0

The code below works fine everytime (returning null if nothing is found etc.) but when the id is "1" I dont get anything (the echo is blank).

I've tried with id "1" through "10" and "1" is the only one not working. I've tried casting id to INT.

Work: ...getGym.php?id=1

Do not work: ...getGym.php?id=2

<?php

//Getting the requested id
$id = $_GET['id'];

//Importing database
require_once('dbConnect.php');

//Creating sql query with where clause to get an specific gym
$sql = "SELECT * FROM gyms WHERE gymID = '$id'";

//getting result
$r = mysqli_query($con,$sql);

//pushing result to an array
$result = array();
$row = mysqli_fetch_array($r);

array_push($result,array(
        "gymID"       =>$row['gymID'],
        "gymName"     =>$row['gymName'],
        "gymAddress"  =>$row['gymAddress'],
        "visitorsNow" =>$row['visitorsNow'],
));

//displaying in json format
echo json_encode(array('result'=>$result));

mysqli_close($con);

EDIT:

Mysql output:

mysql> SELECT * FROM gymplaneraren.gyms WHERE gymID = 1;
+-------+--------------------------------+-----------------+-------------+
| gymID | gymName                        | gymAddress      | visitorsNow |
+-------+--------------------------------+-----------------+-------------+
|     1 | Friskis & Svettis Lackarebäck  | Bergfotsgatan 1 |          50 |
+-------+--------------------------------+-----------------+-------------+
1 row in set (0.00 sec)

I have, after some suggestions, changed the code to be more secure. It still doesn't return any value for gymID = 1. New code below:

<?php
// Getting the requested id
$id = intval($_GET['id']);

// Importing database
require_once('dbConnect.php');

if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

$query = "SELECT * FROM gymplaneraren.gyms WHERE gymID = ?";

if ($stmt = $con->prepare($query)) {
        $stmt->bind_param("s", $id);
        $stmt->execute();
        $stmt->bind_result($gymID,$gymName,$gymAddress,$visitorsNow);

        while ($stmt->fetch()) {
                $output[]=array($gymID,$gymName,$gymAddress,$visitorsNow);
        }
        echo json_encode($output);
}

mysqli_close($con);
snackhat
  • 1
  • 1
  • 3
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 04 '17 at 14:06
  • Have you checked `gymId => 1` is present in your DB Table? – Nana Partykar May 04 '17 at 14:08
  • @AlexHowansky I'll try it out! This is just att small school project so we haven't though about security that much. – snackhat May 04 '17 at 14:09
  • @nana-partykar gymID 1 is present. – snackhat May 04 '17 at 14:10
  • 3
    why are lectures/educators do not touch security at all this is worrying – Masivuye Cokile May 04 '17 at 14:11
  • @snackhat Great! Now is the time to get into the habit. :) – Alex Howansky May 04 '17 at 14:17
  • Print out the actual SQL you execute, verify the results manually, see where you went wrong. This is basic debugging. Also: You really should get into the habit of using prepared statements - it's not much more work at all (since you're already using mysqli) and will benefit you greatly. At **the very least** it'll put StackOverflow minds at rest and they'll focus on your actual issue ;-) – ccKep May 04 '17 at 14:23
  • Please tell me this is in development. Your code is beyond vulnerable. Sql injection is just the starting point here. A hacker can even attempt to include a file through the URL. If you put this in production, you'll get hacked terribly. You need to fix the multiple security issues here before proceeding with further development – Rotimi May 04 '17 at 14:33
  • This is just a quick test, I will secure it when it works. When I replace the line: `$sql = "SELECT * FROM gyms WHERE gymID = '$id'";` with: `$sql = "SELECT * FROM gyms WHERE gymID = '1'";` I get the same result (blank echo). When I replace the "1" with a "2" I get the correct result. The SELECT works fine when I use it in mysql and MySQL Workbench. – snackhat May 04 '17 at 16:48
  • Work: ...getGym.php?id=1 Do not work: ...getGym.php?id=2 you said this. and from the table we can see only 1 is there. so how will you get record for 2 while it doesnt exist – Exprator May 05 '17 at 07:10
  • @Exprator the mysql select is for id 1, not all. Ids 1 -9 exists in the schema. – snackhat May 05 '17 at 09:39

1 Answers1

-1
$id = trim($_GET['id']);
$sql = "SELECT * FROM gyms WHERE gymID = '$id'";

This will remove any space if exists

goto
  • 7,908
  • 10
  • 48
  • 58
Alex George Puthenpurackal
  • 80
  • 1
  • 11