{"id":421,"date":"2022-08-30T15:01:04","date_gmt":"2022-08-30T15:01:04","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2013\/11\/09\/why-can-i-query-with-an-int-but-not-a-string-here-php-mysql-datatypes-collection-of-common-programming-errors\/"},"modified":"2022-08-30T15:01:04","modified_gmt":"2022-08-30T15:01:04","slug":"why-can-i-query-with-an-int-but-not-a-string-here-php-mysql-datatypes-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2022\/08\/30\/why-can-i-query-with-an-int-but-not-a-string-here-php-mysql-datatypes-collection-of-common-programming-errors\/","title":{"rendered":"Why can I query with an int but not a string here? PHP MySQL Datatypes-Collection of common programming errors"},"content":{"rendered":"<p>I am working on an Asset Database problem. I receive <code>$id<\/code> from <code>$_GET[\"id\"];<\/code> I then query the database and display the results.<\/p>\n<p>This works if my id is an integer like &#8220;93650&#8221; but if it has other characters like &#8220;wci1001&#8221;, it displays this MySQL error:<\/p>\n<p>Unknown column &#8216;text&#8217; in &#8216;where clause&#8217;<\/p>\n<p>All fields in tables are of type: <code>VARCHAR(50)<\/code><\/p>\n<p>What would I need to do to be able to use this query to search by id that includes other characters?<\/p>\n<p>Thank you.<\/p>\n<pre><code>\n<\/code><\/pre>\n<p>__<\/p>\n<pre><code>\/* \n*  View Asset\n*\n*\/\n\n# include functions script\ninclude \"functions.php\";\n\n$id = $_GET[\"id\"];\nif (empty($id)):$id=\"000\";\nendif;\nConnectDB();\n$type = GetAssetType($id);\n\n?&gt;\n\n\n\n\n\n\nWagman IT Asset\n\n\n\n    \n                \n                  <img decoding=\"async\" src=\"images\/logo.png\" \/>\n                \n\n                \n\n                \n                    \n\n                        \n                        \n                            <\/code><\/pre>\n<ul>\n<table width=\"100%\" border=\"0\">\n<tr>\n<td width=\"15%\"><\/td>\n<td width=\"30%%\">\n<ul>\n<li>Search Assets<\/li>\n<\/ul>\n<\/td>\n<td width=\"30%\">\n<ul>\n<li>Add Asset<\/li>\n<\/ul>\n<\/td>\n<td width=\"25%\"><\/td>\n<\/tr>\n<\/table>\n<\/ul>\n<pre>\n                        \n                        \n                        <\/pre>\n<ul>\n<li>\n<h1><code>View Asset<\/code><\/h1>\n<\/li>\n<\/ul>\n<pre>\n                        \n\n\n                        \n\n                        \n                \n                \n                \n                    <br \/> \n                \n                \n                \n                Wagman Construction - Bridging Generations since 1902\n                \n\n\n\n\n<\/pre>\n<ol>\n<li>\n<p><code>Quote the variable, like this:<\/code><\/p>\n<pre><code><code>WHERE asset.id = '$id'\n<\/code><\/code><\/pre>\n<\/li>\n<li>\n<p>You have a SQL Injection vulnerability.<\/p>\n<p>You need to use parameterized queries, using PDO.<\/p>\n<p>You also need to HTML-encode your data, using <code>htmlspecialchars<\/code>.<\/p>\n<\/li>\n<li>\n<p>As others have mentioned, simply quoting with single-quotes is a big security risk. Use mysql_real_escape_string on the data beforehand or else use an extension like PDO with parameterized statements that will automatically be quoted.<\/p>\n<p>And while sanitizing (with htmlspecialchars) is not necessary before storage (and I don&#8217;t recommend it in case you need it reverted to its inputted state) you should sanitize it before output so that HTML\/script tags won&#8217;t be parsed.<\/p>\n<\/li>\n<\/ol>\n<p id=\"rop\"><small>Originally posted 2013-11-09 19:14:52. <\/small><\/p>","protected":false},"excerpt":{"rendered":"<p>I am working on an Asset Database problem. I receive $id from $_GET[&#8220;id&#8221;]; I then query the database and display the results. This works if my id is an integer like &#8220;93650&#8221; but if it has other characters like &#8220;wci1001&#8221;, it displays this MySQL error: Unknown column &#8216;text&#8217; in &#8216;where clause&#8217; All fields in tables [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-421","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=421"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/421\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}