Reputation: 833
PDO SELECT WHERE not working
I am trying to execute the following statements:
$statement = $database->prepare("SELECT userID FROM user_sessions WHERE sessionID = ?");
$statement->execute(array($sessionID));
However, they fail to return the userID ($statement->rowCount() returns 0). If I modify the statements like this, it works but becomes vulnerable to SQL Injection.
$statement = $database->prepare("SELECT userID FROM user_sessions WHERE sessionID = '$sessionID'");
$statement->execute();
sessionID is a hash generated from PHP password_hash() function and is obtained via PHP $_GET.
Why don't the first two statements work and how can I correct them?
UPDATE: This is what I have discovered so far:
print_r($sessionID) outputs
$2y$10$YW2.87KPO2FqFxZD9jjH7ulmPXR2Mdy7Q2c\/RXjSJjH2yt.Q37aQS
var_export($sessionID) outputs
'$2y$10$YW2.87KPO2FqFxZD9jjH7ulmPXR2Mdy7Q2c\\/RXjSJjH2yt.Q37aQS'
The original $sessionID (value in database) is
$2y$10$YW2.87KPO2FqFxZD9jjH7ulmPXR2Mdy7Q2c/RXjSJjH2yt.Q37aQS
Upvotes: 1
Views: 188
Answers (1)
Reputation: 833
I've sorted out the problem. The function I was using to URL encode my sessionID automatically added a backslash before any forward slash. Hence, parameterised PDO statement failed. Somehow, the non-parameterised statement processes the backward slash (thus it escapes the meaning of the forward slash only) and the sessionID now becomes the same as the original sessionID.
Upvotes: 2
Related Questions
- Are PDO prepared statements sufficient to prevent SQL injection?
- Insert into ... values ( SELECT ... FROM ... )
- Select first row in each GROUP BY group?
- jQuery get value of select onChange
- How do I UPDATE from a SELECT in SQL Server?
- How do I perform an IF...THEN in an SQL SELECT?
- SQL SELECT WHERE field contains words
- MySQL - UPDATE query based on SELECT Query
- INNER JOIN ON vs WHERE clause