0

I am trying to query some tables in my database using a simple dropdown in which the name of the tables are listed. the query has only one record result showing the name and age of the youngest institute registered in the database!

$table = $_GET['table'];
$query = "select max('$table'.est_year) as 'establish_year' from '$table' ";

I need to send the name of the table as variable to the querier php file. no matter the method is GET or POST in both ways when I put the variable name in the query statement, it gives the error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.order) as 'last' from 'customers'' "

hjpotter92
  • 78,589
  • 36
  • 144
  • 183

2 Answers2

2

You are wrapping the table name in single quotes, which is not valid SQL (that's the syntax for strings, not table names). You should either not wrap the name at all or else wrap it in backticks (on the american keyboard layout, that's the key above TAB).

You should also not quote the alias established_year:

select max(`$table`.est_year) as establish_year from `$table`

Also, your code is vulnerable to SQL injection. Fix this immediately!

Update (sql injection defense):

In this case the most appropriate action would likely be to validate the table name against a whitelist:

if (!in_array($table, array('allowed_table_1', '...'))) {
    die("Invalid table name");
}
Community
  • 1
  • 1
Jon
  • 428,835
  • 81
  • 738
  • 806
  • do I need to use mysql_escape_string() or what ? –  Jun 23 '12 at 11:39
  • @rezasaberi: No for two reasons: 1) `mysql_escape_string` should never be used (`mysql_real_escape_string` has superseded it) and 2) it's a table name, where the rules are different. See the updated answer. – Jon Jun 23 '12 at 11:44
  • @Jon : How OP code is vulnerable to SQL Injection? And how mine is not preventing and yours is preventing? – Fahim Parkar Jun 23 '12 at 11:51
  • @FahimParkar: Please see the comment under your own answer. Using a whitelist prevents injections because only a handful of known safe inputs will be accepted. – Jon Jun 23 '12 at 11:54
-1

single quote ('), in mysql, it represents string value.

SELECT *, 'table' FROM `table`;

Demo

So your query should be 

$table = $_GET['table'];
$query = "select max($table.est_year) as 'establish_year' from $table ";

Also read old post, phpmyadmin sql apostrophe not working.

Also your code is vulnerable to SQL Injection. You can use something like this

//Function to sanitize values received from the form. Prevents SQL injection

function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

$firstName = clean($_POST['firstName']);
$lastName  = clean($_POST['lastName']);
.
.
.
Community
  • 1
  • 1
Fahim Parkar
  • 30,974
  • 45
  • 160
  • 276
  • 1
    -1: This code will not prevent SQL injection because `$table` will be a *table name*, not just any string. The quoting rules are different. – Jon Jun 23 '12 at 11:45
  • @Jon : Do you see `return mysql_real_escape_string($str);`?? – Fahim Parkar Jun 23 '12 at 11:49
  • I do. You have to realize that `mres` achieves nothing if the returned value is not enclosed in quotes, which in this case it cannot be because it is not a string. – Jon Jun 23 '12 at 11:53