Why won't this query work? (PHP General forums, PHP Programming Forums category)
Hi Everyone,

Attempting to get this query:

"SELECT customerName, loginName, email, adminLevel FROM current WHERE customerBusiness=$business ORDER BY adminLevel"

to work. So far it doesn't like me... It pops up saying that "Unknown column 'Raoset' in 'where clause'"

Here is what I get if I echo the query:

SELECT customerName, customerBusiness, loginName, email, adminLevel FROM current WHERE customerBusiness='Raoset'

$business is populated from a session variable and echoes right... What I can't figure out is what in the world is wrong... If I type in the variable info, it works just fine. So why can't I pull it from a variable?

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
Okay... so as happens to me more times than I care to admit... as soon as I sent it I simply added:

.....WHERE customerBusiness='$business'.....

and it works just fine... Sorry for the noise!

On Mar 24, 2008, at 1:47 PM, Jason Pruim wrote:

> Hi Everyone,
>
> Attempting to get this query:
> "SELECT customerName, loginName, email, adminLevel FROM current
> WHERE customerBusiness=$business ORDER BY adminLevel"
>
> to work.
> So far it doesn't like me... It pops up saying that "Unknown column
> 'Raoset' in 'where clause'"
>
> Here is what I get if I echo the query:
> SELECT customerName, customerBusiness, loginName, email, adminLevel
> FROM current WHERE customerBusiness='Raoset'
>
> $business is populated from a session variable and echoes right...
> What I can't figure out is what in the world is wrong... If I type
> in the variable info, it works just fine. So why can't I pull it
> from a variable?
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 3251 132nd ave
> Holland, MI, 49424-9337
> www.raoset.com
> japruim@raoset.com

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
On Mon, Mar 24, 2008 at 1:47 PM, Jason Pruim <japruim@raoset.com> wrote:
> Hi Everyone,
>
> Attempting to get this query:
> "SELECT customerName, loginName, email, adminLevel FROM current WHERE
> customerBusiness=$business ORDER BY adminLevel"
>
> to work.
> So far it doesn't like me... It pops up saying that "Unknown column
> 'Raoset' in 'where clause'"
[snip!]

Encapsulate your $business variable in quotes. If you don't, MySQL sees it as a relational link.

Also, as a reminder, be sure to use mysql_real_escape_string($business) if you're not using mysqli_*().

--
</Daniel P. Brown>
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
On Mar 24, 2008, at 2:23 PM, Daniel Brown wrote:

> On Mon, Mar 24, 2008 at 1:47 PM, Jason Pruim <japruim@raoset.com> wrote:
>> Hi Everyone,
>>
>> Attempting to get this query:
>> "SELECT customerName, loginName, email, adminLevel FROM current WHERE
>> customerBusiness=$business ORDER BY adminLevel"
>>
>> to work.
>> So far it doesn't like me... It pops up saying that "Unknown column
>> 'Raoset' in 'where clause'"
> [snip!]
>
> Encapsulate your $business variable in quotes. If you don't,
> MySQL sees it as a relational link.
>
> Also, as a reminder, be sure to use
> mysql_real_escape_string($business) if you're not using mysqli_*().

It's already been escaped, $business is pulled out of the database after they log in. :)

> --
> </Daniel P. Brown>
> Forensic Services, Senior Unix Engineer
> 1+ (570-) 362-0283

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@raoset.com> wrote:
>
> It's already been escaped, $business is pulled out of the database
> after they log in. :)

I don't care, Prune.

(I still get a kick out of knowing that. Who was it, Jochem or Zoltan who said that? ;-P)

NEVER trust that the data is escaped regardless of where it originated. Suppose someone else writes a script to tie into your database and doesn't escape it, and Hagar The Horrible's great-great(^15) grandson, Hacker The Horndog comes in and finds the vulnerability, and enters the company name as "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 "?

Bye, data.

Learn: http://xkcd.com/327/

--
</Daniel P. Brown>
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
On Mon, Mar 24, 2008 at 2:40 PM, Daniel Brown <parasane@gmail.com> wrote:
> On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@raoset.com> wrote:
> >
> > It's already been escaped, $business is pulled out of the database
> > after they log in. :)
>
> I don't care, Prune.
>
> (I still get a kick out of knowing that. Who was it, Jochem or
> Zoltan who said that? ;-P)
>
> NEVER trust that the data is escaped regardless of where it
> originated. Suppose someone else writes a script to tie into your
> database and doesn't escape it, and Hagar The Horrible's
> great-great(^15) grandson, Hacker The Horndog comes in and finds the
> vulnerability, and enters the company name as "';DELETE FROM current
> WHERE 1;SELECT * FROM current WHERE 1 "?
>
> Bye, data.
>
> Learn: http://xkcd.com/327/
>
> --
> </Daniel P. Brown>
> Forensic Services, Senior Unix Engineer
> 1+ (570-) 362-0283

Jason, listen to Daniel's advice on this. Hacker issues aside, wouldn't it be embarrassing if someone typed O'Brien in the input field and it gave a white screen or worse yet text that said "Error with SQL?"
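The three stages of this thread, the bare `$business` from the first post, the quoted `'$business'` from Jason's fix, and the O'Brien case raised just above, worked through as an added example. This is not code from the thread or from anyone in it. It assumes PDO with the SQLite driver so that it runs without a MySQL server (for MySQL, change the DSN; the prepared statement behaves the same); the table `current` and its columns are taken from Jason's query, the rows are constructed.

```php
<?php
// Added example, not code from the thread. It reproduces the three stages of
// the discussion (bare interpolation, quoted interpolation, prepared statement)
// against an in-memory SQLite database through PDO so it runs without a MySQL
// server; for MySQL, change the DSN and the prepared statement behaves the same.
// Table and column names come from Jason's query; the rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec("CREATE TABLE current (
    customerName TEXT, customerBusiness TEXT, loginName TEXT, email TEXT, adminLevel INTEGER)");
// Constructed rows; one business name contains an apostrophe on purpose.
$db->exec("INSERT INTO current VALUES
    ('Jason', 'Raoset',       'jason', 'jason@example.invalid', 1),
    ('Pat',   'Raoset',       'pat',   'pat@example.invalid',   2),
    ('Mary',  'O''Brien Ltd', 'mary',  'mary@example.invalid',  1)");

// Stage 1, the original post: the value is dropped into the SQL bare, so the
// parser reads Raoset as a column name (MySQL: "Unknown column 'Raoset'";
// SQLite: "no such column: Raoset").
function lookupUnquoted(PDO $db, string $business): array {
    $sql = "SELECT customerName, loginName, email, adminLevel FROM current
            WHERE customerBusiness=$business ORDER BY adminLevel";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Stage 2, Jason's fix: quotes turn it into a string literal, but the value is
// still part of the SQL text, so an apostrophe inside it ends the literal early
// and the statement fails, or with other content means something else entirely.
function lookupQuotedUnescaped(PDO $db, string $business): array {
    $sql = "SELECT customerName, loginName, email, adminLevel FROM current
            WHERE customerBusiness='$business' ORDER BY adminLevel";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Stage 3, where Daniel's reminder leads: the value travels separately from
// the SQL text, so it stays data whatever characters it holds. This replaces
// both the hand-placed quotes and the mysql_real_escape_string() step.
function lookupPrepared(PDO $db, string $business): array {
    $stmt = $db->prepare("SELECT customerName, loginName, email, adminLevel FROM current
                          WHERE customerBusiness = :business ORDER BY adminLevel");
    $stmt->execute([':business' => $business]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run one lookup and report either the row count or the database error.
function tryLookup(string $fn, PDO $db, string $business): void {
    try {
        $rows = $fn($db, $business);
        printf("%-22s %-20s -> %d row(s)\n", $fn, var_export($business, true), count($rows));
    } catch (PDOException $e) {
        printf("%-22s %-20s -> ERROR: %s\n", $fn, var_export($business, true), $e->getMessage());
    }
}

// Raoset: only the bare form fails. O'Brien Ltd: the quoted-but-unescaped
// form fails as well, which is the case raised in the thread. The prepared
// statement handles both, and treats the string Daniel quoted as a plain
// value that matches no business, so the table keeps all three rows.
foreach (['Raoset', "O'Brien Ltd"] as $business) {
    tryLookup('lookupUnquoted', $db, $business);
    tryLookup('lookupQuotedUnescaped', $db, $business);
    tryLookup('lookupPrepared', $db, $business);
}
tryLookup('lookupPrepared', $db, "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 ");
echo "rows still in current: ", $db->query("SELECT COUNT(*) FROM current")->fetchColumn(), "\n";
```

The point the output makes is the one Daniel and the follow-up reply are making: quoting the variable fixes the "Unknown column" error but not the underlying problem, because the data is still being parsed as SQL. Binding it as a parameter removes that parsing step, so a name with an apostrophe is just a name and the DELETE string is just a string that matches nothing.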
On Monday, 2008-03-24 at 14:40, Daniel Brown wrote:
> On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@raoset.com> wrote:
> >
> > It's already been escaped, $business is pulled out of the database
> > after they log in. :)
>
> I don't care, Prune.
>
> (I still get a kick out of knowing that. Who was it, Jochem or
> Zoltan who said that? ;-P)

/me points at Jochem ;)

greets
Zoltán Németh

>
> NEVER trust that the data is escaped regardless of where it
> originated. Suppose someone else writes a script to tie into your
> database and doesn't escape it, and Hagar The Horrible's
> great-great(^15) grandson, Hacker The Horndog comes in and finds the
> vulnerability, and enters the company name as "';DELETE FROM current
> WHERE 1;SELECT * FROM current WHERE 1 "?
>
> Bye, data.
>
> Learn: http://xkcd.com/327/
>
> --
> </Daniel P. Brown>
> Forensic Services, Senior Unix Engineer
> 1+ (570-) 362-0283