GET ID look up in mysql and show the information

Question

I'm trying to get information from mysql database using GET id. I use the following code to check what the id is.

            $qry    = "SELECT name,country FROM databasetable WHERE uid=$id";

I get error which means that it couldn't find any entry with the specified uid. If I change the uid to only to numbers, then it works can look it up. Example: ?id=1000000000 works fine, ?id=1kKV0LEfMi . Can't be found Please help me

It may not help answer your question, but you should stop using `mysql_*` functions. They're being deprecated. Instead use [PDO](http://php.net/manual/en/book.pdo.php) (supported as of PHP 5.1) or [mysqli](http://php.net/manual/en/book.mysqli.php) (supported as of PHP 4.1). If you're not sure which one to use, [read this article](http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/). — Matt, Aug 20 '12 at 18:16
Also, `htmlspecialchars` doesn't stop SQL Injections. You have to use `mysql_real_esacape_string`, though it's outdated (!) as Matt said. — ComFreek, Aug 20 '12 at 18:19

score 1 · Answer 1 · answered Aug 20 '12 at 18:19

1

you need to add quotes around the $id to allow strings in the query

$qry= "SELECT name,country FROM databasetable WHERE uid='$id'";

btw. why are you doing $id = htmlspecialchars($_GET['id']); ?

this should rather be $id = mysql_escape_string($_GET['id']);!

answered Aug 20 '12 at 18:19

Andreas Linden

12,489
7
51
67

What is the difference between them? – andrew Aug 20 '12 at 18:22
@AppStore TL;DR DNE if you want help here. – Matt Aug 20 '12 at 18:29
Actually this question was asked to Andreas and if you didn't want to help me on this you should't have commented back. – andrew Aug 20 '12 at 18:34
htmlspecialcars encodes some chars into a form whis a browser will output as is. mysql_escape_string escapes some chars to avoid breaking your mysql query. – Andreas Linden Aug 20 '12 at 18:40

score 0 · Answer 2 · edited Aug 20 '12 at 18:20

0

 '$id'  <-- first put the variable in single quotes. good practice.

Secondly, if you're not using special chars take that out because that could be your problem. Try stripping html special chars and try again

edited Aug 20 '12 at 18:20

Matt

6,993
4
29
50

answered Aug 20 '12 at 18:19

Dnaso

1,335
4
22
48

@D.Müller The id is not numeric. – Mike Brant Aug 20 '12 at 18:22
Oops, just noticed, yes. Sorry. – Daniel M Aug 20 '12 at 18:22
oh just saw as well. ok well make sure when you input stuff in the database that it also is stored as htmlspecialchars or you wont be able to query it anyway – Dnaso Aug 20 '12 at 18:28
coming from the guy who cant replace text in php ? i mean sorry your just an expert, good luck trying to query things out of a database when they are nto in the same format – Dnaso Aug 20 '12 at 18:38
@user1610582 yes, why should you not be able to query unhtmlspecialchar-ized strings? that's nonsense! – Andreas Linden Aug 20 '12 at 18:38
@user1610582 who can't replace text? ^^ – Andreas Linden Aug 20 '12 at 18:39
he can thats not the point i was getting at. i said if he WANTS TO QUERY HTML SPECIAL CHARS MAKE SURE THEY ARE STORED IN THE DB AS HTML SPECIAL CHARS – Dnaso Aug 20 '12 at 18:39

score 0 · Accepted Answer · answered Aug 20 '12 at 18:21

You need to change your query to have single quotes around the uid value like this

$qry = "SELECT name,country FROM databasetable WHERE uid='$id'";

That being said you also really need to look into using the newer MySQL connection support (not the mysql_* functions) and you need to learn how to escape your data so you protect against SQL injection.

GET ID look up in mysql and show the information

3 Answers3