
1) I have the url http://localhost/Mayboo/az/product.php?id=1 and when I change the url to localhost/Mayboo/az/product.php?id=[I write here anything else] it gives an error like this: `Fatal error: Call to a member function fetch_assoc() on a non-object in C:\Users\Javid\Desktop\maybo\az\product.php on line 12`. How can I prevent this kind of error and, if there is no such url, redirect to a 404 page?

2) Also an additional question: when I write localhost/Mayboo/az/product.php?id=1%27 it gives this error: `You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 144`. How can I prevent this also? Here is my code. Thanks beforehand!

```php
<?php include 'inc/header.php'; ?>

<?php
    //create DB Object
    $db = new Database();
?>

<?php
$id = $_GET['id'];

$query = "SELECT * FROM mallar WHERE id = '$id'";
$post = $db->select($query)->fetch_assoc();
?>

<div class="productcolumn col-md-8">
    <?php if($id == $post['id']): ?>
    <h1><?php echo $post['title_az']; ?></h1>
    <div class="productinfo">
        <img src="img/<?php echo $post['img']; ?>">
        <p><?php echo $post['text_az']; ?></p>
    </div>
    <div class="pdf">
        <?php if($post['pdf']): ?>
        <img src="img/pdf.png">
        <a href="doc/<?php echo $post['pdf']; ?>"><p><?php echo $post['pdf']; ?></p></a>
        <?php endif; ?>
    </div>
    <?php else: ?>
    <?php header("Location: 404.html"); ?>
    <?php endif; ?>
</div>
```
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 04 '17 at 19:31
  • What is written in the `select` method? – Agam Banga May 04 '17 at 19:43

1 Answer

You can add the following checks in your code:

  • Check if ID is coming as an integer value
  • Check if there are some rows returned from the database for a given ID

Change

```php
$id = $_GET['id'];
$query = "SELECT * FROM mallar WHERE id = '$id'";
$post = $db->select($query)->fetch_assoc();
```

To:

```php
$id = $_GET['id'];

$error = "";

// check if id is an integer
// ($_GET values are always strings, so is_int() would never be true here;
//  FILTER_VALIDATE_INT validates the string form and converts it to an int)
$id = filter_var($id, FILTER_VALIDATE_INT);

if ($id !== false) {
  $query = "SELECT * FROM mallar WHERE id = '$id'";
  // run the query once and reuse the result
  // (assumes select() returns a mysqli_result, as the fetch_assoc() call in the question suggests)
  $result = $db->select($query);

  // check if there are no records for an invalid ID.
  // (num_rows is a property of mysqli_result, not a method)
  if ($result->num_rows) {
    $post = $result->fetch_assoc();
  }
  else {
    echo "No results found";
    die();
  }
}
else {
  echo "Wrong user ID supplied";
  die();
}
```

P.S: Your code is vulnerable to SQL injection attacks. You should use mysqli or PDO prepared statements with bound parameters as described in this post

Satish Saini
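Putting the answer's two checks together with the prepared statement the comments recommend, here is an added example of a hardened product.php (not the asker's or the answerer's code). It assumes a plain mysqli connection with placeholder credentials and the mysqlnd driver (needed for get_result()); the question's Database wrapper is not used.

```php
<?php
// Added example, not the asker's or answerer's code: a hardened product.php that
// validates id, binds it in a mysqli prepared statement and sends a real 404 before
// any output. Assumes a plain mysqli connection (placeholder credentials) with the
// mysqlnd driver for get_result(); the question's Database wrapper is not used.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// Fetch one row by id, or null when no such row exists. The id is bound as an
// integer parameter, so input such as 1' can never become part of the SQL text.
function findProduct(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title_az, img, text_az, pdf FROM mallar WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// HTML-escape values read from the database before echoing them into the page.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// 1) Accept only a positive integer. $_GET values are strings, so is_int() fails even
//    for ?id=1; FILTER_VALIDATE_INT validates the string form and converts it.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

// 2) Invalid id or no matching row -> 404. This runs before header.php produces any
//    output; a header() call after output fails with "headers already sent".
$post = is_int($id) ? findProduct($mysqli, $id) : null;
if ($post === null) {
    http_response_code(404);
    include '404.html';
    exit;
}
include 'inc/header.php';
?>
<div class="productcolumn col-md-8">
    <h1><?= h($post['title_az']) ?></h1>
    <div class="productinfo">
        <img src="img/<?= h($post['img']) ?>">
        <p><?= h($post['text_az']) ?></p>
    </div>
    <?php if ($post['pdf']): ?>
    <div class="pdf"><a href="doc/<?= h($post['pdf']) ?>"><?= h($post['pdf']) ?></a></div>
    <?php endif; ?>
</div>
```

With this, `?id=1%27` and `?id=abc` both get a 404 rather than a SQL error, and a valid id that matches no row gets the same 404 instead of the `fetch_assoc()` fatal error.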