I am trying to print a variable value for the variable $getparam in an image (which worked). Then I added that if $addressVal doesn't have both letters and numbers (because it's an address), then $getparam ($getparam is like a token) should be blank, and this is where it went wrong. What seems to be happening is that the condition checking for both letters and numbers runs, but only the first variable value is used and not the change that basically clears the value with the str_replace.

PHP
<?php
$getparam = $_POST['param']; // token sent with the POST request (I will have this post data)
$tName = 'user1';

// string-built query; $tName is a literal here, but see the accepted answer on parameterized queries
$addressQuery = "select address from testdb WHERE username = '$tName'";
$addressResult = mysqli_query($dbconnection, $addressQuery); // $dbconnection is an open mysqli connection
$addressVal = '';
if ($addressResult !== false) { // mysqli_query() returns false on failure
    $addressArray = mysqli_fetch_array($addressResult, MYSQLI_ASSOC);
    $addressVal = $addressArray['address'] ?? ''; // '' when no row matched
}

// matches when the address contains at least one letter and at least one digit, in either order
$addrexp = '/[A-Za-z].*[0-9]|[0-9].*[A-Za-z]/';

if (!preg_match($addrexp, $addressVal))
{
    // intended to blank the token (equivalent to $getparam = '')
    $getparam = str_replace($_POST['param'], '', $_POST['param']);
}
?>

<html>
<head></head>
<body>
<!-- the token is URL-encoded for the query string and HTML-escaped for the attribute -->
<img src="https://www.testingurl.com/trigger.php?param=<?php print htmlspecialchars(urlencode($getparam), ENT_QUOTES, 'UTF-8'); ?>" />
</body>
</html>


What I have tried:

I have tried to print each image in an if... else and other basic changes, but I would like to just have an if() to change $getparam and print the conditional $getparam.
Comments
Peter_in_2780 7-Jun-24 21:06pm    
A couple of comments:
1. Not checking the return from mysqli* calls is a sure route to disaster.
2. Your use of str_replace() is unnecessarily convoluted.
Why not just $getparam = ''; ?
mcbain19 8-Jun-24 15:27pm    
Peter_in_2780 I have to unfortunately start getparam with that post data value and change later due to earlier parts in the code. How would I check the return value from mysqli?
Peter_in_2780 8-Jun-24 18:01pm    
My point was that you don't need to go to the complexity of str_replace() to modify $getparam, but should simply just overwrite the variable with the new value.
If you had a variable $x holding some integer value and you wanted to set it to 7, it's much more natural to write
$x = 7;
than
$x += (7 - $x); or something similar.
Same thing with strings.

Most of the SQL functions return null on failure, so check that return is non-null. That doesn't guarantee that the result is reasonable or correct, but it'll stop you crashing a few lines later attempting to use the null value.
Thava Rajan 25-Jun-24 10:10am    
From all your comments, I hope you understand the types of requests: you are passing the param using the GET method, so it will not be available in the POST params; you need to use the $_GET variable.
Hope now you know why $getparam didn't get any values.

Firstly, don't do SQL like that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Secondly, use the debugger (PHP: About debugging in PHP - Manual) to show you exactly what is going on. Though your regex looks like it should work, you need to check exactly what is being fed to it from the address array to have any idea what is going on when your code runs.
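The parameterized form of the question's own address lookup, written with mysqli's prepared statements. This is an added example and not code from the answer above or from the poster; it assumes $dbconnection is an open mysqli connection and that the table testdb has username and address columns, as in the question. The helper name fetchAddress is mine.

```php
<?php
// Added example (not the poster's or the answerer's code).
// Assumes: $dbconnection is an open mysqli connection; table `testdb`
// has `username` and `address` columns, as in the question.

// Raise exceptions on driver errors instead of silently returning false,
// so a failed query cannot be mistaken for "no address".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up the address for a username with a parameterized query.
 * The username travels as a bound parameter, never as part of the SQL text,
 * so a value such as "x';DROP TABLE testdb;--" is compared literally and
 * cannot change the statement that runs.
 */
function fetchAddress(mysqli $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT address FROM testdb WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $result = $stmt->get_result();       // requires the mysqlnd driver (PHP's default)
    $row = $result->fetch_assoc();       // null when no row matched
    $stmt->close();
    return $row['address'] ?? null;
}

try {
    $addressVal = fetchAddress($dbconnection, 'user1') ?? ''; // no row -> treated like a failed address check
} catch (mysqli_sql_exception $e) {
    // Log server-side; never echo driver errors (table or column names) to the browser.
    error_log('address lookup failed: ' . $e->getMessage());
    $addressVal = '';
}
```

With error reporting switched on, the "check the return is non-null" advice from the comments is enforced by the driver: a failed prepare or execute throws, and the catch block leaves $addressVal empty rather than letting a false value flow into preg_match().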
Thanks OriginalGriff, I will change any spots like that in the future. Does anyone know why $getparam never seems to get changed when that condition is hit for an address missing numbers and letters?

Comments
OriginalGriff 8-Jun-24 23:34pm    
What does the debugger show you is happening?
mcbain19 10-Jun-24 10:19am    
OriginalGriff I made the below change hoping it would print $getparam correctly, and it did hit the valid message and had a value for my debugging. But it never inserted the value in the image (which happens after)??

img src="https://www.testingurl.com/trigger.php?param=" ...print $getparam;...

...
if(preg_match($addr_exp, $addressVal))
{
    $getparam = $_POST['param'];
    //echo "valid" . $getparam;
} else {
    $getparam = '';
    //echo "not valid" . $getparam;
}
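The approach the comments converge on (decide the token value once with a plain assignment, then emit it), written out as a complete page that runs from the command line. This is an added example, not the poster's code: the helper names tokenForAddress and imgTag are mine, the address values are constructed stand-ins for the database row, and the token is URL-encoded and HTML-escaped before it is placed in the img attribute so that whatever arrives in $_POST['param'] cannot break out of the query string or the tag.

```php
<?php
// Added example, not the poster's code. Variable names $getparam and
// $addressVal follow the question; the helper functions are mine.

// Same test as the question: at least one letter and at least one digit, in either order.
const ADDRESS_PATTERN = '/[A-Za-z].*[0-9]|[0-9].*[A-Za-z]/';

/** Return the token unchanged when the address has both letters and digits, otherwise ''. */
function tokenForAddress(string $address, string $token): string
{
    // preg_match() returns 1 on a match, 0 on no match, false on a regex error
    return preg_match(ADDRESS_PATTERN, $address) === 1 ? $token : '';
}

/** Build the <img> tag; the token is URL-encoded for the query string and HTML-escaped for the attribute. */
function imgTag(string $token): string
{
    $url = 'https://www.testingurl.com/trigger.php?param=' . rawurlencode($token);
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

// Token from the request; the fallback is a constructed value so the script also runs from the CLI.
$getparam = $_POST['param'] ?? 'abc123';

// Constructed addresses standing in for the database row.
$samples = [
    '221B Baker Street',   // letters and digits -> token kept
    'Baker Street',        // no digits          -> token cleared
    '12345',               // no letters         -> token cleared
    '',                    // no row / no address -> token cleared
];

foreach ($samples as $addressVal) {
    $token = tokenForAddress($addressVal, $getparam); // one assignment, no str_replace()
    printf("%-20s -> %s\n", var_export($addressVal, true), imgTag($token));
}
```

Because the token is computed by a single assignment and only then rendered, there is no earlier value for the output to fall back on: whatever tokenForAddress() returns is exactly what appears in the tag, which is the behaviour the thread was trying to get from str_replace().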

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)