PHP SQL Injection something wrong

Question

I am trying to use sql injection in order to GET users information from URL to echo their city, state, & country. Basically whatever user i select from dropdown their corresponding city, state and country should be displayed. For some reason i am not able to see any result in the table. I would appreciate any help. I am new to php.

<?php

 echo "<body style='background-color:#DCDCDC'>";

include ("account.php");
( $db = mysql_connect( $hostname, $username, $password ))
    or die ( "unable to connect to MYSQL database" );
mysql_select_db( $project );



$sql= "SELECT * FROM bpi_registration";
     

$query=mysql_query($sql) or die(mysql_error());



function grade()
{
 $query= "select distinct class_name from bpi_classInfo";
 $result=mysql_query($query) or  die(mysql_error());
  
  
 while  ($value = mysql_fetch_array ($result))
 {
 echo "<option value='" . $value['class_name'] . "'>" . $value['class_name'] . "</option>";
 }


}



function school()
{
 $query= "select distinct school_name from bpi_schoolInfo";
 $result=mysql_query($query)or  die(mysql_error());
  
  
 while  ($value = mysql_fetch_array ($result))
 {
  echo "<option value='" . $value['school_name'] . "'>" . $value['school_name'] . "</option>";
 }


}




function team()
{
 $query= "select distinct team_name from bpi_teamProfile";
 $result=mysql_query($query)or  die(mysql_error());
  
  
 while  ($value = mysql_fetch_array ($result))
 {
  echo "<option value='" . $value['team_name'] . "'>" . $value['team_name'] . "</option>";
 }


}



function students()
{
 $query= "select * from bpi_registration";
 $result=mysql_query($query)or  die(mysql_error());
  
  
 while  ($value = mysql_fetch_array ($result))
 {
  echo "<option value='" . $value['first_name'].' '.$value['last_name']. "'>" . $value['first_name'].' '.$value['last_name']. "</option>";
  
 }


}


?>



<form action="retrieve1.php" method="GET">

<select name="Grade">
<option value="" selected="selected">Choose Grade</option>
<?php grade() ?>
</select>

<select name="School">
<option value="" selected="selected">Choose School</option>
<?php school() ?>
</select>

<select name="Team">
<option value="" selected="selected">Choose Team</option>
<?php team() ?>
</select>

<select name="Students">
<option value="" selected="selected">Choose Students</option>
<?php students() ?>
</select>

<input type="submit" value="Find" />
</form>



<table width="600" border="2">  
<tr>  

<th width="198"> <div align="center">Email </div></th>  
<th width="97"> <div align="center">City </div></th>  
<th width="97"> <div align="center">State </div></th>  
<th width="59"> <div align="center">Country </div></th>   

<tr>


<?php
  if (isset($_GET['Students'])) 
{

//echo $_GET['Students'];


$userQuery = "{$sql} WHERE bpi_registration.first_name = :user_id";

$user = $db->prepare($sql);

$user->execute(['user_id'=> $_GET['Students']]);

$selectedUser=$user->fetch(PDO::FETCH_ASSOC);

}

?>


<?php

if(isset($selectedUser))
{
echo $selectedUser['email'];
echo $selectedUser['address_city']; 
echo $selectedUser['address_state']; 
echo $selectedUser['address_country']; 
}
?>

@Fred-ii- does that cause problem ? I am jst following youtube video tutorial to do what i want to do. I would appreciate if you can help me get the outcome. — jon doe, Mar 28 '16 at 01:01
The value of `$_GET['Students']` is `$value['first_name'].' '.$value['last_name']`. When you search your table, you only search `first_name`. That is you error. Also, what @Fred-ii- said. — , Mar 28 '16 at 01:04
@Terminus i see. Since i am new to php may i know how do i combine first_name and last_name ? — jon doe, Mar 28 '16 at 01:06
[I'm a big fan of using google for questions like that](https://www.google.com/search?q=mysql+concat&ie=utf-8&oe=utf-8). [It will usually take you to the docs](http://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_concat) Let Google be your best friend. — , Mar 28 '16 at 01:13
You really shouldn't use different MySQL apis. Find a different tutorial. [Here's a good question/answer that explains SQL injection and has a good tutorial on how to use PDO](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). For your specific issue (ignoring, the mysql_ library usage), you probably want to use the user_id column of your table as the value of the Students' — , Mar 28 '16 at 01:17
@Terminus BTW i tried to remove last_name and test my program it is still not working. What else is preventing the display ? — jon doe, Mar 28 '16 at 01:17
Are you still mixing PDO and mysql_? Start over only using PDO. — , Mar 28 '16 at 01:18
@Terminus $userQuery = "{$sql} WHERE bpi_registration.id = :user_id"; I changed it to id still not getting result. That was a good suggestion. I never thought of using primary key itself. Working on PDO part now — jon doe, Mar 28 '16 at 01:20
Did you also change the while loop in `function students()` to `while ($value = mysql_fetch_array ($result)) { echo ""; }`? And seriously, [ditch the mysql_ library before you get too far in your code writing](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) — , Mar 28 '16 at 01:24
@Terminus I am going to use PDO and post the updated code to see if it works. — jon doe, Mar 28 '16 at 02:08

PHP SQL Injection something wrong

0 Answers0