Programmer's Corner - Forums


mysql_query question

blcArmadillo
Samurai++


Joined: 04 Mar 2005
Posts: 85
Location: Michigan

Posted: Sun Jan 29, 2006 6:22 pm    Post subject: mysql_query question

I'm relatively new to using PHP and have a quick question regarding the mysql_query command. For my question I'll be using the following code:
Code:
$cmpycheck = mysql_query("SELECT name FROM cmpydb WHERE name='$name'");

My question is what the values mean. After "SELECT" does "name" refer to the name of the mysql table column? After "FROM" does "cmpydb" refer to the table you want to query? After "WHERE" does "name='$name'" mean where name is equal to the variable "$name"? I have a feeling I'm wrong so if you could write out something like:
Code:
mysql_query("SELECT table_column_name FROM table_name WHERE search_parameters")

That would be great. Thanks.
WannaBe
Wiggles


Joined: 22 Oct 2004
Posts: 714
Location: CA

Posted: Sun Jan 29, 2006 8:10 pm

Quote:
mysql_query("SELECT table_column_name FROM table_name WHERE search_parameters")

looks correct to me.

Code:

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr, ...
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name']
    [FOR UPDATE | LOCK IN SHARE MODE]]

SELECT syntax
blcArmadillo
Samurai++


Joined: 04 Mar 2005
Posts: 85
Location: Michigan

Posted: Sun Jan 29, 2006 8:13 pm

ok thank you.
bdi
Nobody


Joined: 21 Oct 2004
Posts: 1646
Location: Chicago

Posted: Tue Jan 31, 2006 10:17 am

Just a quick note on security.

Beware the select statement you are using. By itself it is vulnerable to a SQL Injection attack.

Assuming $name comes from a user's input, what happens if they pass in:

';delete from cmpydb;select '

The final SQL to be run will be:

SELECT name FROM cmpydb WHERE name='';delete from cmpydb;select ''

While the PHP page might not know what to do with it, MySQL will first try to select from cmpydb where name is blank, then delete all rows in cmpydb, then select a blank space. Ok, I'm not sure if the last select works in MySQL, but it does work in SQL Server and illustrates the point that someone can manipulate the form, pass in different data, and delete an entire table.
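The string-built query from the first post next to a parameterized version, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the function names and the two sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// MySQL (assumption) so the script runs offline; cmpydb/name follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cmpydb (name TEXT)");
$db->exec("INSERT INTO cmpydb (name) VALUES ('Acme'), ('Initech')"); // constructed rows

// Pattern from the first post: the input is pasted into the SQL text, so
// quote characters in $name change the structure of the statement.
// This function only builds the string; it is never executed here.
function buildUnsafeSql(string $name): string
{
    return "SELECT name FROM cmpydb WHERE name='$name'";
}

// Hardened form: the SQL text is fixed and the value is sent separately as a
// bound parameter, so it is only ever compared as data.
function findCompany(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM cmpydb WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Helper (hypothetical name) to confirm the table contents are untouched.
function countCompanies(PDO $db): int
{
    return (int) $db->query("SELECT COUNT(*) FROM cmpydb")->fetchColumn();
}

$input = "';delete from cmpydb;select '"; // the input quoted in bdi's post

echo "String-built SQL:   ", buildUnsafeSql($input), "\n";
echo "Rows before lookup: ", countCompanies($db), "\n";

// With binding, the same input is just a company name that matches nothing.
echo "Matches for input:  ", count(findCompany($db, $input)), "\n";
echo "Rows after lookup:  ", countCompanies($db), "\n";

// A legitimate lookup still works through the same code path.
echo "Lookup of 'Acme':   ", implode(', ', findCompany($db, 'Acme')), "\n";
```

The same `prepare`/`execute` calls work against MySQL by changing the PDO connection string.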
blcArmadillo
Samurai++


Joined: 04 Mar 2005
Posts: 85
Location: Michigan

Posted: Tue Jan 31, 2006 4:15 pm

Hmm, interesting... Thank you for the information bdi, I'll have to look into that.
All times are GMT - 5 Hours