0

I'm toying around with mysql and PHP and hit a VERY strange problem:

After establishing a successful database connection I set two variables for the query:

$searchcolor = $_SESSION["color"];
$searchprice = $_POST["price"];

$query = "SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = $searchcolor AND `toys`.`price` = $searchprice;";
$result = mysqli_query($link, $query);

echo $query;

This querys won't work. When echoing it, it reads the correct string, like:

SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = brown AND `toys`.`price` = 1500;

This code, however, works just fine:

$searchcolor = $_SESSION["color"];
$searchprice = $_POST["price"];

$query = "SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = $searchcolor AND `toys`.`price` = 1500;";
$result = mysqli_query($link, $query);

echo $query;

First I though the $searchprice wasn't getting it's content by the $_POST array correctly. But the echoed search query in the first example seems to be fine.

It also works when setting $searchprice = 1500; instead of getting the $_POST-value.

I tried casting it to integer and stuff, but that didn't worked.

Cheers and thanks for every hint on this!

(The code is shortened!)

Table structure of toys:

id int(10)
name varchar(10)
color varchar(10)
price int(20)

Edit:

Woah, just made an interesting discovery:

echo "-".$searchprice."-";

Gives -5-

if ($searchprice == 5){echo "1";}
if ($searchprice == "5"){echo "2";}

Gives.. nothing?!

var_dump($searchprice);

Gives string(14) "5"

Edit:

echo bin2hex($searchprice);

Gives 3c6e6f62723e353c2f6e6f62723e (?!)

Solution: I used a unicode character in the submitting form. That broke everything. Lesson: Avoid unicode.

Improve this question
7
  • 3
    One thing that would stop those queries from working is that you have a string in the sql for the color which does not have quotes around it. Commented Nov 8, 2013 at 23:34
  • Are you supposed to get the 2 variables one from POST and one from SESSION? Commented Nov 8, 2013 at 23:38
  • Even with quotes it won't work. The variables are substituted correctly. Commented Nov 8, 2013 at 23:43
  • what do you mean with "won't work"? do you have some errors? Commented Nov 8, 2013 at 23:44
  • Getting the variables from SESSION and POST is correct. Commented Nov 8, 2013 at 23:44

1 Answer 1

Reset to default
2

First of all you should read this: How can I prevent SQL injection in PHP?

Try this:

$q = mysqli_prepare($link, 'SELECT toys.id FROM toys WHERE toys.color = ? AND toys.price = ?');

mysqli_stmt_bind_param($q, 'si', $searchcolor, $searchprice); //d for double

$searchcolor = $_SESSION['color'];
$searchprice = $_POST['price'];

mysqli_stmt_execute($q);

Before that you should connect properly with DB. I see that you used database in FROM.

$link = mysqli_connect('localhost', 'my_user', 'my_password', 'my_db');
Improve this answer
Sign up to request clarification or add additional context in comments.

12 Comments

Even when putting $searchcolor and $searchprice before the preparation it won't work. Thanks for the link :)
Did you try that query manually? There are any results? There is any error maybe?
Are you getting a DB connection. This example shows bare bones for setting of parametrized prepared statements, you really hshould capture and handle errors in your real code. This includes when making DB connection.
Jep, I do have an active connection. When I substitute $searchprice by 1500 in the query string every works just as pleased.
What var_dump($_POST['price']) will show you? Stupid question but - are you 100% sure that you're connecting to good database?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.