
I have a link in a table which sends two $_GET variables to another page with the following code:

```php
echo "<td><a href='somepage.php?del_date=" . $row['del_date'] . "&order_no=" . $row['order_no'] . "'>Details</a></td>";
```

This seems to have worked as I am able to echo both of these on the other page. However I am not sure of the syntax needed to put both of them into a mysql_query. I have at the moment something like:

```php
$result = mysql_query("SELECT panel_product_no, del_quantity
FROM deliveryContainsPanelProduct
WHERE del_date = " . $_GET["del_date"]
AND order_no = " . $_GET["order_no"]);
```

But that doesn't work. I've tried a bunch of variations by playing with the inverted commas etc, but most of the time the page is blank or at best it displays the table headings but doesn't output any results. I think the problem is somewhere between the WHERE and the AND clause but I'm completely stuck.

Can anybody help me out?

user1620419
    You are vulnerable to [SQL Injection](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – Tadeck Sep 02 '12 at 11:41
  • 1) You have syntax errors - missed `."` after `$_GET["del_date"]`, 2) see prev. comment, 3) don't use `mysql_*` since these functions are deprecated – Alexander Larikov Sep 02 '12 at 11:43
  • 1
    Use of **mysql_** extension is discouraged. Instead, the [MySQLi](http://www.php.net/manual/en/function.mysqli-connect.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. – hjpotter92 Sep 02 '12 at 11:45
  • @user1620419 Read more about SQL injections: http://stackoverflow.com/questions/11939226/sql-injections-and-adodb-library-general-php-website-security-with-examples – Ilia Ross Sep 02 '12 at 11:50
  • Besides SQL injection: for a delete action I'd also recommend learning about CSRF - Cross-Site Request Forgery, which is an attack vector that can have quite bad impact. Wikipedia (didn't check) might be a good starting point. – johannes Sep 02 '12 at 13:02

3 Answers

```php
$result = mysql_query('SELECT panel_product_no, del_quantity FROM deliveryContainsPanelProduct WHERE del_date = "' . mysql_real_escape_string($_GET["del_date"]) . '" AND order_no = "' . mysql_real_escape_string($_GET["order_no"]) . '"');
```

This should work.

I have also escaped the incoming variables to protect you from SQL injections.

Tyilo

```php
$result = mysql_query("SELECT panel_product_no, del_quantity
FROM deliveryContainsPanelProduct
WHERE del_date = " . $_GET['del_date'] . " AND order_no = " . $_GET['order_no']);
```

You forgot to open up double quotes for AND order_no...

And yes, if you had read the comments, you should be using the mysqli extension rather than the mysql extension for queries. Or you should use mysql_real_escape_string() for every parameter that you use in your query.

Arjun Abhynav

```php
$delDate = mysql_real_escape_string($_GET["del_date"]);
$orderNo = mysql_real_escape_string($_GET['order_no']);

$query = "SELECT panel_product_no, del_quantity FROM deliveryContainsPanelProduct";
// Escaped string values must still be wrapped in quotes inside the SQL;
// without the quotes the escaping gives no protection at all.
$query .= " WHERE del_date = '" . $delDate . "'";
$query .= " AND order_no = '" . $orderNo . "'";

$result = mysql_query($query) or die("query error");
```
Idrees Khan
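As an added example (not code from the question or any of the answers), here is the same lookup done the way the comments suggest, with PDO prepared statements, so the two `$_GET` values travel as bound parameters instead of being spliced into the SQL string; the connection details are placeholders, and it assumes `del_date` is a DATE column and `order_no` an integer column.

```php
<?php
// Added example: PDO prepared statement for the query in the question.
// Assumed: DSN/user/password placeholders below, del_date is a DATE column,
// order_no is an integer column.

function fetchDeliveryLines(PDO $pdo, string $delDate, string $orderNo): array
{
    // Reject malformed input before it reaches the database at all.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $delDate)) {
        throw new InvalidArgumentException('del_date must be YYYY-MM-DD');
    }
    if (!ctype_digit($orderNo)) {
        throw new InvalidArgumentException('order_no must be a non-negative integer');
    }

    // Placeholders, not string concatenation: the values can never change
    // the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT panel_product_no, del_quantity
           FROM deliveryContainsPanelProduct
          WHERE del_date = :del_date AND order_no = :order_no'
    );
    $stmt->bindValue(':del_date', $delDate, PDO::PARAM_STR);
    $stmt->bindValue(':order_no', (int) $orderNo, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// The two parameters the link in the question supplies.
$delDate = $_GET['del_date'] ?? '';
$orderNo = $_GET['order_no'] ?? '';

try {
    foreach (fetchDeliveryLines($pdo, $delDate, $orderNo) as $row) {
        // Escape on output too, since the values end up inside HTML.
        echo '<tr><td>' . htmlspecialchars($row['panel_product_no'], ENT_QUOTES, 'UTF-8')
           . '</td><td>' . (int) $row['del_quantity'] . '</td></tr>';
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```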