从mysql DB中检索数据不起作用/ PHP

Question

I hvae the following PHP source:

$type_ID =$_GET["typeID"];
try{                               
$article_ID =$_GET["articleID"];
$select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID");
}
catch(Exception $e)
{ $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID");
                                   }
$row = mysql_fetch_assoc($select_query); 
echo '<h1>'.$row['articleTitle'].'</h1>';
echo  $row['articleContent'];

I know that this code is no safe, and yo can easlily do sql injection.

There problem here is that it's didn't go into the catch part (after the try )even when it should. The solution may be easy but I can't solve it.

Why it's didn't go into the catch section?

Answer 1

You'd have to change your queries to use the or to catch the fail in this case something like this may work though I'm not 100% (can anyone correct me?) You'd be far better off moving away from mysql_ functions though and moving to mysqli or pdo in an OO style then you can better trap and handle the errors.

$type_ID =$_GET["typeID"];
try{                               
$article_ID =$_GET["articleID"];
$select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID") or throw new Exception("ERROR HERE");
}
catch(Exception $e)
{ 
 $select_query = mysql_query("SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID"); // note we can't throw exception here because its already in the try catch. perhaps we should look at something like the finally statement.
//echo $e->getMessage(); //uncomment this line if you want to output the exception error text set above
}
$row = mysql_fetch_assoc($select_query); 
echo '<h1>'.$row['articleTitle'].'</h1>';
echo  $row['articleContent'];

Actually just had a thought you'd be much better doing something like this and validating your inputs before hand. (note i'm doing no string escaping here don't forget to do it)

$type_ID =$_GET["typeID"];
$article_ID =$_GET["articleID"];

if (strlen($type_ID)>0 && strlen($article_ID)>0 && is_numeric($type_ID) && is_numeric($article_ID)) { 
$sqlquery = "SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID";
} else {
$sqlquery = "SELECT articleContent, articleTitle From articles WHERE typeID=$type_ID";
}

try {
    $queryresult = mysql_query($sqlquery) or throw new Exception("Query Failed");
} catch(Exception $e) { 
    echo $e->getMessage(); 
}

So basically you're validating and checking your inputs and switching your sql statements before then your try catch logic is purely for did the query succeed or fail which is far more sensible than what you were attempting.

Answer 2

Mysql query will return FALSE on error
So you can throw an exception for that
$result = mysql_query("SELECT articleContent, articleTitle From articles WHERE articleID=$article_ID && typeID=$type_ID");

if(!$result) throw new Exception("Invalid query: ". mysql_error());

And catch them in your catch block
catch(Exception $e) { echo $e->getMessage()}

Its up to you what you will do with it echo or log.