Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Negin Nickparsa
I got it, thanks Balint


Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Bálint Horváth
The problem is that if you put the POST value directly into the query, attack
code can be placed in the field... (e.g. DROP DATABASE;) it's called
"SQL injection"...

What I mean by filtering:
always check the values in the query, e.g.: $id = $_POST['id'];
if(is_numeric($id)){...}else{bad post}
and for other fields you can use e.g. strstr() etc...

On Wed, May 25, 2011 at 4:38 PM, Negin Nickparsa wrote:

> Thanks to all :D
> Paul you are absolutely right :D
> It was a bad mistake from me,
> there was no need to convert it.
> Balint helped me, and with mysql_error I found that
> my code doesn't have any mistake;
> I just forgot the BIG thing!
> Selecting the db :D
> I totally forgot it because I had array keys with an if statement, and in there I
> selected it,
> but in the last one of them I forgot to set the selection of the DB.
> Ashley, what is OP? And the filtering I didn't understand.
> Andre, why are you telling me
> Note: you *didn't* execute the query by calling mysql_query on it.
> If it doesn't execute the query then what's it doing?
> Reply
> Vitalii, believe me that I tried it, and I can send the string without error. I
> tried it:
> $query1="select * from patient where id=".$_POST['txt'];
> It works! After I found my error I tried it too and it was right!!!
>


Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Negin Nickparsa
Thanks to all :D
Paul you are absolutely right :D
It was a bad mistake from me,
there was no need to convert it.
Balint helped me, and with mysql_error I found that
my code doesn't have any mistake;
I just forgot the BIG thing!
Selecting the db :D
I totally forgot it because I had array keys with an if statement, and in there I
selected it,
but in the last one of them I forgot to set the selection of the DB.
Ashley, what is OP? And the filtering I didn't understand.
Andre, why are you telling me
Note: you *didn't* execute the query by calling mysql_query on it.
If it doesn't execute the query then what's it doing?
Reply
Vitalii, believe me that I tried it, and I can send the string without error. I
tried it:
$query1="select * from patient where id=".$_POST['txt'];
It works! After I found my error I tried it too and it was right!!!


Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Andre Polykanine
Hello Negin,
$query1="select * from patient where id=".$_POST['txt'];
$result1=mysql_query($query1);
$rows=mysql_num_rows($result1);
Note: you *didn't* execute the query by calling mysql_query on it.

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

 Original message 
From: Negin Nickparsa 
To: php-general@lists.php.net
Date created: , 7:05:18 AM
Subject: [PHP] simple question abt convert to integer


My code is this:
$query1="select * from patient where id=".$_POST['txt'];
It works, but I think I have an error in the next line:
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean
given

$num2=Mysql_num_rows($result1);

I echoed $query1 and the result was this => select * from patient where id=1
Maybe it can't convert $_POST['txt'] from String to integer and then it
can't get my $num.
It is int in my mysql.
How can I correct $query1?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Ashley Sheridan
"Vitalii Demianets"  wrote:

>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
>Holy Jesus!
>Can't wait to send a POST request to your server with txt="1;DROP
>DATABASE; --"
>
>Of course, if you switch to prepared statements instead of string
>embedding there will be not much fun.
>
>--
>Vitalii
>

Prepared statements aren't the only solution; a decent bit of filtering would 
work too. In the OP's example he only needed an int, so something like:

$val = intval($_POST['txt']);

would do the trick. It just means that the value is safe (or at least in an 
expected range) for use elsewhere in the code; it may not necessarily only be 
restricted to a DB query.


Thanks
Ash
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.




Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Bálint Horváth
Of course you have to use filters etc...

Bálint Horváth
On 25 May 2011 09:53, "Vitalii Demianets"  wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send a POST request to your server with txt="1;DROP DATABASE; --"
>
> Of course, if you switch to prepared statements instead of string embedding
> there will be not much fun.
>
> --
> Vitalii
>
>


Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Vitalii Demianets
On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
> my code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> it works but

Holy Jesus!
Can't wait to send a POST request to your server with txt="1;DROP DATABASE; --"

Of course, if you switch to prepared statements instead of string embedding 
there will be not much fun.

-- 
Vitalii




Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
Problem solved successfully after changing the query to pass the integer without
apostrophes.. and printing mysql_errno() and mysql_error()...

Remember:
-In scripting languages such as PHP the apostrophe ' or " or something like these is
the string marker...
-While you're developing, show all error codes and messages...
-If your query contains errors you'll not get a resource id to use, just a
false boolean...
-..and always check you don't have empty variables... :D

Let's ride PHP!

Bálint Horváth
(Valentine)
On 25 May 2011 06:57, "Negin Nickparsa"  wrote:
> :D
> thanks very much
> *Notice*: Undefined variable: query in *D:\phpweb\Doctor.php* on line *45*
> 1065:Query was empty


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Paul M Foster
On Wed, May 25, 2011 at 08:57:18AM +0430, Negin Nickparsa wrote:

> $id=(int)$_POST['txt'];
> $query1="select * from patient where id=".$id."";

You're not *thinking* about what you're doing. The above is silly. Think
about it: you're sending a string to MySQL. If $_POST['txt'] returns a
string which looks like the number 1, then

$query1 = "select * from patient where id = $_POST[txt]";

should suffice. If you like, test $_POST['txt'] first by echoing it.


> echo $query1;
> $result1=mysql_query($query1);

Ideally, you should be calling this function with an added "connection"
parameter. Like this:

$link = mysql_connect($connection_stuff);
$result1 = mysql_query($query1, $link);

It's not *necessary*, but advisable.

mysql_query() returns a "resource" object, unless there is a problem. If
there is a problem, then it returns FALSE. You can check what it returns
this way:

if (is_resource($result1))
    print "It's a resource!";
elseif ($result1 === FALSE)
    print "It's false!";
else
    print "I don't know what the heck it is!";

> 
> echo $result1;

I don't know what you'll get from this "echo" if $result1 truly is a
resource. But if it's false, you won't get much. $result1 should be a
"resource" object, which means it's opaque. You can't know what's in it
unless you use a "helper" function like mysql_num_rows(), etc.

> $num2=Mysql_num_rows($result1);
> $num3=Mysql_num_fields($result1);
> 
> still it has previous error
> 
> Here is my output:select * from patient where id=1
> *Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean
> given in
> 
> *Warning*: mysql_num_fields() expects parameter 1 to be resource, boolean
> given in **

Your error messages clearly mean that 1) you're not getting a proper
resource object back from mysql_query(), or 2) you're somehow changing
$result1 into a boolean before passing it to these other functions. But
I suspect it's #1 above.

Please see the documentation for these functions at php.net. It may
even be available in your native language.

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

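Putting the thread's advice together (Bálint's numeric check, Ashley's intval(), Vitalii's prepared statements, and Paul's check of what mysql_query() returns) as one added example; it is not code from any of the posters, assumes the patient table from the thread plus placeholder credentials, and uses FILTER_VALIDATE_INT rather than intval() or is_numeric() because those accept input that is not a whole number.

```php
<?php
// Added example, not code from any poster in the thread. It replaces
//   $query1 = "select * from patient where id=" . $_POST['txt'];
// with a strict integer check, a prepared statement (the value never becomes
// part of the SQL text) and a check of the query call's return value. Uses
// mysqli (mysql_* was removed in PHP 7); credentials and DB name are placeholders.

// intval("1abc") is 1 and intval("abc") is 0, and is_numeric() also accepts
// "1.5" or "1e3"; FILTER_VALIDATE_INT returns false for anything that is not
// a whole number, so bad input is rejected instead of silently querying id 0.
function patientIdFromPost(array $post): ?int
{
    if (!isset($post['txt'])) {
        return null;
    }
    $id = filter_var($post['txt'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function countPatientsById(mysqli $link, int $id): int
{
    $stmt = $link->prepare('SELECT * FROM patient WHERE id = ?');
    if ($stmt === false) {
        // Report the server's reason instead of passing false on to the next
        // call (the thread's "boolean given" warning). A forgotten database
        // selection shows up here as error 1046 "No database selected".
        throw new RuntimeException(
            sprintf('prepare failed (%d): %s', $link->errno, $link->error));
    }
    $stmt->bind_param('i', $id);  // bound as an integer, never concatenated
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->store_result();        // needed before num_rows is meaningful
    $rows = $stmt->num_rows;
    $stmt->close();
    return $rows;
}

$id = patientIdFromPost($_POST);
if ($id === null) {
    http_response_code(400);
    exit('bad post');
}
$link = new mysqli('localhost', 'dbuser', 'dbpassword', 'clinic'); // placeholders
if ($link->connect_errno) {
    throw new RuntimeException('connect failed: ' . $link->connect_error);
}
echo countPatientsById($link, $id);
```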



Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
I receive nothing, not a resource id and nor false


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
If the query is incorrect you get boolean: false; if it's correct you get a
resource id...

Bálint Horváth
On 25 May 2011 06:28, "Negin Nickparsa"  wrote:


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
$result1=mysql_query($query1);

echo $result1;

It can't echo $result1.
I don't know why?


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
Bálint Horváth,
my second post is using your idea.
Your idea is working, but why do I still have an error?


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
$id=(int)$_POST['txt'];
$query1="select * from patient where id=".$id."";
echo $query1;
$result1=mysql_query($query1);

echo $result1;
$num2=Mysql_num_rows($result1);
$num3=Mysql_num_fields($result1);

It still has the previous error.

Here is my output: select * from patient where id=1
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean
given in

*Warning*: mysql_num_fields() expects parameter 1 to be resource, boolean
given in **


Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
Hi,
I've a simple idea...
If you have an integer in your MySQL, don't use " at that field in the query...
Try this:
$query="select * from patient where id=".$id."";
There isn't an apostrophe in the MySQL query...

Bálint Horváth
On 25 May 2011 06:06, "Negin Nickparsa"  wrote:
> My code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> It works, but I think I have an error in the next line:
> *Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean
> given
>
> $num2=Mysql_num_rows($result1);
>
> I echoed $query1 and the result was this => select * from patient where id=1
> Maybe it can't convert $_POST['txt'] from String to integer and then it
> can't get my $num.
> It is int in my mysql.
> How can I correct $query1?


[PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
My code is this:
$query1="select * from patient where id=".$_POST['txt'];
It works, but I think I have an error in the next line:
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean
given

$num2=Mysql_num_rows($result1);

I echoed $query1 and the result was this => select * from patient where id=1
Maybe it can't convert $_POST['txt'] from String to integer and then it
can't get my $num.
It is int in my mysql.
How can I correct $query1?