Cl'

Reputation: 1653

PDO not retrieving data from SQL via SELECT query

Not sure what the problem is, as the script worked on previous pages fetching "folders" that have the user_id of the current active user allocated to them.

What I am trying to do in this one is the same as before, but instead of fetching folder information from SQL based on the user_id assigned to them, I am trying to fetch files with folder ids assigned to them.

Here is the example query: ?o=folder&fid=0ec741fa-e708-4314-83c4-c05966a56110#!/New_Folder

?o=folder is passing folder.php to index.php, which serves all internal files.

&fid=0ec741fa-e708-4314-83c4-c05966a56110 is the folder id, not the actual id, as there are two fields in the folders table, ID and FID. This is the FID, generated uniquely once a user creates a new folder, while the ID is assigned automatically as it's AUTO_INCR + Primary Key in the table.

And here is the PDO script:

    <?php
    require ("sql/pdo.php");

    // Let's get the user's folder information
    // (the request value is placed directly into the SQL text here)
    $query = " SELECT * FROM files WHERE fid = ".$_REQUEST['fid']." "; 

    try 
    { 
        // These two statements run the query against your database table. 
        $stmt = $db->prepare($query); 
        $stmt->execute(); 
    } 
    catch(PDOException $ex) 
    { 
        // Note: On a production website, you should not output $ex->getMessage(). 
        // It may provide an attacker with helpful information about your code.  
        die("Failed to run query: " . $ex->getMessage()); 
    } 

    // Finally, we can retrieve all of the found rows into an array using fetchAll 
    $rows = $stmt->fetchAll(); 

    ?>
    <table width="100%"> 
        <?php foreach($rows as $row): ?> 
            <tr onclick="window.location = 'file.php?fid=<?php echo htmlentities($row['id'], ENT_QUOTES, 'UTF-8'); ?>'"> 
                <td style="width:4%;"><img src="ast/images/fs-directory.png" /></td>
                <td style="width:86%;text-align:left;"><?php echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'); ?></td>
                <td style="width:10%;text-align:center;"><?php echo htmlentities($row['privacy'], ENT_QUOTES, 'UTF-8'); ?></td> 
            </tr> 
        <?php endforeach; ?> 
    </table> 

There are no errors or anything being returned, and nothing in the error_log file either, which as I said is odd because it works for the folders table but not the files table. I am assuming it may be due to the way they handle the data. In order to fetch data from folders it requests any folder assigned to uid (user_id), which in turn is a numerical value, and here we are using a non-numerical value, a randomized folder string instead, which may be the source of the problem, but it really should not be.

Any suggestions as to what may be wrong with the code?

Upvotes: 0

Views: 204

Answers (1)

Your Common Sense

Reputation: 157839

As I can see, fid contains an alphanumeric value while you are adding it into the query not as a string.

Also, I hope you are aware of the SQL injection allowed by your code.

So, it's better to change direct placing to using prepared statements. There are plenty of examples around, under this very tag.

Upvotes: 3
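The change the answer recommends, as an added example that is neither the asker's nor the answerer's code: the same SELECT with the FID sent as a bound parameter instead of being pasted into the SQL text. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for the real server so the script runs offline) and takes the column names files(id, fid, name, privacy) from the question; the sample rows are constructed.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes pdo_sqlite; the files(id, fid, name, privacy) layout follows the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // driver errors become exceptions
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);          // let the driver do the binding

// Constructed sample data standing in for the real files table.
$db->exec("CREATE TABLE files (id INTEGER PRIMARY KEY, fid TEXT, name TEXT, privacy TEXT)");
$ins = $db->prepare("INSERT INTO files (fid, name, privacy) VALUES (:fid, :name, :privacy)");
$ins->execute([':fid' => '0ec741fa-e708-4314-83c4-c05966a56110', ':name' => 'report.pdf', ':privacy' => 'private']);
$ins->execute([':fid' => '0ec741fa-e708-4314-83c4-c05966a56110', ':name' => 'notes.txt',  ':privacy' => 'public']);
$ins->execute([':fid' => 'ffffffff-0000-0000-0000-000000000000', ':name' => 'other.txt',  ':privacy' => 'private']);

/**
 * Fetch the files that belong to one folder.
 * The FID travels to the driver as a bound value, so it is compared as one
 * string and is never parsed as SQL; a value that is not shaped like the
 * UUID the folders table generates is rejected before any query is run.
 */
function filesForFolder(PDO $db, string $fid): array
{
    $uuid = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (!preg_match($uuid, $fid)) {
        return []; // malformed input: nothing to look up (or throw, if you prefer)
    }
    $stmt = $db->prepare("SELECT id, name, privacy FROM files WHERE fid = :fid");
    $stmt->execute([':fid' => $fid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal lookup with the folder id from the question: only that folder's rows come back.
$fid = $_REQUEST['fid'] ?? '0ec741fa-e708-4314-83c4-c05966a56110';
foreach (filesForFolder($db, $fid) as $row) {
    echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8'), "\t", htmlentities($row['privacy'], ENT_QUOTES, 'UTF-8'), "\n";
}

// A value that is not a UUID never reaches the database at all.
echo count(filesForFolder($db, "not-a-folder-id")), " row(s) for a malformed fid\n";
```

With ATTR_ERRMODE set to ERRMODE_EXCEPTION the catch block in the question would actually see the driver's complaint about the unquoted value; by default PDO only records the error code silently, which is consistent with the asker seeing no error at all.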
