By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
431,852 Members | 2,116 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 431,852 IT Pros & Developers. It's quick & easy.

Forms...and WHERE in mysql

P: n/a
Hi guys,
I found this script:
http://hvassing.com/2007/simple-php-...#comment-31549

but if I try to recall, in a page I created, the variable "username"
that a user fill in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?

I think that the answer is in the last 8 lines of code of
"manage-check.php" but I do not know how....

For example if I fill this code in "members-only.php":

---------------------------------------
<?
$db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user',' 123456') or
die(mysql_error());

mysql_select_db("XXXX",$db);

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
while ($record = mysql_fetch_row($result)){
echo "id: ".$record[0]."<br />";
echo "NOME: ".$record[1]."<br />";
echo "<br />";
}
---------------------------------------

it does not work!!!
How could I retrieve "username" using "WHERE username="?????????" ???

TNX in advance!
Dec 28 '07 #1
Share this Question
Share on Google+
9 Replies


P: n/a
On Dec 28, 12:13*pm, lukk3tt0 <lu...@ghjghjhg.llwrote:
Hi guys,
I found this script:http://hvassing.com/2007/simple-php-...session-and-my...

but if I try to recall, in a page *I created, the variable "username"
that a user fill in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?
hmmm cannot quite follow, but a common thing (which even I made when
using sessions first time :-|) is to forget to user start_session()
every time. It does not start the sesstion, just gives you access to
it.
$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
Gee... I have been wondering whether the post can be in there, but
*just in case* I have always used it like this

$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_POST["username"]."\"");
or
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_SESSTION["username"]."\"");

say
if(isset($_SESSTION["username"]))
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_SESSTION["username"]."\"");
else
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_POST["username"]."\"");

WBR
Sonnich
Dec 28 '07 #2

P: n/a
On Dec 28, 6:13 pm, lukk3tt0 <lu...@ghjghjhg.llwrote:
Hi guys,
I found this script:http://hvassing.com/2007/simple-php-...session-and-my...

but if I try to recall, in a page I created, the variable "username"
that a user fill in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?

I think that the answer is in the last 8 lines of code of
"manage-check.php" but I do not know how....

For example if I fill this code in "members-only.php":

---------------------------------------
<?
$db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user',' 123456') or
die(mysql_error());

mysql_select_db("XXXX",$db);

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
while ($record = mysql_fetch_row($result)){
echo "id: ".$record[0]."<br />";
echo "NOME: ".$record[1]."<br />";
echo "<br />";}

---------------------------------------

it does not work!!!
How could I retrieve "username" using "WHERE username="?????????" ???

TNX in advance!
The MySQL Select should be like
SELECT `field`, `field` FROM `table` WHERE `field`='value';

you need the '' unless the field is kinda int
Dec 28 '07 #3

P: n/a
lukk3tt0 wrote:
Hi guys,
I found this script:
http://hvassing.com/2007/simple-php-...#comment-31549

but if I try to recall, in a page I created, the variable "username"
that a user fill in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?

I think that the answer is in the last 8 lines of code of
"manage-check.php" but I do not know how....

For example if I fill this code in "members-only.php":

---------------------------------------
<?
$db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user',' 123456') or
die(mysql_error());

mysql_select_db("XXXX",$db);

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
while ($record = mysql_fetch_row($result)){
echo "id: ".$record[0]."<br />";
echo "NOME: ".$record[1]."<br />";
echo "<br />";
}
---------------------------------------

it does not work!!!
How could I retrieve "username" using "WHERE username="?????????" ???

TNX in advance!
Enable display_errors and see what you get for messages.

Also, please cross-post; do not multi-post!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 28 '07 #4

P: n/a
..oO(jodleren)
>Gee... I have been wondering whether the post can be in there, but
*just in case* I have always used it like this

$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_POST["username"]."\"");
or
$result=mysql_query("SELECT * FROM members WHERE username=\"".
$_SESSTION["username"]."\"");
Strings in SQL are delimited with single quotes. And you _never_ want to
use a user-submitted value directly in a query without any validation.
Read about SQL injection.

Micha
Dec 28 '07 #5

P: n/a
On Dec 28, 2:13 am, lukk3tt0 <lu...@ghjghjhg.llwrote:
Hi guys,
I found this script:http://hvassing.com/2007/simple-php-...session-and-my...

but if I try to recall, in a page I created, the variable "username"
that a user fill in the login page, it does not work.
How could I retrieve the "username", in other pages, using sessions?

I think that the answer is in the last 8 lines of code of
"manage-check.php" but I do not know how....

For example if I fill this code in "members-only.php":

---------------------------------------
<?
$db=mysql_connect('XXXX.YYYYYYYYYYYY.ZZZ','user',' 123456') or
die(mysql_error());

mysql_select_db("XXXX",$db);

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
while ($record = mysql_fetch_row($result)){
echo "id: ".$record[0]."<br />";
echo "NOME: ".$record[1]."<br />";
echo "<br />";}

---------------------------------------

it does not work!!!
How could I retrieve "username" using "WHERE username="?????????" ???

TNX in advance!

$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");

Your quotes are messed up, doing what sskaje said should fix your
problem.

$result = mysql_query("SELECT * FROM members WHERE username=`
$_POST['username']`");

That should fix your problem.
Dec 28 '07 #6

P: n/a
..oO(jp****@gmail.com)
>$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");

Your quotes are messed up, doing what sskaje said should fix your
problem.

$result = mysql_query("SELECT * FROM members WHERE username=`
$_POST['username']`");

That should fix your problem.
Nope. It will cause a parse error because of the single-quoted array
index inside of a double-quoted string. Additionally it will cause an
SQL error because a backtick (`) is not a valid string delimiter.

Correct:

$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");

or

$result = mysql_query("
SELECT *
FROM members
WHERE username = '{$_POST['username']}'
");

Of course this won't fix the SQL injection problem ...

Micha
Dec 29 '07 #7

P: n/a
Michael Fesser wrote:
Read about SQL injection.
Well, I prefer to laught at it:

http://xkcd.com/327/
--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

Now listening to: Lamb - The K&D Sessions? (1998) - [10] Trans Fatty Acid
(K&D Session) (8:31) (97.000000%)
Dec 29 '07 #8

P: n/a
On Sat, 29 Dec 2007 01:33:01 +0100, Michael Fesser <ne*****@gmx.dewrote:
.oO(jp****@gmail.com)
>$result=mysql_query("SELECT * FROM members
WHERE username="$_POST[username]"");

Your quotes are messed up, doing what sskaje said should fix your
problem.

$result = mysql_query("SELECT * FROM members WHERE username=`
$_POST['username']`");

That should fix your problem.

Nope. It will cause a parse error because of the single-quoted array
index inside of a double-quoted string. Additionally it will cause an
SQL error because a backtick (`) is not a valid string delimiter.

Correct:

$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");
Which will probably give a notice the constant 'username' is not defined..
or

$result = mysql_query("
SELECT *
FROM members
WHERE username = '{$_POST['username']}'
");
That's the one.
Of course this won't fix the SQL injection problem ...
Very true. And a 'SELECT * ' should never be used in production, only for
testing purposes. Naming the fields you should have will both ease the
load on the server and cause a transparant failure instead of an obscure
one on a table alteration.
--
Rik Wasmus
Dec 31 '07 #9

P: n/a
..oO(Rik Wasmus)
>On Sat, 29 Dec 2007 01:33:01 +0100, Michael Fesser <ne*****@gmx.dewrote:
>$result = mysql_query("
SELECT *
FROM members
WHERE username = '$_POST[username]'
");

Which will probably give a notice the constant 'username' is not defined.
Nope, not in this case. Constants are not resolved in a double-quoted
string (unless you use curly syntax like in the second example).
Whether this syntax is recommended or not is another question, though.

Micha
Dec 31 '07 #10

This discussion thread is closed

Replies have been disabled for this discussion.