-1

First of all, I know it's not how it's supposed to be. But the system has been setup like this so I have to try and work with it.

I have a column of entries in a mySQL table that look like this {12}-{32} and so forth. 12 is the id of the brand of a car, 32 the model.

Now I have to create a query in PHP where a part of it is like this: (PD1.fieldValue = '{". $_SESSION['carId'] ."}-{". $_SESSION['carModelId'] ."}'

Guess what, that doesnt work with curly braces ofcourse. The SESSION part is completely empty (yes, they have a value outside the query).

Is there anyway to fix this so I still can send the variables inside the braces to mySQL?

Jeroen
  • 147
  • 1
  • 1
  • 6
  • Could you post your entire code snippet? I assume the code you have is inside a PHP double quoted string, but I shouldn't have to assume. It's also important what database API you are using. The answer to your question depends on this context. – meustrus Oct 03 '14 at 14:28
  • Here a piece of it: `$SQL = "SELECT PC.id AS cId, P.id AS pId, ... FROM PAGE_CATALOG AS P LEFT JOIN PAGE_CATALOG_CONFIG AS PC ON(PC.id = P.cId) ... WHERE (PD1.fieldValue = '{". $_SESSION['carId'] ."}-{". $_SESSION['carModelId'] ."}' AND (P.productCode REGEXP '". $MAL_TYPE ."') AND PC.id = '1' AND P.enabled = '1' GROUP BY P.id ORDER BY P.productVolgorde ASC LIMIT 0, 10";` – Jeroen Oct 03 '14 at 14:51

1 Answers1

3

Whenever you find yourself having trouble getting some characters into your database, that is a strong hint that your database code is insecure and vulnerable to SQL injection. You have to take a step back and look a little more broadly, thinking "What are all of the possible characters that aren't being escaped properly?" Luckily, you don't have to actually know. You just need to use the built-in escape functions.

The ideal solution is to use placeholders. The syntax depends on what database API you're using (mysqli, or PDO; deprecated mysql doesn't support them). There exist many excellent resources on how to use placeholders; this is the first result I pulled from Google and it looks right to me.

The somewhat less ideal solution is to use the real_escape_string function for your database API. Example for either mysqli or mysql:

// Using heredoc syntax, you can clean up your queries like so.
$sql_template = <<<SQL
  SELECT
    PC.id AS cId,
    P.id AS pId
  FROM PAGE_CATALOG P
    LEFT JOIN PAGE_CATALOG_CONFIG PC ON (PC.id = P.cId)
  WHERE PD1.fieldValue = '%s'
    AND P.productCode REGEXP '%s'
    AND PC.id = '1'
    AND P.enabled = '1'
  GROUP BY P.id
  ORDER BY P.productVolgorde ASC
  LIMIT 0, 10
SQL;

// For mysqli:
// $mysqli = new mysqli(...)
$sql = sprintf(
  $sql_template,
  $mysqli->real_escape_string('{' . $_SESSION['carId'] . '}-{' . $_SESSION['carModelId'] . '}'),
  $mysqli->real_escape_string($MAL_TYPE)
);
$result = $mysqli->query($sql);
// For mysql:
$sql = sprintf(
  $sql_template,
  mysql_real_escape_string('{' . $_SESSION['carId'] . '}-{' . $_SESSION['carModelId'] . '}'),
  mysql_real_escape_string($MAL_TYPE)
);
$result = mysql_query($sql);
meustrus
  • 6,637
  • 5
  • 42
  • 53
  • Thanks for your answer, at this time we are still using mysql and not yet mysqli. The query starts with: `$SQL = "SELECT PC.id AS cId, P.id AS pId, etc etc`. I will try and play some more with the quotes. – Jeroen Oct 03 '14 at 14:47