
I am writing a very simple REST service using a single get method in PHP. I am very new to PHP but am finding it a great framework whilst trying to understand all of the functions.

My API was working well & returning data as a JSON array very quickly but before I push it live, I was worried about SQL injections taking place & from reading online found a fairly quick method of preventing these could be to add a SQL prepare for the DB to parse the query & variables separately. My variable within the get request is an SHA512 hashed string & the API is running within a HTTPS environment also.

The piece I am struggling with is as per below:

```php
<?php
// $link (the mysqli connection) comes from an included file and $e (the SHA-512
// hash parsed from the request URL) is assigned earlier in the page; neither is shown here.
$method = $_SERVER['REQUEST_METHOD'];

if ($method === 'GET') {   // comparison (===), not assignment (=)
    $stmt = mysqli_prepare($link, "SELECT blah, blah FROM people WHERE hashed = ? AND blah <> ''");
    if ($stmt === false) {
        http_response_code(500);
        die(mysqli_error($link));
    }

    // binding SQL parameters: the hash is bound as a string, never concatenated into the query
    mysqli_stmt_bind_param($stmt, 's', $e);

    // execute SQL statement
    mysqli_stmt_execute($stmt);

    // get results (mysqli_stmt_get_result needs the mysqlnd driver, which MAMP ships)
    $result = mysqli_stmt_get_result($stmt);

    // debug: variable check & SQL results row count
    echo $e;
    echo mysqli_num_rows($result);
} else {
    // set 405 status if wrong method is used; $result is not a result set here
    http_response_code(405);
}
```

I know that my variables for $link are working as expected as they were working previously to pull in a connection string from an included separate file.

At present the debug echo of $e is returning the variable as expected but the rowcount is 0.

If I run the query in SQL server, the query returns results as expected. I'm using MAMP (not pro) so am unsure of a SQL profiler as well. I think my issue is with parameter binding somewhere.

Thanks in advance

AshBash
  • `if ($method = 'GET')` you're assigning here, rather than comparing `if ($method == 'GET')` - check your logs also. – Funk Forty Niner May 02 '17 at 10:22
  • use `error_reporting(E_ALL); ini_set('display_errors', 1);` on top of your pages and PHP will let you know if something goes wrong... and make sure `$e` is defined too – OldPadawan May 02 '17 at 10:23
  • ...I was just going to mention that; where `$e` is assigned; it's not included in the post. If all that this was using the wrong operator, there's a duplicate for this. http://stackoverflow.com/questions/2063480/the-3-different-equals – Funk Forty Niner May 02 '17 at 10:23
  • thanks all, $e is defined earlier within my page whilst I parse the URL and split the variables before using them in the query. I'll try the syntax changes and add the reporting line to help debug. Thanks for your help thus far. I'll feedback further. – AshBash May 02 '17 at 10:32
  • looks like it's something to do with the section under the comment for //get results. It is failing at the next step because of no variable existing which uses: `if (!$result) { http_response_code(500); die(mysqli_error()); }` – AshBash May 02 '17 at 10:36
  • well, we can't see that code, so how about sharing the bit that's causing the problem? – ADyson May 02 '17 at 11:07
  • I have updated the post with all of the code now. Hopefully that helps? – AshBash May 02 '17 at 12:18
  • `$result;` does not appear to be defined anywhere. You need to assign it a value (presumably, the result of your query?). – ADyson May 02 '17 at 15:40
  • the `$t` in the query is a real security issue since taken from `PATH_INFO`. It should be checked as a valid tablename. – Deadooshka May 02 '17 at 17:04
  • Updated the main post to where I think the issue now lies. – AshBash May 03 '17 at 10:29
  • It seems you should use [`mysqli_stmt_num_rows()`](http://php.net/manual/en/mysqli-stmt.num-rows.php). That's a confusion. – Deadooshka May 03 '17 at 11:04
  • Thanks @Deadooshka. I have amended that using the $stmt var within the function but still seem to be getting 0 rows. So frustrating as it feels like this is close now. – AshBash May 03 '17 at 11:15
  • The manual says, that without prior calling a [`mysqli_stmt_store_result()`](http://php.net/manual/en/mysqli-stmt.store-result.php) it will not work correctly. – Deadooshka May 03 '17 at 11:33
  • @Deadooshka thanks, I had added that previously but no joy. I guess this would need to be added before trying to set the $results variable otherwise the object would be empty? Sorry for the noob questions. This is one of those points I've been trying to sort for the past day so I'm probably missing something obvious. – AshBash May 03 '17 at 11:47
  • I see this logic: `mysqli_stmt_execute($stmt)`, `mysqli_stmt_store_result($stmt)`, `$num_rows = mysqli_stmt_num_rows($stmt)`, `$result = mysqli_stmt_get_result($stmt)`, `mysqli_stmt_free_result($stmt)`, `mysqli_stmt_close($stmt)` and `mysqli_close($link)`. – Deadooshka May 03 '17 at 12:09
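The comments raise three separate points: the `=` versus `==` mix-up in the method check, the table name `$t` taken from `PATH_INFO` (an identifier cannot be bound with `?`, so it has to be allowlisted), and the row-count confusion between `mysqli_stmt_get_result()` and `mysqli_stmt_store_result()`. The following is an added example, not the asker's code or an answer from the thread, that puts all three together in one hardened GET handler. It assumes `$link` is a mysqli connection opened in an included file, that the table name and the SHA-512 hash arrive as the first and second `PATH_INFO` segments, and that the table and column names are placeholders.

```php
<?php
// Added example (not from the question): hardened GET handler.
// Assumes $link (mysqli) is created in an included file, as in the question.

// 1. Identifiers (table names) cannot be bound as '?' parameters, so a table
//    name taken from PATH_INFO must match a fixed allowlist (placeholder names).
const ALLOWED_TABLES = ['people', 'accounts'];

function parse_path(string $pathInfo): array
{
    // "/people/<hash>" -> ['people', '<hash>']; missing segments become ''
    $parts = array_values(array_filter(explode('/', $pathInfo), 'strlen'));
    return [$parts[0] ?? '', $parts[1] ?? ''];
}

function valid_table(string $t): bool
{
    return in_array($t, ALLOWED_TABLES, true);
}

// 2. A hex SHA-512 digest is exactly 128 hex characters; reject anything else
//    before the database is touched.
function valid_sha512_hex(string $e): bool
{
    return preg_match('/^[0-9a-f]{128}$/i', $e) === 1;
}

function lookup_by_hash(mysqli $link, string $t, string $e): array
{
    // $t has passed the allowlist; the hash is a bound parameter, never concatenated
    $sql = sprintf("SELECT blah, blah2 FROM `%s` WHERE hashed = ? AND blah <> ''", $t);
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $e);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // 3. Pick ONE result path per statement: get_result() + mysqli_num_rows()
    //    (needs mysqlnd), or store_result() + mysqli_stmt_num_rows(). Do not mix them.
    $result = mysqli_stmt_get_result($stmt);
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_free_result($result);
    mysqli_stmt_close($stmt);
    return $rows;   // count($rows) is the row count the question was echoing
}

if ($_SERVER['REQUEST_METHOD'] !== 'GET') {   // === compares; a single = would assign
    http_response_code(405);
    exit;
}

[$t, $e] = parse_path($_SERVER['PATH_INFO'] ?? '');
if (!valid_table($t) || !valid_sha512_hex($e)) {
    http_response_code(400);   // bad table or malformed hash: no query is run
    exit;
}

try {
    $rows = lookup_by_hash($link, $t, $e);
} catch (RuntimeException $ex) {
    error_log($ex->getMessage());   // keep driver error text in the server log, not the response
    http_response_code(500);
    exit;
}

header('Content-Type: application/json');
echo json_encode($rows);
```

The allowlist check is what actually closes the `$t` hole: a prepared statement protects bound values only, so the query text itself must never be built from an unchecked request segment. Validating the hash format up front also means a zero-row result can only come from the data, not from a malformed input, which narrows the debugging the thread was doing.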

0 Answers