2

First of all, this is the first time I try PHP.

Here is the code:

<?php
if (isset($_GET['name']) && isset($_GET['password']) 
$uname = $_GET['name'];
$pass = $_GET['password'];
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$result = mysql_query("SELECT * FROM table WHERE username=$uname and password =$password");
$row  = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row[ip];
 echo $ip ;
}else {
echo = "Invalid Username or Password!";
}
?>

When I try this link: http://www.mywebsite.com/page.php?name=user&password=mypassword

This is a hidden page. I use it to get my recorded members' IP address when a user tries to log in to my Windows Form application, which is written in C#.

I always get a blank page.

Thanks in advance.

Dr.Vision

2 Answers

5

Surround your variables with single quotes and add a die(mysql_error()); at the end as shown.

$result = mysql_query("SELECT * FROM `dvtmembers` WHERE username='$uname' and password ='$pass'") or die(mysql_error());

Warning: Your code is open to SQL injection attacks.

Other Major Errors.

  • It should be $uname not $uanme
  • You have missed a parenthesis after the isset construct
  • You are doing an assignment to the echo statement.

Modified Code

<?php
ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);

if (isset($_GET['name']) && isset($_GET['password']))
{
    $conn = mysql_connect("localhost","DBusername","DBpassword");
    mysql_select_db("DBname",$conn);
    $uname = mysql_real_escape_string($_GET['name']);
    $pass = mysql_real_escape_string($_GET['password']);
    $result = mysql_query("SELECT * FROM table WHERE username='$uname' and password ='$pass'") or die(mysql_error());
    $row  = mysql_fetch_array($result);
    if(is_array($row)) {
        $ip = $row['ip'];
        echo $ip ;
    }else {
        echo "Invalid Username or Password!";
    }
}
else { echo "Name and Password was not passed !";}
?>

This (mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to prepared statements is even better to ward off SQL injection attacks!

Shankar Narayana Damodaran
  • @Dr.Vision, Have you [`enabled error reporting`](http://stackoverflow.com/a/6575502/1003917) ? – Shankar Narayana Damodaran Mar 24 '14 at 03:50
  • 1
    Finally worked, but I always get "Invalid Username or Password!" however I type the name and pass correctly. – Dr.Vision Mar 24 '14 at 04:04
  • Good. Have you added the single quotes around as shown in the code on the `SELECT` query ? – Shankar Narayana Damodaran Mar 24 '14 at 04:04
  • and fixed this (and password ='$password') to (and password ='$pass') – Dr.Vision Mar 24 '14 at 04:34
  • Warning: mysql_real_escape_string(): Access denied for user 'myrootnme'@'localhost' (using password: NO) in /home/myrootnme/public_html/mypage.php on line 8 Warning: mysql_real_escape_string(): A link to the server could not be established in /home/myrootnme/public_html/mypage.php on line 8 Warning: mysql_real_escape_string(): Access denied for user 'myrootnme'@'localhost' (using password: NO) in /home/myrootnme/public_html/mypage.php on line 9 Warning: mysql_real_escape_string(): A link to the server could not be established in /home/myrootnme/public_html/mypage.php on line 9 – Dr.Vision Mar 24 '14 at 04:48
  • Seems like there is a problem with the mysql_real_escape_string expression! – Dr.Vision Mar 24 '14 at 04:49
  • @Dr.Vision, Sorry, those two lines should be below the db connection. See my modified code. – Shankar Narayana Damodaran Mar 24 '14 at 04:50
2

Use single quotes in $row['ip'] and around the variables also. Your query is vulnerable (SQL injection), so better use mysql_real_escape_string() for parameters like name, password.

<?php
echo "<br/> Outside loop";

if (isset($_GET['name']) && isset($_GET['password'])) {
    echo "<br/> Inside if loop";

    $conn = mysql_connect("localhost","DBusername","DBpassword");
    if ($conn == false) { echo "Database not connected. DB error. "; }
    echo "<br/> after connection ";

    mysql_select_db("Tablename",$conn);
    echo "<br/> after db selection";

    // mysql_real_escape_string() needs an open connection, so escape after connecting
    $uname = mysql_real_escape_string($_GET['name']);
    $pass = mysql_real_escape_string($_GET['password']);

    $result = mysql_query("SELECT * FROM dvtmembers WHERE username= '$uname' and password = '$pass' ") or die(mysql_error());
    $row = mysql_fetch_array($result);
    if (mysql_num_rows($result) > 0) {
        $ip = $row['ip'];
        echo $ip;
        echo "<br/>final If loop";
    } else {
        echo "<Br/> final else loop";
        echo "Invalid Username or Password!";
    }
} else {
    echo "Parameters are not passed";
}
?>
Ananth
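
The prepared-statement approach recommended at the end of the first answer, which also addresses the SQL injection warning in both answers, shown as an added example that is not part of either answer. It assumes PDO with an in-memory SQLite database so it runs offline; the `lookupIp` helper, the table contents and the sample IP are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite keeps it self-contained; for MySQL only the
// DSN changes, e.g. 'mysql:host=localhost;dbname=DBname;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, no blank page

// Constructed table mirroring the columns used in the question.
$pdo->exec('CREATE TABLE dvtmembers (username TEXT PRIMARY KEY, password TEXT, ip TEXT)');
$insert = $pdo->prepare('INSERT INTO dvtmembers (username, password, ip) VALUES (?, ?, ?)');
$insert->execute(['user', 'mypassword', '203.0.113.7']);

/**
 * Return the stored IP for a matching username/password pair, or null.
 * The values are bound as parameters, so they are never parsed as SQL and
 * need neither manual quoting nor mysql_real_escape_string().
 */
function lookupIp(PDO $pdo, string $name, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT ip FROM dvtmembers WHERE username = :name AND password = :pass'
    );
    $stmt->execute([':name' => $name, ':pass' => $password]);
    $ip = $stmt->fetchColumn();          // false when no row matched
    return $ip === false ? null : (string) $ip;
}

// Constructed inputs: a valid login, a wrong password, and a value containing
// quote characters that would change the meaning of a concatenated query.
$cases = [
    ['user', 'mypassword'],
    ['user', 'wrong'],
    ['user', "' OR '1'='1"],
];

foreach ($cases as [$name, $password]) {
    $ip = lookupIp($pdo, $name, $password);
    printf("%-14s => %s\n", $password, $ip ?? 'Invalid Username or Password!');
}
```

Only the first case returns the IP. The third input is compared literally against the password column and matches nothing.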