0

I have a table in MySQL database with id, location, type, content columns. If fetching a specific row via id in the URL, e.g. domain.com/page.php?id=1 I can do this by:

$sql = "SELECT * FROM database_table WHERE id=" . $_GET["id"];
$rs = mysql_query($sql);    
while($row = mysql_fetch_array($rs)) {

echo $row['location'] . $row['type'] . $row['content'] ;

However if I want to fetch it via the other rows in the URL, e.g. domain.com/page.php?location=paris&type=housing

I tried this replacing the first line of code above with this:

$strSQL = "SELECT * FROM database_table WHERE location=" . $_GET['location']
                                                         . "AND type=" 
                                                         . $_GET['type'] ;

the code does not work on this URL:

domain.com/page.php?location=paris&type=housing

but works with this URL (notice the " " between the row):

domain.com/page.php?location="paris"&type="housing"

My question: Is there anything I can do to make it such that I don't have to have the " " between rows in the URL in order for the query to work?

M. A. Kishawy
  • 5,001
  • 11
  • 47
  • 72
David Ng
  • 25
  • 2
  • 7
  • You just made yourself vulnerable to SQL injection. Please at least `var_dump()` your SQL queries and you'll be perfectly aware of what has gone wrong (hint: double quotes making syntax error). – Tomasz Kowalczyk Oct 21 '14 at 12:53
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 21 '14 at 12:55
  • use mysql_real_escape_string on the value to protect yourself against SQL Injection a bit more. Even better would be to start using PDO. – Peter Oct 21 '14 at 13:03
  • Please could you share how to use PDO to achieve the same effect as the code above? Appreciate it alot! – David Ng Oct 21 '14 at 18:46

1 Answers1

2

Change

$strSQL = "SELECT * FROM database_table WHERE location=" . $_GET['location'] . "AND type=" . $_GET['type'] ;

to

$strSQL = "SELECT * FROM database_table WHERE location='" . $_GET['location'] . "' AND type='" . $_GET['type'] . "'";

Make sure you sanitize your $_GET data though.. you are vulnerable to mysql injection attacks. Mysql_query is also deprecated, use PDO.

You'll be able to call your script without quotes in the url:

domain.com/page.php?location=paris&type=housing

sridesmet
  • 875
  • 9
  • 19
  • 1
    You can also use MySqli. – Refilon Oct 21 '14 at 13:05
  • Gudgip, thanks for this, it works well. Please could you share how to use PDO to achieve the same effect as the code above? Or point me in some direction.. I'm new at this. Thanks! – David Ng Oct 21 '14 at 15:06
  • I will refer to this guide to get started with PDO: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html . You can get thesame effect as the code above, but safe and object oriented. – sridesmet Oct 22 '14 at 07:42