Why does this statement returns true when i query the database

Question

I know i should be using prepare statements and sanitizing the data i'm just checking the PDO driver

I just want to know why if i'm passing just random data the query returns true?

just notice this PDO::query — Executes an SQL statement, returning a result set as a PDOStatement object

    $dbuser = 'root';
$dbpass = 'root';
$formpost = false;
try
{
    $dbh = new PDO('mysql:host=127.0.0.1;dbname=loginexample', $dbuser, $dbpass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
if(!empty($_POST['username']) && !empty($_POST['password']))
{
    $formpost = true;
    $username = $_POST['username'];
    $password = $_POST['password'];
}

if($dbh && $formpost)
{
    $sql= "SELECT username, password FROM user WHERE username='$username' AND password='$password'";
    if($dbh->query($sql))
    {
        echo 'true';
    }
}

I want to see who'd be the first smartass to comment about this being SQL injection vulnerable. — Madara's Ghost, Nov 03 '12 at 13:23
It returns true because your query is successful..nothing else — Mr. Alien, Nov 03 '12 at 13:24
@idavid , i did not know, that there is a rude adjective with 3 letters. Also, have you tried [**reading the manual**](http://php.net/manual/en/pdo.query.php) !? Do you know which are the ["truthy values"](http://php.net/manual/en/types.comparisons.php) ? — tereško, Nov 03 '12 at 13:44
@MadaraUchiha i place this in bold to avoid SQL injection comments and you are the first *** that place a comment about it. ##I know i should be using prepare statements and sanitizing the data i'm just checking the PDO driver## — David Strada, Nov 03 '12 at 13:48
@idavid: I commented sarcastically, to see who'd be the first to not read that gigantic banner of yours, and comment about it anyway. I think you misunderstood me a little bit :) — Madara's Ghost, Nov 03 '12 at 13:48
@tereško Have you tried reading this? notice this PDO::query — Executes an SQL statement, returning a result set as a PDOStatement object — David Strada, Nov 03 '12 at 13:49
First try if `rowCount()` works with `SELECT` and your database driver: http://www.php.net/manual/en/pdostatement.rowcount.php - If that does not work, consider to create a `SELECT` query that returns the count your are looking for instead - which might be more appropriate in the first place, too. — hakre, Nov 03 '12 at 13:54
@idavid: You might not know it, but each object in PHP (incl. PDOStatement) evaluates `TRUE` in your `if` condition. http://php.net/boolean - There only is one exception to that rule with `SimpleXMLElement` under *very* certain circumstances. — hakre, Nov 03 '12 at 13:55
Also, [please learn](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) how to prevents SQL injections with PDO. Just because you use PDO does not make your code automagically secure. — tereško, Nov 03 '12 at 13:58
Similar: [Verify method returns true](http://stackoverflow.com/q/9726089/367456) — hakre, Nov 03 '12 at 14:04

score 3 · Answer 1 · answered Nov 03 '12 at 13:25

3

PDO::query will always return a PDOStatement object, unless the query caused an error. (Returning no rows is not an error.) In PHP, any object will evaluate to boolean true, so the if condition will pass.

answered Nov 03 '12 at 13:25

lonesomeday

233,373
50
316
318

score 3 · Answer 2 · answered Nov 03 '12 at 13:26

3

Because PDO::query() returns a PDOStatement object to represent the result set. Even if no results were returned, the query was still successful (i.e. it contained no syntax errors, the table exists, etc).

To check for emptiness, you can use fetchAll() and run a count() function on that.

answered Nov 03 '12 at 13:26

Madara's Ghost

172,118
50
264
308

Got it fetchAll and then count(); – David Strada Nov 03 '12 at 13:41
Awesome! If this answer solved your problem, consider upvoting and accepting it, by clicking on the large green tick mark (✔) under the answer's score. – Madara's Ghost Nov 03 '12 at 13:42

score 1 · Accepted Answer · answered Nov 03 '12 at 13:26

1

This line: if($dbh->query($sql)) might not return an object that contains any found records, but it returns an object nonetheless. An object that might tell you that the number of found rows equals zero, for instance.

Try returning true or false based on the number of found records....

answered Nov 03 '12 at 13:26

Elias Van Ootegem

74,482
9
111
149

What would you use to fetch those records Fetch_all? – David Strada Nov 03 '12 at 13:45
`$stmt = $db->query($theQueryString); while ($row = $stmt->fetch(PDO::FETCH_ASSOC)){/*do stuff with $row*/}` – Elias Van Ootegem Nov 03 '12 at 14:09

score 0 · Answer 4 · answered Nov 03 '12 at 13:25

0

PDO::query() returns a PDOStatement object, or FALSE on failure.

My guess is that the query is succesfully getting all zero rows that matched

answered Nov 03 '12 at 13:25

Puggan Se

5,738
2
22
48

Yeah even when doesn't have records returns true, i will chech fetall and then count()>0 to play safe. – David Strada Nov 03 '12 at 13:43

Why does this statement returns true when i query the database

I know i should be using prepare statements and sanitizing the data i'm just checking the PDO driver

just notice this PDO::query — Executes an SQL statement, returning a result set as a PDOStatement object

4 Answers4