mysql query problem

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
farfromrest
Forum Newbie
Posts: 11
Joined: Sun Jul 20, 2003 7:09 pm

mysql query problem

Post by farfromrest »

what is wrong with this??

if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";

when i add that $sex in there, thats when i get...

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/httpd/vhosts/killcore.com/httpdocs/new/members.php on line 285

please help
User avatar
dull1554
Forum Regular
Posts: 680
Joined: Sat Nov 22, 2003 11:26 am
Location: 42:21:35.359N, 76:02:20.688W

Post by dull1554 »

can you thick it in the php and /php syntax highlighter, its alot easier to read and you'll prolly get a answer quicker
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

Again no change only made it readable :)

Code: Select all

<?php
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
?>
User avatar
igoy
Forum Contributor
Posts: 203
Joined: Fri May 02, 2003 11:57 pm
Location: India
Contact:

Post by igoy »

First of all, Please use PHP syntax highlighter for posting PHP code.
also please post what error you recieve when execute this code.

So i'm not sure whether it's a problem with quoting variables in SQL query or not. but this is what i've modified in your code... Please try and post again.

Code: Select all

<?php

if (!empty($_GET['order'])) {
	$order = $_GET['order'];
} else {
	$order = "username";
} 

$search= $_POST'[search'];

if ($_POST['sex'] == "male") { 
	$sex = "AND where sex = ".$_POST['sex']; 
} elseif($_POST['sex'] == "female") { 
	$sex = "AND where sex = ".$_POST['sex']; 
} else { 
	$sex = ""; 
} 

//we will create all Vars used in Query like this

$search_by = $_POST['search_by'];
$order_dir = $_GET['desc'];

$result = mysql_query("SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir"); 
print "SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir";

?>
Last edited by igoy on Tue Dec 16, 2003 11:57 am, edited 1 time in total.
farfromrest
Forum Newbie
Posts: 11
Joined: Sun Jul 20, 2003 7:09 pm

Post by farfromrest »

wow, thanks for highlighting that for me :D
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Why are both GET and POST variable types being checked for within the same script? Is that a mistake or am I trippin' on something...You should change both to REQUEST.

And you shoud not directly feed incoming variables into a MySQL query. That is a major security risk. You should parse the incoming variable outside of the query and then insert it as a regular variable, not a POST or GET one.
Post Reply