mysqli_query($con, "SELECT * FROM files WHERE main_subject = " + echo $_GET['msubject']);

The above gives me a parse error. Could you give me suggestions on how I could change it to make it work?

p789887

1 Answer


You have to use . instead of + for the concatenation. Replace your script with this:

mysqli_query($con, "SELECT * FROM files WHERE main_subject = '" . $_GET['msubject'] . "'");
fingerprints
  • I changed it to `mysqli_query($con, "SELECT * FROM files WHERE main_subject = " . echo $_GET['msubject']);` yet it still gives me a parse error. – p789887 Apr 15 '17 at 22:37
  • you don't have to add `echo` – fingerprints Apr 15 '17 at 22:38
  • There are several issues. The `echo` cannot be there - you are not producing output, but rather interpolating a variable into the SQL string. Then, assuming it is a string and not a number, it must be single quoted. See http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql for examples. Most importantly, the variable requires protection from SQL injection. See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php#60496 – Michael Berkowski Apr 15 '17 at 22:39
  • @MichaelBerkowski I understood SQL injection to only be a problem if one is inputting user inputted values into the database. I am only pulling values from the database with user inputs. Would this still be a problem? – p789887 Apr 15 '17 at 22:42
  • @p789887 Yes, it is still problematic. The query could be modified by injection to return unintended rows, or combined with a `UNION` to reveal other tables from your database. For example - `SELECT * FROM files WHERE main_subject = '' UNION SELECT username, password FROM users` could be constructed by passing a value through `$_GET`. Injection vulnerabilities apply to all SQL statements. – Michael Berkowski Apr 16 '17 at 00:29
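
The following is an added example, not code from the question, the answer or the commenters. It places the answer's string-concatenated query next to the same lookup written with a mysqli prepared statement, which is the protection the comments point to. It assumes, as the question does, that `$con` is an already-open mysqli connection and that `files` has a `main_subject` column; the function names `find_files_vulnerable` and `find_files_safe` are hypothetical, and the request value is a constructed sample used when `$_GET['msubject']` is absent.

```php
<?php
// Added example (not from the original post). Assumes $con is an open mysqli
// connection, as in the question, and a `files` table with a `main_subject` column.

// Make mysqli throw on errors instead of returning false that goes unchecked.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE (same shape as the answer): the user-controlled value becomes part
// of the SQL text. A quote in the value closes the string literal and everything
// after it is parsed as SQL, e.g.  ?msubject=' OR '1'='1  returns every row, and
// ?msubject=' UNION SELECT ... --  can read other tables (column count must match).
function find_files_vulnerable(mysqli $con, string $subject): array
{
    $sql = "SELECT * FROM files WHERE main_subject = '" . $subject . "'";
    return mysqli_query($con, $sql)->fetch_all(MYSQLI_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent separately as a
// bound parameter, so the database never parses it as SQL, whatever it contains.
// No quoting or escaping of the value is needed (or wanted) in the query string.
function find_files_safe(mysqli $con, string $subject): array
{
    $stmt = mysqli_prepare($con, "SELECT * FROM files WHERE main_subject = ?");
    mysqli_stmt_bind_param($stmt, 's', $subject); // 's' binds the value as a string
    mysqli_stmt_execute($stmt);
    $rows = mysqli_stmt_get_result($stmt)->fetch_all(MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed sample input: what an attacker would put in the query string.
$input = $_GET['msubject'] ?? "' OR '1'='1";

// The vulnerable version would execute this text, which matches every row:
//   SELECT * FROM files WHERE main_subject = '' OR '1'='1'
echo "Concatenated SQL: SELECT * FROM files WHERE main_subject = '" . $input . "'\n";

// The safe version compares main_subject against the literal 11-character string
// "' OR '1'='1" and returns only rows whose subject really is that string.
$rows = find_files_safe($con, $input);
printf("Prepared statement returned %d row(s)\n", count($rows));
```

The same parameter binding applies to reads as well as writes, which is the point made in the last comment: a SELECT is injectable just like an INSERT, and whether the injected input is stored or merely used to look something up makes no difference to the attacker.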