Why can I query with an int but not a string here? PHP MySQL Datatypes-Collection of common programming errors
I am working on an Asset Database problem. I receive $id
from $_GET["id"];
I then query the database and display the results.
This works if my id is an integer like “93650” but if it has other characters like “wci1001”, it displays this MySQL error:
Unknown column ‘text’ in ‘where clause’
All fields in tables are of type: VARCHAR(50)
What would I need to do to be able to use this query to search by id that includes other characters?
Thank you.
__
/*
* View Asset
*
*/
# include functions script
include "functions.php";
$id = $_GET["id"];
if (empty($id)):$id="000";
endif;
ConnectDB();
$type = GetAssetType($id);
?>
Wagman IT Asset
- Search Assets
- Add Asset
|
|
-
View Asset
Wagman Construction - Bridging Generations since 1902
-
Quote the variable, like this:
WHERE asset.id = '$id'
-
You have a SQL Injection vulnerability.
You need to use parameterized queries, using PDO.
You also need to HTML-encode your data, using
htmlspecialchars
. -
As others have mentioned, simply quoting with single-quotes is a big security risk. Use mysql_real_escape_string on the data beforehand or else use an extension like PDO with parameterized statements that will automatically be quoted.
And while sanitizing (with htmlspecialchars) is not necessary before storage (and I don’t recommend it in case you need it reverted to its inputted state) you should sanitize it before output so that HTML/script tags won’t be parsed.
Originally posted 2013-11-09 19:14:52.