0

i would like my mysql query to be different depending on the content of a php variable (session) it has to be something like:

if ($_SESSION['session_id'] != NULL) { 
   $var1 = "and id = '$_SESSION[session_id]'";
}
$result = mysql_query("
SELECT  field1, field2
FROM    table
WHERE   name = '$_GET[name]' $var1
") or die(mysql_error());

which will be: WHERE name = '$_GET[name]' and id = '$_SESSION[session_id]' or: WHERE name = '$_GET[name]'

how can i do this? Thanks.

Improve this question
8
  • 2
    Vulnerable to injection attacks. I hope this isn't live. Commented Apr 27, 2013 at 21:10
  • Hey @Daedalus, Can you show me the secure way? Commented Apr 27, 2013 at 21:11
  • no, this is not live... it's just an example, but why is it vulnerable? Commented Apr 27, 2013 at 21:12
  • 2
    Please don't use mysql_* functions in new code. They were removed from PHP 7.0.0 in 2015. Instead, use prepared statements via PDO or MySQLi. See Why shouldn't I use mysql_* functions in PHP? for more information. Commented Apr 27, 2013 at 21:13
  • The above is mostly a canned response, but it holds true for the above. Commented Apr 27, 2013 at 21:13

1 Answer 1

Reset to default
1

The code you are trying to create has some serious (and less serious) problems that you need to fix right away if you ever want to make your site usefull.

First of, dont use mysql_ function but switch to mysqli or pdo. mysql functions have been deprecated.

Also you are inserting user input directly into your query. This causes some serious SQL injection problems. Always make sure to validate and escape user input.

To create a query like you want I'd use:

<?php
$name = $_GET['name'];

//validate $name according to your choice of mysql provider. EG: mysqli_real_escape_string
//this is just basic validation. make sure you also add other types of validation. If a name is always alphanumeric, make sure you also check that it is before using it.

/*
if you dont validate and I would enter my name like: hugo' OR 1=1 --
I would be able to access any record in your database. And that is just a harmless example.
*/

$query = "SELECT field1, field2 FROM table WHERE name = '".$name."'"

//for sake of simplicity I assume the id is numeric
if (!empty($_SESSION['session_id']) AND is_numeric($_SESSION['session_id'])) { 
   $query .= " and id = '".$_SESSION['session_id']."'";
}

//exec query
?>
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

empty isnt just for arrays. And I use empty because an Id of 0, which is often used after a log out, should be dismissed also
Which is why I deleted my comment.
Although this approach is better than in the question, building SQL by concatenating strings is unnecessarily dangerous -- there are too many opportunities to leave a hole open. Prepared statements are a much better option IMO.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.