Trying to prevent SQL Injection, but nothing is showing up.

gfloridafan93 · September 2, 2013, 4:53pm

I have a drop down box set up to allow users to select requirements for economic data. Users can select year choices which creates a time interval, a month, and a location. I am trying to prevent sql injection, but I am having no luck. Here is my code:

[php]

if (isset($_POST[‘submitted’])) {

$gYear = $_POST[“year”];
$gYear2 = $_POST[“year2”];
$gMonth = $_POST[“month”];
$gSelect = $_POST[“location”];

$array = array(‘loc1’ -> ‘Fayette’, ‘loc2’ -> ‘Wayne’, ‘loc3’ -> ‘Indiana’, ‘loc4’ -> ‘US’);

if(array_key_exists($_POST[‘location’], $array)) {

$column = $array[$_POST[‘location’]]
}

if ($gYear > $gYear2) {

die(‘ERROR: Your second year cant be a time period before the first year you selected’);
}

else {

$query = $conn->prepare(“SELECT $column, Year, Month, FROM unemployed WHERE year BETWEEN ? AND ? and month= ?”);

$query->bind_param(‘sss’, $gyear, $gYear2, $gMonth);

$query->execute();
$result = $query->get_result();

echo “

”;
echo “”;

while ($row = $result->fetch_object()){

echo “

”;

}

$query->close();

echo “

Year	Month	$column
”; echo $row->$column; echo “	”; echo $row->Year; echo “	”; echo $row->Month; echo “

”;

} // end of main if statement

?>
[/php]

Now that I have tried preventing sql injection, when I click the submit button, no data is being displayed. This is the only portion of my code that I have edited, so the error is occurring in here. I can’t seem to figure out what I am doing wrong. Can you guys help me out? Any help would be greatly appreciated.

fastsol · September 2, 2013, 5:51pm

Well without seeing the form you are using it’s hard to say too much. But one main issue is that you can’t declare a table column name through a variable. So $column can’t be used in the manner you are. So basically your query is failing which is why you would have no display. If you build the query string before the prepare() then it should work in the way you want. Also it’s always best to use backticks around column and table names in a query.

Try this.
[php]
$sql = “SELECT $column, Year, Month FROM unemployed WHERE year BETWEEN ? AND ? AND month= ?”;
$query = $conn->prepare($sql);
[/php]
Noticed you also had a extra , just before the FROM which would also make the query fail for a syntax error.

gfloridafan93 · September 12, 2013, 6:57pm

I am still having issues. Nothing is showing up after I press submit. Here is all of my code including the form portion.

[php]

<?php require_once 'db_connect.php'; // Database Connection File ?> Data

Data Research Center

Data Home Page

Step 1: Please select your first year you want to gather data from.
Step 2: Next, select a second year to create a time interval.
Step 3: Then, select the time of year you want to retrieve data from.
Step 4: Finally, specify a specific regional location.

Specify Date, Month, and County

Please Select years: From <?php $query = "select distinct year from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->year."";
}
?>

To <?php $query = "select distinct year from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->year."";
}
?>

Please select a month <?php $query = "select distinct month from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->month."";
}
?>

All Months

Please specify a location Fayette County (IN) Henry County (IN) Randolph County (IN) Rush County (IN) Union County (IN) Wayne County (IN) Local Indiana Counties Indiana Butler County (OH) Darke County (OH) Mercer County (OH) Preble County (OH) Local Ohio Counties Ohio United States

<?php if (isset($_POST['submitted'])) { //Main If Statement $gYear = $_POST["year"]; $gYear2 = $_POST["year2"]; $gMonth = $_POST["month"]; $gSelect = $_POST["location"]; $array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne', 'loc7 => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke', 'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties', 'loc14' => 'Ohio', 'loc15' => 'US'); if ($gYear > $gYear2) { die('ERROR: Your second year cant be a time period before the first year you selected'); } else { if (array_key_exists($_POST["location"], $array)) { $column = $_POST["location"]; } else { echo "ERROR"; } $sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?"; $query = $conn->prepare($sql); $query->bind_param('sss', $gyear, $gYear2, $gMonth); $query->execute(); $result = $query->get_result(); echo ""; echo ""; while ($row = $result->fetch_object()){ echo ""; } $query->close(); echo "

Year	Month	$column
"; echo $row->Year; echo "	"; echo $row->Month; echo "	"; echo $row->$column; echo "

"; } } // end of main if statement ?>

[/php]

Can anyone please help me out? I have no idea what I am doing wrong. Any help would be greatly appreciated.

JimL · September 13, 2013, 5:59pm

Do you use an IDE, or do you write this in notepad? The reason I ask is because it’s quite obvious there’s something wrong the second you paste this in an IDE (like netbeans).

Trying to run your code I get this, don’t you get any error messages?

Parse error: syntax error, unexpected 'INCounties' (T_STRING), expecting ')' in /srv/www/test2/public/test.php on line 132

ttbakiatwoam · September 16, 2013, 5:50am

[php]
$array = array(‘loc1’ => ‘Fayette’, ‘loc2’ => ‘Henry’, ‘loc3’ => ‘Randolph’,
‘loc4’ => ‘Rush’, ‘loc5’ => ‘Union’, ‘loc6’ => ‘Wayne’,
'loc7 => ‘INCounties’,‘loc8’ => ‘Indiana’, ‘loc9’ => ‘Butler’, ‘loc10’ => ‘Darke’,
‘loc11’ => ‘Mercer’, ‘loc12’ => ‘Preble’, ‘loc13’ => ‘OHCounties’,
‘loc14’ => ‘Ohio’, ‘loc15’ => ‘US’);

[/php]

missing a ’ on the loc7 line… should be

[php] ‘loc7’ => ‘INCounties’,‘loc8’ => ‘Indiana’, ‘loc9’ => ‘Butler’, ‘loc10’ => ‘Darke’,
[/php]

gfloridafan93 · September 16, 2013, 1:08pm

Nope I am not really getting any error messages at all. I fixed the error with 'loc7 (changed it to ‘loc7’), but now when I select my choices from my drop down menus click submit, I get ERROR. This is coming from my if else statement which prints ERROR. Something is wrong with my _POST[“location”] variable I believe. I really have no idea though. Any other things I can try? Any help would be greatly appreciated.

JimL · September 16, 2013, 1:11pm

Can you add the code you have atm? Preferably the files for both the form and the php which handles it.

gfloridafan93 · September 16, 2013, 1:18pm

Form File:

[php]

<?php require_once 'db_connect.php'; ?> Data

Research Center

Data Home Page

Step 1: Please select your first year you want to gather data from.
Step 2: Next, select a second year to create a time interval.
Step 3: Then, select the time of year you want to retrieve data from.
Step 4: Finally, specify a specific regional location.

Specify Date, Month, and County

Please Select years: From <?php $query = "select distinct year from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->year."";
}
?>

To <?php $query = "select distinct year from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->year."";
}
?>

Please select a month <?php $query = "select distinct month from unemployed";

$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo “”.$row->month."";
}
?>

All Months

Please specify a location Fayette County (IN) Henry County (IN) Randolph County (IN) Rush County (IN) Union County (IN) Wayne County (IN) Local Indiana Counties Indiana Butler County (OH) Darke County (OH) Mercer County (OH) Preble County (OH) Local Ohio Counties Ohio United States

[/php]

Here is the php code that retrieves the data after the form is submitted:

[php]

<?php if (isset($_POST['submitted'])) { $gYear = $_POST["year"]; $gYear2 = $_POST["year2"]; $gMonth = $_POST["month"]; $array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne', 'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke', 'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties', 'loc14' => 'Ohio', 'loc15' => 'US'); if ($gYear > $gYear2) { die('ERROR: Your second year cant be a time period before the first year you selected'); } else { if (array_key_exists($_POST["location"], $array)) { $column = $_POST["location"]; } else { echo "ERROR"; } $sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?"; $query = $conn->prepare($sql); $query->bind_param('sss', $gyear, $gYear2, $gMonth); $query->execute(); $result = $query->get_result(); echo ""; echo ""; while ($row = $result->fetch_object()){ echo ""; } $query->close(); echo "

Year	Month	$column
"; echo $row->$column; echo "	"; echo $row->Year; echo "	"; echo $row->Month; echo "

"; } } // end of main if statement ?> [/php]

I really don’t know what is going on. Like I said, I believe it is my _POST[“location”] that is screwing me up, but I really have no clue.

JimL · September 16, 2013, 1:26pm

Im on my phone so I might be missing it, but do you even have a form field for year (year2 is ok), I just saw a label…

gfloridafan93 · September 16, 2013, 1:31pm

I have <select name = 'year> and tags on both year dropdown boxes.

JimL · September 16, 2013, 1:35pm

Yeah, sorry I must have missed it while walking

Try to add this before line 19 of the form processing script (if ($gYear > $gYear2) {)
[php]var_dump($gYear);
var_dump($gYear2);
var_dump($gYear > $gYear2);[/php]

Does it help in any way figuring out why the condition fails?

gfloridafan93 · September 16, 2013, 2:15pm

Okay I selected 1990 for the first year, and 1995 for the second. Here is the output when I press submit:

string(4) “1990” string(4) “1995” bool(false) ERROR

What does the bool(false) mean?

JimL · September 16, 2013, 2:18pm

It means that the condition ($gYear > $gYear2) is false

And yeah, 1990 is not larger than 1995, so you are getting the expected output.

fastsol · September 16, 2013, 2:18pm

It’s saying that the last var_dump is returning false cause 1990 is NOT greater than 1995.

gfloridafan93 · September 16, 2013, 2:21pm

If I had to guess, my error is coming within these lines of code:

[php]

if (isset($_POST[‘submitted’])) {

$gYear = $_POST[“year”];
$gYear2 = $_POST[“year2”];
$gMonth = $_POST[“month”];

$array = array(‘loc1’ => ‘Fayette’, ‘loc2’ => ‘Henry’, ‘loc3’ => ‘Randolph’,
‘loc4’ => ‘Rush’, ‘loc5’ => ‘Union’, ‘loc6’ => ‘Wayne’,
‘loc7’ => ‘INCounties’,‘loc8’ => ‘Indiana’, ‘loc9’ => ‘Butler’, ‘loc10’ => ‘Darke’,
‘loc11’ => ‘Mercer’, ‘loc12’ => ‘Preble’, ‘loc13’ => ‘OHCounties’,
‘loc14’ => ‘Ohio’, ‘loc15’ => ‘US’);

if ($gYear > $gYear2) {

die(‘ERROR: Your second year cant be a time period before the first year you selected’);
}

else {

if (array_key_exists($_POST[“location”], $array)) {

$column = $_POST[“location”];
}

else {
echo “ERROR”;
}

[/php]

Does anything look wrong with this?

fastsol · September 16, 2013, 5:21pm

You’re missing a closing } on line 32