Not able to detect sql syntax mistake

Question

I using PHP and MYSQL

i try catch fail to catch mysql syntax error, sql like below

SELECT * FROM lsht_admin WHERE AIC = '12345'' AND APAS ='abc' AND RST = 1

I purposely enter 12345', with a single apostrophe at the back. My code as below

try{

    $sql = "SELECT * FROM lsht_admin WHERE AIC = '12345'' AND APAS = 'abc' AND RST = 1";  
    $run = mysql_query($sql);

    if( $run === false ){
       throw new Exception("404|$errMsg|$syRDT");
    }else{
       //continue
    }

}catch(Exception $e){
   //redirect to error page
}

It not able to catch the error and goto error page, it and just show me the error below

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '','2019-01-17 18:17:20')' at line 1

SOS:

1) How to catch the syntax error

2) Or any better way to write it

Thanks

Full Code Below

<?php
session_start();
include "../inc/ondb.php";
include "../inc/func.php";
include "../inc/datetime.php";

//foreach ($_POST as $K => $S) { echo "<br/>$K : $S"; } 
$btn = ( (isset($_POST["BTN"])&&($_POST!=""))?$_POST["BTN"]:"");
$btn = ($btn==""?$_GET["BTN"]:$btn);
$goto="Location: ../index.php?err=0";


switch ($btn){
    case "index_Submit":


        try{
            $AIC = $_POST["AIC"]; $APAS = $_POST["APAS"];

            $sql = "SELECT * FROM lsht_admin WHERE AIC = '$AIC' AND APAS = '$APAS' AND RST = 1"; //echo $sql;
            $run = mysql_query($sql);

            if( $run === false ){ 
                $errMsg = "身份证/密码可能存在乱码，无法进入系统!";
                $HID = logHis("4018","$errMsg",$_POST["AIC"],$syRDT);
                throw new Exception("4018.$HID|$errMsg|$syRDT"); 
                echo "asdfadsf";
            }else{
                $HID = logHis("1001",$_POST["AIC"]."成功进入系统",$_POST["AIC"],$syRDT);
                $rs = mysql_query($sql)or die(mysql_error());
                while($row = mysql_fetch_assoc($run)){
                    $_SESSION["ARR"] = $row; 
                    mysql_query("update lsht_admin set RDT = '$syRDT' WHERE AID = $row[AID]")or die(mysql_error());

                    switch($row["ATYP"]){
                        case 0: $goto="Location: ../blank.php"; break;
                        case 1: 
                            $sql = "SELECT PAIC FROM lsht_admin WHERE ATYP=2 GROUP BY PAIC"; 
                            $rw = mysql_query($sql);
                            $nr = mysql_num_rows($rw);

                            if($nr==1){
                                $goto="Location: ../admin.php"; 
                            }else{
                                $goto="Location: ../index.php?err=1";
                            }
                            break;
                        case 2: $goto="Location: ../president.php"; break;
                        default : $goto="Location: ../blank.php"; break;
                    }
                }
            }
        }catch(Exception $e){
            $goto="Location: ../index.php?err=0";       
        }
        break;
}

include "../inc/offdb.php"; 
header($goto);
?>

output screen:

function logHis($errCod,$errMsg,$AIC,$syRDT){
    $HID = getNID("lsht_history","HID");
    $sql = "INSERT INTO lsht_history (HID,HACT,HDESC,AIC,RDT) VALUES ($HID,'$HID.$errCod','$errMsg',$AIC,'$syRDT')";
    mysql_query($sql) or die(mysql_error());
    return $HID;
}

Why are you using the long-deprecated `mysql_` code library? It was discontinued many years ago and removed entirely in PHP7. No new code should be written using this library. It leaves you vulnerable to SQL injection attacks (due to the lack of parameterised query support) and potentially other unpatched vulnerabilities. Switch to using `mysqli` or `PDO` as soon as possible, and then learn how to write parameterised queries to protect your data from malicious input. See http://bobby-tables.com for a simple explanation of the risks and some sample PHP code to write queries safely. — ADyson, Jan 17 '19 at 10:26
Use `mysqli` and turn on exception mode: https://stackoverflow.com/a/45950465/1346234 — Justinas, Jan 17 '19 at 10:28
**GUYS** Read question. It's **Intentional error**, OP does not asks *what's wrong with query*, but *how to catch it* — Justinas, Jan 17 '19 at 10:30
hi guys and thanks guys, **YES** i purposely to put the single quote there to make it fail and try to catch it, but fail to catch. **@ADyson** i'm not a FULL Time programmer, i just learn bit by bit myself. i will try to learn the mysqli asap. — user1493339, Jan 17 '19 at 10:38
But then again. The error is caught, in the form of checking the result, and then it is thrown as an exception. It's the exception that seems to result in this outcome, and the question doesn't seem to be at all about mysql. OP throws an (any) exception, tries to catch the exception, which failed (or the redirect failed), but failed to show the actual code of that exception handling. The whole MySQL stuff is just noise. — GolezTrol, Jan 17 '19 at 10:38
@GolezTrol depends. For query such as `SELECT * FROM t WHERE foo = 'yes' AND bar = 'user input'` I would only parameterize "bar". — Salman A, Jan 17 '19 at 10:38
hi guys and thanks guys, once again, i having hard time to understand what you guys reply due to my poor english, and because of my english standard poor, sometime i also very hard to understand those tutorial/explanation from the web. i learn code is by "copy paste and run it" — user1493339, Jan 17 '19 at 10:43
@user1493339 the idea should work. But you did not post the code for redirect. If you're using `header("Location: ")` to redirect then I believe you should be getting a "Cannot send headers, headers already sent" which explains why redirect failed. — Salman A, Jan 17 '19 at 10:49
@user1493339 please show us the proper contents of `}catch(Exception $e){ //redirect to error page }` (instead of just the comment). You are asking about a problem with handling the error, but did not show us what code you use currently when trying to handle it and then redirect. — ADyson, Jan 17 '19 at 11:16
@user1493339 P.S. _"I am not a full time programmer"_ That's fine...but neither was I when I started using PHP, and it didn't prevent me from noticing the [large red warning in the manual](http://php.net/manual/en/function.mysql-query.php) telling me not to use the mysql_query function :-). Even if you were not aware of all the reasons why you shouldn't use it, you should at least be able to know that it's obsolete. — ADyson, Jan 17 '19 at 11:18
Guys thanks again, i just added my full code. **Everything is fine, if user input collect**. So as i say i purposely input **AID**: **usernumber'** or **user'number**, then it will fail — user1493339, Jan 18 '19 at 01:43
@DeepakKeynes no, i have not try mysqli first coz i hope to finish everything first with my old way(what i know first) then only will go learn mysqli and change it to mysqli — user1493339, Jan 18 '19 at 01:48

Not able to detect sql syntax mistake

0 Answers0