SELECT * FROM $_POST[] - PHP mySQL formatting

Question

Need help formatting a mySQL query string. The following query returns "parse error, expecting T_STRING or T_VARIABLE"

PHP:

<?php


include 'db_connect.php';

mysql_select_db($databaseName, $con);

$query = "SELECT * FROM .$_POST['tab']. WHERE plant_code = .$_POST['plant_code']";

$result = mysql_query($query) or die (mysql_error());

$row = mysql_fetch_assoc($result);

echo json_encode($row);

?>

jQuery:

$('#profiles_desktops').click(function(){
                $.post("php/loadProfile.php", {plant_code : selectedSite, tab : "profiles_desktops"}, function(result){ (do something here...) });  });

@Jack - the parse error comes in the $query statement. Something about my query string is incorrect? — Ben Bernards, Apr 12 '12 at 22:07
*Always* use [`mysql_real_escape_string()`](http://php.net/mysql_real_escape_string) when appending something to a MySQL query. — rid, Apr 12 '12 at 22:09
This is just begging for SQL injection. Make sure you clean those parameters before you run the query (unless this is a school project--then...well it's still good practice) — Mike Park, Apr 12 '12 at 22:10

score 4 · Accepted Answer · answered Apr 12 '12 at 22:09

4

DO NOT DO THAT! it's wide open to SQL injection attacks. For god sake, validate and escape your input.

at the very least, rewrite it to:

$query = "SELECT * FROM `".mysql_real_escape_string($_POST['tab'])."` WHERE plant_code = '".mysql_real_escape_string($_POST['plant_code'])."'";

answered Apr 12 '12 at 22:09

Not_a_Golfer

47,012
14
126
92

Yup, this did it. (Note those are NOT single quotes, but are...what...back-quotes? Hiding under the ~ on my keyboard.) – Ben Bernards Apr 12 '12 at 23:08
They're called backticks, and you can read a bit more about them in this thread: http://stackoverflow.com/questions/261455/using-backticks-around-field-names – Not_a_Golfer Apr 12 '12 at 23:18

score 1 · Answer 2 · answered Apr 12 '12 at 22:06

1

Query should be:

"SELECT * FROM ".$_POST['tab']." WHERE plant_code =".$_POST['plant_code']

answered Apr 12 '12 at 22:06

Cassie Smith

503
3
12

3

After passing them through `mysql_real_escape_string()` of course. – rid Apr 12 '12 at 22:08
eek, no spaces! Query would fail unless the post variables have leading and trailing spaces in them – orourkek Apr 12 '12 at 22:09
1

Also, if `plant_code` is not numeric, you'd also need to put that between quotes. – rid Apr 12 '12 at 22:14

score 1 · Answer 3 · answered Apr 12 '12 at 22:08

The periods (.) in your query are unnecessary because you didn't break the quotes. Either of these should work:

$query = "SELECT * FROM $_POST['tab'] WHERE plant_code = $_POST['plant_code']";

or

$query = "SELECT * FROM " . $_POST['tab'] . " WHERE plant_code = " . $_POST['plant_code'];

Edit: This is, of course, not addressing the giant injection security holes :]

score 0 · Answer 4 · answered Apr 12 '12 at 22:09

0

Your concatenations in $query declaration are wrong.

$query = "SELECT * FROM " . $_POST['tab'] . "WHERE plant_code = '" . mysql_real_escape_string($_POST['plant_code']) . "'";

would suffice.

answered Apr 12 '12 at 22:09

hjpotter92

78,589
36
144
183

score 0 · Answer 5 · answered Apr 12 '12 at 22:10

Should be:

$query = "SELECT * FROM ".$_POST['tab']." WHERE plant_code = ".$_POST['plant_code'];

needed to have the php variable surrounded by double quotes (and leave the last one off, since you are ending with a variable, or instead of double quotes, leave out the dots because PHP will see it's variables and convert them to the values before the query runs. Also, sql doesn't like bracketed array variables for some reason. Try putting all your values in variables which is also much nicer to read:

$tab = $_POST['tab'];
$plant = $_POST['plant_code'];
$query = "SELECT * FROM ".$tab." WHERE plant_code = ".$plant;

SELECT * FROM $_POST[] - PHP mySQL formatting

5 Answers5