
So I have my PHP page and in the address bar it says something like this:

http://blabla/ClientStats.php?client=blabla

I had used the $_GET['CLIENT'] variable successfully until I wanted to access it inside an SQL query, like this:

<?php
$query = "SELECT ... ... ... FROM ... ... ... WHERE Client = '" + $_GET['CLIENT'] + "'";
?>

The query is a lot more complex than that, but will that "WHERE" statement work?

I'd tried to get this working quite a few different ways with no success so if I could find out the way today to get it working tomorrow that would be great (can't even remember if I tried doing it as I wrote above!).

So will that work, if not how should I do it?

James
    Your code is vulnerable to SQL injections. Please fix that problem first. Then you don't have your actual problem any more. See [here](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – juergen d Oct 28 '12 at 11:53
  • 4
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained and the [deprecation process](http://j.mp/Rj2iVR) has begun on it. See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Madara's Ghost Oct 28 '12 at 11:57
  • PHP uses `.` for string concatenation, not `+`. Besides that, read the previous comments. – ThiefMaster Oct 28 '12 at 11:58
  • What "doesn't work"? Also: the string concatenation operator in PHP is `.`, not `+`. – deceze Oct 28 '12 at 11:58

4 Answers


That's not a good idea, as you are using unchecked user input within an SQL query, which will lead to a security hole.

JohnB

Add '.' instead of '+'. It should be

$query = "SELECT ... ... ... FROM ... ... ... WHERE Client = '" . $_GET['CLIENT'] . "'";

but before that, please check your code since it is vulnerable to SQL injections.

bipen

Answering your original question, yes it will work, but I think you'll find it's rather frowned upon as it opens huge security vulnerabilities in your application.

What I do is store the values in a variable and then sanitize the input:

Example:

$client = mysql_real_escape_string($_GET['CLIENT']);
Menztrual

You must escape using *_real_escape_string, otherwise your query is vulnerable to an SQL injection attack, therefore use it like this:

$client = mysql_real_escape_string($_GET['CLIENT']);//if using mysql

<?php
$query = "SELECT ... ... ... FROM ... ... ... WHERE Client = '".$client. "'";
?>
Arun Killu
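The three approaches discussed in the question and the answers, side by side, as an added example (this is not code from the question or from any of the answers). It assumes a table named `stats` with columns `Client` and `Hits`, and uses PDO with an in-memory SQLite database so it runs without a MySQL server; `PDO::quote()` stands in for `mysql_real_escape_string()` because PDO adds the surrounding quotes itself. The inputs standing in for `$_GET['client']` are constructed: the second one contains an apostrophe, which is enough to show why plain concatenation breaks.

```php
<?php
// Added example: concatenated vs. escaped vs. prepared, using PDO + SQLite.
// Table and column names are assumed; the sample rows are constructed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE stats (Client TEXT, Hits INTEGER)");
    $db->exec("INSERT INTO stats VALUES ('acme', 10), ('O''Brien', 7)");
    return $db;
}

// 1. What the question does (with '.' instead of '+'): the raw value becomes
//    part of the SQL text. Any quote in $client changes the query's syntax.
function concatenated(PDO $db, string $client): ?array {
    $query = "SELECT Client, Hits FROM stats WHERE Client = '" . $client . "'";
    try {
        return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return null; // the quote in "O'Brien" makes this a syntax error
    }
}

// 2. What the answers suggest: escape first, then concatenate. This only
//    works if every value in every query is escaped, every time.
function escaped(PDO $db, string $client): array {
    $query = "SELECT Client, Hits FROM stats WHERE Client = " . $db->quote($client);
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. What the comments recommend: a prepared statement. The value is sent
//    separately from the SQL text, so it can never be parsed as SQL.
function prepared(PDO $db, string $client): array {
    $stmt = $db->prepare("SELECT Client, Hits FROM stats WHERE Client = :client");
    $stmt->execute([':client' => $client]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
// Constructed inputs standing in for $_GET['client']:
foreach (['acme', "O'Brien"] as $input) {
    $raw = concatenated($db, $input);
    printf("%-8s concatenated=%s escaped=%d prepared=%d\n",
        $input,
        $raw === null ? 'SQL error' : count($raw),
        count(escaped($db, $input)),
        count(prepared($db, $input)));
}
```

Running it prints one row found by all three functions for `acme`, while for `O'Brien` the concatenated query fails with a syntax error and only the escaped and prepared versions return the row. The prepared statement is the version to keep: it needs no per-value escaping, and the same `:client` placeholder works unchanged if the query later grows the extra clauses the question mentions.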