0

I have an sql query to fetch data from database in php. I am using the limit to limit data. I need to limit data according to the id in the url.

How can I call the id in the sql query. I have tried the following but it's showing an error:

$response=mysqli_query($con,"select * from prometric ORDER BY RAND() LIMIT echo $_GET['id']; ");

and the error is

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\nurse\prometricajax.php on line 14

Elydasian
  • 2,016
  • 5
  • 23
  • 41
Zubair Nazer Oliyat
  • 172
  • 2
  • 23
  • Server cannot understand the syntax which you think up. Remove `echo` word from the sql query text. And check the text you obtain after `$_GET['id']` value inserting. –  Jun 08 '18 at 06:13
  • i have tried it. its showing mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in – Zubair Nazer Oliyat Jun 08 '18 at 06:13
  • Create final form of SQL text in some variable before calling MySQL (`$sql='select ...'; $response=mysqli_query($con,$sql);`). And show it there. It is to look like `"select * from prometric ORDER BY RAND() LIMIT 123; "` –  Jun 08 '18 at 06:15
  • And keep in mind that LIMIT parameter means the count of records to return, not a value to search in some record's field. –  Jun 08 '18 at 06:19
  • my limit query is working fine but i need to retrieve it from url id – Zubair Nazer Oliyat Jun 08 '18 at 06:20
  • 1
    *i need to retrieve it from url id* I don't understand. Where is the URL you want to extract the `id` value from? In some field of some record from the `prometric` table? Or you already extract it with the `$_GET['id']` expression, and now you need to obtain the record from `prometric` table in which the value of some field is equal to the `id` value you exrtract from URL? –  Jun 08 '18 at 06:40
  • i have added the id in a button in my index page. when the user clicks the button he is redirected to the page where this query is there and its url will contain the id value which i gave in the previous page – Zubair Nazer Oliyat Jun 08 '18 at 06:53
  • Well. You obtain the `id` by `$_GET['id']` expression, and now you want to select the data about this `id` from the `prometric` table, is it? If so, the SQL query is to be like `SELECT * FROM prometric WHERE id = $_GET['id';`. –  Jun 08 '18 at 06:57
  • i want that 'id' in my limits. i use that value to limit the data – Zubair Nazer Oliyat Jun 08 '18 at 08:53

2 Answers2

2

It could be, worse, if you got it 'right' there would be an SQL injection vulnerability in your application.

die('the following appears to work but is unsafe');
$response=mysqli_query($con,"select * from prometric ORDER BY RAND() LIMIT $_GET[id]; ");

I've got die above because noone should use such code ever.

eg: called as 

https://you.example.com/thing.php?id=1%3btruncate+prometric%3bcommit

could delete all the content from the prometric table.

At a bare minimum do this.

$response=mysqli_query($con,"select * from prometric ORDER BY RAND() LIMIT ".(0+$_GET['id']));

the above forces $_GET['id'] to a number by adding 0, this should block all injection attacks, the worst they can do is use a big number and produce an error for number too big, etc.

but probably a better sanitization is called for. Eg: copy $_GET['id'] into a variable, and check that is in an acceptable range before using it in SQL.

Jasen
  • 11,837
  • 2
  • 30
  • 48
2

What you have is very very close. The extra echo in there along with the ; are what is causing you a problem. Try

$response=mysqli_query($con,"select * from prometric ORDER BY RAND() LIMIT " . $_GET['id']);
Dave
  • 5,108
  • 16
  • 30
  • 40
  • also not working. same error even. – Jasen Jun 08 '18 at 12:42
  • If you do a var_dump($_GET) before that statement what does it show? – Dave Jun 08 '18 at 12:43
  • doesn't matter. your code has the same syntax error. "(T_ENCAPSED_AND_WHITESPACE)" errors are about how strings work in PHP, not an SQL error. – Jasen Jun 08 '18 at 12:45
  • Thanks @Jasen ... to the original poster, heed the answer from Jasen about SQL injection. That's a much bigger concern. – Dave Jun 08 '18 at 12:48