0

If I use the below code, it works

 $query = 'SELECT * FROM messages ORDER BY date DESC LIMIT ? , ?';

But if I use WHERE clause to filter the exact user data, it shows error

 $query = 'SELECT * FROM messages WHERE member_name='.$userid.' ORDER BY date DESC LIMIT ? , ?';

Here is the full error

Fatal error: Uncaught Error: Call to a member function execute() on bool in /home/customer/www/sitename.com/public_html/user/notifications/lib/DataSource.php:82 Stack trace: #0 /home/customer/www/sitename.com/public_html/user/notifications/Model/Pagination.php(41): Phppot\DataSource->select('SELECT * FROM m...', 'ii', Array) #1 /home/customer/www/sitename.com/public_html/user/notifications/index.php(7): Phppot\Pagination->getPage() #2 {main} thrown in /home/customer/www/sitename.com/public_html/user/notifications/lib/DataSource.php on line 82

The funny thing is, I am using the same script with a WHERE clause on another website, but what could cause such an error? The $userid string has a value, already checked, and all included/connected PHP files are also working.

The code is from this website

Shij Thach
  • 93
  • 7
  • Does this answer your question? [Are PDO prepared statements sufficient to prevent SQL injection?](https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) – Nico Haase Jan 07 '21 at 13:25
  • I could not find the given code on that website. Neither does the code you've shared show anything else than a variable definition - is there more code you want to share? Nevertheless, be warned that your second query is open for SQL injection. It should **not** be used like that, never – Nico Haase Jan 07 '21 at 13:26

2 Answers

0

Solved it with the following

$query = "SELECT * FROM messages WHERE member_name='$userid' ORDER BY date DESC LIMIT ? , ?";
Shij Thach
  • 93
  • 7
  • That's still pretty vulnerable code. Is there any good reason to inject the `$userid` like that and not through a parameter? – Nico Haase Jan 07 '21 at 13:26
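Both the question's crash and the accepted answer's workaround come from splicing `$userid` into the SQL text. The stack trace shows `DataSource->select()` calling `execute()` on a bool, which is what happens when `prepare()` rejects the statement and returns `false`; a value dropped into the query without quotes (`member_name=alice`) is not valid SQL, and a value with quotes around it (`member_name='$userid'`) is valid SQL but lets the contents of `$userid` rewrite the query. The following is an added example, not code from the question or from the Phppot library it uses. It uses PDO with an in-memory SQLite database and constructed rows so it runs stand-alone without a MySQL server; the `'ii'` type string in the trace suggests the original `DataSource` binds through mysqli, where `prepare()` returns `false` instead of throwing, but the prepared-statement pattern is the same.

```php
<?php
// Added example (not from the question or the Phppot DataSource class).
// PDO + in-memory SQLite so it runs offline; table and rows below are constructed.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of returning false and continuing blindly.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, member_name TEXT, body TEXT, date TEXT)');
    $rows = [                       // constructed sample data
        ['alice', 'first',  '2021-01-05'],
        ['alice', 'second', '2021-01-06'],
        ['bob',   'hello',  '2021-01-07'],
        ['alice', 'third',  '2021-01-07'],
    ];
    $ins = $db->prepare('INSERT INTO messages (member_name, body, date) VALUES (?, ?, ?)');
    foreach ($rows as $r) {
        $ins->execute($r);
    }
    return $db;
}

// The question's second query exactly as written: the value is spliced into the SQL.
// With a non-numeric $userid the text is not valid SQL, so prepare() fails; the
// original code then calls execute() on that failure value, which is the fatal error.
function brokenQuery(string $userid): string
{
    return 'SELECT * FROM messages WHERE member_name=' . $userid . ' ORDER BY date DESC LIMIT ? , ?';
}

// Hardened form: member_name, offset and page size all travel as bound parameters,
// so the SQL text is fixed and no user-supplied characters can alter it.
function pageForMember(PDO $db, string $userid, int $offset, int $perPage): array
{
    $sql  = 'SELECT * FROM messages WHERE member_name = ? ORDER BY date DESC LIMIT ?, ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {          // defensive: relevant when ERRMODE is not EXCEPTION (or with mysqli)
        throw new RuntimeException('prepare() failed: ' . implode(' ', $db->errorInfo()));
    }
    $stmt->bindValue(1, $userid, PDO::PARAM_STR);
    $stmt->bindValue(2, $offset, PDO::PARAM_INT);   // the 'i' types from the trace
    $stmt->bindValue(3, $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();

// 1. Reproduce the failure mode: the spliced query does not survive prepare().
//    With PDO::ERRMODE_SILENT or mysqli, prepare() would return false here, which is
//    the bool in the question's stack trace.
try {
    $db->prepare(brokenQuery('alice'));
} catch (PDOException $e) {
    echo 'prepare() failed: ' . $e->getMessage() . "\n";   // no such column: alice
}

// 2. The parameterised version returns only alice's rows, newest first, two per page.
foreach (pageForMember($db, 'alice', 0, 2) as $row) {
    echo $row['date'] . ' ' . $row['body'] . "\n";
}
```

Checking the return value of `prepare()` (or enabling exception mode) is what turns the opaque "call to a member function execute() on bool" into a readable SQL error pointing at the real problem, and binding `member_name` as a parameter removes the need for the `'$userid'` quoting in the accepted answer along with the injection risk the comments warn about.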
-1

Please change your field name (member_name) to another name. I think member_name is a function like member() in MySQL. Change your field name and try again.

Nima Asaadi
  • 19
  • 1
  • 4