-3

The mysql table record:

definitionID = 1,
term = alert('Hello World'); ,
definition = Javascript pop-up box

I am having some issues querying the definition field from the above example. Everything has already been through mysqli_real_escape_string as part of its form input method/validation.

The term is assigned to a variable earlier in my PHP. I think this worked fine.

//So, $term = alert('Hello World');

$definitionQuery="SELECT definition FROM definitionTable WHERE term='".$term."'";
$definitionArray = mysqli_query($dbc,$definitionQuery);
$row = mysqli_fetch_array($definitionArray);
$answer = $row['definition'];

/*In addition, document.getElementByID('test'); as a term doesn't work either
but the following do. Gotta be something to do with single quotes but cant
figure out what. Whilst the quotes are in a variable and not processed by PHP,
might they be processed in mysql?*/

<script></script> or,
document.getElementByID("DOUBLE");

The PHP error is:

mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given
hichris123
  • 9,955
  • 15
  • 53
  • 68
DVCITIS
  • 1,043
  • 3
  • 16
  • 36
  • 2
    You're vulnerable to and suffering from [SQL injection attacks](http://bobby-tables.com). once you learn about that and how to avoid/prevent it, you'll have the answer to your question. – Marc B Jan 11 '14 at 20:45
  • 1
    Use prepared statements. – u_mulder Jan 11 '14 at 20:45
  • it's returning a boolean because the `mysqli_query()` is probably returning false due to an sql error; try adding ` or die(mysqli_error())` to the end of your `mysqli_query` –  Jan 11 '14 at 20:45
  • @josh: not probably. definitely. OP is trying to do `WHERE term=alert('Hello world')` – Marc B Jan 11 '14 at 20:46

1 Answers1

0

Judging from the pattern, your problem is that, even though you say you have used mysqli_real_escape_string, you have not done so correctly. Queries with apostrophes in the $term are failing, but queries without them are okay. This clearly says that you have not escaped the apostrophes, so your query is malformed. This is the query mysql is receiving:

SELECT definition FROM definitionTable WHERE term='alert('Hello World')'

As one comment said, you should look into using prepared statements. They only take a little getting used to, and if you use them, you don't have to worry about proper escaping. If you choose not to use them (for example, because you are building your queries dynamically), then double check that your escaping is actually happening. I'm betting you're doing something like this:

mysqli_real_escape_string($dbc, $term);

instead of

$term = mysqli_real_escape_string($dbc, $term);

The bigger problem here is that you don't know when mysqli errors occur. Every time you run mysql_query or any other query function, you should immediately afterward put the following lines (or something similar):

if(mysqli_error($dbc)) {
    throw new Exception(mysqli_error($dbc), mysqli_errno($dbc));
}

I use exceptions instead of the far-too-ubiquitous die() because you can then write an exception handler to do something with this error. You can log it, email it to yourself, show an error message to the user, or all of the above. You are not stuck only seeing the error if you happen to be the one using the page, as is what happens with die().

miyasudokoro
  • 1,712
  • 1
  • 15
  • 23