Need some help getting values of my variables in my DB.
I have a PHP page that has a form to search for a user in my table by email.
The problem is I'm passing values from this code to a file to verify in this code if my value of the variable I'm passing from my form exists in my DB.
I use GET in my form, and this code to compare if the email I query exists in my DB.
CODE
$i=0;
$req = "SELECT email FROM $dbtable WHERE email_busca='$email'";
$res = mysql_query($req);
$username = mysql_result($res,$i,"username");
email_busca: is the name of the variable in my form.
email: is the name of the variable in my DB.
Could I have some help ???????????
Problem with query!!!! GET data .
If the $email part is your problem, I had the same
problem. I had to register it as a session and call it like so:
WHERE email_busca='".$email."'";
Register a session:
session_register("email");
Then put start_session(); at the very top of the page on both pages. If that's your problem, that's what happened to me...
First off, has $email been declared? This might be a register globals problem (see sticky thread): if register globals is off - as it should be - $email is a value in the superglobal $_GET array: $_GET['email'] (exists in any scope).
If you have already declared $email = $_GET['email'], the next thing is that you did not retrieve the username column in the mysql query - the string defined in $req only gets the email column. Also, the WHERE clause needs to specify a db column - not a form field name.
Try this:
Code: Select all
<?php
$req = "SELECT username FROM $dbtable WHERE email='$email'";
?>
One other point: it's better to use POST as the form action rather than GET since this makes it a little bit harder for hackers who have to go to the trouble of forging a form rather than just typing in some GET vars in a browser url bar.
Whichever method you use, it is still possible to bombard your script with any variable and any value - if your form also passes a value for a table name, ie the $dbtable var, you should check this against an array of allowed values before performing the db query.
Last edited by McGruff on Wed Aug 10, 2005 11:15 pm, edited 1 time in total.
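The allowlist check for $dbtable described in the post above, combined with a bound parameter for the email value, as an added example that is not part of the original thread. It uses PDO instead of the thread's mysql_* functions (removed in PHP 7); the table names, the allowlist and the sample rows are constructed, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread. ALLOWED_TABLES, find_username()
// and the sample rows are hypothetical; SQLite in memory stands in for MySQL.
const ALLOWED_TABLES = ['users', 'customers'];

function find_username(PDO $pdo, string $table, string $email): ?string
{
    // Identifiers cannot be bound as parameters, so the table name is
    // accepted only when it exactly matches an allowlist entry.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    // Reject input that is not syntactically an email address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The email is sent as a bound value, never spliced into the SQL text.
    $stmt = $pdo->prepare("SELECT username FROM $table WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');
$insert = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
$insert->execute(['ana', 'ana@example.com']);
$insert->execute(['obrien', "o'brien@example.com"]);

// Simulated request; in the form handler these come from $_GET or $_POST.
$request = ['dbtable' => 'users', 'email' => 'ana@example.com'];
var_dump(find_username($pdo, $request['dbtable'], $request['email']));

// A legitimate address containing an apostrophe would break the
// concatenated query from the thread; as a bound value it is plain data.
var_dump(find_username($pdo, 'users', "o'brien@example.com"));

// A table name outside the allowlist never reaches the database.
try {
    find_username($pdo, 'accounts', 'ana@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```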
I solved my problem. Thanks!!!!!
Really, thanks. With your help I solved my problem.
