
query problem

Posted: Thu Sep 09, 2004 10:23 pm
by g3ckO
What's wrong in the code below:

Code:

<?php

session_start(); 
include("database.php");

$name =  $_GET['value'];

function extract_user() 
{  
   $query="SELECT * FROM employee WHERE username ='$name'"; 
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
} 

   $row_array=extract_user(); 

   $Des=$row_array['EmpDes'];
   $Sno=$row_array['StaffNo'];

echo"$name";
echo"$Des";
echo"$Sno";
?>
I get the output for $name but not for $Des and $Sno

Posted: Thu Sep 09, 2004 11:10 pm
by McGruff
Try:

Code:

echo '<pre>';
print_r($row_array);
echo '</pre>';
...to check what's being returned.

PS: you should escape strings obtained from user input before using them in a query.

Posted: Thu Sep 09, 2004 11:15 pm
by Breckenridge
feyd | Please use [code] tags when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


Try declaring your database variable as a global before selecting from the database; this should work:

Code:

<?php

session_start(); 
include("database.php");

$name =  $_GET['value'];

function extract_user() 
{  
   global $db; // <<<<<< use your database variable name

   $query="SELECT * FROM employee WHERE username ='$name'"; 
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
} 

   $row_array=extract_user(); 

   $Des=$row_array['EmpDes'];
   $Sno=$row_array['StaffNo'];

echo"$name";
echo"$Des";
echo"$Sno";
?>


Posted: Thu Sep 09, 2004 11:35 pm
by g3ckO
For:

Code:

<?php
echo '<pre>';
print_r($row_array);
echo '</pre>';
?>
nothing happened.

the second suggestion also doesn't work.

Posted: Fri Sep 10, 2004 12:34 am
by feyd
uhm.. $name isn't a variable inside the function.

Posted: Fri Sep 10, 2004 12:35 am
by ol4pr0
Hit me if I am wrong.
->$name = $_GET['value'];
Shouldn't you just use the global $_GET inside your function?

Code:

function extract_user() 
{  
   global $db; // <<<<<< use your database variable name

   $query="SELECT * FROM employee WHERE username ='".$_GET['value']."'"; // the link passes the username as 'value', not 'name'
   $result=mysql_query($query); 
   $row_array=mysql_fetch_array($result); 
   return $row_array; 
}

Posted: Mon Sep 13, 2004 8:54 pm
by g3ckO
This is where the value for $_GET['value'] comes from:

Code:

<?php
// inner double quotes must be escaped, otherwise the string ends at href="
echo "<a href=\"leave_detail.php?value=$nama\">$nama</a>";
?>
And the following code returns a blank page.

Code:

<?php

session_start(); 
include("database.php");

function extract_user() 
{ 
global $conn;
$query="SELECT * FROM employee WHERE username ='".$_GET['value']."'";
$result=mysql_query($query);    
$row_array=mysql_fetch_array($result);    
return $row_array; 
}
    
$row_array=extract_user();    
$Des=$row_array['EmpDes'];   
$Sno=$row_array['StaffNo'];
 
echo"$Des"; 
echo"$Sno"; 
?>

Posted: Mon Sep 13, 2004 9:03 pm
by feyd
first off, it's real real dangerous using $_GET right off like that. Second, make sure the query is running okay with some error checking and debug echoes. Make sure error_reporting is E_ALL and display_errors is on (in php.ini or through htaccess; do not trust an in-page setting 100% of the time).

Posted: Mon Sep 13, 2004 9:53 pm
by g3ckO
Hmm.. Ok.. I think I have found the way to solve it..

But can you explain more about this:
feyd wrote: first off, it's real real dangerous using $_GET right off like that.
Why??

Posted: Mon Sep 13, 2004 11:15 pm
by feyd
Google: [google]sql injection[/google]
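As an added illustration (not code posted by anyone in this thread), here is a version of extract_user() that addresses both problems raised above: the scope bug is removed by passing $name and the connection in as parameters rather than relying on globals, and the username reaches the query through a PDO prepared statement instead of string concatenation, which is the SQL injection feyd is pointing at. It assumes database.php creates a PDO connection in $db (the thread's own code uses the old mysql_* extension and a $conn global; $db and PDO are assumptions here).

```php
<?php
// Added example, not code posted in this thread. Assumes database.php
// creates a PDO connection in $db (assumption: the thread used the old
// mysql_* extension with a $conn global instead).
session_start();
include "database.php";

// Make failed queries throw instead of returning false, so a bad query
// produces an error message rather than the blank page seen above.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function extract_user(PDO $db, string $name): ?array
{
    // Scope fix: $db and $name arrive as parameters, so the function
    // never reads a variable that is undefined inside its own scope.
    // Injection fix: the username is bound as a parameter, never pasted
    // into the SQL text, so quotes in the input cannot alter the query.
    $stmt = $db->prepare(
        'SELECT EmpDes, StaffNo FROM employee WHERE username = :username'
    );
    $stmt->execute([':username' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Reject a missing, empty or non-string parameter (value[]=x arrives as an array).
if (!isset($_GET['value']) || !is_string($_GET['value']) || $_GET['value'] === '') {
    http_response_code(400);
    exit('missing value parameter');
}
$name = $_GET['value'];

$row = extract_user($db, $name);
if ($row === null) {
    // Distinguish "no such user" from a failed query.
    exit('no employee with that username');
}

// Escape on output as well, so stored values cannot inject HTML into the page.
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars((string) $row['EmpDes'], ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars((string) $row['StaffNo'], ENT_QUOTES, 'UTF-8'), "\n";
```

The page that builds the link should likewise wrap $nama in urlencode() for the query string and htmlspecialchars() for the link text, so the username is treated as data on both ends.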