
syntax error in blog get posts script

Posted: Wed Jun 27, 2007 2:42 pm
by suthie
I am making a blog type thing and I am trying to get the posts. I use this code:


<?php

include 'session.php';
include 'dbconnect_silent.php';

$username = $user;


$sql = MYSQL_QUERY("SELECT * from dailyvibe WHERE userlink='$username' ORDER BY postid DESC")
   or die ("You have not made any Dig posts yet.");


$result = mysql_query($sql) or print ("Can't select entry from table php_blog.<br />" . $sql . "<br />" . mysql_error());

while($row = mysql_fetch_array($result)) {

    $date = date("l F d Y", $row['timestamp']);
    $title = stripslashes($row['title']);
    $entry = stripslashes($row['entry']);

    ?>

    <p><strong><?php echo $title; ?></strong><br /><br />
    <?php echo $entry; ?><br /><br />
    Posted on <?php echo $date; ?>
    </p>

    <?php
}

?>
and I get this error message:
Can't select entry from table php_blog.
Resource id #5
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Resource id #5' at line 1
Where have I gone wrong?

Posted: Wed Jun 27, 2007 3:00 pm
by suthie
Sorry for the double post. This code works now:


<?php

include 'session.php';
include 'dbconnect_silent.php';

$username = $user;


$sql = "SELECT * from dailyvibe WHERE userlink='$username' ORDER BY postid DESC";


$result = mysql_query($sql) or print ("Can't select entry from table php_blog.<br />" . $sql . "<br />" . mysql_error());

while($row = mysql_fetch_array($result)) {

    $date = 'today';
    $title = stripslashes($row['title']);
    $entry = stripslashes($row['entry']);

    ?>

    <p><strong><?php echo $title; ?></strong><br /><br />
    <?php echo $entry; ?><br /><br />
    Posted on <?php echo $date; ?>
    </p>

    <?php
}

?>

Posted: Wed Jun 27, 2007 6:07 pm
by aaronhall
It's important that you run $username through mysql_real_escape_string() before the query if it's coming from a GET or POST value. Google "sql injection" for the why.
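As an added example (not code from the thread or its authors), here is the same "get posts" script written so that the injection risk the last reply raises does not arise in the first place: the username is passed to MySQL as a bound parameter of a prepared statement instead of being pasted into the query string. The table and column names come from the thread; the mysqli connection details, the assumption that the `timestamp` column is a DATETIME string, and the generic error messages are mine.

```php
<?php
// Added example, not part of the original thread.
// Same query as in the thread, rewritten with mysqli prepared statements.

include 'session.php';   // assumed, as in the thread, to set $user

$username = $user;

// The thread's original pattern, kept here only to show what is being replaced:
//   $sql = "SELECT * from dailyvibe WHERE userlink='$username' ORDER BY postid DESC";
// If $username comes from GET/POST, a value containing a single quote changes
// the structure of that query, which is the SQL injection the last reply warns about.

// Assumed connection parameters; dbconnect_silent.php in the thread hides these.
$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
if ($mysqli->connect_error) {
    error_log('connect failed: ' . $mysqli->connect_error); // detail goes to the log
    die('Could not connect to the database.');               // users get a generic message
}

// 1. Prepare the statement with a placeholder instead of a quoted variable.
$stmt = $mysqli->prepare(
    'SELECT title, entry, `timestamp` FROM dailyvibe WHERE userlink = ? ORDER BY postid DESC'
);
if ($stmt === false) {
    error_log('prepare failed: ' . $mysqli->error);
    die('Could not load posts.');
}

// 2. Bind $username as a string parameter. The driver sends it separately from
//    the SQL text, so a value such as  x' OR '1'='1  is compared literally
//    against userlink and is never parsed as part of the query.
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();   // requires the mysqlnd driver

if ($result->num_rows === 0) {
    echo '<p>You have not made any Dig posts yet.</p>';
}

while ($row = $result->fetch_assoc()) {
    // The first post's date() call needs a Unix timestamp integer; if the
    // column holds a DATETIME string (assumption), convert it with strtotime().
    $date = date('l F d Y', strtotime($row['timestamp']));

    // Escape on output too: title and entry were typed by a user and are echoed
    // into HTML, so without this a stored post could inject markup or script.
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $entry = htmlspecialchars($row['entry'], ENT_QUOTES, 'UTF-8');
    ?>
    <p><strong><?php echo $title; ?></strong><br /><br />
    <?php echo $entry; ?><br /><br />
    Posted on <?php echo $date; ?>
    </p>
    <?php
}

$stmt->close();
$mysqli->close();
?>
```

Two notes on the design: the stripslashes() calls from the thread are dropped, because they only undo the escaping that magic_quotes added to the stored data, and with bound parameters nothing is added at insert time; and mysql_error() output is written to the server log rather than echoed, since the thread's own error message reveals the full SQL text to whoever triggers the failure. If entries are meant to contain HTML, htmlspecialchars() on $entry will display it as text, so an HTML sanitizer would be needed for that column instead.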