0

i have some problem to get data from column with 'USER' value. i place this WHERE USER='$USER' the code can't execute

if (isset($_GET['USER']) &&isset($_GET['SCORE']) &&isset($_GET['VERSUS']) &&isset($_GET['TIMESTAMP']) &&isset($_GET['STATUS'])){
$USER = strip_tags(mysqli_real_escape_string($dblink, $_GET['USER']));//get data from column USER
$SCORE = strip_tags(mysqli_real_escape_string($dblink, $_GET['SCORE']));//get data from column SCORE
$VERSUS = strip_tags(mysqli_real_escape_string($dblink, $_GET['VERSUS']));//get data from column VERSUS
$TIMESTAMP = strip_tags(mysqli_real_escape_string($dblink, $_GET['TIMESTAMP']));//get data from column TIMESTAMP
$STATUS = strip_tags(mysqli_real_escape_string($dblink, $_GET['STATUS']));//get data from column STATUS
$sql = ("SELECT * FROM `record` WHERE USER='$USER';");//choose userdata table from database where column USER
$result = $dblink->query($sql);

$result= $dblink->query("SELECT * FROM `record` WHERE USER='$USER' ORDER BY `record`.`TIMESTAMP` DESC;");

if (mysqli_num_rows($result) > 0) {
while($row=mysqli_fetch_array($result)){
echo $row['USER'] . "|" . $row['VERSUS'] . "|" . $row['STATUS'] . "|";

// close while loop 
}
} else {
    echo "0 results";
}
}

the url for showing the data from mysql

xx.xxx.com/x/xxxx.php?USER=JBROWN
b3253223b33v
  • 27
  • 6
  • *i have some problem*, whats that? – Lawrence Cherone Apr 18 '18 at 21:51
  • Where do you assign `$USER` from `$_GET['USER']` or connect to tha database? whats mysqli_error show? – Lawrence Cherone Apr 18 '18 at 21:53
  • 3
    You should also read up on [How to prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Lawrence Cherone Apr 18 '18 at 21:54
  • You should also be consistent in use of functional or OO interface to mysqli. The library doesn't care, but it's easier for readers. – Barmar Apr 18 '18 at 21:55
  • Yes the user can select what he want and worse exemple xx.xxx.com/x/xxxx.php?USER=JBROWN%20OR%20=%20 that will select the whole user table. use prepare statement instead. – bormat Apr 18 '18 at 21:55
  • This code will never run with that URL because the if statement surrounding the database access requires that all of $_GET['USER'], $_GET['SCORE'], $_GET['VERSUS'], $_GET['TIMESTAMP`'] and $_GET['STATUS'] are set. – Nick Apr 18 '18 at 22:22

0 Answers0