Unknown column 'simplystuck' in 'where clause'???

Questions about the MySQL, PostgreSQL, and most other databases, as well as using it with PHP can be asked here.

Moderator: General Moderators

Post Reply
User avatar
cturner
Forum Contributor
Posts: 153
Joined: Sun Jul 16, 2006 3:03 am
Location: My computer

Unknown column 'simplystuck' in 'where clause'???

Post by cturner »

I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.

Code: Select all

// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
	$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
	while($row2 = mysql_fetch_array($r2)){
		// display the product name
		echo "<td valign=top>".$row2['productname']."<br />";
		// display the options
		echo $row2['packsize']."<br />";		
		echo $row2['colour']."<br />";
		echo $row2['icon']."<br />";
		echo $row2['name']."<br />";
		echo $row2['address1']."<br />";
		echo $row2['address2']."<br />";
		echo $row2['address3']."<br />";
		echo $row2['address4']."<br />";
		echo $row2['address5']."<br />";
		echo "</td>";
	}
// more code here
User avatar
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Re: Unknown column 'simplystuck' in 'where clause'???

Post by Zoxive »

cturner wrote:I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.

Code: Select all

// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = sprintf("SELECT * FROM `tbl_cart` WHERE `username` = '%s'",mysql_real_escape_string($username)); // fixed
	$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
	while($row2 = mysql_fetch_array($r2)){
		// display the product name
		echo "<td valign=top>".$row2['productname']."<br />";
		// display the options
		echo $row2['packsize']."<br />";		
		echo $row2['colour']."<br />";
		echo $row2['icon']."<br />";
		echo $row2['name']."<br />";
		echo $row2['address1']."<br />";
		echo $row2['address2']."<br />";
		echo $row2['address3']."<br />";
		echo $row2['address4']."<br />";
		echo $row2['address5']."<br />";
		echo "</td>";
	}
// more code here
-Zoxive
User avatar
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Post by califdon »

$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
You're missing the quotes around the string $username.

Try: "SELECT * FROM tbl_cart WHERE username = '$username' "
User avatar
Cameri
Forum Commoner
Posts: 87
Joined: Tue Apr 12, 2005 4:12 pm
Location: Santo Domingo, Dominican Republic

Post by Cameri »

You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.


Example:

Code: Select all

if (isset($_POST['username']) && !empty($_POST['username'])) {
 //variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections

}
There are many functions at your disposal to prevent sql injections, of course, you must use a combination of them, like trim(), strip_tags(), htmlentities(), mysql_escape_string() and mysql_real_escape_string(). And if you can use PHP 5.2 there are new functions to validate user input, haven't tried em yet (I'm on php 5.1.6).
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Cameri wrote:You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.


Example:

Code: Select all

if (isset($_POST['username']) && !empty($_POST['username'])) {
 //variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections

}
Zoxive already pointed that out in his answer (and he also added the required quotes around the string value)...

Based on his sprintf example using mysql_real_escape_string i once came up with the following function: http://www.timvw.be/elegantly-generate-sql-queries/.
Post Reply