strange problem with php

Hi guys,

I have just set up a duplicate server running:
apache 2.54, mysql 5.04 and php 5.04

This is the same setup as the server we are using now, apart from
the hardware inside. I have copied across the database and website,
with exact same permissions as the first server.

The problem is that part of the php code is executing but others
aren't:

example:
------------------------
<?php
// Make the connection
mysql_connect("localhost", "dailyuser", "hidupituindah") or
die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("sales") or die(mysql_error());
echo "Connected to Database<br />";

$query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
='P191")
or die(mysql_error());

$result = mysql_fetch_array($query);
echo "The name of the product is " .$result['product_name']. " ";
?>
-----------------

This will work with no problems

But when I change it to:
-----------------
<?php
// Make the connection
mysql_connect("localhost", "user", "pass") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("sales") or die(mysql_error());
echo "Connected to Database<br />";

$query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
='$code")
or die(mysql_error());

$result = mysql_fetch_array($query);
echo "The name of the product is " .$result['product_name']. " ";
?>
-----------------
and select the page with /test.php?code=P191

It connects to the database, but the result is empty, leaving the
line:
The name of the product is

I am completely lost with this!!
Not sure if it's apache, php or sql... I am assuming this is php,
although I know one shouldn't assume anything.
Any help would be much appreciated, before I have no hair left to pull
Dave.

Aug 15 '07 #1
9 Replies

Rik
On Wed, 15 Aug 2007 11:59:25 +0200, Dave
<da*************@praybourne.co.uk> wrote:
> Hi guys,
>
> I have just set up a duplicate server running:
> apache 2.54, mysql 5.04 and php 5.04
>
> This is the same setup as the server we are using now, apart from
> the hardware inside. I have copied across the database and website,
> with exact same permissions as the first server.
>
> The problem is that part of the php code is executing but others
> aren't:
>
> example:
> ------------------------
> <?php
> // Make the connection
> mysql_connect("localhost", "********", "**********") or

Hmmm, seemed like a real user/pass combo to me...

> die(mysql_error());
> echo "Connected to MySQL<br />";
> mysql_select_db("sales") or die(mysql_error());
> echo "Connected to Database<br />";
>
> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> ='P191")

Shouldn't that be `code` = 'P191'" (notice the ending single quote).

> or die(mysql_error());
>
> $result = mysql_fetch_array($query);
> echo "The name of the product is " .$result['product_name']. " ";
> ?>
> -----------------
>
> This will work with no problems
>
> But when I change it to:
> -----------------
> <?php
> // Make the connection
> mysql_connect("localhost", "user", "pass") or die(mysql_error());
> echo "Connected to MySQL<br />";
> mysql_select_db("sales") or die(mysql_error());
> echo "Connected to Database<br />";
>
> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> ='$code")

Again, the missing ending single quote in the SQL statement. Where does
$code come from BTW? You're not relying on register_globals are you? Not a
good thing. So, use $code = mysql_real_escape_string($_GET['code']); first.

> $result = mysql_fetch_array($query);

var_dump($result);
--
Rik Wasmus
Aug 15 '07 #2

Dave wrote:
> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> ='P191")
> or die(mysql_error());
>
> $result = mysql_fetch_array($query);
> echo "The name of the product is " .$result['product_name']. " ";
> ?>
> -----------------
>
> This will work with no problems

Weird... The query contains an unmatched quote.

> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> ='$code")
> or die(mysql_error());
>
> $result = mysql_fetch_array($query);
> echo "The name of the product is " .$result['product_name']. " ";
> ?>
> -----------------
> and select the page with /test.php?code=P191

Your code relies on the register_globals directive, which is disabled by
default. There're good reasons for it. You should access your query
params through the $_GET array. E.g.:

$query = "SELECT product_name FROM `code_tbl` WHERE `code` ='" .
mysql_real_escape_string($_GET['code']) . "'";

--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ My site about web programming: http://bits.demogracia.com
+- My Austro-Hungarian humor site: http://www.demogracia.com
--
Aug 15 '07 #3
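
The fix both replies point at (read `code` from `$_GET` yourself instead of relying on register_globals), as an added example that is not part of the thread. It swaps `mysql_real_escape_string()` for a PDO prepared statement and assumes the PDO SQLite driver, with an in-memory table standing in for the MySQL `code_tbl`; the product-code pattern and the function names `request_param()`, `product_name()` and `render()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Reads ?code=... explicitly
// (no register_globals), validates it, and binds it as a query parameter.
// Assumptions: in-memory SQLite stands in for MySQL `sales`.`code_tbl`;
// the product-code pattern below is hypothetical.
declare(strict_types=1);

/** Build a constructed stand-in for the `code_tbl` table. */
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE code_tbl (code TEXT PRIMARY KEY, product_name TEXT)');
    $pdo->exec("INSERT INTO code_tbl VALUES ('P191', 'Pulsar Classic Bomber Jacket')");
    return $pdo;
}

/**
 * Fetch one request parameter from an explicit source array.
 * Returns null when it is missing, not a string, or fails the pattern.
 */
function request_param(array $source, string $name, string $pattern): ?string
{
    $value = $source[$name] ?? null;
    // ?code[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($value) || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

/** Look up a product name with a bound parameter; null when not found. */
function product_name(PDO $pdo, string $code): ?string
{
    $stmt = $pdo->prepare('SELECT product_name FROM code_tbl WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

/** Page logic for /test.php?code=...; $get is normally $_GET. */
function render(PDO $pdo, array $get): string
{
    $code = request_param($get, 'code', '/\A[A-Z][0-9]{1,6}\z/');
    if ($code === null) {
        return 'Missing or malformed product code';
    }
    $name = product_name($pdo, $code);
    if ($name === null) {
        return 'No product with that code';
    }
    // Escape on output: the name is data from the database, not markup.
    return 'The name of the product is ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$pdo = demo_db();
// Constructed requests: a normal one, one with no parameter at all (what the
// page saw once nothing populated $code), an array parameter, an unknown
// code, and a value carrying a stray single quote.
$requests = [
    ['code' => 'P191'],
    [],
    ['code' => ['P191']],
    ['code' => 'P999'],
    ['code' => "P191'"],
];
foreach ($requests as $get) {
    echo json_encode($get), ' => ', render($pdo, $get), PHP_EOL;
}
```

Passing the source array into `render()` rather than reading a bare `$code` makes the origin of every input visible on each page, which is the change register_globals-dependent code needs.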

Hi Rik, thanks for the prompt reply

The missing ' was a mistype in the post. I have tried adding the code
you suggested along with others.

1. adding the line $code = mysql_real_escape_string($_GET['code']);
outputs absolutely nothing, not even "connected to database"

2. Removing the single quotes around $code
outputs: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' at line 1

3. Removing the last single quote from around $code (so becomes
'$code ) like mistype above.
outputs: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''' at line 1

4. When single quotes are put back in and adding the line
var_dump($result);
outputs: array(2) { [0]=> string(0) "" ["product_name"]=> string(0)
"" }

5. When manually adding the code P191 in to the php code instead of
$code, the output of var_dump is:
array(2) { [0]=> string(28) "Pulsar Classic Bomber
Jacket" ["product_name"]=> string(28) "Pulsar Classic Bomber Jacket" }

Dave.

Also, register globals is off.

Aug 15 '07 #4

Rik
On Wed, 15 Aug 2007 12:26:42 +0200, Dave
<da*************@praybourne.co.uk> wrote:
> The missing ' was a mistype in the post. I have tried adding the code
> you suggested along with others.
>
> 1. adding the line $code = mysql_real_escape_string($_GET['code']);
> outputs absolutely nothing, not even "connected to database"

Have you enabled display_errors? It should be done just after connecting
to the database.

> 2. Removing the single quotes around $code

You shouldn't do that.

> 3. Removing the last single quote from around $code (so becomes
> '$code ) like mistype above.

Shouldn't do that either.

> 4. When single quotes are put back in and adding the line
> var_dump($result);
> outputs: array(2) { [0]=> string(0) "" ["product_name"]=> string(0)
> "" }
>
> 5. When manually adding the code P191 in to the php code instead of
> $code, the output of var_dump is:
> array(2) { [0]=> string(28) "Pulsar Classic Bomber
> Jacket" ["product_name"]=> string(28) "Pulsar Classic Bomber Jacket" }

Well, echo the query that gets sent before actually using it, and examine
where it differs.

--
Rik Wasmus
Aug 15 '07 #5


Hi Rik,

I echoed the $code to the page, and it didn't show. However I have
noticed that on our internal server, register globals is on. So to
test, I turned it on our external server, and everything seems to
work.
So I guess when you asked before whether I was using register globals,
in actual fact, we were on our internal server, but I only looked at
the new server.

So now I found the problem, any pointers how to fix this, I am not too
clued up on register globals, although I am searching now...

thanks for the help
Dave.

Aug 15 '07 #6

Rik wins again :-)

Yes, there is a reason it's now off by default. It's a security
exposure. You really need to change your code to not use it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 15 '07 #7

Hi again,

just a brief question, as I am unsure of the consequences.

The new webserver that has register_globals turned off, every page is
only accessible after logging in using cookies against the mysql
database.

This part seems to be working as normal, I have tried to access many
pages beneath this, and get redirected to the login page if not logged
in. It seems only after login, that passing variables across to other
pages is not working.

My question is, is it safe to turn globals on, for the period of time
while I am recoding all the pages to work with globals turned off, so
that our staff can use the database. I have approx, 100 pages to go
through, and am unsure how long this will take.

thanks
Dave.

Aug 15 '07 #8

No, it's not safe, which is why it was turned off in the first place.

However, since you seem to have been running with register_globals on
before, it's no less safe than it was previously.

Are you sure that is the problem? And BTW - sessions are much safer for
login tracking than cookies. It's too easy to fudge up a cookie.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 15 '07 #9

The other server it was running on is internal to the company, so only
people who are inside the company firewall have access. The new server
will be directly on the internet.

I am not positive that register_globals is the problem but it seems
likely as when I turned globals on to try it, everything worked as it
does on our internal server. Plus when some of the pages load, by
default it holds information from the database, but then using if
statements throughout depending on what they click, depends on which
if statement to run, and it's these that are not working (presumably
because it's not passing the variables across)

But I suppose, better to be safe than sorry. I shall keep it that way
until I have changed all the pages.

Thanks again for the advice
Dave.

Aug 16 '07 #10
