0

I have 4 tables in database and an unique clientid is common in all tables but rest field are different. if we search for any client id , how can we get the information stored corresponding to the searched client id from the any table.

$clientid=$_POST['client'];
$query = "SELECT * FROM 'pfs'
          JOIN 'pfssurety' 
          JOIN 'iso'
          JOIN 'incometax'
          WHERE clientid='$clientid'";
$result = mysql_query($query)or die (mysql_error());

while($row=mysql_fetch_array($result)) {
    echo $row['clientid'];
    echo $row['name'];
}
Improve this question
4
  • You miss the on clause Commented May 26, 2017 at 12:22
  • 1
    Stop using deprecated mysql_* API. Use mysqli_* or PDO Commented May 26, 2017 at 12:22
  • 1
    This will not work cause when you are using JOIN you need to use the ON clause and the mysql_query , mysql_fetch_array() will not work you need to use the mysqli_.... Commented May 26, 2017 at 12:23
  • Your code is vulnerable to SQL Injection, check my answer for a simple example on how to prevent this. Additionally read about what SQL Injection is and how to prevent it. Commented May 26, 2017 at 12:38

5 Answers 5

Reset to default
1

Here is an implementation using mysqli and prevents injection for your $clientid where the id is a number grate then zero as AUTO_INCREMENT columns will never have a 0 value they start at 1

// as this is an int using inval will force it to be a valid whole number 
// basic SQL Injection Protection for a fixed id

$clientid = intval($_POST['client']);
if($clientid === 0){
    // it was not a valid number as an auto_increment field in mysql can never be 0
    die("invalid client");
}

$query="SELECT * FROM `pfs` 
    JOIN `pfssurety`  ON  pfssurety.clientid = pfs.clientid 
    JOIN `iso` ON  iso.clientid = pfs.clientid 
    JOIN `incometax` ON  incometax.clientid = pfs.clientid 
    WHERE pfs.clientid=$clientid";

$result= mysqi_query($query) or die("Query Failed");

while($row=mysql_fetch_array($result))
{
    echo $row['clientid'];
    echo $row['name'];
}
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

How is this preventing SQL Injection? You are still using the user input directly into the query, You should use prepared statements.
no im not $clientid = intval($_POST['client']); intval will turn it into an int no matter what so if it has any none number chars in it it will result in 0 go learn php...
I missed the intval() part, sorry. Still IMO you should use prepared statements, since this is one of the main reasons why you would like to use them, read more about them here: w3schools.com/php/php_mysql_prepared_statements.asp
yeah i know but i thought that might be a bit to complex since the OP is using mysql_ instead of mysqli_ let alone mysqli::(objective) or PDO before trying to work out why his $_POST['clientid'] would bugger up coz of array value not passed by reference
0

You meant to use backtique instead of single quote. Otherwise your table names are considered as normal string literal. Also, you are missing ON condition for all your JOIN clauses So your query

SELECT * FROM 'pfs'

Should actually be

SELECT * FROM `pfs`

Change your query to be

SELECT * FROM `pfs`
JOIN `pfssurety` ON condition
JOIN `iso` ON condition
JOIN `incometax` ON condition
WHERE clientid='$clientid'
Improve this answer

Comments

0

Maybe you need to set the on in your join as something like this:

SELECT * FROM 'pfs'
JOIN 'pfssurety'  ON pfs.clientid=pfssurety.clientid
JOIN 'iso' ON pfs.clientid=iso.clientid
JOIN 'incometax' ON pfs.clientid=incometax.clientid
WHERE clientid='$clientid'

Y suposed that all tables have the clientid attribute.

  • Instead of using the SELECT * you could use the enumeration of the different attributes you need
Improve this answer

Comments

0

You are on the right track using JOIN. You need to specify the common column that the JOIN should be made on.

https://www.w3schools.com/sql/sql_join_left.asp

SELECT a.fieldname, i.fieldname, t.fieldname, p.fieldname FROM 'pfs' as a
LEFT JOIN 'pfssurety' as p ON p.clientid  = a.clientid 
LEFT JOIN 'iso' as i ON i.clientid  = a.clientid 
LFT JOIN 'incometax' as t ON t.clientid  = a.clientid 
WHERE a.clientid='$clientid'";

Also, you should escape your variables to prevent SQL Injection. At a minimum:

a.clientid= "' . mysqli_real_escape_string($clientid) . '"';

http://php.net/manual/en/mysqli.real-escape-string.php

Improve this answer

3 Comments

why did you pic left join he might want nulls stackoverflow.com/questions/38549/…
Have added a one liner on injection, I swear every sql question has unescaped variables.
Regarding the joins good point. LEFT JOIN is a habit for me for most joins.
0

Your code is vulnerable to SQL Injection, you should never use user input directly into your SQL queries. In your code the problem is here:

$clientid = $_POST['client']; // anyone could manipulate this field to inject malicious code
# ...
WHERE clientid='$clientid'";

Check what happens if the value for $_POST['client'] is: ' or 1 = 1;

Next as mentioned in one of the comments stop using deprecated methods, instead for example you can use mysqli. Here is an example of how to use mysqli with prepared statements to avoid SQL Injection:

$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$stmt = $conn->prepare('SELECT * FROM `pfs` JOIN `pfssurety` ON condition JOIN `iso` ON condition JOIN `incometax` ON condition WHERE clientid = ?');

$stmt->bind_param('i', $clientid);
$stmt->execute();
$stmt->close();
$conn->close();

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.

Compared to executing SQL statements directly, prepared statements have three main advantages:

  • Prepared statements reduces parsing time as the preparation on the query is done only once (although the statement is executed multiple times)

  • Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query

  • Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Finally one more thing worth mentioning, try not using * to fetch all columns, instead simply list the columns you need to get. Even if you need to get all columns there are good reasons why not to use *, but instead list all columns.

Improve this answer

1 Comment

your missing the set for $clientid between $stmt->bind_param('i', $clientid); and $stmt->execute();

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.