Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SELECT * FROM _TBL WHERE username = '$username' 1

Status
Not open for further replies.

lynque

IS-IT--Management
Sep 30, 2004
124
CA
I have a query that executes when I hardcode the username but not when I try to use the session var.

Works:
$q = "SELECT * FROM ".TBL." WHERE username = 'Me'";

Doesn't work:
$q = "SELECT * FROM ".TBL." WHERE username = '$username'";

I have used:
<?php
print_r($_SESSION);
?>
to print out all of my sessions and username is populated so I'm a little confused, is it a syntax issue?

Any help is greatly appreciated
 
Hi

[ol]
[li]There is a big difference between a variable and an array's element.[/li]
[li]Do not expose your database to SQL injection attacks.[/li]
[/ol]
PHP:
[navy]$q[/navy] [teal]=[/teal] [green][i]"SELECT * FROM "[/i][/green][teal].[/teal]TBL[teal].[/teal][green][i]" WHERE username = '"[/i][/green][teal].[/teal][url=http://php.net/mysql_real_escape_string/][COLOR=darkgoldenrod]mysql_real_escape_string[/color][/url][teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green][i]'username'[/i][/green][teal]]).[/teal][green][i]"'"[/i][/green][teal];[/teal]

Feherke.
 
Thanks feherke,

I've heard a lot about SQL injection attacks but haven't found a definitive guide for protecting my DB, do you know of a link that would serve as a good guide?
 
Hi

Sorry, I know no such link.

However the base rule is simple : never trust anything you get from the client side. Adapted for this case : escape all data before using them in an SQL statement.


Feherke.
 
Try:

echo $q;
exit;

See if the string itself looks right.
 
The PHP manual also has a nice chapter on database security AND it gives an example of injection attacks. By the way, injection is not something restricted to databases. Mail header injection and even HTTP header injections exists, among others. Especially mail header injection is abused a lot in the wild.

If you want to program for the big bad internet, I can only recommend reading a good book on web programming security first. Alas the web lost its innocence...

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top