1

I have a mySQL database where the primary key is a string that is a username and a field is a URL. The username is passed through the url, and the url is printed out. However, I cant get the code to work. What am I doing wrong?

<html>
    <head>
    <title>Query string</title>
    </head>
    <body>
    <?php
    $con = mysql_connect("na","na","na");
    if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("na", $con); 
    $query="SELECT * FROM  `na`.`na` WHERE 'Username' = '" . $_GET["username"] . "'";
     $data = mysql_query($query) or die('Could not connect: ' . mysql_error());
     while($info = mysql_fetch_array($data)) 
 { 
Print "URL>>".$info['Url'] . "URL>>" ; 
 } 
    ?>
    </body>
    </html>
John Woo
  • 258,903
  • 69
  • 498
  • 492
Tikitaco
  • 69
  • 7

1 Answers1

1

The reason why your query is not working is because you have wrap the column named Username with single quotes. Remember that column name are identifier and not string literals. Wrapping identifiers with single quote makes it a string literal. So in your case you are comparing a value into a string username and not into a column name username. Remove the single quote and it will surely work.

SELECT * FROM  `na`.`na` WHERE Username = ''

Try this one out, pass a value in the $_GET["username"] with Username and you will get all the records in the table because 'Username' = 'Username' which makes it always true.

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

Community
  • 1
  • 1
John Woo
  • 258,903
  • 69
  • 498
  • 492