-4

I have a strange situation. I have this code:

$dispnam = strtoupper($display_name);
$data = mysql_connect("localhost", "user", "pass");
mysql_select_db("dbname");
$result = mysql_query("SELECT location FROM upload WHERE name = '".$dispnam."'")
or die(mysql_error());  
$check = mysql_num_rows($data);
$info = mysql_fetch_array($data);
$display_url = $info['location'];
echo $display_url;

which returns an error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'HIGHLIGHT'>BATMAN_SLAPPING_ROB' at line 1'

I have no idea where have I gone wrong. Your help will be greatly appreciated. Thanks iin advance!

Albab
  • 374
  • 2
  • 12
  • 3
    Echo out your SQL. You'll have an apostrophe in it; this is one of the reasons why binding variables is a good idea. – andrewsi Sep 24 '13 at 19:04
  • $dispnam returns that only. – Albab Sep 24 '13 at 19:05
  • Returns _what_, exactly? – andrewsi Sep 24 '13 at 19:06
  • 2
    You have a SQL injection vulnerability. – SLaks Sep 24 '13 at 19:08
  • Someone commented here and delete it, my previous comment was for him. Sorry. Alright so how do I do that? like echo SELECT location FROM upload WHERE name = '".$dispnam."' ? – Albab Sep 24 '13 at 19:08
  • @Albab - that should do it. – andrewsi Sep 24 '13 at 19:10
  • That is siply echoing the statement... didn't fixed. And $dispnam contains ~ BATMAN_SLAPPING_ROBBIN – Albab Sep 24 '13 at 19:14
  • Then something else in your code is going wrong, because the word HIGHLIGHT isn't in there. Are you certain that it's that piece of code is failing? How are you generating `$display_name`? Is this code run in a function? A loop? What are the inputs? Does it run once? Multiple times? – andrewsi Sep 24 '13 at 19:17
  • 1
    Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). Also, `mysql_query` should not be used in new applications. It's a deprecated interface that's being removed from future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). Read a guide like [PHP The Right Way](http://www.phptherightway.com/) to avoid making mistakes like this. – tadman Sep 24 '13 at 19:29
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – tadman Sep 24 '13 at 19:30
  • I understand that and I appreciate your help. But I had to fix it for someone so I cannot change anything I just have to fix it.. Also, I got the solution. I was fetching data from $data and the query was made from $result so I had to change the $result to $data and it worked like charm. Thanks for your help :) – Albab Sep 25 '13 at 18:43

1 Answers1

2

$dispnam seems to contain a single quote. You should be using a parametrized query instead of constructing your query from strings

Daniel Hilgarth
  • 171,043
  • 40
  • 335
  • 443