
I am trying to create a script that gets the variable p from the browser URL and queries the column playername for anything matching variable p, but it still doesn't work. Anyone know what I'm doing wrong? I've been fiddling with this for hours.

<!DOCTYPE html>
<html lang="en">
 <head>
    <meta charset="utf-8">
    <title>Admin Panel</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="">
    <link href="http://example.com/assets/css/bootstrap.css" rel="stylesheet">
    <link href="http://example.com/assets/css/docs.css" rel="stylesheet">
    <link href="http://example.com/assets/js/google-code-prettify/prettify.css" rel="stylesheet">

<center>

<?php

$con = mysql_connect("","","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("log", $con);

$plyr=$_GET["p"];

$result = mysql_query('SELECT * FROM logs_chat WHERE playername="$plyr"');

echo '
            <table class="table">
              <thead>
                <tr>
                  <th>Time</th>
                  <th>Player</th>
                  <th>Message</th>
                </tr>
              </thead>
              <tbody>
';

while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['time'] . "</td>";
  echo "<td>" . $row['playername'] . "</td>";
  echo "<td>" . $row['text'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysql_close($con);
?>

</center>
    <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
    <script src="http://example.com/assets/js/jquery.js"></script>
    <script src="http://example.com/assets/js/google-code-prettify/prettify.js"></script>
    <script src="http://example.com/assets/js/bootstrap-transition.js"></script>
    <script src="http://example.com/assets/js/bootstrap-alert.js"></script>
    <script src="http://example.com/assets/js/bootstrap-modal.js"></script>
    <script src="http://example.com/assets/js/bootstrap-dropdown.js"></script>
    <script src="http://example.com/assets/js/bootstrap-scrollspy.js"></script>
    <script src="http://example.com/assets/js/bootstrap-tab.js"></script>
    <script src="http://example.com/assets/js/bootstrap-tooltip.js"></script>
    <script src="http://example.com/assets/js/bootstrap-popover.js"></script>
    <script src="http://example.com/assets/js/bootstrap-button.js"></script>
    <script src="http://example.com/assets/js/bootstrap-collapse.js"></script>
    <script src="http://example.com/assets/js/bootstrap-carousel.js"></script>
    <script src="http://example.com/assets/js/bootstrap-typeahead.js"></script>
    <script src="http://example.com/assets/js/bootstrap-affix.js"></script>
    <script src="http://example.com/assets/js/application.js"></script>
</body>
</html>
  • Is it normal that you don't close your head tag and don't open your body tag? Commented Dec 10, 2012 at 2:50
  • Heads up! Future versions of PHP are deprecating and removing the mysql_ family of functions. It looks like you're still learning PHP, meaning now would be a great time to switch to PDO or mysqli. Commented Dec 10, 2012 at 3:03
  • Please learn to use parametrized queries. What you have now leaves you open to SQL injection. bobby-tables.com/php.html has examples. Commented Dec 10, 2012 at 3:08

2 Answers


The problem is here:

$result = mysql_query('SELECT * FROM logs_chat WHERE playername="$plyr"');

$plyr is treated as a string, not a variable; PHP will not parse anything inside single quotes ' '. You need to concatenate the variable.

Change it to:

$result = mysql_query('SELECT * FROM logs_chat WHERE playername="'.$plyr.'"');

Update:

Don't use the mysql_* functions; they will be deprecated soon. Use PDO or mysqli for connecting to the database. Beware of SQL injection: $_GET["p"] is not validated and is a possible weakness in your code. Try prepared statements, mysqli_real_escape_string, or PDO::quote.


Also, there is no check here for SQL injection.
What else could I possibly use for that function then?
@cegfault I was updating. Check now.
@MuthuKumaran: prepared statements work, but are not as fast as regular queries if they are only being used once (i.e., not in a loop). mysqli_real_escape_string or PDO::quote would probably be better.
@cegfault: Far better to take whatever microsecond speed hit you claim than to use tainted data when building SQL statements. Parametrized queries are the only way to go.
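The answer above recommends PDO with prepared statements in place of the mysql_* calls; as an added example (not code from the question or either answer), this is the same lookup rewritten that way. It assumes the database "log" and the columns time, playername and text from the question; the host, user and password are placeholders, and fetchChatByPlayer is a name chosen here.

```php
<?php
// Added example: the ?p= lookup done with PDO and a bound parameter.
// Assumed: database "log", table logs_chat (time, playername, text) as in
// the question. DB host/user/password below are placeholders.

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=log;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

/**
 * Returns every chat row for one player name.
 * The value is never spliced into the SQL text (neither with "$plyr"
 * interpolation nor with '"'.$plyr.'"' concatenation); it travels to MySQL
 * as a separate bound parameter, so quotes or comment markers in it are
 * just data and cannot change the statement.
 */
function fetchChatByPlayer(PDO $pdo, string $player): array
{
    $stmt = $pdo->prepare(
        'SELECT time, playername, text FROM logs_chat WHERE playername = :player'
    );
    $stmt->execute([':player' => $player]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Refuse an absent or empty ?p= before touching the database at all.
if (!isset($_GET['p']) || $_GET['p'] === '') {
    http_response_code(400);
    exit('Missing player name');
}

try {
    $rows = fetchChatByPlayer(connectDb(), $_GET['p']);
} catch (PDOException $e) {
    // Log the detail server-side; do not echo driver errors to the browser.
    error_log('chat lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Lookup failed');
}

// $rows is now a list of ['time' => ..., 'playername' => ..., 'text' => ...]
// ready to be rendered into the table from the question.
```

Note that the legacy mysql_* extension has no prepared-statement API at all, which is why the switch to PDO or mysqli is the precondition for this fix.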

Have you tried putting single quotes around the names of the tables?

from: $result = mysql_query('SELECT * FROM logs_chat WHERE playername="$plyr"');

to: $result = mysql_query("SELECT * FROM logs_chat WHERE playername='$plyr'");

Also, don't forget to use mysql_real_escape_string when getting $_GET variables.
