0

I have an SQL string into which I want to echo a value from a form, in order to DROP a table. Currently I am using the following string:

$sql4 = "DROP TABLE gs.gs_object_data_<? echo $rows['$imei']; ?>";

This is not echoing the IMEI that I have drawn from a $_POST on the previous page.

I have also tried the following strings to no avail.

$sql4 = "DROP TABLE gs.gs_object_data_'%$imei%'";

$sql4 = "DROP TABLE gs.gs_object_data_'".$imei."'";

gs_object_data is a constant in all tables; just the IMEI differs.

I need a result such as gs_object_data_111111; the IMEI on the previous page will be 111111.

Any suggestions will be appreciated.

Trevor Ackermann

3 Answers

0

This would work:

$sql4 = "DROP TABLE gs.gs_object_data_{$rows['imei']};";
  • I am getting the following error: Unknown table 'gs.gs_object_data_'. It is still not bringing in the IMEI number. – Trevor Ackermann Jan 20 '19 at 08:21
  • There was a mistake in my answer, and I corrected it. It should be 'imei' and not '$imei'. If this doesn't work, would you mind posting the code where the database connection is made, so that it'll be easier to debug? – Madhusanka Goonathilake Jan 20 '19 at 08:32
  • I found that this works now: $sql4 = "DROP TABLE gs.gs_object_data_$imei"; It also drops the table requested. – Trevor Ackermann Jan 20 '19 at 08:39
0

It appears that you are wanting to use a POST request variable - is that so? You might find that sprintf is useful when creating strings like this - you supply placeholders within a simple string and then assign a variable to them later ~ saves issues with escaping quotes generally.

The following tests that the POST variable imei is available and creates the sql if it is - otherwise sets the $sql variable as false ( the false can be used in logic tests later )

$sql = !empty( $_POST['imei'] ) ? sprintf( 'drop table `gs`.`gs_object_data_%s`;', $_POST['imei'] ) : false;
if( $sql ){
    /* do something with sql */
}
Professor Abronsius
0

I have found that the following code worked

$sql4 = "DROP TABLE gs.gs_object_data_$imei";

imei is already set as a variable in the POST from the previous page

Trevor Ackermann
  • 2
    This seems quite vulnerable to SQL injections. You should first whitelist the valid `$imei` values if you're not doing it already. – Jeto Jan 20 '19 at 09:13
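
One way to apply the whitelisting suggested in the last comment, as an added example that is not code from any of the answers: table names cannot be bound as prepared-statement parameters, so the IMEI is checked against a digits-only pattern and the resulting table is confirmed to exist before the DROP is built. The function names, the PDO connection, PHP 8 and the 1 to 15 digit bound are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8+, a PDO connection to
// MySQL, and that valid IMEIs are digit-only strings (length bound is assumed).

/**
 * Return the table name for an IMEI, or null if the value is not digits-only.
 * Identifiers cannot be bound as parameters, so the value must be validated
 * before it is concatenated into the table name.
 */
function imeiTableName(mixed $imei): ?string
{
    // $_POST values may be arrays; \A...\z also rejects a trailing newline.
    if (!is_string($imei) || preg_match('/\A[0-9]{1,15}\z/', $imei) !== 1) {
        return null;
    }
    return 'gs_object_data_' . $imei;
}

/** Drop the per-IMEI table only if the value validates and the table exists. */
function dropImeiTable(PDO $pdo, mixed $imei): bool
{
    $table = imeiTableName($imei);
    if ($table === null) {
        return false;
    }
    // Second check: the table must exist in schema `gs` (values are bound here).
    $stmt = $pdo->prepare(
        'SELECT 1 FROM information_schema.tables
          WHERE table_schema = ? AND table_name = ?'
    );
    $stmt->execute(['gs', $table]);
    if ($stmt->fetchColumn() === false) {
        return false;
    }
    // $table now contains only the fixed prefix plus digits.
    $pdo->exec("DROP TABLE `gs`.`{$table}`");
    return true;
}

// Constructed sample inputs: only the first one yields a table name.
foreach (['111111', '111111`', "111111\n", '', ['x']] as $input) {
    var_dump(imeiTableName($input));
}
```

In the page that handles the form, the call would be `dropImeiTable($pdo, $_POST['imei'] ?? null)`, with a `false` return treated as a rejected request.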