在一个mysql查询中查询两个表

Question

im having trouble getting data from two seperate tables

so far i have this

<? 
include('config.php'); 
$xid = $_GET['xid'];

$result = mysql_query("SELECT * FROM `config`") or trigger_error(mysql_error()); 
while($row = mysql_fetch_array($result)){ 
foreach($row AS $key => $value) { $row[$key] = stripslashes($value); } 

$result = mysql_query("SELECT * FROM `utinfo` WHERE `xid` = $xid") or trigger_error(mysql_error()); 
while($row2 = mysql_fetch_array($result)){ 
foreach($row2 AS $key => $value) { $row2[$key] = stripslashes($value); } 
$un = urldecode($row2['un']);
};

switch ($row['module'])
{
case 1:
  echo "Function 1 for user $uid on account $un";
  break;
case 2:
  echo "Function 2 for user $uid on account $un";
  break;
case 3:
  echo "Function 3 for user $uid on account $un";
  break;
default:
  echo "No module defined.";

};
};
?>

The config table config has the row named modules, and its populated by 2 entries, one of which is 1, the other 3. So i should be seeing case 1 and then case 3. But all im getting is the default echo.

Answer 1

(This is not an answer to the OP, but something you really should care about, so I think it's worth writting it)

It seems there is a enormous SQL-injection in your code.

The normal way of calling your page would be with something like " xid=5 " in the URL, to get informations of user #5.

Now, suppose someone give " xid=5 or 1=1 ". The resulting query would be :

SELECT * FROM `utinfo` WHERE `xid` = 5 or 1=1

The condition is always true ; you'd get informations of ALL users as an output, as you iterate through the resultset.

Another possibility : " xid=5; delete from utinfo; " ; which would give this query :

SELECT * FROM `utinfo` WHERE `xid` = 5; delete from utinfo;

That would empty your table :-(

You must always escape / check / sanitize / whatever you data before putting them in a SQL query, especially (but not only) if they come from a user of the application.

For strings, see the mysql_real_escape_string function.
For data that sould be integers, you could use intval (worst case, if data was not valid, you'll get 0, which might get no result from the DB, but, at least, won't break it ^^ )

Another solution would be to use prepared statements ; but those are not available with mysql_* function : you have to switch to either

• mysqli_*
• or PDO

Anyway, for a new application, you shouldn't use mysql_* : it is old, and doesn't get new functionnalities / improvements that mysqli and PDO get...

Answer 2

stripslashes() is used on strings. Your case values are integers. It seems like you have a type mismatch here?

Answer 3

1. Why are you not using PDO? You should really standardis on PDO if you can.
2. Table names in SQL select should not be quoted.
3. You should consider using prepared statements in order to avoid SQL Injection and then you don't have to worry about having to quote your paramaters

Answer 4

The first answer is probably correct regarding type mismatches, you should be able to fix the issue by using the following code:

switch ((integer) $row['module'])

See the following: http://us.php.net/manual/en/language.types.type-juggling.php#language.types.typecasting

Alternatively, you could try this:

settype($row['module'], "integer");

switch ($row['module'])

See: http://us.php.net/manual/en/function.settype.php

I would also suggest echo'ing the value of $row['module'] onto the page just to check that it is indeed an integer.