-3

I have a problem with my code. It works fine when I use an id such as 1000000, but when I use the id 1000000_1 it returns an error, not when I'm trying to insert it into MySQL but when I call it to edit the record: id_fakelos=5979&CD_CAND=2015020010_1&kod_prok=2834

The error is "Fatal error: Call to a member function fetch_assoc() on a non-object in" and my code to call it is

    // CD_CAND comes straight from the query string and is interpolated unquoted
    $query = "SELECT * FROM fakelos WHERE CD_CAND = {$CD_CAND} LIMIT 1";
    $result = $mysqli->query($query);   // returns false when the SQL is invalid

    $row = $result->fetch_assoc();      // fatal: $result is false, not an object
    extract($row);

The code works perfectly when I'm not using underscores.

teok1979
  • This is not related to your question, but I strongly advise you to start using the PDO library instead of mysqli functions: http://php.net/manual/en/class.pdo.php – Giorgio Jan 22 '15 at 14:14
  • Since 1000000_1 is not numeric, you should add quotes around the value `SELECT * FROM fakelos WHERE CD_CAND = '{$CD_CAND}' LIMIT 1` – Maxim Krizhanovsky Jan 22 '15 at 14:15
  • »Returns FALSE on failure.« Read the documentation! http://php.net/manual/en/mysqli.query.php – feeela Jan 22 '15 at 14:15
  • Besides, you should show how you store 1000000_1 as a variable, and what's the datatype of fakelos ? int? varchar2? – Jonast92 Jan 22 '15 at 14:15
  • @Giorgio: That's bull. `mysqli` (not `mysql`) is a perfectly good choice. – Jon Jan 22 '15 at 14:16
  • I wonder what happens if you do `...&CD_CAND=1 AND (SELECT SUBSTR(password,1,1) FROM users WHERE name='Admin')='a'&...` This injection should allow me to find out individual characters of your password. Judging by the fantastic quality of the code in your question, I would be fairly safe in assuming you either save passwords in plain text, or with something broken like unsalted MD5. – Niet the Dark Absol Jan 22 '15 at 14:17

1 Answer

1

The error occurs because 1000000_1 is not a valid literal outside quotes in MySQL.

Putting quotes around it would fix the immediate issue, but there is a much bigger problem with your code: you are not using prepared statements with bound parameters.

Changing the code to use prepared statements will make it robust in the face of SQL injection attacks and will fix your problem "for free".

Jon
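The following is an added example, not code from the question or the answer, showing the answer's fix in working form: the original unquoted interpolation beside a mysqli prepared statement with a bound parameter. The table and column names (fakelos, CD_CAND, id_fakelos, kod_prok) are taken from the question; the column types, the database credentials and the function name fetchFakelos are assumptions made here for illustration.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes a MySQL server
// reachable with the placeholder credentials below and a table such as
//   fakelos(id_fakelos INT, CD_CAND VARCHAR(32), kod_prok INT, ...)
// Only the table and column names come from the question; the rest is assumed.

// Make mysqli throw on errors instead of returning false, so a bad query
// surfaces as an exception rather than as "fetch_assoc() on a non-object".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'user', 'password', 'dbname'); // placeholder credentials
$mysqli->set_charset('utf8mb4');

$CD_CAND = $_GET['CD_CAND'] ?? '';   // e.g. "2015020010_1"; untrusted input

// BEFORE (from the question): the value is spliced into the SQL text unquoted.
// "2015020010_1" is not a valid numeric literal, so MySQL rejects the query;
// worse, a value like "1 OR 1=1" is executed as SQL.
//   $query  = "SELECT * FROM fakelos WHERE CD_CAND = {$CD_CAND} LIMIT 1";
//   $result = $mysqli->query($query);

// AFTER: the SQL text is fixed at prepare time and the value travels
// separately, so it is never parsed as SQL whatever characters it contains.
function fetchFakelos(mysqli $db, string $cdCand): ?array
{
    $stmt = $db->prepare('SELECT * FROM fakelos WHERE CD_CAND = ? LIMIT 1');
    $stmt->bind_param('s', $cdCand);              // 's': bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();    // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;                          // null when no row matched
}

$row = fetchFakelos($mysqli, $CD_CAND);
if ($row === null) {
    http_response_code(404);
    exit('record not found');
}

// Assign the columns explicitly instead of extract($row): extract() lets any
// column name overwrite a local variable, including ones you did not intend.
$id_fakelos = $row['id_fakelos'];
$kod_prok   = $row['kod_prok'];
```

Because the value is bound as a string, the column holding identifiers like 2015020010_1 must itself be a string type (VARCHAR), as Jonast92's comment asks; an INT column would never have stored the underscore form in the first place. With the parameter bound, the probe in Niet the Dark Absol's comment (`1 AND (SELECT SUBSTR(password,1,1) ...)='a'`) is compared literally against CD_CAND and simply matches no row.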