
So I'm building a website and I need to access a table which holds the information about products.

I'm using this to navigate to the page:

<a href="productDetails.php?table=FeaturedProducts&id=1" >

Then, in the product details page, I'm using this to run the PHP query:

<?php

require "connection.php";

$table = $_GET["table"];
$id = $_GET["id"];

$sql = "select * from '.$table.' where ID  = '.$id.'";

$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);

$pname = $row['Product_name'];

?>

This doesn't seem to work. Please tell me how I can do this.

Comments

  • Does this answer your question? Selecting data from SQL Server Using PHP. Commented Sep 23, 2020 at 9:16
  • Ref: Bobby Tables or, more formally, SQL Injection. So please do a lot of reading before you continue this. Commented Sep 23, 2020 at 9:17
  • Remove all single quote chars and dots from the query text. Or, going backwards, replace the outer double-quote chars with single quotes. Commented Sep 23, 2020 at 9:18
  • I would recommend reading up on strings (and how concatenation works) in the manual. This is a fundamental part of PHP that you need to have locked down, or you'll run into more issues along the way. However, in this case, you should rather use parameterized prepared statements instead of using completely unescaped user data directly in your queries like that. Never ever ever never trust user input. Commented Sep 23, 2020 at 9:23
  • As others have said, this is completely the wrong way to build a query. Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. Never insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. Commented Sep 23, 2020 at 9:29

1 Answer

You made a mistake in your string concatenation. Take a look at your code here:

$sql = "select * from '.$table.' where ID  = '.$id.'";

You are trying to concatenate the $table and $id variables (we agree it's a SQL injection problem).

But PHP will interpret the resulting string like this: select * from '.FeaturedProducts.' where ID = '.1.'

So the ' characters are not necessary in your code for the table name, and it adds dots to your values, which is why MySQL gives you an error message.

So your correct code will be (and change it to use a prepared statement to avoid SQL injection):

$sql = "select * from $table where ID  = '$id'";

3 Comments

Be careful though, this allows SQL injection. You should escape the variables before putting them in the database.
Warning: You are wide open to SQL Injections and should use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input! Even when your queries are executed only by trusted users, you are still at risk of corrupting your data. Escaping is not enough!
Yes, it's necessary to use modern SQL functions to prepare the statement.
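As an added example (not code from the question, the answer, or its comments), here is the answer's corrected query rewritten the way the comments recommend: the table name, which cannot be a bound parameter, is checked against an allow-list, and the id is bound with mysqli's prepared statements. It assumes connection.php exposes $conn as a mysqli object and that the table names in ALLOWED_TABLES stand in for this site's real tables.

```php
<?php
// Added example: the answer's fixed query as a mysqli prepared statement.
// Assumptions: connection.php defines $conn (mysqli); ALLOWED_TABLES holds
// placeholder names for the site's real product tables.
require "connection.php";

// A table name cannot be bound as a parameter, so only accept known names.
const ALLOWED_TABLES = ['FeaturedProducts', 'Products'];

function fetchProduct(mysqli $conn, string $table, string $id): ?array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table");
    }
    // ID is an integer column; reject anything that is not an integer.
    $idInt = filter_var($id, FILTER_VALIDATE_INT);
    if ($idInt === false) {
        throw new InvalidArgumentException("Invalid id");
    }

    // Backticks quote the identifier (no single quotes or dots, as the
    // answer explains); the id value is sent separately via bind_param,
    // so it is never spliced into the SQL text.
    $stmt = $conn->prepare("SELECT * FROM `$table` WHERE ID = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("i", $idInt);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // needs mysqlnd (default)
    $stmt->close();

    return $row ?: null; // null when no product has that ID
}

try {
    $row = fetchProduct($conn, $_GET["table"] ?? '', $_GET["id"] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit("Bad request");
}

if ($row === null) {
    http_response_code(404);
    exit("Product not found");
}
$pname = $row['Product_name'];
?>
```

With this shape, a request like productDetails.php?table=FeaturedProducts&id=1 works as the asker intended, while any other table name or a non-numeric id is rejected with a 400 before the database is touched.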
