SQL Select not retrieving data based on query

Question

I'm trying to push a file to browser from SQL via the use of the file token which is created and assigned to the file during the upload process. But my SELECT SQL is not working for anything other then file id field which is the only one that seems to fire up SELECT request here is the code

$item = $_GET['item'];

$sql = 'SELECT * FROM `files` WHERE file_token = '.$item.'';
            $result = mysql_query($sql);

            if(!$result) {

                echo '<div style="padding:8px;background-color:#fae3e3;border:2px solid #b25959;color:#313131;">Error!</div>';

             } else {

                  while($obj = mysql_fetch_array($result)) {

                                     $file_type = $obj['file_type'];
                                     $file_size = $obj['file_size'];
                                     $file_name = $obj['file_name'];
                                     $file_hash = $obj['file_hash'];

                                     $name = 'encrypted/'.$file_hash;

if (file_exists($name)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file_name));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($name));
    ob_clean();
    flush();
    readfile($name);
    exit;
}

                   }
            }
mysql_query("UPDATE `files` SET file_views = file_views+1 WHERE file_token = '.$item.'");

mysql_close();

Is there something wrong with my SELECT statement? And tokens look like this in SQL

Example: 3ed3:3ba6:eb24:5816:6d8b:be06:79e1:b20b

Answer 1

尝试：

$sql = 'SELECT * FROM `files` WHERE file_token = \''.$item.'\'';

Answer 2

try to put quotes arround the $item

$sql = 'SELECT * FROM files WHERE file_token = "'.$item.'"';

Answer 3

As others have pointed out your issue has to do with no properly quoting strings when querying the database. That said there is a more fundamental issue at play with SQL Injection in general. Let's take a look at your first two lines:

$item = $_GET['item'];
$sql = 'SELECT * FROM `files` WHERE file_token = '.$item.'';

$item is set to whatever the user feels like providing to you and then directly dropped into your query. If the user is polite and sends along an actual file token everything ends up nice:

// http://example.com/yourapp.php?item=5
SELECT * FROM `files` where file_token = 5;

What if the user sends in some random string of data instead?

// http://example.com/yourapp.php?item=John%20Doe
SELECT * FROM `files` where file_token = John Doe;

The above SQL would be invalid. That string would need to have quotes around it such as:

SELECT * FROM `files` where file_token = "John Doe";

Editing your code to simply add the quotes may seem like enough of a solution, but it isn't. If we look at a solution like:

$sql = 'SELECT * FROM files WHERE file_token = "'.$item.'"';

We will indeed add quotes around whatever is passed in by the user. So in the example of John Doe we would get the proper SQL with John Doe quoted. What if the user decides instead that they wish to submit a GET request with the term 5"; TRUNCATE TABLE files; ";

our SQL would end up looking like:

SELECT * FROM files WHERE file_token = "5"; TRUNCATE TABLE files; "";

The single query now becomes 3:

SELECT * FROM files WHERE file_token = "5";
TRUNCATE TABLE files; 
"";

You could try to go farther by stipping out semi-colons or similar; but there's no need to reinvent the wheel. Check out this great SO answer for specifics on preventing SQL injection in PHP.