3

I have PHP / SQL query like this:

return $this->db->query("SELECT * FROM candidates WHERE firstname = ".$searchParams->firstname." AND surname = ".$searchParams->firstname."");

and getting error:

Column not found: 1054 Unknown column 'Dante' in 'where clause'

However, the column Dante is not in the query (it is user input in $searchParams->firstname).

I read on Google that SQL reads things in reverse, so from right to left, and the problem should be in the apostrophes or quotation marks. I tried replacing a lot of things but can't find the right way to fix this.

Can someone advise me what I'm doing wrong?

Saty
Andurit
  • Do you escape your params (I don't even see '' around the values)? ... depending on the type of your SQL connector (mysql/mysqli/pdo) there are different ways to escape the query. – Svetoslav Nov 20 '15 at 08:34
  • Please read up on [How to avoid **SQL-INJECTION**](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Naruto Nov 20 '15 at 08:38
  • `return $this->db->query("SELECT * FROM candidates WHERE firstname = '$searchParams->firstname' AND surname = '$searchParams->firstname'");` – Narendrasingh Sisodia Nov 20 '15 at 08:45
  • Be careful you have a big MySQL injection here. – LolWalid Nov 20 '15 at 09:12

2 Answers

2

Try to include the input into the string as below:

return $this->db->query("SELECT * FROM candidates WHERE firstname = '".$searchParams->firstname."' AND surname = '".$searchParams->firstname."'");

Also, you have passed the same variable for firstname and surname; please check.

AnkiiG
  • Hey, thank you for the answer AG21 :) You are right, I tried to escape this with single quotes, which wasn't really helpful. – Andurit Nov 20 '15 at 08:38
1

You need to put your value in quotes.

return $this->db->query("SELECT * FROM `candidates` WHERE `firstname` = '".$searchParams->firstname."' AND `surname` = '".$searchParams->firstname."'");
Saty
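Both answers fix the 1054 error by quoting the value, but, as the comments under the question point out, the concatenated query is still open to SQL injection. The following is an added example, not code from the question or either answer, that runs all three variants side by side: the unquoted query from the question, the quoted concatenation from the answers, and a PDO prepared statement. It assumes `$this->db` is a PDO connection (the question does not say which connector is used) and uses an in-memory SQLite database with a constructed `candidates` table so it runs offline; the second value is read from `$searchParams->surname` rather than repeating `firstname`, which the first answer flags as a likely bug.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection; the
// in-memory SQLite database and its two rows are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE candidates (id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT)");
$db->exec("INSERT INTO candidates (firstname, surname) VALUES ('Dante', 'Alighieri'), ('Ada', 'Lovelace')");

// Stand-in for the $searchParams object from the question (assumed shape).
$searchParams = (object) ['firstname' => 'Dante', 'surname' => 'Alighieri'];

// 1. The query as posted: no quotes around the values, so the SQL parser treats
//    Dante as an identifier (a column name) and fails exactly as in the question.
try {
    $db->query("SELECT * FROM candidates WHERE firstname = " . $searchParams->firstname
             . " AND surname = " . $searchParams->surname);
} catch (PDOException $e) {
    echo "Unquoted: " . $e->getMessage() . "\n"; // MySQL reports this as error 1054
}

// 2. Quoted concatenation, as in both answers. The error is gone for a normal name...
function searchConcatenated(PDO $db, object $params): array
{
    $sql = "SELECT * FROM candidates WHERE firstname = '" . $params->firstname
         . "' AND surname = '" . $params->surname . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
echo "Quoted, legitimate input: " . count(searchConcatenated($db, $searchParams)) . " row(s)\n";

// ...but a value containing a single quote closes the string literal early and the
//    rest of the input becomes SQL. This payload turns the WHERE clause into
//    firstname = 'x' OR '1'='1' AND surname = 'x' OR '1'='1', which matches every row.
$payload = (object) ['firstname' => "x' OR '1'='1", 'surname' => "x' OR '1'='1"];
echo "Quoted, injected input: " . count(searchConcatenated($db, $payload)) . " row(s)\n";

// 3. Prepared statement: the SQL text is fixed and the values travel separately,
//    so the driver handles quoting and the payload is compared as a plain string.
function searchPrepared(PDO $db, object $params): array
{
    $stmt = $db->prepare("SELECT * FROM candidates WHERE firstname = :firstname AND surname = :surname");
    $stmt->execute([':firstname' => $params->firstname, ':surname' => $params->surname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
echo "Prepared, legitimate input: " . count(searchPrepared($db, $searchParams)) . " row(s)\n";
echo "Prepared, injected input: " . count(searchPrepared($db, $payload)) . " row(s)\n";
```

The same pattern applies to mysqli with `prepare()`/`bind_param()`; the point is that user input is never spliced into the SQL string, so neither the 1054 error nor the injection can occur. Manually escaping with `quote()` or `real_escape_string()` is a weaker fallback, since it must be applied correctly on every value and does nothing for identifiers or numbers.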