PHP script help

Barron · 2005-02-24, 12:35 PM

try this:

assumes:
<form method=POST action=info.php>

EDIT: Shit, I read your question wrong. The below script was changed to get the info you want.

<?
session_start();
$con=mysql_pconnect("localhost", "db_username", "db_password");
if($_POST[firstname] and $_POST[lastname])
{
foreach($HTTP_POST_VARS as $key=>$value)
{
$_POST[$key]=trim($value);
}
$info=mysql_query("SELECT * FROM `members` WHERE `firstname`='$_POST[firstname]' AND `lastname`='$_POST[lastname]' LIMIT 1", $con) or die(mysql_error());
$info_numrows=mysql_num_rows($info);
if($info_numrows > 0)
{
// found info
$info_array=mysql_fetch_array($info);
$_SESSION[firstname]=$_POST[firstname];
$_SESSION[lastname]=$_POST[lastname];
echo "First name: $info_array[firstname]<br>\n";
echo "Last Name: $info_array[lastname]<br>\n";
echo "Address: $info_array[address]<br>\n";
}
else
{
// info not found
echo "you are not in our database<br>\n";
include('get_info.php');
}
}
else
{
// No first or last name provided
include(get_info.php);
}
?>

Halfdeck · 2005-02-24, 12:48 PM

Barron's code looks like it should work.

When php/mysql code craps out, I usually:

1) print out the query using an echo statement, preferrably using mysql_error(); Sometimes what you think you're sending to MYSQL is not what's actually getting sent.

2) If I'm really stuck, I use phpadmin or some other mysql interface and play around with different queries to come up with a query that actually returns what I want. Then its just a matter of putting that query into the php script.

Barron · 2005-02-24, 01:04 PM

He wasnt trying to log anyone in. I changed the code to fetch the info for the user.

Ramster, there isnt any error checking, you must put that in. Malformed input from a webpage can really screw things up : )

codemonkey · 2005-02-24, 01:50 PM

Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input..

Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters.

so when inserting selecting etc always do this..

PHP Code:


			
$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";

i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder

PHP Code:


			
//Escape the string for the database and add single quotes



function quote($value){

    $value = "'" .mysql_real_escape_string($value) ."'";

    return $value

}

So your code is now...

PHP Code:


			
$query = "SELECT * FROM table WHERE user=". quote($user);

Hope this helps someone out

2005-02-24, 12:35 PM	#1
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	try this: assumes: <form method=POST action=info.php> EDIT: Shit, I read your question wrong. The below script was changed to get the info you want. <? session_start(); $con=mysql_pconnect("localhost", "db_username", "db_password"); if($_POST[firstname] and $_POST[lastname]) { foreach($HTTP_POST_VARS as $key=>$value) { $_POST[$key]=trim($value); } $info=mysql_query("SELECT * FROM `members` WHERE `firstname`='$_POST[firstname]' AND `lastname`='$_POST[lastname]' LIMIT 1", $con) or die(mysql_error()); $info_numrows=mysql_num_rows($info); if($info_numrows > 0) { // found info $info_array=mysql_fetch_array($info); $_SESSION[firstname]=$_POST[firstname]; $_SESSION[lastname]=$_POST[lastname]; echo "First name: $info_array[firstname]<br>\n"; echo "Last Name: $info_array[lastname]<br>\n"; echo "Address: $info_array[address]<br>\n"; } else { // info not found echo "you are not in our database<br>\n"; include('get_info.php'); } } else { // No first or last name provided include(get_info.php); } ?> Last edited by Barron; 2005-02-24 at 01:19 PM..

2005-02-24, 01:50 PM	#4
codemonkey WHO IS FONZY!?! Don't they teach you anything at school? Join Date: Oct 2004 Posts: 44	Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input.. Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters. so when inserting selecting etc always do this.. PHP Code: `$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";` i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder PHP Code: `//Escape the string for the database and add single quotes function quote($value){ $value = "'" .mysql_real_escape_string($value) ."'"; return $value }` So your code is now... PHP Code: `$query = "SELECT * FROM table WHERE user=". quote($user);` Hope this helps someone out __________________ BBW modelling competitions

2005-02-24, 12:48 PM	#2
Halfdeck You can now put whatever you want in this space :) Join Date: Oct 2004 Location: New Haven, CT Posts: 985	Barron's code looks like it should work. When php/mysql code craps out, I usually: 1) print out the query using an echo statement, preferrably using mysql_error(); Sometimes what you think you're sending to MYSQL is not what's actually getting sent. 2) If I'm really stuck, I use phpadmin or some other mysql interface and play around with different queries to come up with a query that actually returns what I want. Then its just a matter of putting that query into the php script.

2005-02-24, 01:04 PM	#3
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	He wasnt trying to log anyone in. I changed the code to fetch the info for the user. Ramster, there isnt any error checking, you must put that in. Malformed input from a webpage can really screw things up : )