Cl'

Reputation: 1653

sql query not pulling records

For some reason SQL does not pull the required info from the needed table, which is odd because I use exactly the same code for pulling the list of folders associated with a user ID from SQL and that works like it should. A URL query would look something like this: ?o=folder&fid=0ec741fa-e708-4314-83c4-c05966a56110. fid is the folder ID, and the query below should pull any files associated with that folder ID, but instead nothing is being returned, not even an error message/code.

Is there a problem with the syntax? Or what is the cause of the problem?

CORRECTION I USED WRONG CODE AS I HAVE BUNCH OF TABS OPEN IN NOTEPAD++

Here is the actual code written in SQL PDO

    <?php
    require ("sql/pdo.php");

    // Lets get user's folder information
    $query = " SELECT * FROM files WHERE fid = ".$_REQUEST['fid']." "; 

    try 
    { 
        // These two statements run the query against your database table. 
        $stmt = $db->prepare($query); 
        $stmt->execute(); 
    } 
    catch(PDOException $ex) 
    { 
        // Note: On a production website, you should not output $ex->getMessage(). 
        // It may provide an attacker with helpful information about your code.  
        die("Failed to run query: " . $ex->getMessage()); 
    } 

    // Finally, we can retrieve all of the found rows into an array using fetchAll 
    $rows = $stmt->fetchAll(); 

?>
<table width="100%"> 
    <?php foreach($rows as $row): ?> 
        <tr onclick="window.location = 'file.php?fid=<?php echo htmlentities($row['id'], ENT_QUOTES, 'UTF-8'); ?>'"> 
            <td style="width:4%;"><img src="ast/images/fs-directory.png" /></td>
            <td style="width:86%;text-align:left;"><?php echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'); ?></td>
            <td style="width:10%;text-align:center;"><?php echo htmlentities($row['privacy'], ENT_QUOTES, 'UTF-8'); ?></td> 
        </tr> 
    <?php endforeach; ?> 
</table> 

Upvotes: 0

Views: 210

Answers (2)

Jacopofar

Reputation: 3507

The code is basically correct; you should use phpMyAdmin or other tools to check the content of the database to see what it's retrieving.

Be careful, because putting values inside the SQL query directly from the GET parameters is dangerous: in your case someone (or an automatic script) may inject arbitrary SQL code using the 'f' GET parameter. You should escape it, removing all characters not strictly used by your case (for example, keep only letters and numbers).
The same applies to the same parameters inside $file_path; it could be used to insert an arbitrary image from anywhere on the internet, or even a script or arbitrary HTML code.

You should describe your table schema to understand what's happening here.

Upvotes: 2

Kasun

Reputation: 689

In your query you are using $_GET['f']

but in your URL you are passing fid

The code might work when you replace $_GET['f'] with $_GET['fid']

    <?php
    $sql = mysql_query("SELECT * FROM `fs_files` WHERE fid = '".$_GET['fid']."'") or die(mysql_error());

    while($row = mysql_fetch_array( $sql )) {

        if (in_array($row['file_type'], array('jpeg', 'jpg', 'png', 'gif'))) {
            $img = "obj.php?id=".base64_encode($row['file_path'])."&mode;thumb";
        } else {
            $img = "assets/filesystem/file_extension_".$row['file_type'].".png";
        }

        $type = $row['file_type'];

        $file_name = substr($row['file_name'], 0, 50);
        $file_path = "view/".$_GET['fid']."/".$row['id']."/".$row['file_name'];

        echo '<a href="?p=view&f='.$row['id'].'&q='.$file_path.'"><img src="'.$img.'" />'.$file_name.'
        <span style="float:right;">'.$type.'</span></a>';
    }
    ?>

Upvotes: 3
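
A parameterized version of the folder lookup discussed in the question and both answers, as an added example that is not code from any of the posters. It assumes an in-memory SQLite database in place of sql/pdo.php, the column names used in the question's template, and a hypothetical helper named fetchFolderFiles().

```php
<?php
// Added example: in-memory SQLite stands in for the database behind sql/pdo.php (assumption).
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently with an empty result.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// Constructed sample data; column names follow the question's template.
$db->exec("CREATE TABLE files (id TEXT, fid TEXT, name TEXT, privacy TEXT)");
$db->exec("INSERT INTO files VALUES
    ('f1', '0ec741fa-e708-4314-83c4-c05966a56110', 'report.pdf', 'private'),
    ('f2', '11111111-2222-3333-4444-555555555555', 'other.txt', 'public')");

/**
 * Hypothetical helper: return the files in one folder, or null if $fid is not a UUID.
 */
function fetchFolderFiles(PDO $db, $fid): ?array
{
    // Allow-list check: request values may be arrays, and a folder ID must be a UUID.
    if (!is_string($fid) || !preg_match('/\A[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $fid)) {
        return null;
    }
    // The value travels as a bound parameter and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, name, privacy FROM files WHERE fid = :fid');
    $stmt->execute([':fid' => $fid]);
    return $stmt->fetchAll();
}

// Constructed inputs: a valid folder ID, a quote-breaking string, and an array value.
$inputs = [
    '0ec741fa-e708-4314-83c4-c05966a56110',
    "x' OR '1'='1",
    ['nested'],
];
foreach ($inputs as $fid) {
    $rows = fetchFolderFiles($db, $fid);
    if ($rows === null) {
        echo "rejected: ", json_encode($fid), "\n";
        continue;
    }
    foreach ($rows as $row) {
        // Escape on output, as the question's template already does.
        echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With a bound placeholder the UUID needs no quoting in the SQL text, and PDO::ERRMODE_EXCEPTION turns a malformed statement into an exception that the question's try/catch would actually see.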
