-1

Here is a snippet of my code :

    require_once('functions.php');
    include('dbinfo.php');
    connectdb();


$querys= "SELECT 'score' FROM solve WHERE (problem_id='".$_GET['id']."' AND username='".$_SESSION['username']."')";
            $resultscore=mysql_query($querys);
            $scorefetch=mysql_fetch_array($resultscore);
            $subractscore=$scorefetch['score'];
echo $subractscore;

ideally the output should be the value stored in the score field of the database..but it is prints '

score

' .. where am i wrong in this?Also the the query results only one record at a time.

shiven
  • 421
  • 2
  • 8
  • 19
  • 3
    NOOO! Don't do this! Your query is vulnerable to SQL injection. Use [prepared statements](http://bobby-tables.com/php.html) instead by switching to MySQLi or PDO. – Marcel Korpel May 09 '13 at 13:55
  • @MarcelKorpel thanks :) will do that – shiven May 09 '13 at 13:59
  • why the vote down? :/ If you help it is fine if you dont let me know thereason before voting it down – shiven May 09 '13 at 14:00
  • 2
    You got the downvote because you are probably millionth person with the same question, doing the same bad things, and generally you're not using this website to obtain answers by browsing similar questions. You're using `mysql_` functions, you're not checking if your queries succeed or not (and it's dumb not to, since you can't know *why* they failed) and there's apparent lack of MySQL knowledge (quoting columns using single quotes). So you got a downvote because , well, people get tired of explaining the same thing every day. – N.B. May 09 '13 at 14:04

1 Answers1

7

The reason why your query won't work as expected is because your are wrapping the column name with single quotes. They (column name and table name) are identifiers and not string literals so they shouldn't be wrap with single quote.

SELECT score FROM solve WHERE....

If it happens that the column names and/or tables names used are reserved keywords, they can be escape with backticks not with single quotes.

In this case, the backticks aren't required since none of them are reserved keywords.

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

Community
  • 1
  • 1
John Woo
  • 258,903
  • 69
  • 498
  • 492
  • but using this all through my code and it works just fine – shiven May 09 '13 at 13:55
  • please wait, let me show you an example. – John Woo May 09 '13 at 13:55
  • 1
    here: http://www.sqlfiddle.com/#!2/4ca30/1 – John Woo May 09 '13 at 13:56
  • @shiven As example, `SELECT NOW();` and `SELECT 'foo';` are valid standalone queries; the former selects the current timestamp, the latter the string "foo". You're doing a case of the latter. – deceze May 09 '13 at 13:56
  • @JW웃 thanks you for the wonderful explanation :) .. got it right .. thanks again.. and will do read about sql injection thanks!! – shiven May 09 '13 at 14:01
  • @JW웃 i am running this other query with qoutes and it works fine : $query = "SELECT `points` FROM `problems` WHERE `sl`=".$_GET['id']; – shiven May 09 '13 at 14:10
  • @shiven backtick is different from single quotes. [MySQL - when to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/mysql-when-to-use-single-quotes-double-quotes-and-backticks) – John Woo May 09 '13 at 14:11