Reputation: 85
MySQL query using url parameters in PHP
First of all this is the first time i try PHP..
here is the code :
<?php
if (isset($_GET['name']) && isset($_GET['password'])
$uname = $_GET['name'];
$pass = $_GET['password'];
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$result = mysql_query("SELECT * FROM table WHERE username=$uname and password =$password");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row[ip];
echo $ip ;
}else {
echo = "Invalid Username or Password!";
}
?>
When i try this link : http://www.mywebsite.com/page.php?name=user&password=mypassword
This is a Hidden page, i use it to get my recorded members IP address, when a user tries to login in my Windows Form application which is written in C#
always get a blank page ..
thanks in advance
Upvotes: 2
Views: 23914
Answers (2)
Reputation: 1550
use single quotes in $row['ip'] and variables also. Your query is vunerable ( SQl Injection) so better use mysql_real_escape_string() for parameters like name , password.
<?php
echo "<br/> Outside loop";
if (isset($_GET['name']) && isset($_GET['password']) {
echo "<br/> Inside if loop";
$uname = mysql_real_escape_string($_GET['name']);
$pass = mysql_real_escape_string($_GET['password']);
$conn = mysql_connect("localhost","DBusername","DBpassword");
if($conn == false ){ echo "Database not connected. DB error. " ; }
echo "<br/> after connection ";
mysql_select_db("Tablename",$conn);
echo "<br/> after db selection";
$result = mysql_query("SELECT * FROM dvtmembers WHERE username= '$uname' and password = '$pass' ") or die(mysql_error());
$row = mysql_fetch_array($result);
if(mysql_num_rows($result) > 0) {
$ip = $row['ip'];
echo $ip ;
echo "<br/>final If loop";
}else {
echo "<Br/> final else loop";
echo = "Invalid Username or Password!";
}
}
else {
echo "Parameters are not passed" ;
}
?>
Upvotes: 2
Reputation: 68476
Surround your variables with single quotes and add a die(mysql_error()); at the end as shown.
$result = mysql_query("SELECT * FROM `dvtmembers` WHERE username='$uname' and password ='$pass'") or die(mysql_error());
Warning : Your code is open to SQL Injection attack.
Other Major Errors.
- It should be
$unamenot$uanme - You have missed a parenthesis after the
issetconstruct - You are doing an assignment to the
echostatement.
Modified Code
<?php
ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);
if (isset($_GET['name']) && isset($_GET['password']))
{
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$uname = mysql_real_escape_string($_GET['name']);
$pass = mysql_real_escape_string($_GET['password']);
$result = mysql_query("SELECT * FROM table WHERE username='$uname' and password ='$pass'") or die(mysql_error());
$row = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row['ip'];
echo $ip ;
}else {
echo "Invalid Username or Password!";
}
}
else { echo "Name and Password was not passed !";}
?>
This(mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to PreparedStatements is even more better to ward off SQL Injection attacks !
Upvotes: 5
Related Questions
- How to get parameters from a URL and use them in a MySQL query in PHP
- Pass PHP variable in URL query
- How to get values from MySQL database with PHP code using WHERE clause and variable set from url
- Use of parameters for mysql_query
- Creating a dynamic MySQL query from URL paramaters
- MySQL How to get a column from a parameter passed from the URL
- mySQL getting multiple arguments for single column from URL query
- Variable from URL in PHP MySQL query
- php url parameters
- Using a get variable from URL to do a MYSQL Query