
Is there any problem with this, since I get no output returned? Thanks in advance.

$question_text = $_POST['question_text'];

$first_word = explode(" ", $question_text);

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '$first_word'";

I've changed my code to this and still get no output. Is there a problem with the way I display them? Thanks

<?php
$question_text = $_POST['question_text'];

list($first_word) = explode(' ', $question_text);

$query = "SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t, taxonomy_domain d WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id AND c.field_name = '".mysql_escape_string($first_word[0])."'";

$result = mysql_query($query);

while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    echo "Keyword :{$row['c.field_name']}" . "Category : {$row['t.category_name']}" . "Domain : {$row['d.domain_name']}";
}
?>

Comments

  • This code is vulnerable to an SQL injection attack. Please don't interpolate POST data directly into the query--do some escaping. You might try checking what the value of $first_word is and running the query manually against your db. (Commented Mar 14, 2011 at 4:50)
  • print_r is your friend. print_r($first_word); will indicate why it's not working. Also, list($first_word) = explode(' ', $question_text); extracts the first element of the generated array into $first_word. (Commented Mar 14, 2011 at 4:52)

4 Answers


$first_word is an array, not a string; in your query you want $first_word[0].

It is also very unsafe to put any user-submitted value directly into an SQL query; it should always be sanitised.


1 Comment

Thanks, so I just have to add the array to both the $first_word? Query too? Thanks :)


Instead of the explode line you could use following to get a correct SQL query:

$first_word = mysql_real_escape_string(strtok($question_text, " "));

The strtok cuts off the string at the first space. And the escape function is necessary to protect your script from SQL exploits.

Comments


Well, after $first_word = explode(" ", $question_text); $first_word is an array, because explode returns an array.

Therefore

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '$first_word'";

should be

$query ="SELECT c.field_name,t.category_name, d.domain_name FROM category_fields c, taxonomy_category t,  taxonomy_domain d
 WHERE c.category_Id = t.category_Id AND t.domain_Id = d.domain_Id
 AND c.field_name = '".mysql_escape_string($first_word[0])."'";

Read http://php.net/manual/en/function.mysql-escape-string.php for what mysql_escape_string does.

1 Comment

Hi, thanks, and I have fixed the code but still no output. Is there any problem? The new code is added above.

list($first_word) = explode(' ', $question_text);

This should do the trick. Sanitize your database inputs!

3 Comments

  • Hi, thanks, and I have fixed the code but still no output. Is there any problem? The new code is added above.
  • Hi Abby; when you do list($first_word) = explode(' ', $question_text);, you no longer access $first_word as an array. The list() function extracts the first element from the array result of explode() and stores it in the supplied argument, in this case $first_word. You can simply use $first_word in your query. Sanitize your database inputs!
  • OK, I will look up the ways to sanitize the inputs since I'm a beginner in PHP :) But a quick question: do I have to have a table to store the question_text in the POST method that I used? Currently I have a database named keyword with 3 tables (category_fields, taxonomy_category, taxonomy_domain). I have made it list($first_word) and query just the $first_word, but I'm still getting Keyword : Category : Domain : It did not display the 1 I've stated in the query.
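Added example, not code from the question or from any of the answers: the same three-table lookup on PDO with a bound parameter, run against an in-memory SQLite database whose tables and rows are constructed in the script (the table and column names are the ones in the question's query; the domain/category rows and the attack payload are invented). It shows what the comments warn about: with string interpolation, a payload that contains no spaces survives the first-word split and turns the WHERE clause into `... = 'x'OR'1'='1'`, which matches every row, while the prepared statement returns nothing for it. It also reads rows by bare column name: `MYSQL_ASSOC` and `PDO::FETCH_ASSOC` key each row by column name without the table alias, so the question's `$row['c.field_name']` is always unset, which is exactly the empty `Keyword : Category : Domain :` line reported in the last comment. The `mysql_*` extension was removed in PHP 7; PDO or mysqli prepared statements replace `mysql_escape_string` (which, unlike `mysql_real_escape_string`, ignores the connection character set).

```php
<?php
// Added example (not code from the question or its answers).
// Assumes PDO with the SQLite driver. The three tables and their rows are
// constructed here to mirror the schema named in the question; column names
// come from the question's query, the data is invented.

function build_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE taxonomy_domain (domain_Id INTEGER PRIMARY KEY, domain_name TEXT)');
    $pdo->exec('CREATE TABLE taxonomy_category (category_Id INTEGER PRIMARY KEY, domain_Id INTEGER, category_name TEXT)');
    $pdo->exec('CREATE TABLE category_fields (field_name TEXT, category_Id INTEGER)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO taxonomy_domain VALUES (1, 'Computing'), (2, 'Biology')");
    $pdo->exec("INSERT INTO taxonomy_category VALUES (10, 1, 'Networking'), (20, 2, 'Genetics')");
    $pdo->exec("INSERT INTO category_fields VALUES ('router', 10), ('dna', 20)");
    return $pdo;
}

// The question's three-table join, without the WHERE value.
function base_sql(): string
{
    return 'SELECT c.field_name, t.category_name, d.domain_name'
         . ' FROM category_fields c'
         . ' JOIN taxonomy_category t ON c.category_Id = t.category_Id'
         . ' JOIN taxonomy_domain d ON t.domain_Id = d.domain_Id'
         . ' WHERE c.field_name = ';
}

// First whitespace-delimited word: what the thread's list()/strtok lines compute.
function first_word(string $text): string
{
    $parts = preg_split('/\s+/', trim($text), 2);
    return $parts[0];
}

// What the thread does: splice the word into the SQL text.
function lookup_interpolated(PDO $pdo, string $word): array
{
    return $pdo->query(base_sql() . "'" . $word . "'")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the word travels as a bound parameter and is never parsed as SQL.
function lookup_prepared(PDO $pdo, string $word): array
{
    $stmt = $pdo->prepare(base_sql() . ':word');
    $stmt->execute([':word' => $word]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = build_db();

// Constructed inputs. The payload has no spaces, so keeping only the first
// word does not neutralise it; only binding (or correct escaping) does.
$inputs = [
    'router configuration question',
    "x'OR'1'='1 everything after the first space is discarded",
];
foreach ($inputs as $text) {
    $word = first_word($text);
    printf("%-12s interpolated: %d row(s)   prepared: %d row(s)\n",
        $word, count(lookup_interpolated($pdo, $word)), count(lookup_prepared($pdo, $word)));
}

foreach (lookup_prepared($pdo, 'router') as $row) {
    // FETCH_ASSOC (like MYSQL_ASSOC) keys rows by bare column name:
    // 'field_name', not 'c.field_name'; alias-prefixed keys are never set.
    echo "Keyword: {$row['field_name']}  Category: {$row['category_name']}  Domain: {$row['domain_name']}\n";
}
```

Run it with `php example.php` on any PHP 7+ with the pdo_sqlite extension. The interpolated variant returns both rows for the payload because the database sees `c.field_name = 'x' OR '1'='1'`; the prepared variant sends the literal text `x'OR'1'='1` as a value and matches no row. Against MySQL the only change needed is the DSN and credentials passed to `new PDO(...)`.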
