
Hi guys, I'm sure I'm missing something, but I can't figure out why this is not working! So I have a table and some data, and I'm trying to get the image column, but for some reason it's not working.

This is what I'm getting (empty url):

<div class="forma_reservas_datos_imagen imgPack" style="background-image:url()"></div>

PHP

<?php

global $wpdb;

$tablePacks = 'packs';

$res =  "SELECT * FROM ".$tablePacks." where nom_pack_get = '".$_GET["pack"]."'";

$packImg = $wpdb->get_results($res, ARRAY_A);

if(count($packImg) == 1){
    ?>
    <div class="forma_reservas_datos_imagen imgPack" style="background-image:url(<?php echo $packImg->imatge_url; ?>)"></div>
<?php

}

?>
JJCarlk3
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 10 '17 at 19:39
  • Thanks I don't know much about PDO tho so I'm gonna implement it sometime in the future when the website is all setup and working – JJCarlk3 Nov 10 '17 at 19:53
  • Don't do that. Learn PDO, it's easy. Otherwise, you'll be learning how to restore your compromised website from backup. – Alex Howansky Nov 10 '17 at 19:54
  • @JJCarlk3, try var_dump($packImg); first, and check what is inside. And if you still insist on not using PDO, then at least please sanitise your GET['pack'] variable, in any way; – pomaxa Nov 10 '17 at 20:03
  • Added language formatting – Brandon Minnick Nov 10 '17 at 21:43
  • Thank you guys you're absolutely right! – JJCarlk3 Nov 11 '17 at 10:47

1 Answer

$packImg will be an array of associative arrays, not an object, so you should use it as $packImg[0]["imatge_url"].

As others have pointed out in the comments, watch out for SQL injections. Use wpdb's prepare method:

$res = $wpdb->prepare("SELECT * FROM ".$tablePacks." where nom_pack_get = %s", $_GET["pack"]);

prepare will return SQL that is safe to send to the database (and you don't have to type '" . $myvar . "' all the time; it really helps a lot and makes your code secure at the same time).

janh
  • Thank you, I'm gonna try that and will let you know if it works. And you guys are probably right, I gotta learn PDO and SQL injections.. It's just that I thought, such a normal small business like mine, why would anyone want to hack it? But yeah, I guess it could happen to anyone. – JJCarlk3 Nov 11 '17 at 10:34
  • Glad that it works. And regarding the SQL injections: it's probably not that you will be targeted specifically. But there are bots that just mass check websites, and will manipulate variables passed via query string, and report their findings to their owners. Think of them like somebody just checking whether your door is locked, not trying to unlock it, and then deciding whether breaking into your house is worth it. – janh Nov 11 '17 at 10:53
  • That makes sense, I'm going to keep this in mind from now on and will replace all my wpdb queries with these prepare statements, thanks a lot man! – JJCarlk3 Nov 11 '17 at 11:16
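The question's snippet with the answer's two fixes applied (prepare() with a %s placeholder, and indexing the first row of the ARRAY_A result), as an added example that is not code from the question, the answer, or WordPress itself. It assumes the same 'packs' table, nom_pack_get and imatge_url columns, and adds esc_url() on output, which the thread does not mention.

```php
<?php
// Added example: the asker's code rewritten with the two fixes from the answer.
// Assumes it runs inside WordPress (global $wpdb and esc_url() available) and
// that the table is still called 'packs' with a column 'imatge_url'.

function get_pack_image_url( wpdb $wpdb, string $pack ): ?string {
    $tablePacks = 'packs';

    // Fix 1 (SQL injection): never concatenate $_GET into the query string.
    // prepare() quotes and escapes the %s value. The table name is a constant
    // we control, so concatenating it is fine; it cannot be a %s placeholder.
    $sql = $wpdb->prepare(
        "SELECT imatge_url FROM {$tablePacks} WHERE nom_pack_get = %s",
        $pack
    );

    // get_results() with ARRAY_A returns a list of rows, each an associative
    // array, so the first row is $rows[0], not $rows->column.
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    if ( count( $rows ) !== 1 ) {
        return null; // no match (or more than one): render nothing
    }

    // Fix 2 (wrong access): index the row array instead of using object syntax.
    return $rows[0]['imatge_url'];
}

function render_pack_image( wpdb $wpdb, string $pack ): string {
    $url = get_pack_image_url( $wpdb, $pack );
    if ( $url === null ) {
        return '';
    }
    // The value comes from the database, so escape it for the attribute
    // context before echoing; esc_url() is a WordPress core function.
    return '<div class="forma_reservas_datos_imagen imgPack" style="background-image:url('
        . esc_url( $url ) . ')"></div>';
}

global $wpdb;
// A missing or non-string ?pack= parameter becomes an empty string, which
// simply matches no row, rather than a null passed into the query.
$pack = ( isset( $_GET['pack'] ) && is_string( $_GET['pack'] ) ) ? $_GET['pack'] : '';
echo render_pack_image( $wpdb, $pack );
```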