9

How do you call this php error, data not assigned to variable?

Comments
  • 1
    Because it's php
  • 9
    Yes. Concatenating the SQL query and parameters, and not using prepared statements, will get far....
    Especially the >0 at the start.
  • 4
    @magicMirror look at his code, he's probably getting started and learning, no reason to be a dumbfuck about it
  • 2
    I don't know exactly how this would be called. The ; (what probably should be a point to continue the concatenation) finishes your assignment, so everything after will be handled as a new statement / expression / however you call it. Because said statement cannot be invoked, since it's not a method, nor an assignment, etc., it'd throw some error along the lines of "Cannot invoke non method", or maybe PHP just ignores the entire block.
    As @magicMirror pointed out, after getting that sorted out you should read up on "SQL Injections" and how to prevent them. Also FYI you can use $variables directly "in strings $like this", instead of explicitly wrapping them
  • 2
    @Kimmax there is no excuse for learning something wrong. Everyone should learn proper way of doing something from the very beginning.
  • 0
    As some have pointed out, string concatenation isn't safe for SQL stuff, especially when inserting user-controlled variables. What you (@caiofior) should do instead is use prepared statements (PDO).

    I know, sadly most (beginner) tutorials don't cover this, which is a reason for so many people not doing it and helps to uphold PHP as a "joke" language...
    I'd recommend reading https://phptherightway.com//...
  • 0
    I would recommend always using prepared statements, as others have already pointed out.

    However, in this case it is not that bad. One variable is cast to an integer and, assuming the other ID is also an integer, no SQL injection should be possible.

    If, and if, OP is a beginner, I still think the coding style is very consistent. I've seen far worse than this, even from guys with years of experience.

    On topic: I don't think this has a specific name, because I think this code will execute. A decent editor will probably give you warnings though (I think PHPStorm does, but not sure).
  • 0
    @Hel8y let's assume a system that has urls like `/profile/{id}` or `/bankaccount/{id}`. If the user is allowed to submit anything and that gets cast to an int, we're looking at a potential SQL injection (sure, it's far fetched, but still it's an attack surface...)
  • 1
    @Wack That's why I said, assuming, it is an integer :) Not like a PHP string type integer, but a real integer.
  • 1
    @Wack depending on the code we cannot see, the code might return the rows matching ID 0. Using auto increment values in MySQL starting at 1, the 0 should normally not exist. They can manually be set to 0, which could result in a security flaw. Otherwise, I can not see how this would impact system security. It could still be a bug, but not related to security.
  • 1
    I call it why-not-orm exception
  • 0
    Why light/white theme?
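An added example, written for this page and not posted by anyone in the thread, of the PDO prepared-statement approach several commenters recommend. It validates the id as a positive integer instead of casting it, which also sidesteps the "row matching ID 0" case discussed above. It assumes PHP with the PDO SQLite driver and constructs its own in-memory table so it runs offline.

```php
<?php
// Added example (not from the thread): lookup by id with PDO prepared statements,
// plus strict validation so a bogus id does not silently become 0.
// Uses an in-memory SQLite database constructed here so it runs offline.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');
    // Constructed sample rows; id 0 stands in for a manually inserted row (see the thread).
    $pdo->exec("INSERT INTO profile (id, name) VALUES (0, 'sentinel'), (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// Reject anything that is not a positive integer instead of casting it:
// (int)"7abc" === 7 and (int)"abc" === 0, so a cast hides bad input and can hit row 0.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function findProfile(PDO $pdo, string $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null; // invalid id: no query is run at all
    }
    // Placeholder plus typed binding: the value is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, name FROM profile WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// '1' and '2' resolve to names; the rest are rejected before any SQL is executed.
foreach (['1', '2', '7abc', 'abc', '0', '-3'] as $input) {
    $row = findProfile($pdo, $input);
    printf("%-6s => %s\n", var_export($input, true), $row ? $row['name'] : 'rejected/not found');
}
```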