On Thursday 05 May 2005 10:10, Anasta wrote:
> Why doesn't this work? It shows the username but not the balance of the
> user's money. Here is the mysql table:
>
> <?php session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select  FROM users ,user_balance WHERE user_id =$uname";
> $result = mysql_query();
>
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>


Hi Anasta

In your code, when you issue the mysql_query command the first time, the 
variable $sql is still empty.

You should rewrite your script like this:
<?php
session_start();
require('connect.php'); 
// Escape the session value before it goes into the query string.
$uname=mysql_escape_string($_SESSION['username']);
// Build $sql first, then run it: the original ran the query while $sql was empty.
$sql=   "SELECT *
        FROM `users`, `user_balance`
        WHERE `user_id`='$uname';";
$result=mysql_query($sql) or die('Database Error'); 
if(is_resource($result))
{
        if(mysql_num_rows($result)>0)
        {
                $data=mysql_fetch_assoc($result);
                mysql_free_result($result);
                $user_balance=$data['user_balance'];
                $found=true;
        }
}
if(!isset($found))
        echo "Sorry, I could not find a record for user id $uname";
else
        {
                echo "User:     $uname<br>
                         Balance:       $user_balance<br>";
        }
?>

Notes: 
* just because it comes from SESSION doesn't mean that it cannot be spoofed.  
That's why you should escape uname before including it in a query.
* in mysql commands, it is better to explicitly specify the resource link 
identifier you obtained when you opened the connection 
($link=mysql_connect(...))
* if you include a critical script, it is better to use 'require' because it will cause 
php to stop parsing the page if it cannot find the script.


With kind regards

Andy
-- 
Registered Linux User Number 379093
--
Check out these few php utilities that I released
 under the GPL2 and that are meant for use with a 
 php cli binary:
 
 http://www.vlaamse-kern.com/sas/
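The same lookup with the session value bound as a prepared-statement parameter instead of being escaped into the SQL string, as an added example that is not part of the original thread (it uses mysqli rather than the old mysql_* functions). It assumes connect.php sets $link via mysqli_connect, and that user_balance has a user_id column to join on; neither is shown in the posts.

```php
<?php
// Added example, not Anasta's or Andy's code. Assumptions: connect.php
// defines $link = mysqli_connect(...), and user_balance has a user_id
// column (both hypothetical; not shown in the original thread).
session_start();
require('connect.php');   // require: fatal error if the file is missing

function fetch_balance(mysqli $link, string $uname): ?string
{
    // Build the SQL before executing it; the user value is a placeholder,
    // so a spoofed session value cannot change the query's structure.
    $sql = 'SELECT b.user_balance
            FROM users u JOIN user_balance b ON b.user_id = u.user_id
            WHERE u.user_id = ?';
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 's', $uname);  // bound, never interpolated
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_bind_result($stmt, $balance);
    $found = mysqli_stmt_fetch($stmt);           // true when a row came back
    mysqli_stmt_close($stmt);
    return $found ? (string) $balance : null;
}

if (!isset($_SESSION['username'])) {
    exit('Not logged in');
}
$uname   = $_SESSION['username'];
$balance = fetch_balance($link, $uname);

// The username is reflected into HTML, so escape it on output too.
$safe = htmlspecialchars($uname, ENT_QUOTES, 'UTF-8');
if ($balance === null) {
    echo "Sorry, I could not find a record for user id $safe";
} else {
    echo "User: $safe<br>Balance: " . htmlspecialchars($balance, ENT_QUOTES, 'UTF-8');
}
```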