Exporting query in a xls file problems only with google Chrome

Question

I'm having a problem which is only regarding to Google Chrome, everywhere else it works just fine.

I'm trying to export the queries in a xls file , but when i try to do it with Chrome i get this error:

Sql error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM hostess' at line 1

my code is as below:

<?php
$username = $_POST['username'];

$host = '';
$user = '';
$pass = '';
$db = '';
$table = 'hostess';
$file = 'Report_Hostess';

$link = mysql_connect($host, $user, $pass) or die("Can not connect." . mysql_error());
mysql_select_db($db) or die("Can not connect.");
mysql_query("SET NAMES UTF8");

$select = "SELECT ".$username." FROM hostess";

$export = mysql_query ( $select ) or die ( "Sql error : " . mysql_error( ) );

$fields = mysql_num_fields ( $export );

for ( $i = 0; $i < $fields; $i++ )
{
    $header .= mysql_field_name( $export , $i ) . "\t";
}

while( $row = mysql_fetch_row( $export ) )
{
    $line = '';
    foreach( $row as $value )
    {                                            
        if ( ( !isset( $value ) ) || ( $value == "" ) )
        {
            $value = "\t";
        }
        else
        {
            $value = str_replace( '"' , '""' , $value );
            $value = '"' . $value . '"' . "\t";
        }
        $line .= $value;
    }
    $data .= trim( $line ) . "\n";
}
$data = str_replace( "\r" , "" , $data );

if ( $data == "" )
{
    $data = "\n(0) Records Found!\n";                        
}
$filename = $file."_".date("Y-m-d_H-i",time());
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment;filename=".$filename.".xls");
header("Pragma: no-cache");
header("Expires: 0");
print "$header\n$data";

exit;
?>

$username is just a string with coma separated values like id,name,surname etc to build the query.

Can you please tell me why i get this error just using google chrome? Thanks

**Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). — eggyal, Jun 28 '12 at 10:17
Also, as stated in the PHP manual for the [`mysql_query()`](http://php.net/manual/en/function.mysql-query.php) function: *Use of this extension is discouraged. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also [MySQL: choosing an API](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) guide and [related FAQ](http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated) for more information.* — eggyal, Jun 28 '12 at 10:19
However, to diagnose your particular problem: please `echo $select;` before the call to `mysql_query` and then paste here the result? — eggyal, Jun 28 '12 at 10:19
this is the result: SELECT FROM hostessSql error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM hostess' at line 1 — Blerta Shaqelli, Jun 28 '12 at 10:27
I meant, please paste the result of the `echo` statement--i.e., the value of `$select`. — eggyal, Jun 28 '12 at 10:28
`$_POST['username']` appears to be empty, we cannot tell you why without more details. — Dr.Molle, Jun 28 '12 at 10:33
$checked1 = $_POST['checkbox']; $checked = implode(',', $_POST['checkbox']) are values taken from a checkbox form — Blerta Shaqelli, Jun 28 '12 at 11:40

score 0 · Answer 1 · answered Jun 28 '12 at 10:35

this is the result: SELECT FROM hostessSql error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM hostess' at line 1

select [SOMETHING] FROM hostess

your $username is not well setted.

$username = $_POST['username'];

are you sure you are sending it by post?

suggestion: do what @eggyal suggest you...

Exporting query in a xls file problems only with google Chrome

1 Answers1