-1

I want to use the registration number of a student who has logged in to the system to enable him/her to view his/her clearance request process from my database using SESSION.

I have tried this code:

$sql = "SELECT clearanceid, regno, names, progcode, status, pfno, reasons 
        FROM clearance 
        WHERE regno='.$_SESSION['regno'].'"; 
Qirel

2 Answers

0

If the only thing you are struggling with is the SQL syntax, then this example should give you a hint on how to do this with MySQLi:

<?php
// Throw exceptions on MySQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli($host, $user, $pass, $db);
$mysqli->set_charset($charset);

// The session value is bound as a parameter, never spliced into the SQL text.
$stmt = $mysqli->prepare('SELECT clearanceid,regno,names,progcode,status,pfno,reasons FROM clearance WHERE regno=?');
$stmt->bind_param('i', $_SESSION['regno']); // 'i' = integer; use 's' if regno is a string
$stmt->execute();
$results = $stmt->get_result();
Dharman
-1

Not sure which library you use: PDO, MySQLi or any other.

Wrong syntax

First of all, your code will not work, as it will not generate a proper query.
Hint: if unsure, echo your query first to check what it generates:

SELECT clearanceid,regno,names,progcode,status,pfno,reasons FROM clearance WHERE regno= '.123.'

What will generate a proper query is:

<?php
$sql = "SELECT clearanceid,regno,names,progcode,status,pfno,reasons 
FROM clearance 
WHERE regno= '{$regno}'"; 

You are missing security

If regno is numeric:

<?php
$regno = intval($_SESSION['regno']); // or floatval
$sql = "SELECT clearanceid,regno,names,progcode,status,pfno,reasons FROM clearance WHERE regno= {$regno}"; 

Edit: If $regno is a string, then use prepared statements as Dharman suggested

Grzegorz
  • `mysqli_real_escape_string` provides no security against SQL injection. It was never meant to prevent SQL injection. If you want to prevent SQL injection you need to use prepared statements. Casting to float or int is only going to work for numbers, but prepared statements work always. – Dharman Jul 14 '19 at 17:31
  • @Dharman Ok... first time I hear this, but I won't argue since it may be true... but can you point to a source/examples? – Grzegorz Jul 14 '19 at 22:08
  • [Link 1](https://stackoverflow.com/a/22305173/1839439) [Link 2](https://stackoverflow.com/a/60496/1839439) [Link 3](https://stackoverflow.com/a/16282269/1839439) [Link 4](https://stackoverflow.com/a/14011914/1839439) [Link 5](https://stackoverflow.com/q/5741187/1839439) [Link 6](https://stackoverflow.com/a/8265319/1839439) and more... – Dharman Jul 14 '19 at 22:20
  • So basically... if that's really true (haven't checked) half of the internet is in danger... – Grzegorz Jul 14 '19 at 22:29
  • Yes, I am glad one more person has realised this. [SQL injection is 17 years old. Why is it still around?](https://security.stackexchange.com/q/128412/188415) – Dharman Jul 14 '19 at 22:31
  • @Dharman It's hard to believe such a thing exists... or from what I read in those comments and answers it's not really insecure... but is insecure in specific cases (which can be considered insecure overall), as it matters whether you use `'` or `"` and how you set the encoding etc. So its insecurity may not be true in all cases (or it may?). But still you can easily make a mistake, and prepared statements would be the safer option. You win! :P Sorry! :) – Grzegorz Jul 14 '19 at 22:40
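As an added example that is not part of the question or either answer, the script below puts the interpolated string from the question, the prepared-statement lookup Dharman recommends and the intval() shortcut from this answer side by side. It assumes PDO with an in-memory SQLite database (constructed rows, no server needed) so it runs offline; with MySQL only the DSN and credentials change.

```php
<?php
// Added example (not from the question or either answer). Assumes PDO with
// in-memory SQLite so it runs offline; the clearance table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clearance (clearanceid INTEGER PRIMARY KEY, regno TEXT,
            names TEXT, progcode TEXT, status TEXT, pfno TEXT, reasons TEXT)');
$ins = $pdo->prepare('INSERT INTO clearance (regno, names, progcode, status, pfno, reasons)
                      VALUES (?, ?, ?, ?, ?, ?)');
$ins->execute(['BCS/2019/001', 'Alice Example', 'BCS', 'pending',  'PF100', '']);
$ins->execute(['BCS/2019/002', 'Bob Example',   'BCS', 'approved', 'PF101', '']);

// Stand-in for the real session (the application calls session_start()).
$_SESSION = ['regno' => 'BCS/2019/001'];

// 1. The question's string: dots and single quotes inside a double-quoted string
//    are literal characters, so the query compares regno to '.value.'.
//    (Key written unquoted here: "$_SESSION['regno']" does not parse inside "...".)
$broken = "SELECT regno FROM clearance WHERE regno='.$_SESSION[regno].'";
echo $broken, "\n";   // ... WHERE regno='.BCS/2019/001.'

// 2. Hardened lookup: the value is bound as a parameter, never spliced into SQL.
function findClearance(PDO $pdo, string $regno): array
{
    $stmt = $pdo->prepare('SELECT clearanceid, regno, names, progcode, status, pfno, reasons
                           FROM clearance WHERE regno = ?');
    $stmt->execute([$regno]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Same value through binding versus string interpolation, once with a normal
//    regno and once with a constructed value that contains a quote character.
$hostile = "x' OR '1'='1";
foreach ([$_SESSION['regno'], $hostile] as $value) {
    $bound   = count(findClearance($pdo, $value));
    $spliced = count($pdo->query("SELECT regno FROM clearance WHERE regno='{$value}'")->fetchAll());
    printf("%-16s bound=%d spliced=%d\n", $value, $bound, $spliced);
}
// BCS/2019/001: bound=1 spliced=1.  Hostile value: bound=0 (treated as data),
// spliced=2 (the quote ends the literal and the condition matches every row).

// 4. intval() only fits a numeric regno: a string regno casts to 0 and matches nothing.
var_dump(intval($_SESSION['regno']));   // int(0)
```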