Page 1 of 1
Unknown column 'simplystuck' in 'where clause'???
Posted: Sat Nov 04, 2006 11:52 pm
by cturner
I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.
Code: Select all
// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
while($row2 = mysql_fetch_array($r2)){
// display the product name
echo "<td valign=top>".$row2['productname']."<br />";
// display the options
echo $row2['packsize']."<br />";
echo $row2['colour']."<br />";
echo $row2['icon']."<br />";
echo $row2['name']."<br />";
echo $row2['address1']."<br />";
echo $row2['address2']."<br />";
echo $row2['address3']."<br />";
echo $row2['address4']."<br />";
echo $row2['address5']."<br />";
echo "</td>";
}
// more code here
Re: Unknown column 'simplystuck' in 'where clause'???
Posted: Sun Nov 05, 2006 12:21 am
by Zoxive
cturner wrote:I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.
Code: Select all
// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = sprintf("SELECT * FROM `tbl_cart` WHERE `username` = '%s'",mysql_real_escape_string($username)); // fixed
$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
while($row2 = mysql_fetch_array($r2)){
// display the product name
echo "<td valign=top>".$row2['productname']."<br />";
// display the options
echo $row2['packsize']."<br />";
echo $row2['colour']."<br />";
echo $row2['icon']."<br />";
echo $row2['name']."<br />";
echo $row2['address1']."<br />";
echo $row2['address2']."<br />";
echo $row2['address3']."<br />";
echo $row2['address4']."<br />";
echo $row2['address5']."<br />";
echo "</td>";
}
// more code here
-Zoxive
Posted: Sat Nov 11, 2006 5:42 pm
by califdon
$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
You're missing the quotes around the string $username.
Try: "SELECT * FROM tbl_cart WHERE username = '$username' "
Posted: Sat Nov 11, 2006 9:19 pm
by Cameri
You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.
Example:
Code: Select all
if (isset($_POST['username']) && !empty($_POST['username'])) {
//variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections
}
There are many functions at your disposal to prevent sql injections, of course, you must use a combination of them, like trim(), strip_tags(), htmlentities(), mysql_escape_string() and mysql_real_escape_string(). And if you can use PHP 5.2 there are new functions to validate user input, haven't tried em yet (I'm on php 5.1.6).
Posted: Sun Nov 12, 2006 3:55 am
by timvw
Cameri wrote:You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.
Example:
Code: Select all
if (isset($_POST['username']) && !empty($_POST['username'])) {
//variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections
}
Zoxive already pointed that out in his answer (and he also added the required quotes around the string value)...
Based on his sprintf example using mysql_real_escape_string i once came up with the following function:
http://www.timvw.be/elegantly-generate-sql-queries/.