Problem with query!!!! GET data .

Posted: Fri Aug 08, 2003 3:37 pm
by maceved23
Need some help getting the values of my variables in my DB.

I have a PHP page which has a form to search for a user in my table by email.

The problem is I'm passing values from this form to a file, and in that file I verify whether the value of the variable I'm passing from my form exists in my DB.

I use GET in my form, and this code to compare whether the email I query exists in my DB.

CODE

$i=0;
$req = "SELECT email FROM $dbtable WHERE email_busca='$email'";
$res = mysql_query($req);
$username = mysql_result($res,$i,"username");

email_busca: is the name of the variable in my form.
email: is the name of the variable in my DB.

Could I have some help???????????


Posted: Fri Aug 08, 2003 5:19 pm
by skateis2s
If the $email part is your problem, I had the same problem; I had to register it as a session and call it like so:

WHERE email_busca='".$email."'";

Register a session:

session_register("email");

Then put start_session(); at the very top of the page on both pages. If that's your problem, that's what happened to me...

Posted: Fri Aug 08, 2003 7:05 pm
by McGruff
First off, has $email been declared? This might be a register globals problem (see sticky thread): if register globals is off - as it should be - $email is a value in the superglobal $_GET array: $_GET['email'] (exists in any scope).

If you have already declared $email = $_GET['email'], the next thing is that you did not retrieve the username column in the mysql query - the string defined in $req only gets the email column. Also, the WHERE clause needs to specify a db column - not a form field name.

Try this:

CODE

<?php

$req = "SELECT username FROM $dbtable WHERE email='$email'";

?>
One other point: it's better to use POST as the form action rather than GET since this makes it a little bit harder for hackers who have to go to the trouble of forging a form rather than just typing in some GET vars in a browser url bar.

Whichever method you use, it is still possible to bombard your script with any variable and any value - if your form also passes a value for a table name, i.e. the $dbtable var, you should check this against an array of allowed values before performing the db query.
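The lookup described in the reply above, written out as an added example that is not code from the thread. It assumes PHP with the mysqli extension (the original posts use the old mysql_* functions), a table with columns `email` and `username`, and placeholder connection details and table names that you would replace with your own. The form value is read from the $_GET superglobal so it works with register_globals off, the table name is checked against a fixed allow-list because table names cannot be bound as query parameters, and the email value is bound to the query instead of being pasted into the SQL string:

```php
<?php
// Added example, not from the thread. Assumes mysqli, a table with the
// columns `email` and `username`, and placeholder connection settings.

// Placeholder connection details (replace with your own).
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($conn->connect_error) {
    exit('Database connection failed');
}

// 1. Read the form value from the superglobal; works whether register_globals
//    is on or off. Use $_POST here if the form method is changed to POST.
$email = isset($_GET['email']) ? $_GET['email'] : '';

// 2. A table name supplied by the form must match a fixed list of allowed
//    values, since it cannot be bound as a parameter. Constructed sample list.
$allowedTables = ['users', 'members'];
$dbtable = isset($_GET['dbtable']) ? $_GET['dbtable'] : 'users';
if (!in_array($dbtable, $allowedTables, true)) {
    http_response_code(400);
    exit('Unknown table');
}

// 3. Query the DB column that holds the email, select the column we actually
//    want back (username), and bind the value rather than interpolating it.
$stmt = $conn->prepare("SELECT username FROM `$dbtable` WHERE email = ?");
if ($stmt === false) {
    exit('Query preparation failed');
}
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->bind_result($username);

if ($stmt->fetch()) {
    // Escape on output so a stored value cannot inject markup into the page.
    echo 'Found user: ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
} else {
    echo 'No user with that email.';
}

$stmt->close();
$conn->close();
?>
```

Binding the email value makes the query safe against crafted input whether the form uses GET or POST, so the choice of method is then only about whether the value should appear in the URL; the allow-list check on $dbtable is what covers the one part of the query that a prepared statement cannot parameterise.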

I solved my problem. Thanks!!!!!

Posted: Fri Aug 08, 2003 7:38 pm
by maceved23
Really, thanks; with your help I solved my problem.
:D :D :D