I saw this (Symfony) Doctrine query. Is this SQL injection-proof?
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = ' . $input); // does Doctrine escape this input?
$statement = $query->execute();
var_dump($statement->fetchAll());
It is not. You have to use prepared queries with parameters. Something along thoses lines :
$input = $_GET['input'];
$query = $connection->createQueryBuilder();
$query->select('id')->from('table')->where('name = :input');
$query->setParameter('input', $input)
...
Related
When I executed this code,
while($row = mysql_fetch_array($res))
there was an error of the following plan:
Warning: mysql_fetch_array() expects parameter 1 to be resource,
boolean given in String of treatment:while($row =
mysql_fetch_array($res))
$res should be an resource , for example
$res = mysql_query("SELECT * FROM table;");
after that only use mysql_fetch_array. Just for information
This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used.
Would be better to use mysqli_query instead of mysql_query. Read this answer and this PHP documentation about differences between them. So I advice you to use mysqli:
$result = mysqli_query($connection, 'SELECT id, name FROM some_table');
if($result){
while($row = mysqli_fetch_assoc($result)){
//extract values from row
$id = $row['id'];
$name = $row['name'];
}
}
i'm a newbie on perl scripting and i found a problem while trying to execute two sqls, here you have the code, for sure not the best one.
use DBI;
use DBD::mysql;
use Socket;
use strict;
use warnings;
# CONFIG VARIABLES
my $platform = 'mysql';
my $database = 'database_name';
my $host = 'hostname';
my $port = '3306';
my $user ='user';
my $pw ='password';
# DATA SOURCE NAME
my $dsn = "dbi:mysql:$database:$host:3306";
# PERL DBI CONNECT
my $dbh = DBI->connect($dsn,$user,$pw,{RaiseError=>1,PrintError=>1}) or die "Could not connect to database: $DBI::errstr";
# READ THE LASTID OF THE DATABASE
my $queryID = "SELECT event.id from snorby.event order by event.id desc limit 1";
my $lastid = $dbh->selectrow_array($queryID);
#HIGH
while ( 1 == 1 )
{
my $query = "SELECT event.id, inet_ntoa(iphdr.ip_src) as 'src', tcp_sport, inet_ntoa(iphdr.ip_dst) as 'dst', tcp_dport, signature.sig_name, event.timestamp, unhex(data.data_payload) from snorby.event join snorby.signature on signature.sig_id = event.signature join snorby.iphdr on event.cid=iphdr.cid and event.sid=iphdr.sid join snorby.data on event.cid=data.cid and event.sid=data.sid join snorby.tcphdr on event.cid=tcphdr.cid and event.sid=tcphdr.sid where event.id > $lastid and signature.sig_priority = '1' order by event.id";
my $sth = $dbh->prepare($query);
$sth->execute() or die "SQL Error: $DBI::errstr\n";
# BIND TABLE COLUMNS TO VARIABLES
my($eventid,$src,$sport,$dst,$dport,$signature,$timestamp,$payload);
$sth->bind_columns(undef, \$eventid, \$src, \$sport, \$dst, \$dport, \$signature, \$timestamp, \$payload);
# LOOP THROUGH RESULTS
while($sth->fetch) {
my $src_temp = inet_aton($src);
my $dst_temp = inet_aton($dst);
print "IT WORKS!";
}
So, if i comment this part of the code
# READ THE LASTID OF THE DATABASE
my $queryID = "SELECT event.id from snorby.event order by event.id desc limit 1";
my $lastid = $dbh->selectrow_array($queryID);
Everything works fine, but when i try to execute first this one, script stops responding exactly on this line:
while($sth->fetch) {
I tried to debug the code, look for tutorials, read a lot of pages and cannot figure where is the problem :(
Regards.
**** UPDATE ********
I think i found the problem after some more debug but not the solution. On the second sql named $query i passed the variable $lastid that i get on the first sql, see:
my $query = "SELECT stuff from table join things where event.id > **$lastid** and blablabla
If i change the $lastid for, as an example, 13330506, everything works, so seems to be that there is an issue about how this variable is passed. The strange thing is that when i print the $query with $lastid inside the content of $lastid is correct, the number appears... strange, at least for me.
If you read the documentation http://search.cpan.org/dist/DBI/DBI.pm
you'll see there is no ->fetch function, but there are various fetch methods:
#row_ary = $sth->fetchrow_array;
$ary_ref = $sth->fetchrow_arrayref;
$hash_ref = $sth->fetchrow_hashref;
$ary_ref = $sth->fetchall_arrayref;
$ary_ref = $sth->fetchall_arrayref( $slice, $max_rows );
$hash_ref = $sth->fetchall_hashref( $key_field );
Each one returns a reference you should store in variable for later use, for example:
while ( #row = $sth->fetchrow_array ) { ... }
while (my $data = $sth->fetchrow_hashref) { ... }
Then, you can use #row or $data inside the loop to retrieve the data you need.
Connect with mysql and retrive data from the table.
my $db ="JJusers";
my $user ="root";
my $password ="abcdef";
my $host ="localhost";
my $dbh =DBI->connect("DBI:mysql:$db:$host",$user,$password);
my $uDt = $dbh->prepare("select Username,Password from Users");
my $rv = $uDt->execute;
print "<script>alert($rv)</script>";
When I execute this code I am getting the result as 1. In database the data stored as:
1, jj, pp(SNO, USERNAME,PASSWORD)
Why isn't it getting the right data?
You are printing the result of execute, not the actual database results. You want to do something like this...
while (my #data = $rv->fetchrow_array()) {
my $username = $data[0];
my $password = $data[1];
// ...
}
->execute returns just query result(0, 1, 0E0), but not resultset.
As for me, best way is:
my $res = $dbh->selectall_arrayref('select Username,Password from Users', {Slice=>{}});
# now, you can iterate result.
# for example:
foreach my $row(#$res) {
print $row->{Username};
}
If you need bind vaiables, you can use selectall_arrayref also:
my $res = $dbh->selectall_arrayref('select Username,Password from Users where id = ?',
{Slice=>{}}, 1
);
basically I am try to get the php file to create another php file which has XHTML, PHP and MYSQL within it. I am trying to include a MYSQL query but the problem is that the apostrophe (') that I use to start the fwrite string get confused when it reaches a MYSQL query because it too also has an apostrophe but I just want that string to continue not end. What should I do for this to work? Thanks in advance for any help.
The code (just the relevant bit):
$filename = "websites/".$firstpage.".php";
$filehandle = fopen($filename, 'w') or die("error opening file");
$datawrite = '
$query = "SELECT websitetitle FROM $weblist WHERE webID='$webID'";
$result = mysql_query ($query);
$row = mysql_fetch_array( $result );
echo $row['webID'];
';
fwrite($filehandle, $datawrite);
fclose($filehandle);
You should escape the ' in the query with \' This will not exec and end the string
$filename = "websites/".$firstpage.".php";
$filehandle = fopen($filename, 'w') or die("error opening file");
$datawrite = '
$query = "SELECT websitetitle FROM $weblist WHERE webID=\'$webID\'";
$result = mysql_query ($query);
$row = mysql_fetch_array( $result );
echo $row[\'webID\'];
';
fwrite($filehandle, $datawrite);
fclose($filehandle);
Check this out for reference
http://php.net/manual/en/language.types.string.php
Just use proper escaping and place a \ before the apostrophe.
$datawrite = '
$query = "SELECT websitetitle FROM $weblist WHERE webID=\'$webID\'";
$result = mysql_query ($query);
$row = mysql_fetch_array( $result );
echo $row[\'webID\'];
';
Is it possible to perform a MySQL search and replace while honoring wildcards?
eg:
$search = "id='%wildcard%-houselisting-rental'>";
$replace = "class='house_rentals'>";
$query = "UPDATE tables SET field = replace(field,'$search','$replace')";
$result = mysql_query($query);
I appreciate any advise on the subject
-h
I found out this wasn't possible for mysql.