Page 2 of 3
Posted: Mon Aug 14, 2006 11:15 am
by reecec
i have changed it to this but the thing is it gives no errors so the query works i have added mysql_error
this is what it gives
mysql_query("SELECT * FROM `table` WHERE `username` = 'xc' AND `profile` = 'c' ")
but when i try to do fetch rows it doesnt like this
Posted: Mon Aug 14, 2006 11:34 am
by feyd
If mysql_query() is returning a result resource, the query executed correctly. Check mysql_num_rows() to see if it found any records. If it says zero, and you are expecting more than that, then you have a logical error in your query, not a syntactical one.
Posted: Mon Aug 14, 2006 11:47 am
by reecec
I have just reailsed though but when echo the query it outputs it which doesnt happen normaly i have tried it on a standerd query and it echos
Resource id #3
but my while loop query echos the full query code
here is my code
Code: Select all
$table=$_REQUEST['table'];
$i=0;
$field=array();
$result = mysql_query("select * from $table");
while ($i < mysql_num_fields($result)) {
$meta = mysql_fetch_field($result, $i);
if (!$meta) {
echo "No information available<br />\n";
}
$name=$meta->name;
$field[$i]=$_POST[$name];
$i++;
}
$searchquery='mysql_query("SELECT * FROM `$table` WHERE ';
$i=0;
while ($i < mysql_num_fields($result)) {
$meta = mysql_fetch_field($result, $i);
$name=$meta->name;
$con = ( $field[$i]=='' ) ? '"' : "`$name` = '$field[$i]'";
$finish = ( $i == 1) ? ' ")' : ' AND ';
$searchquery .= "$con$finish";
$i++;
}
echo $searchquery;
if (!$searchquery) {
die('Query failed: ' . mysql_error());
}
if ($searchquery) {
echo "Searched $table";
} else {
echo "Error Searching $table";
}
echo '<table border="1" cellspacing="0" cellpadding="0">';
while ($field=mysql_fetch_field($result)) {
echo "<th>";
echo "$field->name";
echo "</th>";
}
while ($row = mysql_fetch_row($searchquery)) {
echo "<tr>";
for ($i=0; $i<mysql_num_fields($searchquery); $i++) {
echo "<td>";
echo "$row[$i]";
echo "</td>";
}}
echo "</tr>\n";
echo "</table>";
mysql_close();
Thanks for all your help
Posted: Mon Aug 14, 2006 1:01 pm
by reecec
I think this is where the problem is
Code: Select all
$searchquery='mysql_query("SELECT * FROM `bullets` WHERE ';
$i=0;
while ($i < mysql_num_fields($result)) {
$meta = mysql_fetch_field($result, $i);
$name=$meta->name;
$con = ( $field[$i]=='' ) ? '"' : "`$name` = '$field[$i]'";
$finish = ( $i == 1) ? ' ")' : ' AND ';
$searchquery .= "$con$finish";
$i++;
}
echo $searchquery;
it is treating $searchquery as words and not a Query because its in (') apostrophe
thanks reece
Posted: Mon Aug 14, 2006 1:07 pm
by feyd
I already posted about that problem.. in this thread!
viewtopic.php?p=294528#294528
Posted: Mon Aug 14, 2006 1:48 pm
by reecec
oh yes i rember you saying sorry
so i am right its just text not a query
so how can i get this into a sql query
sorry to be a pain
thanks reece
Posted: Mon Aug 14, 2006 2:38 pm
by Ollie Saunders
$table is assigned from user input
Code: Select all
$result = mysql_query("select * from $table");
and then used directly in query without being backticked or escaped. This is an
SQL injection vulnerability.
Between these two lines escape $table with mysql_real_escape_string() to overt this vulnerability. That goes for any other variables appearing in queries.
Posted: Mon Aug 14, 2006 4:20 pm
by reecec
Thanks
how can i fit this in my code sorry
thanks reece
Posted: Mon Aug 14, 2006 5:04 pm
by Ollie Saunders
Couldn't be easier.
Code: Select all
$table = mysql_real_escape_string($table);
$result = mysql_query("select * from $table");
Posted: Mon Aug 14, 2006 8:57 pm
by RobertGonzalez
You're going to need to run a query that returns whether the table exists or not. Otherwise, even with escaping, someone could wonk your script by throwing a table into it that does not exist. Then your queries won't run. Are you sure you want the user telling your script which tables to use? Can your script decide programmatically?
Posted: Tue Aug 15, 2006 6:15 am
by reecec
the request gets it from the URL which is sent by the script before so its like
phpfile.php?table=anytable
yes they chose the table but the script adds it to the url i need the user to choose which table but it will show there fields and they type there search term in the text boxes that relate to the table
thanks reece
Posted: Tue Aug 15, 2006 6:33 am
by bmcewan
would it not be a better idea to send that as a post request, that URL could be modified by the user and whatever is input will be put into your sql query.
Posted: Tue Aug 15, 2006 6:35 am
by reecec
yes it could but it will always do the same thing i will do that when the script is created for use but for development i have made it like this so i can change the table
thanks reece
Posted: Tue Aug 15, 2006 6:41 am
by reecec
ole wrote:Couldn't be easier.
$table = mysql_real_escape_string($table);
$result = mysql_query("select * from $table");
Thanks ole but thats not where i have the problem is i need it on the loop
my code loops round to add the values of text boxes say i Have a table and it has these fields in (eg. name, address, num)
it would loop round and do this
WHERE name = anyname
then it will loop back round adding the word AND as there is more to search
AND address= anyaddress
ect
You problably all got that from the code but my problem is this how do i change this into a sql query as at the moment it echos as text
This is the code where i have the problem
Code: Select all
$searchquery='mysql_query("SELECT * FROM `$table` WHERE ';
$i=0;
while ($i < mysql_num_fields($result)) {
$meta = mysql_fetch_field($result, $i);
$name=$meta->name;
$con = ( $field[$i]=='' ) ? '"' : "`$name` = '$field[$i]'";
$finish = ( $i == 1) ? ' ")' : ' AND ';
$searchquery .= "$con$finish";
$i++;
}
echo $searchquery;
if (!$searchquery) {
die('Query failed: ' . mysql_error());
}
Thanks all for your help
Posted: Tue Aug 15, 2006 9:46 am
by Ollie Saunders
OK lets get back to basics here:
Code: Select all
mysql_query(); // is a function
$variable // is a variable
= // means we are assigning something to the variable
'mysql_query("SELECT `field` FROM `table`")'; // this is not a function call, it is the name of a function with parameter stored as a string
// as a result:
echo $variable; // will echo 'mysql_query("SELECT `x` FROM `table`")'
echo mysql_query("SELECT `field` FROM `table`"); // will call the function and output the return value from the function.
// A good way to do it
$q = 'SELECT `field` FROM `table`';
echo mysql_query($q); // will use 'SELECT `field` FROM `table`' as a database query
// this will probably output nothing of use because mysql_query only returns a result resource. See the manual http://www.php.net/mysql_query/
In your case you have a problem with this line:
Code: Select all
$searchquery='mysql_query("SELECT * FROM `$table` WHERE ';