
I am trying to run a simple SELECT query inside of a PHP class, using the GET variable.

```php
$this->Token = $_GET['Token'] ?? null;

function getRows() {
    // The token is concatenated straight into the SQL text, unquoted and
    // unescaped (this is the problem the comments and the answer address).
    $query = $this->db->query("SELECT * FROM store_product_images WHERE token = ".$this->Token." ORDER BY display_order ASC");
    return $query;
}
```

When I run this, nothing shows; if I remove the WHERE, it works fine.

Designer

  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. Instead of building queries with string concatenation, always use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Apr 18 '21 at 16:31
  • If `token` is a string, you would need quotes round the value, but using prepared statements solves this and a few other problems. – Nigel Ren Apr 18 '21 at 16:32
  • @NigelRen It does have quotes around it? Could you show me an example of what you mean? – Designer Apr 18 '21 at 16:32
  • You missed the quote to indicate that you passed a string in your query. You had better write it like this: `[...] WHERE token = '{$this->Token}' ORDER BY [...]`. Anyway, you should really consider escaping your value, or better, using a prepared statement; as another has mentioned, your code is vulnerable to SQL injection. – Ammar Faizi Apr 18 '21 at 16:38

1 Answer


You missed the quote.

```php
$query = $this->db->query("SELECT * FROM store_product_images WHERE `token`= '".$this->Token."' ORDER BY display_order ASC");
```
ha3an
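The answer above quotes the value, which makes the query run, but the token is still spliced into the SQL text. Below is the prepared-statement version the comments recommend, written as an added example (not code from the question or the answer); it assumes `$this->db` is a PDO instance, keeps the question's table and column names, and uses placeholder connection details.

```php
<?php
// Added example: the same lookup with a PDO prepared statement.
// Assumes $this->db is a PDO object; DSN and credentials are placeholders.
class ProductImages
{
    private PDO $db;
    private ?string $token;

    public function __construct(PDO $db, $token)
    {
        $this->db = $db;
        // $_GET['Token'] may be absent, or an array if the request used Token[]=...;
        // accept only a real string so nothing unexpected reaches the query.
        $this->token = is_string($token) ? $token : null;
    }

    // Original form (do not use): "... WHERE token = ".$this->Token." ..."
    // The value becomes part of the SQL text, so a token containing a quote or
    // SQL keywords changes what the statement means instead of being compared as data.
    //
    // Fixed form: the SQL text is constant and sent first; the token is bound
    // separately, so whatever it contains is compared as a plain string value.
    public function getRows(): array
    {
        if ($this->token === null) {
            return [];   // no usable token supplied; nothing to look up
        }
        $stmt = $this->db->prepare(
            'SELECT * FROM store_product_images WHERE token = :token ORDER BY display_order ASC'
        );
        $stmt->bindValue(':token', $this->token, PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage; replace the DSN, user and password with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Server-side prepares: the driver never interpolates bound values into the SQL text.
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$images = new ProductImages($pdo, $_GET['Token'] ?? null);
foreach ($images->getRows() as $row) {
    var_export($row);
    echo "\n";
}
```

With a bound parameter the quoting question from the comments disappears: the token is never part of the SQL string, so it needs no quotes and no escaping.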