close ad
WARNING: Do Not Install the DREAMWEAVER CC 2017 or 2018 Update »
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

MySQLi query where target from $_GET is a column?

Thread began 3/28/2016 12:20 pm by Steve | Last modified 3/28/2016 6:13 pm by Ray Borduin | 539 views | 10 replies |

Steve

MySQLi query where target from $_GET is a column?

Hello,
I have a query where we are using a JumpMenu to refresh the page and use a $_GET URL variable to return a recordset. The Query works in PHP MyAdmin but not in the MySQLi behaviour. Is it a limitation or incorrect use from my side?

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("s", "".$_GET['id'] ."", "PosLG"); //target
$Recordset1->execute();
?>



I've also tried defining the URL variable as a proper page level variable but it still does not work:

<?php $target = $_GET['id']; ?>
<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("s", "".$target ."", "PosLG"); //target
$Recordset1->execute();
?>



The point of the recordset is to check one of a number of columns for a value of 1. The column name is chosen from a JumpMenu that refreshes the page setting a url such as .....php?id=PosGS

Sign in to reply to this post

Dave BuchholzBeta Tester

Steve,

if $_GET['id'] is an number (integer) then your recordset should look like this:

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("i", "".$_GET['id'] ."", "PosLG"); //target
$Recordset1->execute();
?>



note that I have changed

$Recordset1->bindParam("s", "".$_GET['id']  ."", "PosLG"); //target



to

$Recordset1->bindParam("i", "".$_GET['id']  ."", "PosLG"); //target



s = "string" and i = "integer" in this instance

In the advanced recordset dialog you need to change the variable type from text to number/integer

Sign in to reply to this post

Steve

Dave, it is a string not an integer. Thank you for your reply.


BTW, to move forward I've excluded the Web Assist variable and went with a simpler, direct query:


<?php if(isset($_GET['id'])) {
$target = $_GET['id'];
?>

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT `id`,`setDate`,`fName`,`lName` FROM applications WHERE $target = 1 AND status != 3 ORDER BY applications.id DESC ");
$Recordset1->execute();
?>



It works but was not my first choice.

Sign in to reply to this post

Dave BuchholzBeta Tester

This post has been deleted.

Steve

Dave,
The column IS an integer but we are looking for the variable to be the "column name" and then we check to see if it holds a value of 1.

Basically we have 20 or so columns that are Positions, and people are ranking their choices by entering an number with 1 being their top choice. Our page allow the user to select a column name from a JumpMenu and then we poll the DB to return all matching records that have 1 in that column,

Sign in to reply to this post

Dave BuchholzBeta Tester

Steve,

that is interesting, so passing a column name doesn't result in a match

Sign in to reply to this post

Steve

Dave,
No, it works perfectly fine outside the behaviors environment variable.

Sign in to reply to this post

Dave BuchholzBeta Tester

Yes I can see why, the string is automatically quoted to prevent sql injection.

Sign in to reply to this post

Ray BorduinWebAssist

Yes, you wouldn't be able to use parameters to pass the value because of SQL injection prevention code that is automatically applied as Dave suggests. The solution is to add the code to your SQL statement directly as you have discovered. However this opens your query to SQL injection particularly when using a $_GET variable, so be very careful using this technique and make sure you have other protection on the page such as a login required to prevent abuse.

Sign in to reply to this post

Steve

Thanks Ray, the page does use Security based on user pass (Validation Toolkit) BUT now I am concerned as I do not want to open any vulnerabilities.
What would you suggest? Setting the value as a session on Post? Creating some limitation code that only allows 8 character max? Suggestions?

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...