

You have to encapsulate a string parameter in apostrophes.

[UPDATE]

Just like cletus and Olaf pointed out, with the above sql statement you are very prone to SQL Injection. Check out their posted answers to see what I mean.

Andreas Grech  2009-02-21 10:13:17
you're welcome mate ;-)
Andreas Grech  2009-02-21 10:15:45
I think an upvote is in Order Wiklos.
OscarRyz  2009-02-21 10:18:21
upvote requires 15 rep - (s)he's got 3...
Olaf  2009-02-21 10:23:13
...and with the update this answer is actually upvotable ;)
Olaf  2009-02-21 10:27:00
@Dreas Grech: I suggest you put the big fat warning above your code. I was already on the down-voting button with the mouse for suggesting working but intrinsically broken code.
Tomalak  2009-02-21 10:48:37
A: 

Now that you've got your answer, try entering 

Something' OR '1' = '1

as username - you've managed to produce a nice SQL-injectable application.

Olaf  2009-02-21 10:19:03
should i use mysql_real_escape_string on it first to fix this?
 2009-02-21 10:21:18
Sorry, I don't know php-functions in depth - cletus suggests mysql_escape_string. See also here: http://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
Olaf  2009-02-21 10:24:11
+6  A: 

Errr... that's a recipe for getting hacked. I would like to introduce you to SQL injection as characterized by this very funny yet poignant cartoon.

Try this instead.

$username = mysql_escape_string($_GET['username']);
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
cletus  2009-02-21 10:20:27
+1 though I probably would have put forward mysqli. And the cartoon is great. *lol*
Tomalak  2009-02-21 10:45:25
I've given up on mysqli. Too unstable and noone is fixing the bugs.
cletus  2009-02-21 10:46:19
Hm. Admittedly, I don't do enough PHP to have come across any bugs in mysqli. I believe it would work for this trivial scenario, though. ;-) Maybe it's PDO, then. In any case I'm all in favor of prepared/parametrized statements.
Tomalak  2009-02-21 10:55:05

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL