Solved

PHP MYSQL Select statement

Posted on 2012-03-12
20
343 Views
Last Modified: 2012-08-14
I need assistance to correct a flaw in my PHP coding.

I have an online mailing list and I have written an interface for subscribers to change their information. At the moment they could retrieve it using only their subscriber_id number but there is a flaw in this. Anyone could enter a random number, retrieve and change someone else's information EXCEPT the email address. I made the email field a readonly field. However, the majority of requests that I am receiving are for email address changes. So I want to change the retrieve process, I want subscribers to be able to retrieve their records using BOTH subscriber_id AND email address and this is where I am running into problems.

Attached is the code I currently use. I've changed Line 6 to:

   
if (is_numeric ($_GET['subscriber_id']) && is_string($_GET['email']) ) {

Open in new window


and the SELECT statement on Line 10 to:

   
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Open in new window


I am getting an error message which states:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com' at line 1
The query was SELECT * FROM dada_subscribers WHERE subscriber_id=555 AND email=johndoe@hotmail.com.

Open in new window


I need assistance in understanding (1) How to retrieve the record using both the subscriber_id and the email fields and (2) how to stop the error message being reported to the screen.

Thanks
Terry
0
Comment
Question by:terry_ally
  • 8
  • 4
  • 3
  • +2
20 Comments
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37709301
the sql for picking the email will need quotes around it, where as the subscriber where clause does not as its an integer

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}' ;";

Open in new window

0
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37709310
not sure with PHP - do you use \" to escape the " character?

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email=\"{$_GET['email']}\";";

Open in new window


I like to end my sql with a ; too.
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709358
This might be simpler to understand and read and solves the apostrophe problem.
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id='" . $_GET['subscriber_id'] . "' AND email='" . $_GET['email'] . "'";

Open in new window

0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 37709392
First, that's a very good step you are taking, by recognizing that vulnerability that anyone could put any ID in.

However, that is VERY insecure code. Never, EVER use the value of a $_GET or $_POST or any user-provided variable in a query without cleaning it first. If you make that code live, you could give hackers a way to permanently delete all of the records in that database (not kidding). All they have to do is create an "email address" that has SQL code in it and you're screwed.

This:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Should look like:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']) . " AND email='" . mysql_real_escape_string($_GET['email']) . "'";

What if the person used an easily-accessible tool like Firebug to change their email address in the form (nothing is ever read-only in a web page unless you restrict it on the database permission level)?

Imagine that they change it from:
joe.smith@gmail.com

to:
'; DELETE FROM dada_subscribers; SELECT '

Your query might end up looking like this:
SELECT * FROM dada_subscribers WHERE subscriber_id=123 AND email=''; DELETE FROM dada_subscribers; SELECT '';

Suddenly, anyone has access to run their own database queries on your database and that above one would delete your records.

It's extremely important to be careful with your database queries. Anytime a database query has a variable in it that is coming from a user, make SURE that you're escaping it!
0
 

Author Comment

by:terry_ally
ID: 37709457
Hi gr8gonzo,

I've carried out your test and attempted to hack the database without success. Thanks for that tip.

I've implemented your solution but a problem has arisen. Once I use the combined subscriber_id and the email in the URL I am able to retrieve the record.

However, if I omit the email address or use an incorrect email address it is not throwing me the error message any longer ("No subscriber record was located").

How do I correct that?

Terry
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709523
Terry,

When you report that an SQL query doesn't work, please share the query string with us.

One way to see the string is
echo $query . "<br />"

Of course, you want to remove the echo statement from production software.

Thanks,
Hugh
0
 

Author Comment

by:terry_ally
ID: 37709564
Hi Hugh,

There was no error message and there should have been. I said that in my post. It returns a blank data form.

Terry
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37709634
Subscriber is a Number so subscriber = 555 should work

try to change the email format
in regular sql it is a text so it needs single quotes around it
email=johndoe@hotmail.com will not work, you must pass through the quotes to the sql

email='johndoe@hotmail.com'

php should let it slide but perhaps you have a freak version which needs this change

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}'";
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37709690
Terry,

I understand there's no error message.  I get that.  Happens to me more often than I want to admit.

Print the query string to see what it says.  My guess is that it says something different than what you intend.  (At least that's what happens to me more often than I want to admit.)

What do you mean by blank data form?  Do you mean it's empty or do you mean the page has no text?  If "no text" then I suggest you look in your log file (error_log, probably) to see what went wrong.  PHP syntax errors end up in my error_log file.  If you can't get to the log file, you could run your script through PHP at the command line.  That may or may not work depending on what you have in your script.

Hugh
0
 

Author Comment

by:terry_ally
ID: 37709891
Hi Hugh,

I printed the query string and it is exactly as it was taken from the URL. Nothing untoward.

Basically, it calls for a record with a unique subscriber_id and the email address that's in the record. When these are correct it returns the record with editable fields (a data entry form).

When I try the subscriber_id with an incorrect email -- according to my code -- it should return an error message. However, it is a returning a blank data form.

Have a look at the code which I attached.

Terry
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 15

Expert Comment

by:Ess Kay
ID: 37709901
have you tried splitting the page to

if exists then return <form stuff>
else echo "<br>the records dont match"
0
 

Author Comment

by:terry_ally
ID: 37710394
Hi esskayb2d,

Yes, the page is structured like that.

Terry
0
 

Author Comment

by:terry_ally
ID: 37710691
Hello everyone,

Unfortunately, none of the above solutions are doing the job for me and I am going to close this question.
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37710728
how about pasting your code?
0
 

Author Comment

by:terry_ally
ID: 37711289
I have pasted AND attached the code, if you go back to my original post.
0
 
LVL 15

Expert Comment

by:Ess Kay
ID: 37711365
you pasted two lines of code, and the error


it will be easier if you attach the file so that the professionals here can look at it closer
0
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 500 total points
ID: 37711378
If you try to query for both items in the WHERE clause, then yes, you are not going to get a record back if one of them is wrong.

If you're trying to use this as a way to validate the process, then you should do something like this:

URL is form.php?subscriber_id=555&email=john.doe@gmail.com

form.php
1. Query for only ONE of those parameters, like this:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']);

2. Then when a record comes back, pull its data and then check to see if the emails match:

$rs = mysql_query($query);
$row = mysql_fetch_assoc($rs);
if($row["email"] == $_GET["email"])
{
   // Valid - it's a match, so go ahead and do the rest of the code...
}
else
{
   // The email for subscriber ID 555 is not john.doe@gmail.com, so throw an error...
}
0
 
LVL 15

Expert Comment

by:Simon Ball
ID: 37711948
so do you want it to be an OR not an AND?

if they provide either subid or email you want it to find the records?
0
 

Author Comment

by:terry_ally
ID: 37712179
Hi gr8gonzo,

Your solution works when using mysql_fetch_array rather than mysql_fetch_assoc.

Thanks
Terry
0
 

Author Closing Comment

by:terry_ally
ID: 37712180
This solution works when using mysql_fetch_array rather than mysql_fetch_assoc.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now