Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PHP MYSQL Select statement

Posted on 2012-03-12
20
Medium Priority
?
352 Views
Last Modified: 2012-08-14
I need assistance to correct a flaw in my PHP coding.

I have an online mailing list and I have written an interface for subscribers to change their information. At the moment they could retrieve it using only their subscriber_id number but there is a flaw in this. Anyone could enter a random number, retrieve and change someone else's information EXCEPT the email address. I made the email field a readonly field. However, the majority of requests that I am receiving are for email address changes. So I want to change the retrieve process, I want subscribers to be able to retrieve their records using BOTH subscriber_id AND email address and this is where I am running into problems.

Attached is the code I currently use. I've changed Line 6 to:

   
if (is_numeric ($_GET['subscriber_id']) && is_string($_GET['email']) ) {

Open in new window


and the SELECT statement on Line 10 to:

   
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Open in new window


I am getting an error message which states:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com' at line 1
The query was SELECT * FROM dada_subscribers WHERE subscriber_id=555 AND email=johndoe@hotmail.com.

Open in new window


I need assistance in understanding (1) How to retrieve the record using both the subscriber_id and the email fields and (2) how to stop the error message being reported to the screen.

Thanks
Terry
0
Comment
Question by:terry_ally
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
  • 3
  • +2
20 Comments
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37709301
the sql for picking the email will need quotes around it, where as the subscriber where clause does not as its an integer

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}' ;";

Open in new window

0
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37709310
not sure with PHP - do you use \" to escape the " character?

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email=\"{$_GET['email']}\";";

Open in new window


I like to end my sql with a ; too.
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709358
This might be simpler to understand and read and solves the apostrophe problem.
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id='" . $_GET['subscriber_id'] . "' AND email='" . $_GET['email'] . "'";

Open in new window

0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 35

Expert Comment

by:gr8gonzo
ID: 37709392
First, that's a very good step you are taking, by recognizing that vulnerability that anyone could put any ID in.

However, that is VERY insecure code. Never, EVER use the value of a $_GET or $_POST or any user-provided variable in a query without cleaning it first. If you make that code live, you could give hackers a way to permanently delete all of the records in that database (not kidding). All they have to do is create an "email address" that has SQL code in it and you're screwed.

This:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Should look like:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']) . " AND email='" . mysql_real_escape_string($_GET['email']) . "'";

What if the person used an easily-accessible tool like Firebug to change their email address in the form (nothing is ever read-only in a web page unless you restrict it on the database permission level)?

Imagine that they change it from:
joe.smith@gmail.com

to:
'; DELETE FROM dada_subscribers; SELECT '

Your query might end up looking like this:
SELECT * FROM dada_subscribers WHERE subscriber_id=123 AND email=''; DELETE FROM dada_subscribers; SELECT '';

Suddenly, anyone has access to run their own database queries on your database and that above one would delete your records.

It's extremely important to be careful with your database queries. Anytime a database query has a variable in it that is coming from a user, make SURE that you're escaping it!
0
 

Author Comment

by:terry_ally
ID: 37709457
Hi gr8gonzo,

I've carried out your test and attempted to hack the database without success. Thanks for that tip.

I've implemented your solution but a problem has arisen. Once I use the combined subscriber_id and the email in the URL I am able to retrieve the record.

However, if I omit the email address or use an incorrect email address it is not throwing me the error message any longer ("No subscriber record was located").

How do I correct that?

Terry
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709523
Terry,

When you report that an SQL query doesn't work, please share the query string with us.

One way to see the string is
echo $query . "<br />"

Of course, you want to remove the echo statement from production software.

Thanks,
Hugh
0
 

Author Comment

by:terry_ally
ID: 37709564
Hi Hugh,

There was no error message and there should have been. I said that in my post. It returns a blank data form.

Terry
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37709634
Subscriber is a Number so subscriber = 555 should work

try to change the email format
in regular sql it is a text so it needs single quotes around it
email=johndoe@hotmail.com will not work, you must pass through the quotes to the sql

email='johndoe@hotmail.com'

php should let it slide but perhaps you have a freak version which needs this change

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}'";
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709690
Terry,

I understand there's no error message.  I get that.  Happens to me more often than I want to admit.

Print the query string to see what it says.  My guess is that it says something different than what you intend.  (At least that's what happens to me more often than I want to admit.)

What do you mean by blank data form?  Do you mean it's empty or do you mean the page has no text?  If "no text" then I suggest you look in your log file (error_log, probably) to see what went wrong.  PHP syntax errors end up in my error_log file.  If you can't get to the log file, you could run your script through PHP at the command line.  That may or may not work depending on what you have in your script.

Hugh
0
 

Author Comment

by:terry_ally
ID: 37709891
Hi Hugh,

I printed the query string and it is exactly as it was taken from the URL. Nothing untoward.

Basically, it calls for a record with a unique subscriber_id and the email address that's in the record. When these are correct it returns the record with editable fields (a data entry form).

When I try the subscriber_id with an incorrect email -- according to my code -- it should return an error message. However, it is a returning a blank data form.

Have a look at the code which I attached.

Terry
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37709901
have you tried splitting the page to

if exists then return <form stuff>
else echo "<br>the records dont match"
0
 

Author Comment

by:terry_ally
ID: 37710394
Hi esskayb2d,

Yes, the page is structured like that.

Terry
0
 

Author Comment

by:terry_ally
ID: 37710691
Hello everyone,

Unfortunately, none of the above solutions are doing the job for me and I am going to close this question.
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37710728
how about pasting your code?
0
 

Author Comment

by:terry_ally
ID: 37711289
I have pasted AND attached the code, if you go back to my original post.
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37711365
you pasted two lines of code, and the error


it will be easier if you attach the file so that the professionals here can look at it closer
0
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 2000 total points
ID: 37711378
If you try to query for both items in the WHERE clause, then yes, you are not going to get a record back if one of them is wrong.

If you're trying to use this as a way to validate the process, then you should do something like this:

URL is form.php?subscriber_id=555&email=john.doe@gmail.com

form.php
1. Query for only ONE of those parameters, like this:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']);

2. Then when a record comes back, pull its data and then check to see if the emails match:

$rs = mysql_query($query);
$row = mysql_fetch_assoc($rs);
if($row["email"] == $_GET["email"])
{
   // Valid - it's a match, so go ahead and do the rest of the code...
}
else
{
   // The email for subscriber ID 555 is not john.doe@gmail.com, so throw an error...
}
0
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37711948
so do you want it to be an OR not an AND?

if they provide either subid or email you want it to find the records?
0
 

Author Comment

by:terry_ally
ID: 37712179
Hi gr8gonzo,

Your solution works when using mysql_fetch_array rather than mysql_fetch_assoc.

Thanks
Terry
0
 

Author Closing Comment

by:terry_ally
ID: 37712180
This solution works when using mysql_fetch_array rather than mysql_fetch_assoc.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question