How to query MySQL from a web browser URL ?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • karthikeyanck
    New Member
    • Oct 2007
    • 23

    How to query MySQL from a web browser URL ?

    How to query MySQL from a web browser URL.

    I 've a Apache server running on my Ubuntu machine which has PHP and MySQL installed.

    I 've an assignment to demonstrate how SQL Injection works, I need to pass SQL Queries through my PHP Page so that i can INSERT, UPDATE, DROP data from the MySQL Database.

    I need to complete the project at the earliest

    Any help Appreciated !!!!!!!!!!!!!
  • pbmods
    Recognized Expert Expert
    • Apr 2007
    • 5821

    #2
    Heya, karthikeyanck.

    You posted this in the Articles section. I'll go ahead and move it to the Forum where an Expert will be more likely to find it.

    Comment

    • ronverdonk
      Recognized Expert Specialist
      • Jul 2006
      • 4259

      #3
      When it is just simply passing an SQL query to the db and echoing the output resource ID and the array of rows returned (e.g. after a select), this snippet will do. You'll have to adapt it to your own needs.
      [php]
      <?php
      if (isset($_POST['sql']) ) {
      $sql=$_POST['sql'];
      // Make a MySQL Connection
      $conn = mysql_connect(" localhost", "ronverdonk ", "ronnie09")
      or die("Could not connect to the db server: ".mysql_error() );
      mysql_select_db ("vwso",$con n)
      or die("Could not select the db: " . mysql_error());
      $result=mysql_q uery($sql);
      echo $result.'<br />';
      if ($_POST['out'] == 'y') {
      while ($row = mysql_fetch_ass oc($result)) {
      echo '<pre>'; print_r($row);
      }
      }
      }
      ?>
      <form name="MyForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
      Type your mySQL query:<br />
      <input type="text" name="sql" size="70" value="<?php echo (isset($_POST['sql'])) ? $_POST['sql'] : ""; ?>"><br />
      Do you want query output displayed?<br />
      <input type="radio" name="out" value="y"<?php if ($_POST['out'] == 'y') echo " checked"; ?> />yes&nbsp;
      <input type="radio" name="out" value="n"<?php if ($_POST['out'] == 'n') echo " checked"; ?> />No<br />
      <input type="submit" value="submit query" />
      </form>
      </body>
      </html>
      [/php]
      Ronald

      Comment

      • karthikeyanck
        New Member
        • Oct 2007
        • 23

        #4
        Originally posted by ronverdonk
        When it is just simply passing an SQL query to the db and echoing the output resource ID and the array of rows returned (e.g. after a select), this snippet will do. You'll have to adapt it to your own needs.
        [php]
        <?php
        if (isset($_POST['sql']) ) {
        $sql=$_POST['sql'];
        // Make a MySQL Connection
        $conn = mysql_connect(" localhost", "ronverdonk ", "ronnie09")
        or die("Could not connect to the db server: ".mysql_error() );
        mysql_select_db ("vwso",$con n)
        or die("Could not select the db: " . mysql_error());
        $result=mysql_q uery($sql);
        echo $result.'<br />';
        if ($_POST['out'] == 'y') {
        while ($row = mysql_fetch_ass oc($result)) {
        echo '<pre>'; print_r($row);
        }
        }
        }
        ?>
        <form name="MyForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
        Type your mySQL query:<br />
        <input type="text" name="sql" size="70" value="<?php echo (isset($_POST['sql'])) ? $_POST['sql'] : ""; ?>"><br />
        Do you want query output displayed?<br />
        <input type="radio" name="out" value="y"<?php if ($_POST['out'] == 'y') echo " checked"; ?> />yes&nbsp;
        <input type="radio" name="out" value="n"<?php if ($_POST['out'] == 'n') echo " checked"; ?> />No<br />
        <input type="submit" value="submit query" />
        </form>
        </body>
        </html>
        [/php]
        Ronald

        The script works fine, but when I query the server like the one below

        SELECT * FROM employee WHERE username = 'admin'

        I get Warning: mysql_fetch_ass oc(): supplied argument is not a valid MySQL result ***********

        Comment

        • ronverdonk
          Recognized Expert Specialist
          • Jul 2006
          • 4259

          #5
          This was just a simple sample and you'll have to play with it. At my site the error is probably the insertion of backslashes. At your site I assume you have no result set. So I changed the snippet code to get rid of backslashes and test the result. Next is the first part.
          [php]
          <?php
          if (isset($_POST['sql']) ) {
          $sql=$_POST['sql'];
          $sql=str_replac e('\\','',$sql) ;
          $db=$_POST['db'];
          // Make a MySQL Connection
          $conn = mysql_connect(" localhost", "ronverdonk ", "ronnie09")
          or die("Could not connect to server: ".mysql_error() );
          mysql_select_db ($db,$conn)
          or die("Could not select db $db: " . mysql_error());
          $result=mysql_q uery($sql) or
          die('Error: '.mysql_error() );
          echo "<b>stateme nt:</b> $sql<br />";
          if ($_POST['out'] == 'y') {
          if (mysql_num_rows ($result) > 0) {
          while ($row = mysql_fetch_ass oc($result)) {
          echo '<pre>'; print_r($row);
          }
          }
          else
          echo 'No results';
          }
          }
          ?>
          [/php]
          Ronald

          Comment

          Working...