-1

I've just built a website to add Music Albums for sale. I've created a page where I can display all of the albums posted on a specific day using a URL ( add/2016-12-15 ). The problem is that it isn't quite working correctly on the live version. Here is my code:

<?php
if(isset($_GET["date"])){$date = $_GET["date"];}else{
header("Location: $site_url");
exit();
};
?>
<?php
$count_albums_sql = "SELECT id FROM albums WHERE Date(added) = '$date'";
$count_albums_res = mysqli_query($con, $count_albums_sql);
$num_init_albums = mysqli_num_rows($count_albums_res);
//If None, Then Exit
if($num_init_albums == 0){
header("Location: $site_url");
exit();
}
$albums_sql = "SELECT albums.id, albums.added, albums.band, albums.title, albums.genre, albums.format, albums.released, albums.label, albums.link, bands.name FROM albums LEFT JOIN bands ON albums.band = bands.id WHERE Date(albums.added) = '$date'";
$albums_res = mysqli_query($con, $albums_sql);
...

When I visit the URL I'm not being redirected back to the homepage ($site_url), so it must be picking up the correct information from the URL, but it's not showing the results. Does anyone see any problems or know why this isn't working properly?

W D
  • 105
  • 3
  • 9
  • First of all, please use the [PDO extension](http://php.net/manual/ru/pdostatement.execute.php). You have a [mysql injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) in your code when you put raw user input in sql query. Than check result in $num_init_albums. Use something like `var_dump($num_init_albums); die();` to be sure that you have response from sql. Next check that php error display is on or check your server logs. Your script can crash silently if error display is off. – marv255 Dec 15 '16 at 15:44
  • How would an SQL injection affect my site? I'm selecting from a database, not inputting? I ask because I really don't know much about the subject of Injections – W D Dec 15 '16 at 15:47
  • 1
    [Here is](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work/332367#332367) a good examle. I can be wrong in my example (version of php and mysql has meaning a lot). We still can open url like `/?date='; DROP TABLE users; --` or even `/'; DROP TABLE users; --/` and it will be harmfull. – marv255 Dec 15 '16 at 15:53
  • So what's the solution for non PDO PHP? I'm used to working in this way and don't really want to change the way I script things now, as this is just my small business website and don't really have plans to do many other major projects – W D Dec 16 '16 at 10:36
  • @marv255 - I use `$category = mysqli_real_escape_string($con, $_POST['category']);` in the PHP file I use to add the articles/content to my webpages, which is supposed to prevent Injections? – W D Dec 16 '16 at 10:39
  • Yes you can use `mysqli_real_escape_string`. In this case is more suitable something like `$time = strtotime($date); if ($time === false) die('unreadable format'); $date = date('Y-m-d H:i:s', $time);` to make sure that you have a date and date in needed format. – marv255 Dec 16 '16 at 10:51
  • Thanks @marv255. I'm actually passing lots of information via URL's for most pages, i.e. `.com/page/band-name/album-name/id` - Does this mean I'd need to do a `mysqli_real_escape_string` after I `$_GET` eack one of these variables in every page I use them on? – W D Dec 16 '16 at 10:59
  • You **must** check all data that comes from user. There are a lot of abstractions that automize this process. PDO e.g. Active record or ORM layer in every framework. Even if you want just to send an email with data that came from user input you **must check and filter** this data. – marv255 Dec 19 '16 at 05:06

2 Answers2

1

Your $date is empty, when you do your sql.

if(isset($_GET["date"])){$date = $_GET["date"];}else{
    header("Location: $site_url");
    exit();
};

$date = $mysqli->real_escape_string($_GET['date']);
$count_albums_sql = "SELECT id FROM albums WHERE Date(added) = '$date'";

That is the most simple way to do it and will not open you completly to sql injections. But you should definitly check that $date is a valid date before putting it into the query.

Seb
  • 1,521
  • 1
  • 12
  • 19
-1

I think you are sending by url incorrectly.

You must write something like this: add/?date=2016-12-15

I understand you are using something like this: add/2016-12-15

migueref
  • 302
  • 1
  • 7
  • I have a htaccess file which allows the url I'm using to be written this way – W D Dec 15 '16 at 15:42
  • Are you sure that your htacess file is working? Try display your get variable before to be sure that your variable is not empty or null. – migueref Dec 15 '16 at 16:38