Greenguy's Board


Old 2005-02-24, 10:34 AM   #1
Ramster
PHP script help

A friend of mine needs help with a PHP script. Maybe someone could help me fix this for him.

Here's the problem:
Trying to have some control over who signs on

Typical Signon MEMBER (form), then list members name/address etc.
The second PHP does not work...
<?include("DB_Connect.php");
$result = mysql_query("Select * FROM members where Lastname = 'HLName' and Firstname = 'HFName' ");
print ('Personal Information'); ... blah blah

He then says:
Seems no matter what I put in HLNAME line it ends up with a not found condition or PHP syntax error.
So looking for a way to pass the variable LastName to the next PHP document or SQL
I've turned on register_global but it only seems to be for the one screen and does not get set on the next screen.

Anyone?

Thanks
Old 2005-02-24, 11:18 AM   #2
absix
My programmer said there's not enough information and he doesn't understand the issue
Old 2005-02-24, 11:40 AM   #3
cd34
Not sure exactly what you're running into.

Is it possible that you don't have short tags turned on and need to use <?php

To pass information, there are a number of ways. If it is a form submission, i.e. <form action="2ndpage.php" method="post">

You can do something like:

$result = mysql_query("Select * FROM members where Lastname = '".$_REQUEST['HLName']."' and Firstname = 'HFName' ");

or, if the quotes give you a headache:
$HLName = $_REQUEST['HLName'];
$result = mysql_query("Select * FROM members where Lastname = '$HLName' and Firstname = 'HFName' ");

If it is a mysql error that you are getting, after the result line, try:

print mysql_error(); // this will tell you what the interpreter is returning.

If you are using a header("Location: /2ndpage.php");

You can use sessions and pass the data. If you use sessions, you probably want to turn transsid on. This creates a wacky url with the hash just in case the cookie is not accepted by the surfer. The very first line of each page do:

session_start();

Then, you can set values like:
$_SESSION['HLName'] = 'birdicus';
$_SESSION['FLName'] = 'fasticus';

and read those values on the next page as:
$_SESSION['HLName'];

You can also use $_COOKIE['HLName'] if you set the cookie on the prior page with setcookie.

However, not really enough information to see what is going on based on what you posted. Maybe if you can post the error you are getting or a little more of the script.
Old 2005-02-24, 12:35 PM   #4
Barron
try this:

assumes:
<form method=POST action=info.php>

EDIT: Shit, I read your question wrong. The below script was changed to get the info you want.

<?php
session_start();
$con = mysql_pconnect("localhost", "db_username", "db_password");
if (!empty($_POST['firstname']) and !empty($_POST['lastname']))
{
    // trim whitespace from every submitted field
    foreach ($_POST as $key => $value)
    {
        $_POST[$key] = trim($value);
    }
    // look up the member; the POST values go into the query text as submitted
    $info = mysql_query("SELECT * FROM `members` WHERE `firstname`='$_POST[firstname]' AND `lastname`='$_POST[lastname]' LIMIT 1", $con) or die(mysql_error());
    $info_numrows = mysql_num_rows($info);
    if ($info_numrows > 0)
    {
        // found info: remember the name in the session and show the record
        $info_array = mysql_fetch_array($info);
        $_SESSION['firstname'] = $_POST['firstname'];
        $_SESSION['lastname'] = $_POST['lastname'];
        echo "First name: $info_array[firstname]<br>\n";
        echo "Last Name: $info_array[lastname]<br>\n";
        echo "Address: $info_array[address]<br>\n";
    }
    else
    {
        // info not found
        echo "you are not in our database<br>\n";
        include('get_info.php');
    }
}
else
{
    // No first or last name provided
    include('get_info.php');
}
?>

Last edited by Barron; 2005-02-24 at 01:19 PM..
Old 2005-02-24, 12:44 PM   #5
cd34
However, note that in both of our cases, you could enter a username of

johnny'/* and any password and get in
Old 2005-02-24, 12:48 PM   #6
Halfdeck
Barron's code looks like it should work.

When php/mysql code craps out, I usually:

1) print out the query using an echo statement, preferably using mysql_error(); Sometimes what you think you're sending to MYSQL is not what's actually getting sent.

2) If I'm really stuck, I use phpadmin or some other mysql interface and play around with different queries to come up with a query that actually returns what I want. Then it's just a matter of putting that query into the php script.
Old 2005-02-24, 01:04 PM   #7
Barron
He wasn't trying to log anyone in. I changed the code to fetch the info for the user.

Ramster, there isn't any error checking, you must put that in. Malformed input from a webpage can really screw things up : )
Old 2005-02-24, 01:49 PM   #8
Ramster
Sorry for the delay in replying. I had to go for a couple of hours.

First off, thanks for the replies!!

As I mentioned it is not my code so I'm going to pass this info along to my friend and see if it helps. He has a regular job so I most likely won't hear back from him until tonight or tomorrow. If it does not work then I'll get more of the code from him.
Old 2005-02-24, 01:50 PM   #9
codemonkey
Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input..

Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters.

so when inserting selecting etc always do this..

PHP Code:
$query = "SELECT * FROM table WHERE user='" . mysql_real_escape_string($user) . "'";
i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder

PHP Code:
//Escape the string for the database and add single quotes
function quote($value){
    $value = "'" . mysql_real_escape_string($value) . "'";
    return $value;
}

So your code is now...

PHP Code:
$query = "SELECT * FROM table WHERE user=" . quote($user);
Hope this helps someone out
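Added example, not part of any post in this thread: the interpolated query shape from posts #3 and #4 beside a prepared statement, run against the input cd34 quotes in post #5 and a name containing apostrophes. Prepared statements are a different technique from the mysql_real_escape_string approach in post #9. Assumptions: PHP 8 with the pdo_sqlite extension; the in-memory SQLite database (standing in for the thread's MySQL server), the sample rows and the lookup_* function names are constructed for illustration.

```php
<?php
// In-memory SQLite via PDO stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (firstname TEXT, lastname TEXT, address TEXT)');

// Constructed sample rows.
$ins = $pdo->prepare('INSERT INTO members VALUES (?, ?, ?)');
$ins->execute(['Jose', 'de la Cruz', '1 Example St']);
$ins->execute(['johnny', 'Smith', '2 Example Ave']);

// Same shape as the queries in posts #3 and #4: input is pasted into the SQL text.
function lookup_interpolated(PDO $pdo, string $first, string $last): array
{
    $sql = "SELECT * FROM members WHERE firstname = '$first' AND lastname = '$last'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the values are bound as parameters.
function lookup_prepared(PDO $pdo, string $first, string $last): array
{
    $stmt = $pdo->prepare('SELECT * FROM members WHERE firstname = ? AND lastname = ?');
    $stmt->execute([$first, $last]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$cases = [
    ['Jose', 'de la Cruz'],      // ordinary lookup
    ["johnny'/*", 'anything'],   // the input quoted in post #5
    ["D'Arcy", "O'Brien"],       // legitimate name containing apostrophes
];

foreach ($cases as [$first, $last]) {
    foreach (['lookup_interpolated', 'lookup_prepared'] as $fn) {
        try {
            $rows = $fn($pdo, $first, $last);
            printf("%-20s %-12s -> %d row(s)\n", $fn, $first, count($rows));
        } catch (PDOException $e) {
            printf("%-20s %-12s -> SQL error: %s\n", $fn, $first, $e->getMessage());
        }
    }
}
```

Because the parameters are bound separately from the SQL text, names with apostrophes need no escaping or stripping before the lookup.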
Old 2005-02-24, 02:23 PM   #10
Barron
I've got this really thick book on Web Database Applications and nowhere does it mention "mysql_real_escape_string"!

This will help me, thanks
Old 2005-02-24, 02:28 PM   #11
cd34
remember that using that actually breaks certain things if you are expecting graphics data.

Ideally, you'll turn off magic_quotes so that the behavior is completely predictable, and you can properly escape data when working with mysql.

However, most hosting companies randomly choose whether to leave magic_quotes on or off.
Old 2005-02-24, 03:07 PM   #12
Barron
Yeah, I assumed it would only be used on text.

What I have never figured out is how to check for white space:

<?php
// returns true when $entered contains only letters and digits
function alphaNumeric($entered)
{
    if(ereg("^[a-zA-Z0-9]*$", $entered))
    {
        return true;
    }
    return false;
}
$firstname="Jose";
$lastname="de la Cruz";
if($output=alphaNumeric($firstname) or $output=alphaNumeric($lastname))
{
    echo "true";
}
?>

as a work around:

$lastname="de la Cruz";
$explode_lastname=explode(" ", $lastname);
$new_lastname=implode("", $explode_lastname);
if($output=alphaNumeric($new_lastname))
{
echo "true";
}
Old 2005-02-24, 03:13 PM   #13
cd34
for regexp, if you wanted the first character to be alphanumeric, non-space

^[a-zA-Z0-9][a-zA-Z0-9 ]+$

of course, that will allow an ending space character, which you could eliminate with something like:

^[a-zA-Z0-9][a-zA-Z0-9 ]+[a-zA-Z0-9]$

however, that still allows multi-space runs in the middle.

One thing I always tell my guys -- validate input, don't try and fix it. Running search and replace to destroy invalid string or url encoding, etc can be avoided with a decent regexp.
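Added example, not from any poster: the patterns from posts #12 and #13 checked against a set of constructed inputs, plus one stricter pattern that goes beyond the thread by rejecting leading, trailing and repeated spaces. Assumptions: the validate_name helper, pattern D and the sample inputs are made up for illustration; preg_match is used in place of ereg, with the D modifier so that $ matches only at the very end of the string.

```php
<?php
// Patterns from the thread, wrapped in PCRE delimiters. The D modifier makes
// "$" match only at the very end, so a trailing newline is not accepted.
$patterns = [
    'A' => '/^[a-zA-Z0-9]*$/D',                         // post #12
    'B' => '/^[a-zA-Z0-9][a-zA-Z0-9 ]+$/D',             // post #13, first pattern
    'C' => '/^[a-zA-Z0-9][a-zA-Z0-9 ]+[a-zA-Z0-9]$/D',  // post #13, second pattern
    'D' => '/^[a-zA-Z0-9]+(?: [a-zA-Z0-9]+)*$/D',       // added here (assumption)
];

// Validate only: report whether the input matches and never modify it.
function validate_name(string $input, string $pattern): bool
{
    return preg_match($pattern, $input) === 1;
}

// Constructed sample inputs, including the edge cases raised in the thread.
$inputs = [
    'Jose',
    'de la Cruz',
    'de la Cruz ',   // trailing space
    'de  la Cruz',   // double space in the middle
    ' Cruz',         // leading space
    'J',             // single character
    "Cruz\n",        // trailing newline
    "O'Brien",       // apostrophe
    '',              // empty string
];

// One row per input, one column per pattern: y = accepted, - = rejected.
printf("%-16s %s\n", 'input', implode('  ', array_keys($patterns)));
foreach ($inputs as $input) {
    $cells = [];
    foreach ($patterns as $pattern) {
        $cells[] = validate_name($input, $pattern) ? 'y' : '-';
    }
    printf("%-16s %s\n", json_encode($input), implode('  ', $cells));
}
```

Every pattern here also rejects names with apostrophes, hyphens or accented letters, so the allowed character set is a policy decision to make before deploying such a check.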