[PHP] Possible query problem
Yestery day I got help from several of you on my function. I tried to get complicated today and so here it is. I am working on a peice of code where if a condition of a database entery is 0 then it will take you to one page if it is one it will take you to another page. Here is the function: $payment1 = $_POST[payment]; function payment(){ global $payment1; if ($payment1 == 0){ header ('Location: http://ftudor/test/test_page.html'); } elseif ($payment1 == 1) { header ('Location: http://ftudor/test/test_page2.html'); } } payment(); It works (thanks to many) but I have another problem. Basically the user will have to supply a username and password, then the sql statement will go through something like this: $query=SELECT payment FROM payment WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln].' and users.password='.$_POST[password].'; then it should return a 0 or a 1 and that will go into the function and route a user to the right page. Since I don't have a payment processing tool in place I have to hfake a condition. The page just cycles into itself and keeps promting for username and password over and over. Do you think it's my sql? Frank __ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Possible query problem
On Tuesday, October 28, 2003 8:50 AM Frank Tudor wrote: $query=SELECT payment FROM payment WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln].' and users.password='.$_POST[password].'; Okay, there seem to be a few problems here. The first issue is: users.password Using this means you are referencing a table which you've identified as users, however there is no such table in your query. If the password field is part of the payment table, then you would reference it as payment.password. However if the password field is part of a users table, then you need to perform a join here, as you will be attempting to get the data from two tables. The second issue is here: WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln] You're first comparind dln to $_POST['dln'], and then to payment.dln and then to $_POST['dln'] again. What fields is it you're trying to compare? Each where clause in sql must be joined with an and, or, like, etc. So perhaps you were trying for something like this: WHERE dln = '.$_POST[dln].' and payment.dln = '.$_POST[dln] However, if this were the case you're essentially asking the same thing twice. So, based on your query, I suspect you're trying for something like this: $query = 'select payment from payment where dln = \''.$_POST['dln'].'\' and password = \''.$_POST['password'].'\''; However, this again assumes that the password and dln fields are in the same table. If they're in separate tables then you'll need to perform a join. Hope this helps. Cheers, Pablo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Possible query problem
[snip] $query=SELECT payment FROM payment WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln].' and users.password='.$_POST[password].'; [/snip] Breaking the above apart ... $query= SELECT payment FROM payment WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln].' and users.password='.$_POST[password].'; It appears that you have one too many dln='.$_POST[dln].' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Possible query problem
I didn't look into your problem, but I want to mention one thing that stands out to me. --- Frank Tudor [EMAIL PROTECTED] wrote: $query=SELECT payment FROM payment WHERE dln='.$_POST[dln].' = payment.dln='.$_POST[dln].' and users.password='.$_POST[password].'; Never, ever build an SQL query using data directly from the client. You place yourself at the mercy of every user of your site and their creative potential. This code constitutes a security vulnerability. Filter all data, assign it to another variable (so you know it has been filtered), and then build your query using the filtered data: $clean['dln'] = ''; if ($_POST['dln'] looks like a valid value) { $clean['dln'] = $_POST['dln']; } $sql = ... {$clean['dln']} ...; Something similar to that anyway. Hope that helps. Chris = My Blog http://shiflett.org/ HTTP Developer's Handbook http://httphandbook.org/ RAMP Training Courses http://www.nyphp.org/ramp -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php