Page 1 of 1

PHP Sql Injection not working properly

Posted: Mon Mar 28, 2016 3:01 am
by jon84dwk
I am trying to create a search like this : http://www.goldmansachs.com/a/data/events/ and getting some error while using sql injection. I would appreciate your help. At first i started with students to fetch their information but nothing is being displayed on table. I would appreciate any help. Below is my php code:

Code: Select all

<?php

 echo "<body style='background-color:#DCDCDC'>";
 :banghead: 

$db = new PDO('mysql:host='.$db_host.';dbname'.$db_name,$db_username,$db_pass);



$sql= "SELECT * FROM bpi_registration";
	    

$query=$db->query($sql);



function grade()
{
	$query= "select distinct class_name from bpi_classInfo";
	$result=mysql_query($query) or  die(mysql_error());
		
		
	while  ($value = mysql_fetch_array ($result))
	{
	echo "<option value='" . $value['class_name'] . "'>" . $value['class_name'] . "</option>";
	}


}



function school()
{
	$query= "select distinct school_name from bpi_schoolInfo";
	$result=mysql_query($query)or  die(mysql_error());
		
		
	while  ($value = mysql_fetch_array ($result))
	{
		echo "<option value='" . $value['school_name'] . "'>" . $value['school_name'] . "</option>";
	}


}




function team()
{
	$query= "select distinct team_name from bpi_teamProfile";
	$result=mysql_query($query)or  die(mysql_error());
		
		
	while  ($value = mysql_fetch_array ($result))
	{
		echo "<option value='" . $value['team_name'] . "'>" . $value['team_name'] . "</option>";
	}


}



function students()
{
	$query= "select * from bpi_registration";
	$result=mysql_query($query)or  die(mysql_error());
		
		
	
		while ($value = mysql_fetch_array ($result)) 
	{ 
	echo "<option value='" . $value['id']. "'>" . $value['first_name'].' '.$value['last_name']. "</option>"; 
	}
	


}


?>



<form action="retrieve1.php" method="GET">

<select name="Grade">
<option value="" selected="selected">Choose Grade</option>
<?php grade() ?>
</select>

<select name="School">
<option value="" selected="selected">Choose School</option>
<?php school() ?>
</select>

<select name="Team">
<option value="" selected="selected">Choose Team</option>
<?php team() ?>
</select>

<select name="Students">
<option value="" selected="selected">Choose Students</option>
<?php students() ?>
</select>

<input type="submit" value="Find" />
</form>



<table width="600" border="2">  
<tr>  

<th width="198"> <div align="center">Email </div></th>  
<th width="97"> <div align="center">City </div></th>  
<th width="97"> <div align="center">State </div></th>  
<th width="59"> <div align="center">Country </div></th>   

<tr>


<?php
  if (isset($_GET['Students'])) 
{

//echo $_GET['Students'];


$userQuery = "{$sql} WHERE bpi_registration.id = :user_id";

$user = $db->prepare($sql);

$user->execute(['user_id' => $_GET['Students']]);

$selectedUser=$user->fetch(PDO::FETCH_ASSOC);

}

?>


<?php

if(isset($selectedUser))
{
echo $selectedUser['email'];
echo $selectedUser['address_city']; 
echo $selectedUser['address_state']; 
echo $selectedUser['address_country']; 
}
?>

Re: PHP Sql Injection not working properly

Posted: Mon Mar 28, 2016 3:05 pm
by requinix
What error?