query problem
Posted: Thu Sep 09, 2004 10:23 pm
by g3ckO
What's wrong in the code below:
Code:
<?php
session_start();
include("database.php");
$name = $_GET['value'];
function extract_user()
{
    $query="SELECT * FROM employee WHERE username ='$name'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$name";
echo"$Des";
echo"$Sno";
?>
I get the output for $name but not for $Des and $Sno.
Posted: Thu Sep 09, 2004 11:10 pm
by McGruff
Try:
Code:
echo '<pre>';
print_r($row_array);
echo '</pre>';
..to check what's being returned.
PS: you should escape strings obtained from user input before using them in a query.
Posted: Thu Sep 09, 2004 11:15 pm
by Breckenridge
feyd | Please use code tags when posting code. Read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url]
Try declaring your database variable as a global before selecting from database, this should work:
Code:
<?php
session_start();
include("database.php");
$name = $_GET['value'];
function extract_user()
{
    global $db; // <<<<<< use your database variable name
    $query="SELECT * FROM employee WHERE username ='$name'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$name";
echo"$Des";
echo"$Sno";
?>
Posted: Thu Sep 09, 2004 11:35 pm
by g3ckO
For:
Code:
<?php
echo '<pre>';
print_r($row_array);
echo '</pre>';
?>
Nothing happened.
The second suggestion also doesn't work.
Posted: Fri Sep 10, 2004 12:34 am
by feyd
uhm.. $name isn't a variable inside the function.
Posted: Fri Sep 10, 2004 12:35 am
by ol4pr0
Hit me if I am wrong
-> $name = $_GET['value'];
Shouldn't you just use the global $_GET inside your function?
Code:
function extract_user()
{
    global $db; // <<<<<< use your database variable name
    $query="SELECT * FROM employee WHERE username ='".$_GET['name']."'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
Posted: Mon Sep 13, 2004 8:54 pm
by g3ckO
This is where the value for $_GET['value'] comes from:
Code:
<?php
echo "<a href=\"leave_detail.php?value=$nama\">$nama</a>"; ?>
And the following code returns a blank page.
Code:
<?php
session_start();
include("database.php");
function extract_user()
{
    global $conn;
    $query="SELECT * FROM employee WHERE username ='".$_GET['value']."'";
    $result=mysql_query($query);
    $row_array=mysql_fetch_array($result);
    return $row_array;
}
$row_array=extract_user();
$Des=$row_array['EmpDes'];
$Sno=$row_array['StaffNo'];
echo"$Des";
echo"$Sno";
?>
Posted: Mon Sep 13, 2004 9:03 pm
by feyd
First off, it's real real dangerous using $_GET right off like that. Second, make sure the query is running okay with some error checking and debug echoes. Make sure error_reporting is E_ALL and display_errors is on (in php.ini or through htaccess; do not trust in-page settings 100% of the time).
Posted: Mon Sep 13, 2004 9:53 pm
by g3ckO
Hmm.. Ok.. I think I have found the way to solve it..
But can you explain more about this:
feyd wrote: first off, it's real real dangerous using $_GET right off like that.
Why??
Posted: Mon Sep 13, 2004 11:15 pm
by feyd
Google: sql injection
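
Why pasting $_GET['value'] into the query text is dangerous, shown as an added example that is not part of any post in this thread. It assumes PDO with an in-memory SQLite table in place of the thread's mysql_* calls (removed in PHP 7); the rows, the sample values and the function names extract_user_concat and extract_user_bound are constructed for illustration.

```php
<?php
// Constructed in-memory table standing in for the thread's `employee` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE employee (username TEXT, EmpDes TEXT, StaffNo TEXT)");
$pdo->exec("INSERT INTO employee VALUES ('alice', 'Clerk', 'S001'), ('bob', 'Manager', 'S002')");

// Pattern from the thread: the request value becomes part of the SQL text,
// so any quote in it changes the structure of the statement.
function extract_user_concat(PDO $pdo, string $name): array
{
    $query = "SELECT * FROM employee WHERE username ='" . $name . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the value is bound as data only.
function extract_user_bound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT * FROM employee WHERE username = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_GET['value']: a normal name, a legitimate name
// containing a quote, and a value that rewrites the WHERE clause.
$samples = ["alice", "O'Brien", "x' OR '1'='1"];

foreach ($samples as $value) {
    try {
        $concat = count(extract_user_concat($pdo, $value)) . " row(s)";
    } catch (PDOException $e) {
        $concat = "SQL error"; // the quote ended the string literal early
    }
    $bound = count(extract_user_bound($pdo, $value)) . " row(s)";
    printf("%-14s concat: %-10s bound: %s\n", $value, $concat, $bound);
}

// Values echoed back into HTML need their own encoding step, e.g.
// echo htmlspecialchars($row['EmpDes'], ENT_QUOTES, 'UTF-8');
```

With concatenation the third value matches every row in the table and the second one breaks the statement; with a bound parameter both are simply usernames that do not exist.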