
I have a little problem with my select query. If I input a string of numbers (int) and a user with that "username" exists, I get a result named $resultw. But if I enter a string with letters (varchar) in the form and a user has this username in my database, it doesn't work and I don't get any (error) message. What could cause that?

my php:

    if (isset($_POST["submit"])) {
        $hostname = 'localhost';
        $user     = 'root';
        $password = '';

        $uinput = $_POST['username'];

        try {
            $dbh = new PDO("mysql:host=$hostname;dbname=game", $user, $password);

            $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line
            $sql = "SELECT id, email, username
                    FROM user
                    WHERE username = $uinput";
            if ($resi = $dbh->query($sql)) { // need to add this line in your code
                // then after fetchColumn
                $resultw = $resi->fetchAll();
            }

            if ($resultw >= 0) {
                //do something

            }
            else {

                echo "The user you are searching for does not exist.\nPlease check your input.";
            }
        }
        catch (PDOException $e) {

            //
        }
    }

Don't know if it's needed, but that's my form:

    <form style="width:100%" data-ajax="false" action="./username.php" method="post">
        <div style="width:100%" class="ui-grid-a">
            <div style="width:75%;padding-left:5%" class="ui-block-a">
                <div>
                    <input data-inline="true" type="text" name="username" id="username"/>
                </div>
            </div>
            <div style="width:20%" class="ui-block-b">
                <div>
                    <input data-inline="true" type="submit" name="submit" value="Go" class="ui-btn"/>
                </div>
            </div>
        </div>
    </form>

my foreach loop:

    <?php foreach ($resultw as $keyres => $rowres): ?>
        <li>
            <a href="ime.php"><?php echo $rowres['username']; ?></a>
        </li>
    <?php endforeach; ?>

Bodoppels
  • You are vulnerable to [SQL injection attacks](http://bobby-tables.com), and you have no quotes around your `$uinput` in your query, meaning you have a syntax error. However, you **SHOULD** be getting an error, since you've enabled exceptions. Your error is the difference between `username=123` and `username=foo`. One is a field-to-integer comparison, the other is a field-to-field comparison, and you almost certainly DON'T have a field named `foo`. – Marc B Nov 23 '15 at 16:29

1 Answer

$sql = "SELECT id, email, username 
FROM user
WHERE username = '$uinput'";

I would advise sanitizing/escaping the $uinput string first, though.

Tony DeStefano
  • Question is: why should they use what you suggested? – Funk Forty Niner Nov 23 '15 at 16:34
  • I'd give the OP some links, http://php.net/manual/en/security.database.sql-injection.php, http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php; and state the issue directly. – chris85 Nov 23 '15 at 16:34
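
The three ways of building this query that the answer and the comments discuss, side by side, as an added example that is not part of the original question or answer. It uses an in-memory SQLite database through PDO (the question's database is MySQL, but quoting and parameter binding behave the same way) with a constructed `user` table; the function names `lookupUnquoted`, `lookupQuoted` and `lookupPrepared` are mine.

```php
<?php
// Added example, not code from the original question or answer.
// SQLite in memory so it runs offline; the original targets MySQL.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for the question's `user` table.
$dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, username TEXT)');
$dbh->exec("INSERT INTO user (email, username) VALUES
    ('a@example.com', 'alice'),
    ('b@example.com', '123')");

// 1. The question's query: the value is interpolated without quotes.
//    '123' works by accident (column compared to an integer literal);
//    'alice' is parsed as a column name and the query fails.
function lookupUnquoted(PDO $dbh, string $uinput): array
{
    $sql = "SELECT id, email, username FROM user WHERE username = $uinput";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The answer's suggestion: add quotes. 'alice' now works, but an input
//    containing a quote character still rewrites the query (SQL injection).
function lookupQuoted(PDO $dbh, string $uinput): array
{
    $sql = "SELECT id, email, username FROM user WHERE username = '$uinput'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The fix: a prepared statement with a bound parameter. The input is sent
//    as data and never parsed as SQL, so digits, letters and quotes are all safe.
function lookupPrepared(PDO $dbh, string $uinput): array
{
    $stmt = $dbh->prepare('SELECT id, email, username FROM user WHERE username = :username');
    $stmt->execute([':username' => $uinput]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the two cases from the question plus a classic injection.
foreach (['123', 'alice', "' OR '1'='1"] as $input) {
    foreach (['lookupUnquoted', 'lookupQuoted', 'lookupPrepared'] as $fn) {
        try {
            $rows = $fn($dbh, $input);
            printf("%-15s %-16s -> %d row(s)\n", $fn, json_encode($input), count($rows));
        } catch (PDOException $e) {
            printf("%-15s %-16s -> error: %s\n", $fn, json_encode($input), $e->getMessage());
        }
    }
}
```

Run it with `php example.php`. The unquoted form matches `123` but fails for `alice` with an error like `no such column: alice`, which is the field-to-field comparison Marc B describes; the quoted form returns one row for `alice` but every user for the input `' OR '1'='1`; the prepared statement returns one row for each real username and none for the injected string. One more check worth making in the original code: `fetchAll()` returns an array, and in PHP an array loosely compared with an integer is always greater, so `$resultw >= 0` is true even for an empty result set; test for "no rows" with `empty($resultw)` instead.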