Select row from Mysql + Send in email problems

[Reed92]

What's wrong here? I am getting no values in the email.

if(isset($_GET['email'])){
	$sql = ("SELECT FROM xxxxx WHERE id='" . $_GET['email'] . "'");
	$result = mysql_query($sql);
	$row = mysql_fetch_array($result);
	echo $row['timestamp'];
	$to = "[email protected]";
	$from = $row['email'];
	$subject = "Quote Request";
	$body = "<html><body><p>" . 
  		"Time:           " 			. $row['timestamp'] 	. "<br />" . 
  		"Name:           " 			. $row['fullname'] 		. "<br />" .
  		"Company:        " 			. $row['company'] 		. "<br />" . 
  		"Phone:          " 			. $row['phonenumber'] 	. "<br />" . 
  		"Project Info:   " 			. $row['project'] 		. "<br />" . 
  		"Project City:   " 			. $row['projectcity'] 	. "<br />" . 
  		"Project State:  " 			. $row['projectstate']	. "<br />" . 
  		"Other:          " 			. $row['other']	 		. "<br />" . 
  		"Due Date:       " 			. $row['duedate'] 		. "<br />" . 
  		"Comments:       " 			. $row['comments'] 		. "<br /></p></body></html>";
	$headers = "From: " . $from . "\r\nContent-type: text/html\r\n";
	
	mail($to,$subject,$body,$headers);
}

 

[DHDdirect]

Try

SELECT * FROM xxxxx

 

[MarkR]

Ensure $_GET['Email'] is not empty/null.

Also beware that you are not sanitising your input and vulnerable to SQL injection!

 

[Reed92]

Hmm, it works much better with the *, haha.

I checked for errors at every step...and it all came down to the missing *...It was pulling the id, but nothing else.

And I am very much aware that the input is not sanitized. I'm not going to bother, since this is a back-end page. If an attacker somehow finds the page and takes the site down with it...well...so be it. It's not MY server.