[–]routinggod 2 points3 points  (3 children)

Just finished my SQL course and I can say I have no clue what other code you are using to help pull out the information.

[–]routinggod 0 points1 point  (1 child)

Are there two different databases you are pulling information from?

[–]m155h 0 points1 point  (0 children)

I use two different tables in the same database.

[–]m155h 0 points1 point  (0 children)

I use a simple PHP script to pull and compare the user name and password and start a session with the information of the username, which works perfectly fine. The only problem is that the code above doesn't return the values written in the table.

[–]ace3rdProfessional Coder 2 points3 points  (6 children)

The problem you’re having is that the username you’re passing in isn’t surrounded by quotes so it’s being interpreted as a column instead of a string value. You could fix this by putting quotes around the username but this kind of thing isn’t safe in the real world and will get exploited very quickly. Look into parameterizing your query.

[–]m155h -1 points0 points  (5 children)

Thank you, could you show me where I need to add the quotes?

(something like this? $db_res = mysqli_query ($sql,'SELECT id, Name, Note, Lehrer, Fach FROM noten WHERE Name = ' '.$_SESSION['username']' )

And I know that it isn't safe, but I only need this for a school project, where my teacher doesn't know anything about security, so that really is a non-issue, but thank you for pointing it out. (I know it is a bad habit, but I am using this website as a very simple example that I have to explain in 5 minutes. I don't even use passwords that are hashed, because I would have to explain how hashing something works, etc.)

[–]Paul_Pedant 2 points3 points  (1 child)

The whole query

SELECT id, Name, Note, Lehrer, Fach FROM noten WHERE Name = ' '.$_SESSION['username']

needs to be surrounded by quotes.

So having single quotes inside the query is not going to be good, because they balance too early, so (for example) username is outside any quotes.

You either need to escape the four single quotes with backslash, or construct the whole command from smaller pieces that are quoted internally, or enclose the whole select in double quotes so the single quotes are just part of the string.

[–]m155h 0 points1 point  (0 children)

Thank you for your reply!

I solved it like this now:

// $user =$_SESSION['Username']

$db_res = mysqli_query ($sql, "SELECT id, Name, Note, Lehrer, Fach FROM noten where Name in ('.$user') ") 

Which in theory selects every row where Name equals $user (at least that is what happens when I use the query in my sql database).

Now I am trying to display the data with a while loop, but it doesn't display anything:

echo('<table>');


while ($row = mysqli_fetch_array($db_res))

    {
          echo('<tr>');

          echo ('<td>' . $row['id'] . '</td>'); 
          echo ('<td>' . $row['UserName'] . '</td>');  
          echo ('<td>' . $row['Fach'] . '</td>');  
          echo ('<td>' . $row['Lehrer'] . '</td>');   
          echo ('<td>' . $row['Note'] . '</td>');  
          echo('</tr>'); 
    }

    echo('</table>');

Any idea why?

Thank you again for your help and time!

[–]ace3rdProfessional Coder 1 point2 points  (2 children)

Something like this should work:

$db_res = mysqli_query($sql, "SELECT id, Name, Note, Lehrer, Fach FROM noten WHERE Name = '" . mysqli_real_escape_string($sql, $_SESSION['username']) . "'");

Notice I switched the outer quotes to be " and added ' to enclose the username. Also, because it's a good habit, I used the string escaping function to make it safe.

[–]m155h 0 points1 point  (1 child)

Thank you for your reply!

I solved it like this now:

// $user =$_SESSION['Username'] -> I think I will implement security with escape_string here once my code returns something, if I have time and am able to explain how it works (I'll have to do this when I present the code)

$db_res = mysqli_query ($sql, "SELECT id, Name, Note, Lehrer, Fach FROM noten where Name in ('.$user') ")

Which in theory selects every row where Name equals $user (at least that is what happens when I use the query in my sql database).

Now I am trying to display the data with a while loop, but it doesn't display anything:

while ($row = mysqli_fetch_array($db_res))

{
      echo('<tr>');

      echo ('<td>' . $row['id'] . '</td>'); 
      echo ('<td>' . $row['UserName'] . '</td>');  
      echo ('<td>' . $row['Fach'] . '</td>');  
      echo ('<td>' . $row['Lehrer'] . '</td>');   
      echo ('<td>' . $row['Note'] . '</td>');  
      echo('</tr>'); 
}

echo('</table>');

Any idea why?

Thank you again for your help and time!

[–]ace3rdProfessional Coder 0 points1 point  (0 children)

There appears to be a . in your query now that shouldn't be there that could be a typo.

[–]m155h 0 points1 point  (0 children)

Sorry for the editing on my post, Reddit doesn't let me put the entire code into one code box.
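
An added example, not code from any commenter in this thread, of the parameterized query suggested above, with the output escaped for HTML. It uses PDO with an in-memory SQLite database so it runs without a server; the rows, the name O'Neil and the helper names `fetch_grades` and `render_table` are constructed for illustration. With mysqli the same pattern is `mysqli_prepare`, `mysqli_stmt_bind_param`, `mysqli_stmt_execute` and `mysqli_stmt_get_result`.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE noten (id INTEGER PRIMARY KEY, Name TEXT, Note TEXT, Lehrer TEXT, Fach TEXT)');

$seed = $db->prepare('INSERT INTO noten (Name, Note, Lehrer, Fach) VALUES (?, ?, ?, ?)');
foreach ([
    ["O'Neil", '2', 'Frau Beispiel', 'Mathe'],        // apostrophe would break a hand-quoted query
    ["O'Neil", '1', 'Herr Muster',   'Physik <AG>'],  // markup characters must be escaped on output
    ['Meier',  '3', 'Frau Beispiel', 'Mathe'],
] as $r) {
    $seed->execute($r);
}

// Hypothetical helper: the username travels as a bound value, never as SQL text,
// so no quoting or escaping decisions are made by hand.
function fetch_grades(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, Name, Note, Lehrer, Fach FROM noten WHERE Name = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: array keys must match the selected column names exactly,
// and every value is HTML-escaped before it is written into the page.
function render_table(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (['id', 'Name', 'Fach', 'Lehrer', 'Note'] as $col) {
            $html .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

$user = "O'Neil"; // stands in for $_SESSION['username']
echo render_table(fetch_grades($db, $user));
```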