-5

I would like to use a GET variable from the URL and use it in a MySQL select statement as an id, then echo the results out on the page. I was able to echo out the $_GET variable by itself, but I am not able to use it as a variable in a query. Why is the code below not working?

<?php
require_once(dirname(__FILE__) . '/core/config.php');
include_once "shared/ez_sql_core.php";
include_once "ez_sql_mysqli.php";
$db = new ezSQL_mysqli(DB_USER,DB_PASSWORD,DB_USER,'localhost');

$client = (int)mysqli_real_escape_string($_GET['client']);

$results = $db->get_results("SELECT * FROM clients WHERE id=" . $client.  ";");

foreach ( $results as $data ){ 
    echo $data->name; 
}

?>
Your Common Sense
user3741085
  • Why are you using (int)? And add $db --- ($db, $_GET['client']) – FullStack Sep 05 '16 at 08:34
    @dass because (int) is the only meaningful operator here, while mysqli_real_escape_string is useless – Your Common Sense Sep 05 '16 at 08:38
  • If you want to fetch a value from the URL then you can use `$_REQUEST`. – Virb Sep 05 '16 at 08:40
  • I would check your database connection `ezSQL_mysqli(DB_USER,DB_PASSWORD,DB_USER,'localhost');` This line looks like total nonsense – RiggsFolly Sep 05 '16 at 08:40
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Sep 05 '16 at 08:41
  • You're using DB_USER twice, once for the username and once for the database name. Is it done on purpose? – vincenth Sep 05 '16 at 08:42

1 Answer

3

You are using that ezSQL thing the wrong way.

Here is how it has to be used:

$client = $db->escape($_GET['client']);
$results = $db->get_results("SELECT * FROM clients WHERE id='$client'");

However, I'd strongly recommend getting rid of this ridiculously insecure solution and using PDO instead:

// $pdo is an already-opened PDO connection
$results = $pdo->prepare("SELECT * FROM clients WHERE id=?");
$results->execute([$_GET['client']]);
// PDO returns arrays by default; ask for objects so $data->name works
$results->setFetchMode(PDO::FETCH_OBJ);
foreach ( $results as $data ){ 
    echo $data->name; 
}
Your Common Sense
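The following is an added example, not code from the asker or the answerer. It shows the same lookup (a `clients` table with `id` and `name`, as in the question) done the way the answer and the comments recommend: the `client` parameter is validated as an integer before it goes anywhere near SQL, the value is bound through a PDO prepared statement instead of being concatenated or escaped into the query string, and the result is HTML-escaped on output. It uses an in-memory SQLite database with constructed rows so it runs offline from the PHP CLI; the DSN, the sample rows and the simulated inputs are assumptions, and in a real page you would replace the `$inputs` loop with `$_GET['client'] ?? null`.

```php
<?php
// Added example (not the asker's or answerer's code): a "client id from the URL"
// lookup with input validation and a PDO prepared statement.
// SQLite is used here only so the script runs offline; for MySQL use a DSN such as
// "mysql:host=localhost;dbname=...;charset=utf8mb4" (assumed, not from the page).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);

// Constructed sample data standing in for the real `clients` table.
// The second name contains markup on purpose, to show output escaping.
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO clients (id, name) VALUES (?, ?)');
foreach ([[1, 'Acme Ltd'], [2, 'Globex <b>Corp</b>'], [3, 'Initech']] as $row) {
    $seed->execute($row);
}

/**
 * Returns the client row for $rawId, or null if the id is invalid or unknown.
 * $rawId is the untrusted value from the query string (string, null, or even an
 * array if the URL contained client[]=...). It is validated as a positive integer
 * first, and then bound as a parameter, so it never becomes part of the SQL text.
 */
function findClient(PDO $pdo, $rawId): ?object
{
    // FILTER_VALIDATE_INT returns false for anything that is not a plain integer:
    // "1 OR 1=1", "1abc", "", null, and arrays are all rejected here.
    // min_range => 1 is an assumption that ids start at 1.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    $stmt = $pdo->prepare('SELECT id, name FROM clients WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();          // stdClass because of ATTR_DEFAULT_FETCH_MODE
    return $row === false ? null : $row;
}

// Simulated requests; in a real page this would be $_GET['client'] ?? null.
$inputs = ['2', '1 OR 1=1', 'abc', '99', null];
foreach ($inputs as $input) {
    $client = findClient($pdo, $input);
    $shown  = var_export($input, true);
    if ($client === null) {
        // Invalid or unknown id: respond with a generic message, not the raw input.
        echo "client={$shown}: not found\n";
        continue;
    }
    // Escape on output so a name stored in the database cannot inject HTML.
    echo "client={$shown}: " . htmlspecialchars($client->name, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Run it with `php example.php`: only `'2'` produces a row (printed as `Globex &lt;b&gt;Corp&lt;/b&gt;`), `'99'` is a valid id with no matching row, and the other inputs are rejected by `filter_var` before any query is built. The two layers are deliberate: validation keeps junk out of the application logic, and the bound parameter keeps the database from ever parsing user input as SQL, which is what `mysqli_real_escape_string` (even when called correctly, with the connection as its first argument) cannot guarantee on its own.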