
:) Okay, let's say the title is ExampleTitle

news.php (doesn't work, so I'll change my title to another):

    $user = new User();
    // title passed as a string: the query built in ShowNews() fails for this
    $news = $user->ShowNews('ExampleTitle');
    echo '<pre>';
    var_dump($news);
    echo '</pre>';

New title: 22 (works)

    $user = new User();
    // title passed as a number: the same query works
    $news = $user->ShowNews(22);
    echo '<pre>';
    var_dump($news);
    echo '</pre>';

ShowNews:

    public function ShowNews($title) {
        // $title is concatenated straight into the SQL text, without quotes
        $get_news = $this->_db->query('SELECT * FROM news WHERE title = ' . $title);
        return $get_news->results();
    }

If the title is a number it works, but if it is a letter or a word it does not work.

  • Fred answered your question below, but is `$title` provided by the user? If so, you should be using prepared statements with bound variables or else your script will be vulnerable to SQL injection attacks. – Mike May 29 '16 at 03:38
  • @Mike $title is taken from the URL (website.com/news/Test-title). I use rewrite, so the title will be "Test title"; I use str_replace to remove the -. – Martin Sholev May 29 '16 at 03:45
  • OK, but the point is that you don't have control over what is in the variable, so therefore your script is vulnerable. See: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Mike May 29 '16 at 03:47
  • @Mike Good point Mike. – Funk Forty Niner May 29 '16 at 03:49
  • @MartinSholev are you using MySQL by any chance, or off an SQL Windows server? – Funk Forty Niner May 29 '16 at 03:50
  • @mike Don't worry, I use it; I just dump the var to see whether everything is okay or not. Also I make a foreach: foreach ($news as $new) { escape($new->title) } – Martin Sholev May 29 '16 at 03:55
  • @Fred-ii- I'm on shared hosting (Linux); that is the query function: http://pastebin.com/XhyVejJW – Martin Sholev May 29 '16 at 03:59
  • @MartinSholev `var_dump` is not going to protect you from SQL injection. – Mike May 29 '16 at 04:01
  • @MartinSholev What I meant was, in the connection. Therefore it seems to be MySQL then if you're running on Linux. – Funk Forty Niner May 29 '16 at 04:01
  • I've a good mind to reopen this question [You Common Snake](http://stackoverflow.com/users/285587/your-common-sense) – Funk Forty Niner May 29 '16 at 04:06
  • @Mike I just use var_dump to see whether it pulls some information at all :) – Martin Sholev May 29 '16 at 04:08
  • If you want to ignore both me and Fred-ii- and *not* fix your script's vulnerabilities, that's totally up to you. In all likelihood your script is probably *not* going to ever get hacked. You're also probably not going to get into a car accident the next time you get in the car, or even in the next year of driving, but not wearing a seatbelt would be foolish. Like seatbelts, bound parameters cost you nothing and they save you from some major headaches... Or even death!!! ... I could be wrong about that last part. – Mike May 29 '16 at 04:19

1 Answer


That's because strings need to be quoted:

    // string values must be inside quotes in the SQL text
    $get_news = $this->_db->query("SELECT * FROM news WHERE title = '$title'");

Don't worry about it either being an integer or a string, the data interpreter will compensate for it.

You can use this for both of the possible instances.

More on string literals if using MySQL. The API used to connect with is unknown.


Edit:

As noted in comments, your code is susceptible to an SQL injection.

Read the following references:

Since the question was tagged as PDO, you can use a prepared statement which runs off Windows server also, should that be the platform you are working under:

Here is another reference link if you are running under a Windows OS:

– Funk Forty Niner
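The three stages the question, the answer and the comments walk through, as an added example that is not the asker's, the answerer's or the pastebin wrapper's code: the unquoted concatenation from the question (fails for words), the quoted form from the answer (works but still injectable) and the prepared statement the comments recommend. It assumes a plain PDO connection to a MySQL table `news` with a `title` column; the `$this->_db` wrapper and its `results()` method from the question are unknown, so PDO is used directly, and the host, database name and credentials are placeholders.

```php
<?php
// Added example, not the question's or answer's code. Assumes PDO + MySQL and a
// table `news` with a `title` column; the question's custom DB wrapper is unknown.
declare(strict_types=1);

final class NewsRepository
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // 1. The question's original form: the value is concatenated without quotes.
    //    "WHERE title = 22" is valid SQL, but "WHERE title = ExampleTitle" is
    //    parsed by MySQL as a comparison against a column named ExampleTitle,
    //    so it fails with an "Unknown column" error for word titles.
    public function showNewsUnquoted(string $title): array
    {
        $sql = 'SELECT * FROM news WHERE title = ' . $title;
        return $this->db->query($sql)->fetchAll(PDO::FETCH_OBJ);
    }

    // 2. The answer's fix: quoting makes word titles work. The value still
    //    becomes part of the SQL text, though, so a title that itself contains
    //    a quote character changes the statement: this is the SQL injection
    //    the comments warn about, and it is why this form should not be used.
    public function showNewsQuoted(string $title): array
    {
        $sql = "SELECT * FROM news WHERE title = '$title'";
        return $this->db->query($sql)->fetchAll(PDO::FETCH_OBJ);
    }

    // 3. What the comments recommend: a prepared statement with a bound value.
    //    The title is sent separately from the SQL text, the driver handles
    //    quoting, and it works the same for 22 and for ExampleTitle.
    public function showNews(string $title): array
    {
        $stmt = $this->db->prepare('SELECT * FROM news WHERE title = :title');
        $stmt->execute([':title' => $title]);
        return $stmt->fetchAll(PDO::FETCH_OBJ);
    }
}

// Placeholder connection details; replace with the real host, db and user.
$db = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]
);

$repo = new NewsRepository($db);

// The title comes from the rewritten URL as in the question
// (website.com/news/Test-title); the hyphen is turned back into a space.
$title = str_replace('-', ' ', $_GET['title'] ?? 'Test-title');

// Escape on output as well, as the asker's foreach does with escape().
foreach ($repo->showNews($title) as $row) {
    echo htmlspecialchars($row->title, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

`showNewsUnquoted()` and `showNewsQuoted()` are kept only to show the two behaviours the thread describes; `showNews()` is the one to call. With `PDO::ATTR_ERRMODE` set to exceptions the "Unknown column" failure of the unquoted form is reported instead of silently returning nothing, which is the situation the asker was diagnosing with `var_dump`.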