```php
<?php

include('dbLink2.php');


$quizqr = $_GET['quizQR'];
$recordsID1 = $_GET['recordsID1'];
$recordsID2 = $_GET['recordsID2'];

$m_array1=array();
$m_array=array();

    $sql = "SELECT quizQR, recordsID FROM `registertestactivity` WHERE (quizQR = '$quizqr' OR recordsID = '$recordsID1' OR recordsID = '$recordsID2') LIMIT 1";
    $result = @mysqli_query($link, $sql) or die();

    if (@mysqli_affected_rows($link) > 0) {

        while($row = @mysqli_fetch_assoc($result))
        {
            $m_array[]=$row;
        }

    } else {

        $m_array1 += ["quizQR" => "NoRecords"];
        $m_array1 += ["recordsID" => "NoRecords"];

        $m_array[0] = $m_array1;

    }

    echo json_encode($m_array);

@mysqli_free_result($result);
@mysqli_close($link);

?>
```

Can someone help me out? I have tried `mysqli_real_escape_string` and it still doesn't work :(

The `$quizqr` value has a '#' character in the string, and this is the error message that pops up when the AJAX call hits this PHP script (error message image).

nice_dev
Natasha
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Sep 09 '20 at 13:43
  • Remove every single `@` in your code. You're suppressing messages which might be valuable to you. – Jay Blanchard Sep 09 '20 at 13:43
  • You should [never use `die()`](https://stackoverflow.com/a/15320411/1011527) and use `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` with your database connection code to throw errors for all of your queries when they occur. – Jay Blanchard Sep 09 '20 at 13:44
  • Along with the above, `#` is a URL fragment. Everything after that isn't sent to the server. – nice_dev Sep 09 '20 at 13:46
  • The URL you're using to access this script doesn't have the necessary variables in the query string of the URL. Can you share the URL? – Jay Blanchard Sep 09 '20 at 13:47
  • The DB connection? Or the AJAX I call to this PHP? – Natasha Sep 09 '20 at 13:54
  • The AJAX connection. – Jay Blanchard Sep 09 '20 at 14:43
  • @JayBlanchard `url: web_address + "backend/get_regTestCheck.php?quizQR=" + quiz_qr + "&recordsID1=" + recordID1 + "&recordsID2=" + recordID2` – Natasha Sep 09 '20 at 15:19
  • @JayBlanchard so an example of data would be `url: web_address + "backend/get_regTestCheck.php?quizQR=C-Q01/00000054#/065-10K/5XP-0521 GG0E&recordsID1=records_001&recordsID2=records_002` – Natasha Sep 09 '20 at 15:26
  • If you `print_r($_GET);` at the top of the page, what do you get? – Jay Blanchard Sep 09 '20 at 15:32
  • @JayBlanchard `Array ( [quizQR] => C-Q01/00000054 )` – Natasha Sep 10 '20 at 06:52
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Sep 10 '20 at 13:26

1 Answer

Because you have a `#` in the URL, you're dealing with a URL fragment, which means that everything past the `#` is not available in the query string. PHP offers a flag, `PHP_URL_FRAGMENT`, for its `parse_url()` function which can help you get what you need from the string.

Here is one example using the URL you provided:

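```php
<?php
// URL from the question; the host is a placeholder because web_address is not shown.
$url = 'http://example.com/backend/get_regTestCheck.php?quizQR=C-Q01/00000054#/065-10K/5XP-0521 GG0E&recordsID1=records_001&recordsID2=records_002';

// Everything after the '#' is returned as the fragment.
$fragment = parse_url($url, PHP_URL_FRAGMENT);
echo $fragment;
$fragmentSection = explode('&', $fragment);
print_r($fragmentSection);

$queryParts = [];
foreach ($fragmentSection as $section) {
    // Keep only the key=value sections; the first section has no '='.
    if (0 != strpos($section, '=')) {
        $sectionParts = explode('=', $section, 2);
        $queryParts[$sectionParts[0]] = $sectionParts[1];
    }
}
print_r($queryParts);
```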

This ultimately returns two array members which could then be used in your query:

```
Array
(
    [recordsID1] => records_001
    [recordsID2] => records_002
)
```

The best thing to do would be to write a function to which you pass the URL to return the elements you need.

Keep in mind that this is not fool-proof. If the URL is in a different format then what I have done here will have to be modified to work as you would like it to.

Additionally you have been given some warnings and guidance in the comments you should follow to keep your code safe and efficient, so I will not repeat them here.

Jay Blanchard
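The comments above note that everything after `#` is a URL fragment and never reaches the server, which matches the `print_r($_GET)` output the asker reported. As an added example (not code from the question or the answer), this JavaScript models the question's AJAX URL built by raw concatenation versus percent-encoded parameters; the host `https://app.example/` and the function names are assumptions.

```javascript
// Added example. Sample values come from the question; the host is a placeholder.
const BASE = "https://app.example/"; // stands in for web_address (assumption)
const quizQr = "C-Q01/00000054#/065-10K/5XP-0521 GG0E";
const recordID1 = "records_001";
const recordID2 = "records_002";

// What the question's AJAX call does: raw string concatenation.
function buildUrlRaw(qr, id1, id2) {
  return BASE + "backend/get_regTestCheck.php?quizQR=" + qr +
    "&recordsID1=" + id1 + "&recordsID2=" + id2;
}

// Encoded variant: URLSearchParams percent-encodes '#', '/', '&', '=' and spaces,
// so each value stays inside the query string.
function buildUrlEncoded(qr, id1, id2) {
  const url = new URL("backend/get_regTestCheck.php", BASE);
  url.search = new URLSearchParams({
    quizQR: qr,
    recordsID1: id1,
    recordsID2: id2,
  }).toString();
  return url.toString();
}

// Model of what the server receives: the fragment stays on the client,
// so only the query string is parsed into parameters (PHP's $_GET).
function serverSideGet(urlString) {
  const url = new URL(urlString);
  return Object.fromEntries(url.searchParams.entries());
}

const raw = serverSideGet(buildUrlRaw(quizQr, recordID1, recordID2));
const encoded = serverSideGet(buildUrlEncoded(quizQr, recordID1, recordID2));

console.log("raw concatenation ->", raw);
console.log("encoded parameters ->", encoded);
```

Encoding only fixes how the values travel to the server. The script still has to bind them as parameters in a prepared statement, as the comments point out.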