0

Hi, I'm using a query to extract data from the table, from a dynamic link, and ummm the code I've used SEEMS to be okay, yet I get a 'Database Query Failed'. Can someone tell me why?

here's the code:

<?php
$PIN = $_GET['Pin'];

$query="SELECT * FROM Accident_Investigation WHERE PIN = $PIN";
$result = mysqli_query($connection, $query);

if(!$result){
    die("Database query failed.");
}
?>
6
  • 3
    Instead of die(), use echo mysqli_error($connection); and read the error message that outputs (if any). Commented Nov 25, 2013 at 16:51
  • 1
    where is $connection defined ? Commented Nov 25, 2013 at 16:52
  • 4
    Can change, WHERE PIN = '$PIN' ? Commented Nov 25, 2013 at 16:53
  • Maybe connection isn't defined. Maybe PIN is a string and should be in quotes? Commented Nov 25, 2013 at 16:53
  • Lovely SQL injection attack vulnerability. Enjoy having your server pwn3d. Commented Nov 25, 2013 at 17:00

2 Answers

1

Change $PIN to '$PIN' in SQL statement provided everything else works fine.


3 Comments

Also mysqli_real_escape_string will be useful.
Sanitize the string before directing it directly from $_GET.
Yes, one can refer to this link => php.net/manual/en/filter.filters.sanitize.php. SQL injection prevention is the next step.
0
$PIN = isset($_GET['Pin']) ? $_GET['Pin'] : null;        // isset(), not empty(): "0" is a valid PIN
$PIN = mysqli_real_escape_string($connection, $PIN);    // escape before quoting, as the comments suggest
$query = "SELECT * FROM Accident_Investigation WHERE PIN = '" . $PIN . "'";
$result = mysqli_query($connection, $query);
if (!$result){
  echo mysqli_error($connection);   // print the driver's error; the bare call discarded it
  die("Database query failed.");
}

4 Comments

If PIN is an int, it shouldn't, AFAIK be in quotes, should it?
Do NOT use empty() like this, ESPECIALLY if the valid inputs can contain 0. empty(0) is true.
If it does happen to be an int, it won't matter. But if it happens to be a date, char or varchar, it sets things straight.
Thanks man, what I had to do was to add the quotes to $PIN, like so: WHERE PIN = '$PIN'
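Putting the thread's advice together, here is an added example (not code from any of the posters above) that assumes the same $connection mysqli link and Accident_Investigation table as the question. A prepared statement makes the int-versus-quotes debate moot and closes the injection hole the comments point out, isset() rather than empty() keeps a PIN of 0 valid, and the driver's error goes to the server log instead of being lost.

```php
<?php
// Added example: assumes $connection is an open mysqli link and the
// Accident_Investigation table from the question exists.

// Report mysqli failures as exceptions so a failed query cannot be
// silently ignored the way an unused mysqli_error() call is.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch every row for one PIN using a prepared statement.
 * Returns an array of associative rows (possibly empty).
 */
function fetch_by_pin(mysqli $connection, string $pin): array
{
    // The placeholder is never quoted by hand: the driver sends the value
    // separately from the SQL text, so this works whether the PIN column
    // is INT or VARCHAR, and quotes or keywords inside the value stay data.
    $stmt = $connection->prepare(
        'SELECT * FROM Accident_Investigation WHERE PIN = ?'
    );
    $stmt->bind_param('s', $pin);   // 's' is fine for numeric columns too
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// isset(), not empty(): empty("0") is true and would reject a valid PIN of 0.
if (!isset($_GET['Pin']) || $_GET['Pin'] === '') {
    http_response_code(400);
    die('Missing Pin parameter.');
}

try {
    $rows = fetch_by_pin($connection, (string) $_GET['Pin']);
} catch (mysqli_sql_exception $e) {
    // Keep the driver message in the server log; the visitor only sees
    // the generic text the question used.
    error_log('Accident_Investigation lookup failed: ' . $e->getMessage());
    die('Database query failed.');
}

foreach ($rows as $row) {
    echo htmlspecialchars((string) ($row['PIN'] ?? '')), "\n";
}
```

get_result() needs the mysqlnd driver; on a build using libmysqlclient, use bind_result() and fetch() on the statement instead.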
