
I have the following simple php code that gives me a result that I want to display.

$linkz= mysql_connect($host,$username,$password) or die(mysql_error());
mysql_select_db($db, $linkz);


$sq_name= $_POST['unameTF'];
$sq_pass= $_POST['passTF'];
$sq_search= $_POST['searchTF'];

if($sq_search=""||$sq_search=null)
{
    echo "type something";
}else
{
    $sql2= "SELECT * FROM sql_insert WHERE sq_name='$sq_search' ";
    $res= mysql_query($sql2, $linkz) or die(mysql_error());
}

while($row=mysql_fetch_assoc($res))
{
    echo "$row[sq_name]"."<br/>";
}

This gives me a null result always (i.e. it doesn't give an error or display anything). It works fine when the if-else statement is removed, meaning it is just

$sql2= "SELECT * FROM sql_insert WHERE sq_name='$sq_search' ";
$res= mysql_query($sql2, $linkz) or die(mysql_error());

and no checking to see if it's null.

and also if I replace

$sql2= "SELECT * FROM sql_insert WHERE sq_name='$sq_search' ";

with

$sql2= "SELECT * FROM sql_insert WHERE sq_name='".$_POST['searchTF']."' ";

(even without removing the if-else statement)

Can someone explain what's going on?

DUB
  • Please note that `mysql` is not supported anymore. Use `mysqli` or `pdo` instead. – Nytrix Jul 28 '15 at 16:22
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 28 '15 at 16:24
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jul 28 '15 at 16:24
  • Yeah, thanks @Nytrix & @Jay. I know you shouldn't use mysql any longer because of SQL injection. This is more of a homework DB/PHP project. – DUB Jul 28 '15 at 16:27

2 Answers


The reason why it works without the if() statement is that you used assignment operators rather than comparison operators, causing the flow of your if statement to work like this:

if we can set $sq_search = "" ... we can!
    check that it's not a null-terminated value... that's good too!
if we can set $sq_search = null ... we can!
    check that it's not a null-terminated value... it is, this answer is false
do that else statement,
    compile the string, output will be: "SELECT * FROM sql_insert WHERE sq_name=''"

replace your if statement with this:

if($sq_search===""||is_null($sq_search)){
    echo "type something";
} else {
    $sql2= "SELECT * FROM sql_insert WHERE sq_name='$sq_search' ";
    $res= mysql_query($sql2, $linkz) or die(mysql_error());
}
iam-decoder
if ((!isset($_POST['searchTF'])) || (empty($_POST['searchTF'])))
{
echo "type something";
} else
{
// run the query as before
}
Duane Lortie