Page 1 of 1

Unknown column 'simplystuck' in 'where clause'???

Posted: Sat Nov 04, 2006 11:52 pm
by cturner
I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.

Code: Select all

// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
	$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
	while($row2 = mysql_fetch_array($r2)){
		// display the product name
		echo "<td valign=top>".$row2['productname']."<br />";
		// display the options
		echo $row2['packsize']."<br />";		
		echo $row2['colour']."<br />";
		echo $row2['icon']."<br />";
		echo $row2['name']."<br />";
		echo $row2['address1']."<br />";
		echo $row2['address2']."<br />";
		echo $row2['address3']."<br />";
		echo $row2['address4']."<br />";
		echo $row2['address5']."<br />";
		echo "</td>";
	}
// more code here

Re: Unknown column 'simplystuck' in 'where clause'???

Posted: Sun Nov 05, 2006 12:21 am
by Zoxive
cturner wrote:I am getting the following error when I test the code that is below: Could not query because: Unknown column 'simplystuck' in 'where clause'. I know that simplystuck is in the url and I know that simplystuck is in cart table but I am unsure of why I am getting this error. Can someone please help me solve this problem? Thanks in advance.

Code: Select all

// more code here
$username = $_GET['username'];
// more code here
// get the item(s) from the database for the username
$query2 = sprintf("SELECT * FROM `tbl_cart` WHERE `username` = '%s'",mysql_real_escape_string($username)); // fixed
	$r2 = mysql_query($query2) or die('Could not query because: ' .mysql_error());
	while($row2 = mysql_fetch_array($r2)){
		// display the product name
		echo "<td valign=top>".$row2['productname']."<br />";
		// display the options
		echo $row2['packsize']."<br />";		
		echo $row2['colour']."<br />";
		echo $row2['icon']."<br />";
		echo $row2['name']."<br />";
		echo $row2['address1']."<br />";
		echo $row2['address2']."<br />";
		echo $row2['address3']."<br />";
		echo $row2['address4']."<br />";
		echo $row2['address5']."<br />";
		echo "</td>";
	}
// more code here
-Zoxive

Posted: Sat Nov 11, 2006 5:42 pm
by califdon
$query2 = "SELECT * FROM tbl_cart WHERE username = $username";
You're missing the quotes around the string $username.

Try: "SELECT * FROM tbl_cart WHERE username = '$username' "

Posted: Sat Nov 11, 2006 9:19 pm
by Cameri
You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.


Example:

Code: Select all

if (isset($_POST['username']) && !empty($_POST['username'])) {
 //variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections

}
There are many functions at your disposal to prevent sql injections, of course, you must use a combination of them, like trim(), strip_tags(), htmlentities(), mysql_escape_string() and mysql_real_escape_string(). And if you can use PHP 5.2 there are new functions to validate user input, haven't tried em yet (I'm on php 5.1.6).

Posted: Sun Nov 12, 2006 3:55 am
by timvw
Cameri wrote:You should validate the variable $username before putting it into a query, or else you can expect SQL injections. If you don't know what SQL Injections are, I sugges you google it.


Example:

Code: Select all

if (isset($_POST['username']) && !empty($_POST['username'])) {
 //variable is set and not empty, continue
$username = mysql_real_escape_string($_POST['username']); //<-- escaped it to avoid sql injections

}
Zoxive already pointed that out in his answer (and he also added the required quotes around the string value)...

Based on his sprintf example using mysql_real_escape_string i once came up with the following function: http://www.timvw.be/elegantly-generate-sql-queries/.