PHP MYSQL Select statement

I need assistance to correct a flaw in my PHP coding.

I have an online mailing list and I have written an interface for subscribers to change their information. At the moment they could retrieve it using only their subscriber_id number but there is a flaw in this. Anyone could enter a random number, retrieve and change someone else's information EXCEPT the email address. I made the email field a readonly field. However, the majority of requests that I am receiving are for email address changes. So I want to change the retrieve process, I want subscribers to be able to retrieve their records using BOTH subscriber_id AND email address and this is where I am running into problems.

Attached is the code I currently use. I've changed Line 6 to:

   
if (is_numeric ($_GET['subscriber_id']) && is_string($_GET['email']) ) {

Open in new window


and the SELECT statement on Line 10 to:

   
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Open in new window


I am getting an error message which states:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@hotmail.com' at line 1
The query was SELECT * FROM dada_subscribers WHERE subscriber_id=555 AND email=johndoe@hotmail.com.

Open in new window


I need assistance in understanding (1) How to retrieve the record using both the subscriber_id and the email fields and (2) how to stop the error message being reported to the screen.

Thanks
Terry
terry_allyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon BallChief information OfficerCommented:
the sql for picking the email will need quotes around it, where as the subscriber where clause does not as its an integer

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}' ;";

Open in new window

0
Simon BallChief information OfficerCommented:
not sure with PHP - do you use \" to escape the " character?

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email=\"{$_GET['email']}\";";

Open in new window


I like to end my sql with a ; too.
0
Hugh McCurdyCommented:
This might be simpler to understand and read and solves the apostrophe problem.
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id='" . $_GET['subscriber_id'] . "' AND email='" . $_GET['email'] . "'";

Open in new window

0
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

gr8gonzoConsultantCommented:
First, that's a very good step you are taking, by recognizing that vulnerability that anyone could put any ID in.

However, that is VERY insecure code. Never, EVER use the value of a $_GET or $_POST or any user-provided variable in a query without cleaning it first. If you make that code live, you could give hackers a way to permanently delete all of the records in that database (not kidding). All they have to do is create an "email address" that has SQL code in it and you're screwed.

This:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email={$_GET['email']}";

Should look like:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']) . " AND email='" . mysql_real_escape_string($_GET['email']) . "'";

What if the person used an easily-accessible tool like Firebug to change their email address in the form (nothing is ever read-only in a web page unless you restrict it on the database permission level)?

Imagine that they change it from:
joe.smith@gmail.com

to:
'; DELETE FROM dada_subscribers; SELECT '

Your query might end up looking like this:
SELECT * FROM dada_subscribers WHERE subscriber_id=123 AND email=''; DELETE FROM dada_subscribers; SELECT '';

Suddenly, anyone has access to run their own database queries on your database and that above one would delete your records.

It's extremely important to be careful with your database queries. Anytime a database query has a variable in it that is coming from a user, make SURE that you're escaping it!
0
terry_allyAuthor Commented:
Hi gr8gonzo,

I've carried out your test and attempted to hack the database without success. Thanks for that tip.

I've implemented your solution but a problem has arisen. Once I use the combined subscriber_id and the email in the URL I am able to retrieve the record.

However, if I omit the email address or use an incorrect email address it is not throwing me the error message any longer ("No subscriber record was located").

How do I correct that?

Terry
0
Hugh McCurdyCommented:
Terry,

When you report that an SQL query doesn't work, please share the query string with us.

One way to see the string is
echo $query . "<br />"

Of course, you want to remove the echo statement from production software.

Thanks,
Hugh
0
terry_allyAuthor Commented:
Hi Hugh,

There was no error message and there should have been. I said that in my post. It returns a blank data form.

Terry
0
Ess KayEntrapenuerCommented:
Subscriber is a Number so subscriber = 555 should work

try to change the email format
in regular sql it is a text so it needs single quotes around it
email=johndoe@hotmail.com will not work, you must pass through the quotes to the sql

email='johndoe@hotmail.com'

php should let it slide but perhaps you have a freak version which needs this change

$query = "SELECT * FROM dada_subscribers WHERE subscriber_id={$_GET['subscriber_id']} AND email='{$_GET['email']}'";
0
Hugh McCurdyCommented:
Terry,

I understand there's no error message.  I get that.  Happens to me more often than I want to admit.

Print the query string to see what it says.  My guess is that it says something different than what you intend.  (At least that's what happens to me more often than I want to admit.)

What do you mean by blank data form?  Do you mean it's empty or do you mean the page has no text?  If "no text" then I suggest you look in your log file (error_log, probably) to see what went wrong.  PHP syntax errors end up in my error_log file.  If you can't get to the log file, you could run your script through PHP at the command line.  That may or may not work depending on what you have in your script.

Hugh
0
terry_allyAuthor Commented:
Hi Hugh,

I printed the query string and it is exactly as it was taken from the URL. Nothing untoward.

Basically, it calls for a record with a unique subscriber_id and the email address that's in the record. When these are correct it returns the record with editable fields (a data entry form).

When I try the subscriber_id with an incorrect email -- according to my code -- it should return an error message. However, it is a returning a blank data form.

Have a look at the code which I attached.

Terry
0
Ess KayEntrapenuerCommented:
have you tried splitting the page to

if exists then return <form stuff>
else echo "<br>the records dont match"
0
terry_allyAuthor Commented:
Hi esskayb2d,

Yes, the page is structured like that.

Terry
0
terry_allyAuthor Commented:
Hello everyone,

Unfortunately, none of the above solutions are doing the job for me and I am going to close this question.
0
Ess KayEntrapenuerCommented:
how about pasting your code?
0
terry_allyAuthor Commented:
I have pasted AND attached the code, if you go back to my original post.
0
Ess KayEntrapenuerCommented:
you pasted two lines of code, and the error


it will be easier if you attach the file so that the professionals here can look at it closer
0
gr8gonzoConsultantCommented:
If you try to query for both items in the WHERE clause, then yes, you are not going to get a record back if one of them is wrong.

If you're trying to use this as a way to validate the process, then you should do something like this:

URL is form.php?subscriber_id=555&email=john.doe@gmail.com

form.php
1. Query for only ONE of those parameters, like this:
$query = "SELECT * FROM dada_subscribers WHERE subscriber_id=" . intval($_GET['subscriber_id']);

2. Then when a record comes back, pull its data and then check to see if the emails match:

$rs = mysql_query($query);
$row = mysql_fetch_assoc($rs);
if($row["email"] == $_GET["email"])
{
   // Valid - it's a match, so go ahead and do the rest of the code...
}
else
{
   // The email for subscriber ID 555 is not john.doe@gmail.com, so throw an error...
}
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Simon BallChief information OfficerCommented:
so do you want it to be an OR not an AND?

if they provide either subid or email you want it to find the records?
0
terry_allyAuthor Commented:
Hi gr8gonzo,

Your solution works when using mysql_fetch_array rather than mysql_fetch_assoc.

Thanks
Terry
0
terry_allyAuthor Commented:
This solution works when using mysql_fetch_array rather than mysql_fetch_assoc.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.