Re: [PHP] simple question abt convert to integer
I got it, thanks Balint.
Re: [PHP] simple question abt convert to integer
The problem is that if you put the POST value directly into the query, it can carry attack code in the field (e.g. DROP DATABASE;). It's called "SQL injection". What I mean by filtering: always check the values used in the query, e.g.:

$id = $_POST['id'];
if (is_numeric($id)) { ... } else { /* bad post */ }

and for the other fields you can use e.g. strstr() etc.

On Wed, May 25, 2011 at 4:38 PM, Negin Nickparsa wrote:
> Thanks to all :D
> Paul, you are absolutely right :D
> It was a bad mistake from me; there was no need to convert it.
> Balint helped me, and with mysql_error I found that my code hasn't any mistake.
> I just forgot the BIG thing: selecting the DB :D
> I totally forgot it because I had array keys with an if statement, and in there I selected it, but in the last one of them I forgot to set the selection of the DB.
> Ashley, what is OP? And filtering, I didn't understand.
> Andre, why are you telling me
> Note: you *didn't* execute the query by calling mysql_query on it.
> If it doesn't execute the query, then what's it doing?
> Vitalii, believe me that I tried it and I can send the string without error. I tried it:
> $query1="select * from patient where id=".$_POST['txt'];
> It works! After I found my error I tried it too, and it was right!!!
Re: [PHP] simple question abt convert to integer
Thanks to all :D
Paul, you are absolutely right :D
It was a bad mistake from me; there was no need to convert it.
Balint helped me, and with mysql_error I found that my code hasn't any mistake.
I just forgot the BIG thing: selecting the DB :D
I totally forgot it because I had array keys with an if statement, and in there I selected it, but in the last one of them I forgot to set the selection of the DB.
Ashley, what is OP? And filtering, I didn't understand.
Andre, why are you telling me
Note: you *didn't* execute the query by calling mysql_query on it.
If it doesn't execute the query, then what's it doing?
Vitalii, believe me that I tried it and I can send the string without error. I tried it:
$query1="select * from patient where id=".$_POST['txt'];
It works! After I found my error I tried it too, and it was right!!!
Re: [PHP] simple question abt convert to integer
Hello Negin,

$query1="select * from patient where id=".$_POST['txt'];
$result1=mysql_query($query1);
$rows=mysql_num_rows($result1);

Note: you *didn't* execute the query by calling mysql_query on it.

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

Original message
From: Negin Nickparsa
To: php-general@lists.php.net
Date created: , 7:05:18 AM
Subject: [PHP] simple question abt convert to integer

My code is this:
$query1="select * from patient where id=".$_POST['txt'];
It works, but I think something is wrong because I have an error in the next line:
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given
$num2=Mysql_num_rows($result1);
I echoed $query1 and the result was this => select * from patient where id=1
Maybe it can't convert $_POST['txt'] from String to integer, and then it can't get my $num.
It is int in my MySQL.
How can I correct $query1?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] simple question abt convert to integer
"Vitalii Demianets" wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send your server a POST request with txt="1;DROP DATABASE; --"
>
> Of course, if you switch to prepared statements instead of string embedding, there won't be much fun.
>
> --
> Vitalii

Prepared statements aren't the only solution; a decent bit of filtering would work too. In the OP's example he only needed an int, so something like:

$val = intval($_POST['txt']);

would do the trick. It just means that the value is safe (or at least in an expected range) for use elsewhere in the code; it may not necessarily only be restricted to a DB query.

Thanks
Ash

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
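Ash's intval() above and Bálint's is_numeric() further up this page are both offered as "filtering". The following is an added example, not code posted by anyone in the thread, that drives a few constructed inputs through intval(), is_numeric() and a strict validator to show the difference between coercing a value and validating it. The helper name readPatientId, the 'txt' key and the minimum id of 1 are assumptions, not anything the thread states.

```php
<?php
// Added example (not from the thread): three ways of "filtering" an id that
// arrived as a string, driven over constructed inputs, to show the difference
// between coercing a value (intval) and validating it (filter_var), which is
// what an integer primary-key lookup actually needs.
declare(strict_types=1);

// Strict check: accept only an optional sign and decimal digits, value >= 1.
// Returns null for anything else so the caller can refuse the request instead
// of silently querying id=0 or id=1. Helper name, key and range are assumptions.
function readPatientId(array $post, string $key = 'txt'): ?int
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $id = filter_var($post[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: a normal id, two injection attempts, and some edge cases.
$samples = ['1', '1;DROP DATABASE; --', '1 OR 1=1', 'abc', '1e3', '-5', ''];

printf("%-22s %-8s %-10s %s\n", 'input', 'intval', 'is_numeric', 'readPatientId');
foreach ($samples as $txt) {
    printf("%-22s %-8s %-10s %s\n",
        var_export($txt, true),
        var_export(intval($txt), true),
        var_export(is_numeric($txt), true),
        var_export(readPatientId(['txt' => $txt]), true)
    );
}
```

Run it with the php CLI. intval('1;DROP DATABASE; --') comes back as 1 and intval('abc') as 0: the cast does make the value safe to splice into the query, as Ash says, but the injection attempt simply turns into a lookup of patient 1 and nothing records that anyone tried. is_numeric() accepts forms such as '1e3' and '-5' that are not valid ids. readPatientId() returns an integer only for '1' and null for every other sample, which is the case to log and refuse rather than silently repair.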
Re: [PHP] simple question abt convert to integer
Of course, you have to use filters etc.

Bálint Horváth

On 25 May 2011 09:53, "Vitalii Demianets" wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send your server a POST request with txt="1;DROP DATABASE; --"
>
> Of course, if you switch to prepared statements instead of string embedding, there won't be much fun.
>
> --
> Vitalii
Re: [PHP] simple question abt convert to integer
On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
> my code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> it works but

Holy Jesus!
Can't wait to send your server a POST request with txt="1;DROP DATABASE; --"

Of course, if you switch to prepared statements instead of string embedding, there won't be much fun.

-- 
Vitalii
Re: [PHP] simple question abt convert to integer
Problem solved successfully after changing the query integer to be without apostrophes and printing mysql_errno() and mysql_error()...

Remember:
- In script languages such as PHP, the apostrophe ' or " or something like these is the string marker...
- While you're developing, show all error codes and messages...
- If your query contains errors, you'll not get a resource id to use, just a false boolean...
- ...and always check you don't have empty variables... :D

Let's ride PHP!

Bálint Horváth (Valentine)

On 25 May 2011 06:57, "Negin Nickparsa" wrote:
> :D
> Thanks very much
> *Notice*: Undefined variable: query in *D:\phpweb\Doctor.php* on line *45*
> 1065: Query was empty
Re: [PHP] simple question abt convert to integer
On Wed, May 25, 2011 at 08:57:18AM +0430, Negin Nickparsa wrote:

> $id=(int)$_POST['txt'];
> $query1="select * from patient where id=".$id."";

You're not *thinking* about what you're doing. The above is silly. Think about it: you're sending a string to MySQL. If $_POST['txt'] returns a string which looks like the number 1, then

$query1 = "select * from patient where id = $_POST[txt]";

should suffice. If you like, test $_POST['txt'] first by echoing it.

> echo $query1;
> $result1=mysql_query($query1);

Ideally, you should be calling this function with an added "connection" parameter. Like this:

$link = mysql_connect($connection_stuff);
$result1 = mysql_query($query1, $link);

It's not *necessary*, but advisable.

mysql_query() returns a "resource" object, unless there is a problem. If there is a problem, then it returns FALSE. You can check what it returns this way:

if (is_resource($result1))
    print "It's a resource!";
elseif ($result1 === FALSE)
    print "It's false!";
else
    print "I don't know what the heck it is!";

> echo $result1;

I don't know what you'll get from this "echo" if $result1 truly is a resource. But if it's false, you won't get much. $result1 should be a "resource" object, which means it's opaque. You can't know what's in it unless you use a "helper" function like mysql_num_rows(), etc.

> $num2=Mysql_num_rows($result1);
> $num3=Mysql_num_fields($result1);
>
> still it has previous error
>
> Here is my output:select * from patient where id=1
> *Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given in
>
> *Warning*: mysql_num_fields() expects parameter 1 to be resource, boolean given in **

Your error messages clearly mean that 1) you're not getting a proper resource object back from mysql_query(), or 2) you're somehow changing $result1 into a boolean before passing it to these other functions. But I suspect it's #1 above. Please see the documentation for these functions at php.net. It may even be available in your native language.

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
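Vitalii's prepared-statement advice (further down the page) and Paul's point just above about checking what mysql_query() hands back fit together in one piece of code. The following is an added example, not code from the thread: the concatenated lookup from the original post beside a version that validates the id, binds it as a parameter and uses PDO with exceptions enabled, so a failed query (the thread's eventual culprit was a forgotten mysql_select_db(); with PDO the database is part of the DSN) cannot silently flow on as false. Two caveats a reader of this 2011 thread should know: ext/mysql's mysql_query() sends a single statement, so the stacked "1;DROP DATABASE; --" payload would not execute through it, but a payload such as "1 OR 1=1" needs no second statement and does; and the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7, so new code should use PDO or mysqli. The in-memory SQLite database, the patient rows, the MySQL DSN shown in the comment and the function names are all constructed for this example.

```php
<?php
// Added example, not code from the thread: the string-concatenated lookup from
// the original post beside a hardened version that validates the id and sends
// it as a bound parameter, plus error handling that cannot be skipped.
// It uses an in-memory SQLite database with constructed rows so it runs offline;
// against MySQL the DSN would be something like
// 'mysql:host=localhost;dbname=clinic;charset=utf8mb4' (database name assumed),
// and you would add PDO::ATTR_EMULATE_PREPARES => false so the server, not the
// client library, performs the binding.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        // Throw on any SQL error instead of returning false, so a failed query
        // can never reach a mysql_num_rows()-style call as a boolean.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed stand-in for the poster's "patient" table.
    $pdo->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO patient (id, name) VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol')");
    return $pdo;
}

// The pattern from the original post: untrusted text spliced into the SQL.
function findPatientUnsafe(PDO $pdo, string $txt): array
{
    $query = 'SELECT * FROM patient WHERE id=' . $txt;
    return $pdo->query($query)->fetchAll();
}

// Hardened: refuse anything that is not a positive integer, then bind the
// value as a parameter so the database never parses it as SQL.
function findPatientSafe(PDO $pdo, string $txt): array
{
    $id = filter_var($txt, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];                       // or throw / answer HTTP 400
    }
    $stmt = $pdo->prepare('SELECT * FROM patient WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo     = connect();
$payload = '1 OR 1=1';   // constructed attacker input standing in for $_POST['txt']

foreach (['1', $payload] as $txt) {
    printf("input %-12s unsafe: %d row(s)   hardened: %d row(s)\n",
        var_export($txt, true),
        count(findPatientUnsafe($pdo, $txt)),
        count(findPatientSafe($pdo, $txt)));
}

// With ERRMODE_EXCEPTION a broken query no longer yields a silent false; the
// SQLSTATE and driver message the thread had to dig out via mysql_error() are
// carried on the exception.
try {
    $pdo->query('SELECT * FROM nosuchtable');
} catch (PDOException $e) {
    echo 'query failed: ', $e->getMessage(), "\n";
}
```

Run with the php CLI (pdo_sqlite ships with PHP). For the normal input both functions return the single row for patient 1. For the payload the unsafe function returns every row in the table, because the SQL the server sees is "WHERE id=1 OR 1=1", while the hardened function returns nothing, because the input never passes the integer check and could not have been parsed as SQL even if it had. The final query shows the behaviour Paul asks for: an error is an exception with a message, not a boolean that surfaces two lines later as "expects parameter 1 to be resource".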
Re: [PHP] simple question abt convert to integer
I receive nothing, not a resource id and not false.
Re: [PHP] simple question abt convert to integer
If the query is incorrect you get boolean false; if it's correct you get a resource id...

Bálint Horváth

On 25 May 2011 06:28, "Negin Nickparsa" wrote:
Re: [PHP] simple question abt convert to integer
$result1=mysql_query($query1);
echo $result1;

It can't echo $result1. I don't know why?
Re: [PHP] simple question abt convert to integer
Bálint Horváth, my second post is using your idea. Your idea is working, but why do I still have the error?
Re: [PHP] simple question abt convert to integer
$id=(int)$_POST['txt'];
$query1="select * from patient where id=".$id."";
echo $query1;
$result1=mysql_query($query1);
echo $result1;
$num2=Mysql_num_rows($result1);
$num3=Mysql_num_fields($result1);

Still it has the previous error.

Here is my output: select * from patient where id=1
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given in

*Warning*: mysql_num_fields() expects parameter 1 to be resource, boolean given in **
Re: [PHP] simple question abt convert to integer
Hi, I've a simple idea... If you have an integer in your MySQL, don't use " at that field in the query... Try this:

$query="select * from patient where id=".$id."";

There isn't an apostrophe in the MySQL query...

Bálint Horváth

On 25 May 2011 06:06, "Negin Nickparsa" wrote:
> My code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> It works, but I think something is wrong because I have an error in the next line:
> *Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given
>
> $num2=Mysql_num_rows($result1);
>
> I echoed $query1 and the result was this => select * from patient where id=1
> Maybe it can't convert $_POST['txt'] from String to integer, and then it can't get my $num.
> It is int in my MySQL.
> How can I correct $query1?
[PHP] simple question abt convert to integer
My code is this:
$query1="select * from patient where id=".$_POST['txt'];
It works, but I think something is wrong because I have an error in the next line:
*Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given

$num2=Mysql_num_rows($result1);

I echoed $query1 and the result was this => select * from patient where id=1
Maybe it can't convert $_POST['txt'] from String to integer, and then it can't get my $num.
It is int in my MySQL.
How can I correct $query1?