Help with existing code

lawrence28 · October 30, 2018, 2:24pm

Hey guys, I need some help debugging this script (I didn’t write it). I am pretty new to PHP so it is probably something stupid. When I run this, I get an error that I am missing a right parenthesis but it looks like they are all there. If I remove the parenthesis from around the query, I get a missing expression error. Thanks for the help.

Here is my code:

<link rel="stylesheet" type="text/css" href="../style.css" />
<link rel='stylesheet' type='text/css' href='https://bert.marshall.edu/styles/brite.css' />
<?php
  include('../bannerConnect.php');
  $from = $_POST['from'];
  $to = $_POST['to'];
  $query = "SELECT DISTINCT spriden_id AS muid,
(
SELECT TO_CHAR(spbpers_birth_date,'MM/DD/YYYY')
    FROM spbpers
    WHERE spbpers_pidm = spriden_pidm AS DOB,
                spriden_first_name AS First,
                spriden_last_name AS Last,
                spraddr_street_line1 AS Street_1,
                spraddr_street_line2 AS Street_2,
                spraddr_city AS city,
                spraddr_stat_code AS state,
                spraddr_zip AS zip,
                saradap_majr_code_1 AS Major_Code,
                stvmajr_desc AS Major_Desc,
                saradap_styp_code AS Stype,
                saradap_term_code_entry AS App_Term

    (SELECT goremal_email_address FROM goremal
    WHERE goremal_pidm = spriden_pidm
          AND   TO_CHAR(goremal_activity_date,'YYYYMMDD')
    || ''
    || goremal_surrogate_id = (
      SELECT MAX (TO_CHAR(goremal_activity_date,'YYYYMMDD')
      || ''
      || goremal_surrogate_id)
      FROM goremal
      WHERE goremal_pidm = spriden_pidm
            AND   goremal_emal_code = 'PROS'
            AND   goremal_status_ind = 'A')
          ) AS Email

  FROM spriden
      ,saradap
      ,sarappd
      ,spraddr
      ,stvmajr
      ,spbpers
      ,sorhsch
      ,gurmail
  WHERE spriden_change_ind IS NULL
        AND   spriden_last_name NOT LIKE '%901%'
        AND   spriden_pidm = saradap_pidm
        AND   saradap_term_code_entry = (
    SELECT MAX (saradap_term_code_entry)
    FROM saradap
    WHERE saradap_pidm = spriden_pidm)
        AND   saradap_term_code_entry IN (
    '201903'
   ,'202001'
  )
        AND   saradap_levl_code = '01'
        AND   saradap_styp_code IN (
    '1'
  )
        AND   saradap_coll_code_1 NOT IN (
    'CC'
   ,'IM'
  )
        AND   saradap_resd_code in ('N','M','R')
        AND   spriden_pidm = sarappd_pidm
        AND   sarappd_seq_no = (
    SELECT MAX (sarappd_seq_no)
    FROM sarappd
    WHERE sarappd_pidm = saradap_pidm
          AND   sarappd_term_code_entry = saradap_term_code_entry
          AND   sarappd_appl_no = saradap_appl_no
  )
        AND   sarappd_term_code_entry = saradap_term_code_entry
        AND   sarappd_appl_no = saradap_appl_no
        AND   sarappd_apdc_code IN (
    '01'
   ,'02'
   ,'03'
   ,'08'
   ,'09'
   ,'16'
   ,'17'
   ,'73'
   ,'77'
   ,'79'
   ,'80'
   ,'81'
   ,'88'
   ,'8E'
   ,'E8'
   ,'99'
   ,'9E'
   ,'E9'
  )
        AND   spriden_pidm = spraddr_pidm
        AND   spraddr_seqno = (
    SELECT MAX (spraddr_seqno)
    FROM spraddr
    WHERE spraddr_pidm = spriden_pidm
          AND   spraddr_atyp_code = 'PR'
          AND   spraddr_to_date IS NULL
          AND   spraddr_status_ind IS NULL
  )
        AND   spraddr_to_date IS NULL
        AND   spraddr_atyp_code = 'PR'
        AND   spraddr_status_ind IS NULL
        AND   saradap_majr_code_1 = stvmajr_code
        AND   spriden_pidm = spbpers_pidm (+)
        AND   spriden_pidm = sorhsch_pidm
        AND   TO_CHAR (sorhsch_graduation_date,'YYYY') IN (
    '2017'
   ,'2018'
   ,'2019'
  )
        AND   spriden_pidm = gurmail_pidm
        AND   gurmail_letr_code = 'ADM_ACCEPT'
        AND   gurmail_date_printed BETWEEN '$from' AND '$to'
        AND   EXISTS (
    SELECT 'X'
    FROM sarappd
    WHERE spriden_pidm = sarappd_pidm
          AND   sarappd_seq_no = (
      SELECT MAX (sarappd_seq_no)
      FROM sarappd
      WHERE sarappd_pidm = saradap_pidm
            AND   sarappd_term_code_entry = saradap_term_code_entry
            AND   sarappd_appl_no = saradap_appl_no
            AND   sarappd_apdc_date BETWEEN '$from' AND '$to'
            AND   sarappd_apdc_code IN (
        '01'
       ,'02'
       ,'03'
       ,'08'
       ,'09'
       ,'16'
       ,'17'
       ,'73'
       ,'77'
       ,'79'
       ,'80'
       ,'81'
       ,'88'
       ,'8E'
       ,'E8'
       ,'99'
       ,'9E'
       ,'E9'
      )
    )
          AND   sarappd_term_code_entry = saradap_term_code_entry
          AND   sarappd_appl_no = saradap_appl_no
          AND   sarappd_apdc_code IN (
      '01'
     ,'02'
     ,'03'
     ,'08'
     ,'09'
     ,'16'
     ,'17'
     ,'73'
     ,'77'
     ,'79'
     ,'80'
     ,'81'
     ,'88'
     ,'8E'
     ,'E8'
     ,'99'
     ,'9E'
     ,'E9'
    )
          AND   sarappd_apdc_date BETWEEN '$from' AND '$to'
  )
        AND   NOT EXISTS (
    SELECT 'X'
    FROM spbpers
    WHERE spbpers_pidm = spriden_pidm
          AND   (
      (spbpers_dead_date IS NOT NULL)
      OR    (spbpers_dead_ind IS NOT NULL)
    )
  )  
)";

  $c = OCIParse($conn, $query);
  if (!OCIExecute($c))
  {
    var_dump(ocierror($c));
    exit();
  }

  $nrows = oci_fetch_all($c, $results);

  echo "<table class='styled'>";
  if ($nrows > 0)
  {

     echo "<tr>";
     foreach ($results as $key => $val)
     {
        $column_type  = oci_field_type($c, $key);
        if ($column_type != "ROWID")
          echo "<th>$key</th>";
        else
          unset($results[$key]);
     }
     echo "</tr>";

     for ($i=0; $i<$nrows; $i++)
     {
        echo "<tr>";
        foreach ($results as $data)
          echo "<td>" . $data[$i] . "</td>";
        echo "</tr>";
     }
   }
echo "</table>";
?>

benanamen · October 30, 2018, 6:31pm

Your code is vulnerable to an SQL Injection Attack. NEVER EVER put user supplied variables in your query. You need to use prepared statements.

Second, if that query runs, it must be slow as fun. Try joining your tables. I would suggest you post your DB schema so we can review it.