SELECT does not work

Question

SELECT does not work

Navigation

#1 by (6 votes)
#2 by (3 votes)
#3 by (2 votes)

2

Good afternoon, I am trying to take the values of a field in a table with the clause where of a $ _POST that I bring from another page. The variable in question is id_stud that I bring it to me by POST perfectly ... in fact when I save it in the database it appears as saved, but the select has no way to work:

<?php

// Connexion à la base de données
include('bdd.php');
//echo $_POST['title'];
    $id_stud = $_POST['id_stud'];


if (isset($_POST['title']) && isset($_POST['start']) && isset($_POST['end']) && isset($_POST['color'])){

    $title = $_POST['title'];
    $start = $_POST['start'];
    $end = $_POST['end'];
    $color = $_POST['color'];
    $id_teach = $_POST['id_teach'];
    $id_stud = $_POST['id_stud'];
    $query = mysql_query("select * from student where student_id = '$id_stud'");
    $row = mysql_fetch_array($query);
        $name = $row['firstname'];
        $lastn = $row['lastname'];                    
    $nombre = $name." ".$lastn;
    $sql = "INSERT INTO events(title, id_teach, is_stud, start, end, color) values ('$nombre', '$id_teach', '$id_stud', '$start', '$end', '$color')";
    //$req = $bdd->prepare($sql);
    //$req->execute();

    echo $sql;

    $query = $bdd->prepare( $sql );
    if ($query == false) {
     print_r($bdd->errorInfo());
     die ('Erreur prepare');
    }
    $sth = $query->execute();
    if ($sth == false) {
     print_r($query->errorInfo());
     die ('Erreur execute');
    }

}

//header('Location: '.$_SERVER['HTTP_REFERER']);


?>

php

asked by Vieira 06.07.2017 в 15:32

source

3 answers

3

First of all, I want to make it clear that the combined use of single and double quotes is not an error, at least not for this line:

"select * from student where student_id = '$id_stud'"

Test for all versions of PHP: link

otherwise, if it were like this:

'select * from student where student_id = "$id_stud"'

Now let's assume that your structure is something like this:

CREATE TABLE 'student' (
  'student_id' int NOT NULL,
  'firstname' varchar(40) NOT NULL,
  'lastname' varchar(40) default NULL
);

CREATE TABLE 'events' (
  'title' mediumint NOT NULL,
  'id_teach' int NOT NULL,
  'id_stud' int NOT NULL,
  'start' datetime,
  'end' datetime,
  'color' varchar(10) default NULL
);

Considering the sentences SELECT e INSERT that you show in the question, then your problem is summarized to a small typing failure, since you have something like this:

$sql = "INSERT INTO events(title, id_teach, is_stud, start, end, color) values ('$nombre', '$id_teach', '$id_stud', '$start', '$end', '$color')";

I choose this conjecture on the basis that you have a $id_stud argument, however in the query you call the field is_stud and since the field does not exist, you are not allowed to do the insertion.

I want to emphasize that I am not against the suggestions of colleagues to escape the variables and use another API as mysqli , since others I disagree with it. However, just try to recreate the true error of your query and demystify the problem because of quotation marks.

answered by 06.07.2017 в 17:28

2

I do not use PHP, I work more with JavaScript, but I think the SELECT is poorly constructed, you pass the parameter enclosed in quotes. Therefore the SELECT is looking for student_id = '$id_stud' and is not looking for the value of $id_stud .

I think the Select would have to be like this:

"select * from student where student_id = '".$id_stud."'"

answered by 06.07.2017 в 15:48

Can you pass predetermined or optional arguments in Java as it is done in PHP? I iterate 2 array in a v-for with fields that have a relation

score 6 · Accepted Answer

Your code as well as what you send is prone to SQL Injection, I recommend you set how to escape variables with PHP and MYSQSL here: link

A secure version of your code and adapted from the official PHP documentation would be:

$query_string = sprintf("select * from student where student_id = '%s'",
            mysql_real_escape_string($id_stud));
$query =  mysql_query($query_string);

Then for another the mysql library is officially deprecated. Also, the query that I copy above in this case works but will not work in all cases against mysql injection.

I leave here the general information about mysqli. link

I recommend you consider migrating from mysql to mysqli that brings other advantages not only the sql injection.

Here is an example of how your connection would be and your select with mysqli and prepared statement with bindeo and variable escape, using the mysqli object interface there is also a works like mysql.

$mysqli = new mysqli("localhost", "usuario", "password", "database");

/* check connection */
if ($mysqli->connect_errno) {
    printf("Fallo Conexion: %s\n", $mysqli->connect_error);
    exit();
}

$stmt = $mysqli->prepare("select * from student where student_id = ?");
$stmt->bind_param("s", $id_stud);

$stmt->execute();

$stmt->bind_results($resultado);

$stmt->fetch();

$stmt->close();