
mysql query problem

Posted: Tue Dec 16, 2003 11:35 am
by farfromrest
what is wrong with this??

if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";

When I add that $sex in there, that's when I get...

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/httpd/vhosts/killcore.com/httpdocs/new/members.php on line 285

please help

Posted: Tue Dec 16, 2003 11:37 am
by dull1554
Can you stick it in the php and /php syntax highlighter? It's a lot easier to read and you'll prolly get an answer quicker.

Posted: Tue Dec 16, 2003 11:52 am
by Draco_03
Again no change only made it readable :)

Code:

<?php
if($_GET[order]){$order=$_GET[order];}else{$order="username";}
$search="$_POST[search]";
if($_POST[sex] == "male"){
$sex="AND where sex = '$_POST[sex]'";
}
elseif($_POST[sex] == "female"){
$sex="AND where sex = '$_POST[sex]'";
}
else{
$sex="";
}
$result=mysql_query("select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]");
print "select * from members where $_POST[search_by] LIKE '%$search%' $sex order by $order $_GET[desc]";
?>

Posted: Tue Dec 16, 2003 11:54 am
by igoy
First of all, please use the PHP syntax highlighter for posting PHP code.
Also, please post what error you receive when you execute this code.

So I'm not sure whether it's a problem with quoting variables in the SQL query or not, but this is what I've modified in your code... Please try and post again.

Code:

<?php

if (!empty($_GET['order'])) {
	$order = $_GET['order'];
} else {
	$order = "username";
} 

$search = $_POST['search'];

if ($_POST['sex'] == "male") { 
	$sex = "AND where sex = ".$_POST['sex']; 
} elseif($_POST['sex'] == "female") { 
	$sex = "AND where sex = ".$_POST['sex']; 
} else { 
	$sex = ""; 
} 

//we will create all Vars used in Query like this

$search_by = $_POST['search_by'];
$order_dir = $_GET['desc'];

$result = mysql_query("SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir"); 
print "SELECT * FROM members WHERE '$search_by' LIKE '%$search%' ORDER BY $order $order_dir";

?>

Posted: Tue Dec 16, 2003 11:54 am
by farfromrest
wow, thanks for highlighting that for me :D

Posted: Tue Dec 16, 2003 12:32 pm
by m3mn0n
Why are both GET and POST variable types being checked for within the same script? Is that a mistake or am I trippin' on something...You should change both to REQUEST.

And you should not directly feed incoming variables into a MySQL query. That is a major security risk. You should parse the incoming variable outside of the query and then insert it as a regular variable, not a POST or GET one.
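
An added example, not part of any post in this thread: one way to build the search query from the first post. The posted `AND where` is invalid SQL, so mysql_query() returns false and mysql_num_rows() raises the warning shown; here the optional filter is joined with AND alone, values are bound as parameters, and column names and sort direction come from allow-lists. The function name, the allow-listed columns, the use of PDO and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posted query; the function name and allow-lists are assumptions.
function build_member_search(array $get, array $post): array
{
    // Identifiers cannot be bound as parameters, so they are checked against
    // fixed allow-lists instead of being copied from the request.
    $columns   = ['username', 'sex'];   // assumed searchable/sortable columns
    $search_by = in_array($post['search_by'] ?? '', $columns, true) ? $post['search_by'] : 'username';
    $order     = in_array($get['order'] ?? '', $columns, true) ? $get['order'] : 'username';
    $dir       = in_array($get['desc'] ?? '', ['desc', 'DESC'], true) ? 'DESC' : 'ASC';

    // Escape LIKE wildcards with '!' so the search term is matched literally.
    $raw    = is_string($post['search'] ?? null) ? $post['search'] : '';
    $term   = strtr($raw, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $sql    = "SELECT * FROM members WHERE $search_by LIKE ? ESCAPE '!'";
    $params = ['%' . $term . '%'];

    // The posted code produced "... AND where sex = 'male'". WHERE may appear
    // only once, so the optional condition is joined with AND alone.
    if (in_array($post['sex'] ?? '', ['male', 'female'], true)) {
        $sql     .= ' AND sex = ?';
        $params[] = $post['sex'];
    }
    return ["$sql ORDER BY $order $dir", $params];
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite);
// the same SQL and parameters can be passed to a PDO MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT, sex TEXT)");
$db->exec("INSERT INTO members VALUES ('alice','female'), ('bob','male'), ('alina','female')");

// Constructed request: the unknown order column falls back to the default.
[$sql, $params] = build_member_search(
    ['order' => 'no_such_column', 'desc' => 'desc'],
    ['search_by' => 'username', 'search' => 'al', 'sex' => 'female']
);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo $sql, "\n";
print_r($stmt->fetchAll(PDO::FETCH_COLUMN, 0));
```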