GTCR - 4 months ago 11
MySQL Question

Can I use a variable from the GET method to fetch MySQL data?

I'm wondering if this can be done, or if it is wrong:

I have a table in MySQL which contains these columns:

email_message | email_message_es | email_subject | email_subject_es

So i have this code:

    $email_message = $_GET['langmess'];
    $email_subject = $_GET['langsub'];

    if ($payment == 'gateway1') {
        //Admin Email DATA
        $admin_mail     = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
        $admin_mailData = mysqli_fetch_array($admin_mail);
        //Variables: the column name is meant to come from the URL parameter
        $string         = $admin_mailData['$email_message'];
        $subjectmail    = $admin_mailData['$email_subject'];
        //Turn {name} placeholders into $name, then let eval() interpolate them
        $pattern        = '/{(\w+)}/i';
        $replacement    = "$$1";
        $msnAdminbody   = preg_replace($pattern, $replacement, $string);
        eval("\$msnAdminbody = \"<html><body> " . $msnAdminbody . " </body></html>\";");
        // ... rest of the gateway1 branch
    }


This is just part of the code, but I'm not sure if I can use a variable to get the data from MySQL. The idea is that the URL contains: http://mydomain/file.php?langmess=email_message_es&langsub=email_subject_es

or

http://mydomain/file.php?langmess=email_message&langsub=email_subject

And so, the email can be sent in the right language to the admin and to the user in the future.

Thanks a lot in advance for your help, and I'm sorry for my English.

Answer

It doesn't have much to do with MySQL but the problem is this:

    $string         = $admin_mailData['$email_message'];
    $subjectmail    = $admin_mailData['$email_subject'];

With the single quotes, PHP looks for an index called literally '$email_message'. You need to remove the single quotes to retrieve the column named after the value of the variable.

    $string         = $admin_mailData[$email_message];
    $subjectmail    = $admin_mailData[$email_subject];

That doesn't solve all of the security issues in your code by the way. A safer way to do this is something like this:

    $language_code = $_GET['lang'];

    if ($payment == 'gateway1') {
        //Admin Email DATA
        $admin_mail     = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
        $admin_mailData = mysqli_fetch_array($admin_mail);
        //Variables: map the language code to fixed column names instead of
        //taking the column name itself from the request
        switch($language_code)
        {
            case 'es':
                $string         = $admin_mailData['email_message_es'];
                $subjectmail    = $admin_mailData['email_subject_es'];
                break;
            default:
                $string         = $admin_mailData['email_message'];
                $subjectmail    = $admin_mailData['email_subject'];
                break;
        }
        $pattern        = '/{(\w+)}/i';
        $replacement    = "$$1";
        $msnAdminbody   = preg_replace($pattern, $replacement, $string);
        // ... rest of the gateway1 branch
    }

And the eval() is really unnecessary here and can be replaced with:

    $msnAdminbody = "<html><body> " . $msnAdminbody . " </body></html>";
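Taking the answer's approach one step further, here is an added example (not code from the question or the answer) that keeps the language-to-column mapping in a fixed array and expands the {name} placeholders from an explicit array of values with preg_replace_callback, so no request value ever names a column and template text is never evaluated as PHP. The names templateColumns, renderTemplate and buildAdminMail are assumptions, and the sample row stands in for a fetched email_template record.

```php
<?php
// Added example (not code from the question or the answer): choose the template
// columns from a fixed map keyed by language and expand {placeholder} tokens from
// an explicit array, so no request value names a column and no eval() is needed.
const TEMPLATE_COLUMNS = [
    'en' => ['message' => 'email_message',    'subject' => 'email_subject'],
    'es' => ['message' => 'email_message_es', 'subject' => 'email_subject_es'],
];

function templateColumns(?string $lang): array
{
    // Unknown or missing language codes fall back to the default columns.
    return TEMPLATE_COLUMNS[$lang] ?? TEMPLATE_COLUMNS['en'];
}

function renderTemplate(string $template, array $vars, bool $html): string
{
    // Each {name} is looked up in $vars only; unknown names stay literal and
    // template text is never interpreted as PHP code.
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($vars, $html) {
        if (!array_key_exists($m[1], $vars)) {
            return $m[0];
        }
        $value = (string) $vars[$m[1]];
        // Escape values placed inside the HTML body; the subject is plain text.
        return $html ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    }, $template);
}

function buildAdminMail(array $row, ?string $lang, array $vars): array
{
    $cols = templateColumns($lang);
    $body = renderTemplate($row[$cols['message']], $vars, true);
    return [
        'subject' => renderTemplate($row[$cols['subject']], $vars, false),
        'body'    => '<html><body>' . $body . '</body></html>',
    ];
}

// Constructed sample row standing in for what mysqli_fetch_array() returns.
$row = [
    'email_message'    => 'New order from {name} ({email})',
    'email_message_es' => 'Nuevo pedido de {name} ({email})',
    'email_subject'    => 'Order {order_id}',
    'email_subject_es' => 'Pedido {order_id}',
];
$vars = ['name' => 'Ana <b>', 'email' => 'ana@example.com', 'order_id' => 42];
$mail = buildAdminMail($row, $_GET['lang'] ?? 'es', $vars);
echo $mail['subject'], "\n", $mail['body'], "\n";
```

The request only supplies a key into TEMPLATE_COLUMNS; which columns are read and which values may appear in the message are decided entirely by the application.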