
Hi guys, I'm sure I'm missing something, but I can't figure out why this is not working! So I have a table and some data, and I'm trying to get the image column, but for some reason it's not working.

This is what I'm getting (empty URL):

<div class="forma_reservas_datos_imagen imgPack" style="background-image:url()"></div>

PHP

<?php 

global $wpdb;

$tablePacks = 'packs';

$res =  "SELECT * FROM ".$tablePacks." where nom_pack_get = '".$_GET["pack"]."'";

$packImg = $wpdb->get_results($res, ARRAY_A);

if(count($packImg) == 1){
    ?>
    <div class="forma_reservas_datos_imagen imgPack" style="background-image:url(<?php echo $packImg->imatge_url; ?>)">
<?php   

}

?>
  • Your code is vulnerable to SQL injection attacks. You should use prepared statements with bound parameters, via either the mysqli or PDO drivers. This post has some good examples. Commented Nov 10, 2017 at 19:39
  • Thanks, I don't know much about PDO though, so I'm going to implement it sometime in the future when the website is all set up and working. Commented Nov 10, 2017 at 19:53
  • Don't do that. Learn PDO, it's easy. Otherwise, you'll be learning how to restore your compromised website from backup. Commented Nov 10, 2017 at 19:54
  • @JJCarlk3, try var_dump($packImg); first, and check what is inside. And if you still insist on not using PDO, then at least please sanitise your $_GET['pack'] variable, in any way. Commented Nov 10, 2017 at 20:03

1 Answer


$packImg will be an array of associative arrays, not an object, so you should use it as $packImg[0]["imatge_url"].

As others have pointed out in the comments, watch out for SQL injections. Use wpdb's prepare method:

$res = $wpdb->prepare("SELECT * FROM ".$tablePacks." where nom_pack_get = %s", $_GET["pack"]);

prepare will return SQL that is safe to send to the database (and you don't have to type '" . $myvar . "' all the time; it really helps a lot and makes your code secure at the same time).
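To show both fixes from the answer in one place, here is the asker's lookup rewritten end to end. This is an added example, not code from the question or the answer: the table name packs, the columns nom_pack_get and imatge_url and the ?pack= query parameter come from the question; the helper name get_pack_by_slug, the use of get_row() instead of get_results(), and the output escaping with esc_url() are assumptions of this example.

```php
<?php
// Added example (not from the original question or answer): the asker's
// lookup rewritten with $wpdb->prepare(). Table name 'packs', columns
// nom_pack_get / imatge_url and the ?pack= parameter are from the question;
// the helper name and the use of get_row()/esc_url() are assumptions here.

global $wpdb;

/**
 * Look up one pack row by its slug without building SQL from user input.
 *
 * @param wpdb   $wpdb The WordPress database object.
 * @param string $slug Untrusted value, e.g. $_GET['pack'].
 * @return array|null  Associative row, or null when no row matches.
 */
function get_pack_by_slug( $wpdb, $slug ) {
    // Constant table name. Identifiers cannot be bound with %s, so never
    // build this part of the query from request data.
    $table = 'packs';

    // %s is a placeholder, not a quoted variable: prepare() escapes the
    // argument and adds the quotes itself. With the original concatenation,
    //   ?pack=' OR '1'='1
    // produced  ... WHERE nom_pack_get = '' OR '1'='1'  and matched every
    // row; here the same input is compared as one literal string.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE nom_pack_get = %s",
        $slug
    );

    // get_row() returns a single row as an associative array (or null),
    // which avoids the get_results() / count() / [0] dance from the question.
    return $wpdb->get_row( $sql, ARRAY_A );
}

$pack = isset( $_GET['pack'] ) ? get_pack_by_slug( $wpdb, $_GET['pack'] ) : null;

if ( $pack !== null ) {
    // SQL escaping and HTML escaping are separate concerns: the URL is
    // going into a style attribute, so escape it for that context as well.
    $img = esc_url( $pack['imatge_url'] );
    echo '<div class="forma_reservas_datos_imagen imgPack" '
       . 'style="background-image:url(' . $img . ')"></div>';
}
```

Two things worth keeping in mind when applying this pattern elsewhere: prepare() only protects values (%s, %d, %f), so a column or table name that has to vary should come from a fixed whitelist in your code rather than from the request (WordPress 6.2 added a %i placeholder for identifiers, which is the right tool on recent versions); and prepare() does nothing for the second half of the problem, which is what you echo back into the page, so escape on output with the esc_* helper that matches the context.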


3 Comments

Thank you, I'm going to try that and will let you know if it works. And you guys are probably right, I've got to learn PDO and SQL injection. It's just that I thought: a normal small business like mine, why would anyone want to hack it? But yeah, I guess it could happen to anyone.
Glad that it works. And regarding the SQL injections: it's probably not that you will be targeted specifically. But there are bots that just mass check websites, and will manipulate variables passed via query string, and report their findings to their owners. Think of them like somebody just checking whether your door is locked, not trying to unlock it, and then deciding whether breaking into your house is worth it.
That makes sense. I'm going to keep this in mind from now on and will replace all my wpdb queries with these prepared statements. Thanks a lot, man!
