what is wrong with this??
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
when i add that $sex in there, thats when i get...
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/httpd/vhosts/killcore.com/httpdocs/new/members.php on line 285
please help
mysql query problem
Moderator: General Moderators
Again no change only made it readable
Code: Select all
<?php
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
?>First of all, Please use PHP syntax highlighter for posting PHP code.
also please post what error you recieve when execute this code.
So i'm not sure whether it's a problem with quoting variables in SQL query or not. but this is what i've modified in your code... Please try and post again.
also please post what error you recieve when execute this code.
So i'm not sure whether it's a problem with quoting variables in SQL query or not. but this is what i've modified in your code... Please try and post again.
Code: Select all
<?php
if (!empty($_GET['order'])) {
$order = $_GET['order'];
} else {
$order = "username";
}
$search= $_POST'[search'];
if ($_POST['sex'] == "male") {
$sex = "AND where sex = ".$_POST['sex'];
} elseif($_POST['sex'] == "female") {
$sex = "AND where sex = ".$_POST['sex'];
} else {
$sex = "";
}
//we will create all Vars used in Query like this
$search_by = $_POST['search_by'];
$order_dir = $_GET['desc'];
$result = mysql_query("SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir");
print "SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir";
?>
Last edited by igoy on Tue Dec 16, 2003 11:57 am, edited 1 time in total.
-
farfromrest
- Forum Newbie
- Posts: 11
- Joined: Sun Jul 20, 2003 7:09 pm
Why are both GET and POST variable types being checked for within the same script? Is that a mistake or am I trippin' on something...You should change both to REQUEST.
And you shoud not directly feed incoming variables into a MySQL query. That is a major security risk. You should parse the incoming variable outside of the query and then insert it as a regular variable, not a POST or GET one.
And you shoud not directly feed incoming variables into a MySQL query. That is a major security risk. You should parse the incoming variable outside of the query and then insert it as a regular variable, not a POST or GET one.