HELP: pesky SQL syntax error using PHP variables

**David Haynes** · Jul 10 '06, 09:15 PM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

Hello:
>
New user here...first post to group.
>
I'm getting an SQL syntax error when I try to run the following query:
>
$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory '],
$_POST['tfItemNum']);
>
I've tested the variables and they are populated.
>
Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.
>
Any tips appreciated,
>
Frank H
Austin, TX
>
>

Your FROM clause would be FROM 'foo'. It should be FROM foo instead.

Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory '], $_POST['tfItemNum']);

-david-

**Frankie** · Jul 10 '06, 09:25 PM

Re: HELP: pesky SQL syntax error using PHP variables

Thank you soooo much!

Those darn quotes...so confusing. I'm delirious from staring at this query
all morning.

F.H.

"David Haynes" <david.haynes2@ sympatico.cawro te in message
news:pvzsg.9199 3$%16.23940@fe7 6.usenetserver. com...

Your FROM clause would be FROM 'foo'. It should be FROM foo instead.
>
Try:
$query = sprintf("SELECT itemNumber, entryDate, modifyDate,
thumbnailURL, title, price FROM %s WHERE itemNumber = '%s'",
$_POST['selectCategory '], $_POST['tfItemNum']);

**Rik** · Jul 10 '06, 09:55 PM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

Thank you soooo much!
>
Those darn quotes...so confusing. I'm delirious from staring at this
query all morning.

Rule of thumb:
backticks(``) around names derived from the database (fields, database,
tables)
quotes('') around strings

Grtz,
--
Rik Wasmus

**Robin** · Jul 11 '06, 08:25 AM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

Hello:
>
New user here...first post to group.
>
I'm getting an SQL syntax error when I try to run the following query:
>
$query = sprintf("SELECT itemNumber, entryDate, modifyDate, thumbnailURL,
title, price FROM '%s' WHERE itemNumber = '%s'", $_POST['selectCategory '],
$_POST['tfItemNum']);
>
I've tested the variables and they are populated.
>
Strangely, the query works with a variable in the WHERE clause, but not in
the FROM clause.
>
Any tips appreciated,
>
Frank H
Austin, TX
>
>

I hope you're checking those $_POST variables before blindly making the
SQL call!

Robin

**Frankie** · Jul 12 '06, 06:15 PM

Re: HELP: pesky SQL syntax error using PHP variables

"Robin" <anon@somewhere .comwrote in message
news:e8vnab$87k $1@gemini.csx.c am.ac.uk...

>
<snip>
>
I hope you're checking those $_POST variables before blindly making the
SQL call!

Yes, $_POST['selectCategory '] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags " if
re-displayed.

Thanks again to all who responded.

F.H.

**Robin** · Jul 13 '06, 08:25 AM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

"Robin" <anon@somewhere .comwrote in message
news:e8vnab$87k $1@gemini.csx.c am.ac.uk...
>

>><snip>
>>
>>I hope you're checking those $_POST variables before blindly making the
>>SQL call!

>
>
Yes, $_POST['selectCategory '] comes from a select menu while
$_POST['tfItemNum'] is checked by "ereg", and then again by "strip_tags " if
re-displayed.
>
Thanks again to all who responded.
>
F.H.
>

By "comes from a select menu" do you mean is the product of a <select
name="selectCat egory"tag?

You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Robin

**Frankie** · Jul 14 '06, 01:55 AM

Re: HELP: pesky SQL syntax error using PHP variables

----- Original Message -----
From: "Robin" <anon@somewhere .com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables

><snip>
>
You cannot guarantee that this value will only be one of your <option>
tag values. Posted data is easily forged.

Hmmm.

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?

At the moment, I only clean data that allows direct user input, such as text
fields.

F.H.

**Rik** · Jul 14 '06, 02:05 AM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

----- Original Message -----
From: "Robin" <anon@somewhere .com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables
>
>

><snip>
>>
>You cannot guarantee that this value will only be one of your
><optiontag values. Posted data is easily forged.

>
Hmmm.
>
So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?

Yes. I could send raw headers to your script, but much simpler is to make my
own form with the apropriate names, and post it to your url...

In this case, a bogus
POST value would only cause the query to fail, right?

Nope.

Or could a
malicious user gain access to the server this way?

Yes and no. If the POST values are used for db queries, one could pretty
much do anything to your database very easily if you haven't protected
yourself against it. Depending on how the rest of your server is setup, and
how sensitive data is kept, maybe even more.

At the moment, I only clean data that allows direct user input, such
as text fields.

You should check, escape & clean all data that comes from the users.

Grtz,
--
Rik Wasmus

**Robin** · Jul 14 '06, 08:35 AM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

----- Original Message -----
From: "Robin" <anon@somewhere .com>
Newsgroups: comp.lang.php
Sent: Thursday, July 13, 2006 3:25 AM
Subject: Re: HELP: pesky SQL syntax error using PHP variables
>

>><snip>
>>
>>You cannot guarantee that this value will only be one of your <option>
>>tag values. Posted data is easily forged.

>
Hmmm.
>
So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input? In this case, a bogus POST value
would only cause the query to fail, right? Or could a malicious user gain
access to the server this way?
>
At the moment, I only clean data that allows direct user input, such as text
fields.

As Rik says, trust nothing that has come from the user as users cannot
be trusted! Don't rely on the standard way browsers restrict the posted
data (such as select tags), or even javascript validation before submission.

Note: (often forgotten) that $_SERVER['PHP_SELF'] comes from the user
too and can be used for cross site scripting attacks (see
http://en.wikipedia.org/wiki/XSS ).

Robin

**Frankie** · Jul 16 '06, 06:05 PM

Re: HELP: pesky SQL syntax error using PHP variables

"Rik" <luiheidsgoeroe @hotmail.comwro te in message
news:ecfda$44b6 fcb1$8259c69c$1 3740@news2.tude lft.nl...

So you're suggesting all POST data be cleaned, even if it comes from a
select menu which doesn't allow user input?

>
Yes. I could send raw headers to your script, but much simpler is to make

my

own form with the apropriate names, and post it to your url...

Would it be more secure to send data as SESSION variables instead of POST
variables (after initial data validation)?

IF.HE.

**Rik** · Jul 16 '06, 06:35 PM

Re: HELP: pesky SQL syntax error using PHP variables

Frankie wrote:

"Rik" <luiheidsgoeroe @hotmail.comwro te in message
news:ecfda$44b6 fcb1$8259c69c$1 3740@news2.tude lft.nl...

>>>
>>So you're suggesting all POST data be cleaned, even if it comes
>>from a select menu which doesn't allow user input?

>>
>Yes. I could send raw headers to your script, but much simpler is to
>make my own form with the apropriate names, and post it to your
>url...

>
Would it be more secure to send data as SESSION variables instead of
POST variables (after initial data validation)?

You can't 'send' SESSION variables like that.
It would just mean extra code with no benefits.

Just validate your POST data with the tools that are there (is_int(),
preg_match(), mysql_real_esca pe_string() before using the in a
mysql_database etc.). When a value is invalid, either stop further
processing and provide a usefull error message, or set it to a default value
and use that.

Grtz,
--
Rik Wasmus

HELP: pesky SQL syntax error using PHP variables

HELP: pesky SQL syntax error using PHP variables

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment