mysql query problem
Posted: Tue Dec 16, 2003 11:35 am
by farfromrest
what is wrong with this??
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
When I add that $sex in there, that's when I get...
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/httpd/vhosts/killcore.com/httpdocs/new/members.php on line 285
please help
Posted: Tue Dec 16, 2003 11:37 am
by dull1554
Can you stick it in the php and /php syntax highlighter? It's a lot easier to read and you'll prolly get an answer quicker.
Posted: Tue Dec 16, 2003 11:52 am
by Draco_03
Again, no change; only made it readable.
Code:
<?php
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
?>
Posted: Tue Dec 16, 2003 11:54 am
by igoy
First of all, please use the PHP syntax highlighter for posting PHP code.
Also, please post what error you receive when you execute this code.
So I'm not sure whether it's a problem with quoting variables in the SQL query or not, but this is what I've modified in your code... Please try and post again.
Code:
<?php
if (!empty($_GET['order'])) {
$order = $_GET['order'];
} else {
$order = "username";
}
$search = $_POST['search'];
if ($_POST['sex'] == "male") {
$sex = "AND where sex = ".$_POST['sex'];
} elseif($_POST['sex'] == "female") {
$sex = "AND where sex = ".$_POST['sex'];
} else {
$sex = "";
}
//we will create all Vars used in Query like this
$search_by = $_POST['search_by'];
$order_dir = $_GET['desc'];
$result = mysql_query("SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir");
print "SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir";
?>
Posted: Tue Dec 16, 2003 11:54 am
by farfromrest
wow, thanks for highlighting that for me

Posted: Tue Dec 16, 2003 12:32 pm
by m3mn0n
Why are both GET and POST variable types being checked for within the same script? Is that a mistake or am I trippin' on something...You should change both to REQUEST.
And you should not directly feed incoming variables into a MySQL query. That is a major security risk. You should parse the incoming variable outside of the query and then insert it as a regular variable, not a POST or GET one.
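
The advice in the last reply, as an added example that is not part of any poster's message: identifiers and the sort direction are chosen from allowlists, and the search term and sex filter are bound as parameters. It assumes PDO, a `members` table with `username` and `sex` columns (taken from the posted query), a hypothetical helper `build_member_search()`, and an in-memory SQLite database with constructed rows so it runs offline.

```php
<?php
// Added example, not code from the thread. build_member_search() is a
// hypothetical helper; the column list is assumed from the posted query.
function build_member_search(array $get, array $post): array
{
    // Identifiers and keywords cannot be bound as parameters, so they are
    // picked from fixed allowlists instead of being copied from the request.
    $columns  = ['username', 'sex'];
    $searchBy = in_array($post['search_by'] ?? '', $columns, true) ? $post['search_by'] : 'username';
    $order    = in_array($get['order'] ?? '', $columns, true) ? $get['order'] : 'username';
    $dir      = strtoupper($get['desc'] ?? '') === 'DESC' ? 'DESC' : 'ASC';

    // Escape LIKE wildcards in the search term, then bind it as data.
    $term   = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $post['search'] ?? '');
    $sql    = "SELECT * FROM members WHERE $searchBy LIKE ? ESCAPE '!'";
    $params = ['%' . $term . '%'];

    // Optional filter: "AND sex = ?" with no second WHERE keyword, which is
    // the syntax error that made the original query fail.
    if (in_array($post['sex'] ?? '', ['male', 'female'], true)) {
        $sql .= ' AND sex = ?';
        $params[] = $post['sex'];
    }
    return ["$sql ORDER BY $order $dir", $params];
}

// Constructed demo data; with MySQL only the PDO DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT, sex TEXT)");
$db->exec("INSERT INTO members VALUES ('alice','female'), ('bob','male'), ('alicia','female')");

// Constructed request: the unexpected 'order' value is discarded by the allowlist.
$get  = ['order' => 'not_a_column', 'desc' => 'desc'];
$post = ['search_by' => 'username', 'search' => 'ali', 'sex' => 'female'];

[$sql, $params] = build_member_search($get, $post);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo $sql, "\n";
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $name) {
    echo $name, "\n";
}
```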