
Can someone help me find my error:

$query=mysqli_query($con," SELECT * FROM item WHERE ITEM = $ITEM ") or die ( mysqli_error($con));

I am receiving this error; I don't know where the syntax error is.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

4 Contributors, 9 Replies, 48 Views, Discussion Span 2 Years, Last Post by cereal

I get this error when I insert ' at the end of the URL.
I did it to check the hacking security.
$ITEM is an integer like 15, 77, 88.


Hi all!

@phoenix

I suppose you have a form with an input field like this:

<input type="text" name="ITEM" id="ITEM">

From which you set the $ITEM variable. So try to send something different from the expected value; you expect an integer. Send this instead:

1 OR 1=1

It will probably return all the rows in the item table. This is an SQL injection, and it means the input submitted to the query function is neither sanitized nor validated, so an attacker can try to run other queries and get some extra information or execute remote code.

This is the reason you should use prepared statements, for example:

# $mysqli is a mysqli connection object (new mysqli(...))
$stmt = $mysqli->prepare("SELECT * FROM item WHERE id = ?");
$stmt->bind_param('i', $ITEM); # 'i' binds $ITEM as an integer
$stmt->execute();

$results = $stmt->get_result();

# looping results
while($row = $results->fetch_assoc()) {
    print_r($row);
}

$stmt->close();

For more examples check this code snippet by pritaeas:


I think your table name is incorrect. You are using "item" for the table name and "ITEM" for the column name. MySQL doesn't care if a column name is upper, lower, or mixed case, so you have the same name for your table and column. Are you sure the table name isn't "items" plural? If not, then you probably need to rename the table.


I changed my query and table name but I'm receiving this error again...

if(isset($_GET['item']) && !empty($_GET['item'])){
    $id = $_GET['item'];
}else{
    $id = $dbid;
}
echo $id."<br/>"; // this is to check what value $id has

79' ---> this is the output of echo $id."<br/>"; I am getting this ' at the end of $id. I don't know why.

Error:
Problem is here You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

My query is like this:

$item_query=mysqli_query($con ,"SELECT * FROM product WHERE item_id = $id ") or die ( "Problem  is here ".mysqli_error($con)); 

Edited by phoenix254


OK! Maybe I understand where the problem is, but I don't know how to solve it.

localhost/item/test.php?item=79

if(isset($_GET['item']) && !empty($_GET['item'])){
    $id = $_GET['item'];
}else{
    $id = $dbid;
}

echo $id."<br/>";

Result is 79
// because the URL is localhost/item/test.php?item=79

It is working nicely.

When I put this ' in the URL, $id also gets this ':

localhost/item/test.php?item=79'

if(isset($_GET['item']) && !empty($_GET['item'])){
    $id = $_GET['item'];
}else{
    $id = $dbid;
}

echo $id."<br/>";

Result is 79'
// because the URL is localhost/item/test.php?item=79'

How can I resolve it? Help me.

Edited by phoenix254


@phoenix

That's why I was writing about prepared statements: the quote is not supposed to be submitted to the query unless it is escaped correctly, and that's why the security test was generating the syntax error. They supposed you were using quotes in your query:

"SELECT * FROM items WHERE ITEM = '$ITEM'"

So they tried to escape them by submitting the number with a quote:

71'

To get a query like this:

"SELECT * FROM items WHERE ITEM = '71''"

Which seems to make no sense, but if you add other instructions right after the quote, you could execute whatever you want:

71' OR '1'='1

for example. In the end the query will look like this:

"SELECT * FROM items WHERE ITEM = '71' OR '1'='1'"

To solve this with MySQLi you can use prepared statements, or you can escape the input with mysqli_real_escape_string():

$id = mysqli_real_escape_string($con, $id);
$item_query = mysqli_query($con ,"SELECT * FROM product WHERE item_id = $id ");

Docs:

Edited by cereal
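The three probes discussed in the two replies above (1 OR 1=1, 79' and 71' OR '1'='1) run here against the thread's concatenated query, against the escape-only fix, and against a validated prepared statement. This is an added example, not code from the thread or from any of its posters. It uses PDO over an in-memory SQLite table instead of MySQL so that it runs offline; the table item with columns item_id and name, the sample rows, and the use of addslashes() as a stand-in for mysqli_real_escape_string() (which needs a live MySQL connection) are all assumptions. It also shows the caveat a reviewer would raise about the escape-only snippet: escaping only protects a value that sits between quotes in the SQL, and the snippet above concatenates $id unquoted, so a plain 1 OR 1=1 contains nothing to escape and still returns every row. Only the prepared variant refuses all three probes.

```php
<?php
// Added example, not code from the thread. It replays the three probes
// discussed above against (a) the thread's concatenated query, (b) the
// escape-only fix and (c) a validated prepared statement.
// Assumptions: an in-memory SQLite table via PDO instead of MySQL so it runs
// offline; table/column names item, item_id, name and the sample rows are
// made up; addslashes() stands in for mysqli_real_escape_string(), which
// needs a live MySQL connection (both leave a plain "1 OR 1=1" untouched).
// Needs PHP 7.4+ for the arrow functions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO item VALUES (71, 'keyboard'), (79, 'mouse'), (88, 'screen')");

// (a) Vulnerable: the user value becomes SQL text, unquoted as in the thread
//     ("... WHERE item_id = $id") or quoted ("... WHERE ITEM = '$ITEM'").
function lookupConcat(PDO $pdo, string $id, bool $quoted): array
{
    $sql = $quoted
        ? "SELECT * FROM item WHERE item_id = '$id'"
        : "SELECT * FROM item WHERE item_id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// (b) Escape-only: backslash-escapes quotes but still concatenates the value
//     without surrounding quotes, exactly like the mysqli_real_escape_string()
//     snippet above. Nothing in "1 OR 1=1" gets escaped, so it still injects.
function lookupEscaped(PDO $pdo, string $id): array
{
    $safe = addslashes($id); // stand-in for mysqli_real_escape_string($con, $id)
    return $pdo->query("SELECT * FROM item WHERE item_id = $safe")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// (c) Hardened: validate the type the page expects (an integer), then bind
//     the value as a parameter so it can never be parsed as SQL.
function lookupPrepared(PDO $pdo, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("item must be an integer, got: $id");
    }
    $stmt = $pdo->prepare('SELECT * FROM item WHERE item_id = ?');
    $stmt->bindValue(1, $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run one probe through a variant and describe what happened.
function describe(callable $fn): string
{
    try {
        return count($fn()) . ' row(s)';
    } catch (PDOException $e) {
        return 'SQL error (syntax): ' . $e->getMessage();
    } catch (InvalidArgumentException $e) {
        return 'rejected before reaching the database';
    }
}

$probes = ['79', "79'", '1 OR 1=1', "71' OR '1'='1"];
foreach ($probes as $p) {
    printf("%-16s concat(unquoted): %s\n", $p, describe(fn() => lookupConcat($pdo, $p, false)));
    printf("%-16s concat(quoted):   %s\n", '',  describe(fn() => lookupConcat($pdo, $p, true)));
    printf("%-16s escape-only:      %s\n", '',  describe(fn() => lookupEscaped($pdo, $p)));
    printf("%-16s prepared:         %s\n", '',  describe(fn() => lookupPrepared($pdo, $p)));
}
```

Run it with php on a build that has pdo_sqlite enabled. Reading the table: 79' breaks both concatenated forms with a syntax error (the SQLite counterpart of the "near '''" message in the question), 1 OR 1=1 dumps the whole table through the unquoted query and through the escape-only query alike, and 71' OR '1'='1 dumps it through the quoted query. The validation step in lookupPrepared is deliberate: binding as PDO::PARAM_INT without it would silently coerce "79'" to 79, which hides the probe instead of rejecting it.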


I think prepared statements are for PDO, and they can also be used in PHP, but I am new to PHP and I don't know how to use prepared statements; I saw a lot of this -> syntax, but I don't know what it is and what it is for.
I would like to learn PDO, which I think is more difficult than PHP...
Sorry for my bad English.

And a lot of thanks, cereal.


A prepared statement consists of a group of SQL commands submitted by the MySQL client:

These are supported by both PDO and MYSQLi. When you see the -> it means you're accessing an object, but the same can be done with the procedural style.

Almost always the PHP documentation offers the examples for both styles, check this example:

<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
$stmt = mysqli_stmt_init($link);
if (mysqli_stmt_prepare($stmt, 'SELECT District FROM City WHERE Name=?')) {

    /* bind parameters for markers */
    mysqli_stmt_bind_param($stmt, "s", $city);

    /* execute query */
    mysqli_stmt_execute($stmt);

    /* bind result variables */
    mysqli_stmt_bind_result($stmt, $district);

    /* fetch value */
    mysqli_stmt_fetch($stmt);

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    mysqli_stmt_close($stmt);
}

/* close connection */
mysqli_close($link);

?>

Source: http://php.net/manual/en/mysqli-stmt.prepare.php#example-1887

Edited by cereal
