Re: [PHP] select statement with variables ???
On 12/21/05, Anasta [EMAIL PROTECTED] wrote:
> Can someone tell me why this select is wrong please---I've tried
> everything. the $cat is the tablename.

You've tried *everything*?

Why do you think it's wrong? Did you get an error message of some kind? What do you see if you echo $query? Are the values of $cat and $id what you expected?

-robin

RE: [PHP] select statement with variables ???
> Can someone tell me why this select is wrong please---I've tried
> everything. the $cat is the tablename.
>
> $query= "SELECT title FROM $cat WHERE id='$id'";

Apparently, either $cat or $id is not the value you think it is. First, I would try changing

    $result=mysql_query($query);

to read:

    $result=mysql_query($query) or die(mysql_error());

This will, no doubt, lend some insight into where your error is.

JM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] select statement with variables ???
[snip]
$query= "SELECT title FROM $cat WHERE id='$id'";
[/snip]

    echo $query; // does it look right to you?

Always throw an error when in question

    if(!($result = mysql_query($query, $connection))){
        echo mysql_error() . "<br>\n";
        exit();
    }

My bet is that you need to concatenate

    $query = "SELECT title FROM " . $cat . " WHERE id = '" . $id . "' ";

Re: [PHP] select statement with variables ???
<side-question>
Jay how come you thought concating would give a different result to interpolation?
</side-question>

Jay Blanchard wrote:
> [snip]
> $query= "SELECT title FROM $cat WHERE id='$id'";
> [/snip]
>
> echo $query; // does it look right to you?
>
> Always throw an error when in question
>
> if(!($result = mysql_query($query, $connection))){
>     echo mysql_error() . "<br>\n";
>     exit();
> }

up to here I agree with Jay 100%, especially the 'echo' part (also get familiar with var_dump() and print_r() functions to help debug your problems...

> My bet is that you need to concatenate
>
> $query = "SELECT title FROM " . $cat . " WHERE id = '" . $id . "' ";

now unless either $cat or $id is actually an object with a 'magic' __toString() method defined and the engine has been changed to fully/properly support 'magic' object2string casting I don't agree that concat'ing will help (even if all of what I said was true I don't think it would help either), the reason being that AFAICT the following 2 statements leave you with the same string:

    $cat = "mytable";
    $id = 1234;
    $one = "SELECT title FROM $cat WHERE id = '$id'";
    $two = "SELECT title FROM ".$cat." WHERE id = '".$id."'";
    var_dump( ($one === $two) ); // -- will show you that this equates to TRUE.

RE: [PHP] select statement with variables ???
[snip]
<side-question>
Jay how come you thought concating would give a different result to interpolation?
</side-question>
[/snip]

It is not really a different result, it is just something that I am in the habit of doing. The concat or not to concat question has fueled many a holy war. I concat, others do not. I am used to seeing it and looking for it in code. Others think that it adds too much junk.

[snip]
My bet is that you need to concatenate
...I don't agree that concat'ing will help...
[/snip]

I probably shouldn't have used bet...I just should have suggested it.

Re: [PHP] select statement with variables ???
Jay Blanchard wrote:
> [snip]
> <side-question>
> Jay how come you thought concating would give a different result to interpolation?
> </side-question>
> [/snip]
>
> It is not really a different result, it is just something that I am in
> the habit of doing. The concat or not to concat question has fueled many
> a holy war. I concat, others do not. I am used to seeing it and looking
> for it in code. Others think that it adds too much junk.

I see - personally I don't give a about this holy war; I use both pretty interchangeably - depends on the context what I think looks neater.

<tangent>
it is my belief that technically this:

    echo $a, $b, $c;

is (should be) faster than:

    echo $a . $b . $c;

can anyone confirm this to be true?
</tangent>

> [snip]
> My bet is that you need to concatenate
> ...I don't agree that concat'ing will help...
> [/snip]
>
> I probably shouldn't have used bet...I just should have suggested it.

I still stand by the fact that whether you bet or suggest the OP would end up with the same broken query string.

now the hint about using ECHO .. that you could have written in 40 foot high letters :-)

Re: [PHP] select statement
On Thursday 05 May 2005 10:10, Anasta wrote:
> Why doesn't this work, it shows the username but not the balance of the
> users money. here is the mysql table:
>
> <?php
> session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select FROM users ,user_balance WHERE user_id =$uname";
> $result = mysql_query();
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>

Hi Anasta

In your code, when you issue the mysql_query command the first time, the variable $sql is still empty.

You should rewrite your script like this:

    <?php
    session_start();
    require('connect.php');
    # escape the session value before it goes into the query
    $uname=mysql_escape_string($_SESSION['username']);
    # user_balance is a column of `users`, so only that table is listed
    $sql="SELECT * FROM `users` WHERE `user_id`='$uname'";
    $result=mysql_query($sql) or die('Database Error');
    if(is_resource($result))
        if(mysql_num_rows($result)>0)
        {
            $data=mysql_fetch_assoc($result);
            mysql_free_result($result);
            $user_balance=$data['user_balance'];
            $found=true;
        }
    if(!(isset($found)))
        echo "Sorry, I could not find a record for user id $uname";
    else
    {
        echo "User: $uname<br> Balance: $user_balance<br>";
    }
    ?>

Notes:
* just because it comes from SESSION doesn't mean that it cannot be spoofed. That's why you should escape uname before including it in a query.
* in mysql commands, it is better to explicitly specify the resource link identifier you obtained when you opened the connection ($link=mysql_connect(...))
* if you include a critical script, better use 'require' because it will cause php to stop parsing the page if it cannot find the script.

With kind regards

Andy

--
Registered Linux User Number 379093
--
Check out these few php utilities that I released under the GPL2 and that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/

Re: [PHP] select statement
On нед, 2005-05-08 at 23:16 +0200, Andy Pieters wrote:
> Notes:
> * just because it comes from SESSION doesn't mean that it cannot be
> spoofed. That's why you should escape uname before including it in a
> query.

Is there something I do not know ? :). As far as I know, it can be spoofed only if you have access to session data, which is held on the server-side, so only someone with server access can spoof. Any other way of doing it ?

Josip Dzolonga
http://josip.dotgeek.org

Re: [PHP] select statement
On Sun, May 8, 2005 3:20 pm, Josip Dzolonga said:
> On нед, 2005-05-08 at 23:16 +0200, Andy Pieters wrote:
>> Notes:
>> * just because it comes from SESSION doesn't mean that it cannot be
>> spoofed. That's why you should escape uname before including it in a
>> query.
>
> Is there something I do not know ? :). As far as I know, it can be
> spoofed only if you have access to session data, which is held on the
> server-side, so only someone with server access can spoof. Any other way
> of doing it ?

Are you on a shared server?

Then your session data is open to the other 199 clients on that server...

If you are *NOT* on a shared server, and if you are 100% confident that nobody will ever compromise your server, and make your $_SESSION data a priority to hack, well then, you're safe...

How much effort does it take to scrub your $_SESSION data, though?

What are you storing in there?

How Bad will it be if a Bad Guy breaks in and snarfs it?

Only you can answer these for a dedicated server/application.

Not scrubbing $_SESSION on a shared server... That's just wrong, IMHO.

--
Like Music?
http://l-i-e.com/artists.htm

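The two fixes these threads circle around, as an added example that is not code from any of the posters: a table name such as $cat cannot be bound as a parameter, so it is checked against an allow-list, while values such as $id or a session-held username are bound instead of escaped. PDO with an in-memory SQLite database stands in for the mysql_* extension used in the messages (removed in PHP 7); the table contents, the allow-list, the function names and the lookup by the username column are assumptions.

```php
<?php
// Added example, not code from the thread. Runs offline against an in-memory
// SQLite database through PDO; all rows below are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, user_balance INTEGER)');
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO users (username, user_balance) VALUES ('anasta', 150)");
$pdo->exec("INSERT INTO news (title) VALUES ('First post')");

// Assumption: the only table names a request may pass as $cat.
const ALLOWED_TABLES = ['news'];

function fetchTitle(PDO $pdo, string $cat, int $id): ?string
{
    // A placeholder cannot stand in for an identifier, so the table name is
    // accepted only when it is exactly one of the known names.
    if (!in_array($cat, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    $stmt = $pdo->prepare("SELECT title FROM $cat WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

function fetchBalance(PDO $pdo, string $uname): ?int
{
    // The session value travels as bound data, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT user_balance FROM users WHERE username = :u');
    $stmt->execute([':u' => $uname]);
    $balance = $stmt->fetchColumn();
    return $balance === false ? null : (int) $balance;
}

var_dump(fetchTitle($pdo, 'news', 1));
var_dump(fetchBalance($pdo, 'anasta'));

// Constructed hostile inputs: the quote characters in the bound value are
// compared literally and match no row; the unlisted table name is refused
// before any SQL is built.
var_dump(fetchBalance($pdo, "anasta' OR '1'='1"));
try {
    fetchTitle($pdo, 'users', 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
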
Re: [PHP] select statement
On 5/5/05, Anasta [EMAIL PROTECTED] wrote:
> Why doesn't this work, it shows the username but not the balance of the
> users money. here is the mysql table:
>
> CREATE TABLE `users` (
>   `user_id` int(11) NOT NULL auto_increment,
>   `username` varchar(15) NOT NULL default '',
>   `password` varchar(15) NOT NULL default '',
>   `status` varchar(10) NOT NULL default '',
>   `user_balance` bigint(5) NOT NULL default '0',
>   PRIMARY KEY (`user_id`)
> ) TYPE=MyISAM AUTO_INCREMENT=3 ;
>
> <?php
> session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select FROM users ,user_balance WHERE user_id =$uname";

you should write

    $sql = "Select user_balance FROM users WHERE user_id =$uname";

> $result = mysql_query();
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>

--
bala
balachandar muruganantham
blog lynx http://chandar.blogspot.com
web http://www.chennaishopping.com

Re: [PHP] select statement
Maybe the query should be

    select user_balance FROM users WHERE user_id=$uname;

Prathap

-- Original Message ---
From: Anasta [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thu, 5 May 2005 16:10:35 +0800
Subject: [PHP] select statement

> Why doesn't this work, it shows the username but not the balance of the
> users money. here is the mysql table:
>
> CREATE TABLE `users` (
>   `user_id` int(11) NOT NULL auto_increment,
>   `username` varchar(15) NOT NULL default '',
>   `password` varchar(15) NOT NULL default '',
>   `status` varchar(10) NOT NULL default '',
>   `user_balance` bigint(5) NOT NULL default '0',
>   PRIMARY KEY (`user_id`)
> ) TYPE=MyISAM AUTO_INCREMENT=3 ;
>
> <?php
> session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select FROM users ,user_balance WHERE user_id =$uname";
> $result = mysql_query();
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>
--- End of Original Message ---

RE: [PHP] select statement
Nothing to do with PHP...

    SELECT * FROM myTable WHERE ID IN (1,3,7,9);

If you're using MySQL, read the manual: http://www.mysql.com/documentation/mysql/bychapter/

---John Holmes...

-Original Message-
From: Wilbert Enserink [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 7:20 AM
To: [EMAIL PROTECTED]
Subject: [PHP] select statement

> Hi all,
>
> I want to select some records with e.g. ID's 1,3,7 and 8
> How can this be done best?
>
> is it: SELECT * FROM myTable WHERE ID=1,3,7,8 ??
>
> thx. Wilbert
>
> -
> Pas de Deux
> Van Mierisstraat 25
> 2526 NM Den Haag
> tel 070 4450855
> fax 070 4450852
> http://www.pdd.nl
> [EMAIL PROTECTED]
> -

Re: [PHP] select statement
On Thursday 16 May 2002 19:19, Wilbert Enserink wrote:
> Hi all,
>
> I want to select some records with e.g. ID's 1,3,7 and 8
> How can this be done best?
>
> is it: SELECT * FROM myTable WHERE ID=1,3,7,8 ??

Is this a PHP question?

--
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *

/*
It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous.
-- Robert Benchley
*/

RE: [PHP] SELECT statement
Yeah, sure you can:

    $sql="SELECT id, email FROM table WHERE user='$user' and pass='$pass'";

Sincerely,

Maxim Maletsky
Founder, Chief Developer
PHPBeginner.com (Where PHP Begins)
[EMAIL PROTECTED]
www.phpbeginner.com

-Original Message-
From: Peter Houchin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 2:30 PM
To: PHP MAIL GROUP
Subject: [PHP] SELECT statement

> Hi,
>
> Can you have a SELECT statement (using mysql) that goes something like
>
> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";
>
> and if you can't is there a away around this?
>
> Thanks
>
> Peter

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

RE: [PHP] SELECT statement
I've tried this but mysql_error() doesn't give me any errors, i tried my sql line at the command line with success. here is my code if some one could have a look at it and give some suggestions as to how i can get the email ...

Thanks again

Peter

    <?
    session_start();
    if ($REQUEST_METHOD=='POST') {
        header('Expires: ' . gmdate("D, d M Y H:i:s", time()+1000) . ' GMT');
        header('Cache-Control: Private');
    }
    session_register('user');
    session_register('pass');
    session_register('email');
    $session = session_id();
    $userid = '$user';
    ?>
    <html>
    <head>
    <title>eRentals</title>
    </head>
    <body>
    <?
    // connect to data base
    $open = mysql_connect("localhost", "root", "password")
        or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">Unable to connect to server.</font>");
    mysql_select_db("rentdb")
        or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">Unable to select database.</font>");

    // select id email from table matching the user name and password inputted
    $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";
    $result = mysql_query($sql) or die (print mysql_error());

    // if unsuccessfull do this
    $num = mysql_numrows($result)
        or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">You're not authorized to be here. If you feel you have recieved this<BR> message in error, please contact the <a href=\"mailto:[EMAIL PROTECTED]\">webmaster</a></font>");

    // if successful then do this
    if ($num == 1) {
        include "quote2.php"; //has a hidden field referencing the user the email address .. user shows up but again email does not
    }
    ?>
    </body>
    </html>

-Original Message-
From: Philip Olson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 4:59 PM
To: Peter Houchin
Cc: PHP MAIL GROUP
Subject: RE: [PHP] SELECT statement

> A possible way to find out :
>
> $result = mysql_query($sql) or die(mysql_error());
>
> Does it say anything? mysql_error() is your friend, it can be printed
> anywhere within the script and will print the last mysql error. So
> perhaps :
>
> print mysql_error();
>
> Right before the query or ...
>
> Regards,
> Philip
>
> On Tue, 13 Feb 2001, Peter Houchin wrote:
>
>> ok I've changed my code to
>>
>> $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";
>>
>> but still no joy can any one suggest why? ( Yes email is a field in the
>> table)
>>
>> Peter
>>
>>> Hi,
>>>
>>> Can you have a SELECT statement (using mysql) that goes something like
>>>
>>> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";

Re: [PHP] SELECT statement
Try

    or print mysql_error ()

rather than

    or die ( print mysql_error () )

?

Peter Houchin wrote:

> I've tried this but mysql_error() doesn't give me any errors, i tried my
> sql line at the command line with success. here is my code if some one
> could have a look at it and give some suggestions as to how i can get the
> email ...
>
> Thanks again
>
> Peter
>
> <?
> session_start();
> if ($REQUEST_METHOD=='POST') {
>     header('Expires: ' . gmdate("D, d M Y H:i:s", time()+1000) . ' GMT');
>     header('Cache-Control: Private');
> }
> session_register('user');
> session_register('pass');
> session_register('email');
> $session = session_id();
> $userid = '$user';
> ?>
> <html>
> <head>
> <title>eRentals</title>
> </head>
> <body>
> <?
> // connect to data base
> $open = mysql_connect("localhost", "root", "password")
>     or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">Unable to connect to server.</font>");
> mysql_select_db("rentdb")
>     or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">Unable to select database.</font>");
>
> // select id email from table matching the user name and password inputted
> $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";
> $result = mysql_query($sql) or die (print mysql_error());
>
> // if unsuccessfull do this
> $num = mysql_numrows($result)
>     or die ("<font face=\"Helvetica, sans-serif\" size=\"3\" color=\"#006699\">You're not authorized to be here. If you feel you have recieved this<BR> message in error, please contact the <a href=\"mailto:[EMAIL PROTECTED]\">webmaster</a></font>");
>
> // if successful then do this
> if ($num == 1) {
>     include "quote2.php"; //has a hidden field referencing the user the email address .. user shows up but again email does not
> }
> ?>
> </body>
> </html>
>
> -Original Message-
> From: Philip Olson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 4:59 PM
> To: Peter Houchin
> Cc: PHP MAIL GROUP
> Subject: RE: [PHP] SELECT statement
>
>> A possible way to find out :
>>
>> $result = mysql_query($sql) or die(mysql_error());
>>
>> Does it say anything? mysql_error() is your friend, it can be printed
>> anywhere within the script and will print the last mysql error. So
>> perhaps :
>>
>> print mysql_error();
>>
>> Right before the query or ...
>>
>> Regards,
>> Philip
>>
>> On Tue, 13 Feb 2001, Peter Houchin wrote:
>>
>>> ok I've changed my code to
>>>
>>> $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";
>>>
>>> but still no joy can any one suggest why? ( Yes email is a field in
>>> the table)
>>>
>>> Peter
>>>
>>>> Hi,
>>>>
>>>> Can you have a SELECT statement (using mysql) that goes something like
>>>>
>>>> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";

Re: [PHP] SELECT statement
Assuming you want to select both id and email from table, use commas :

    SELECT id,email FROM ...

Also, check out this basic SQL tutorial :

    http://www.sqlcourse.com/

It's fairly useful.

regards,
Philip

On Tue, 13 Feb 2001, Peter Houchin wrote:

> Hi,
>
> Can you have a SELECT statement (using mysql) that goes something like
>
> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";
>
> and if you can't is there a away around this?
>
> Thanks
>
> Peter

Re: [PHP] SELECT statement
On Tue, 13 Feb 2001 16:00, Peter Houchin wrote:
> Hi,
>
> Can you have a SELECT statement (using mysql) that goes something like
>
> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";
>
> and if you can't is there a away around this?
>
> Thanks
>
> Peter

In SQL queries, you normally separate the required fields with a comma, so

    $sql="SELECT id, email FROM table WHERE user='$user' and pass='$pass'";

would work, assuming id and email are fields in the table 'table'.

--
David Robley | WEBMASTER, Mail List Admin
RESEARCH CENTRE FOR INJURY STUDIES | http://www.nisu.flinders.edu.au/
AusEinet | http://auseinet.flinders.edu.au/
Flinders University, ADELAIDE, SOUTH AUSTRALIA

RE: [PHP] SELECT statement
ok I've changed my code to

    $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";

but still no joy can any one suggest why? ( Yes email is a field in the table)

Peter

> Hi,
>
> Can you have a SELECT statement (using mysql) that goes something like
>
> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";

RE: [PHP] SELECT statement
A possible way to find out :

    $result = mysql_query($sql) or die(mysql_error());

Does it say anything? mysql_error() is your friend, it can be printed anywhere within the script and will print the last mysql error. So perhaps :

    print mysql_error();

Right before the query or ...

Regards,
Philip

On Tue, 13 Feb 2001, Peter Houchin wrote:

> ok I've changed my code to
>
> $sql = "SELECT id, email FROM users WHERE user='$user' and pass='$pass'";
>
> but still no joy can any one suggest why? ( Yes email is a field in the
> table)
>
> Peter
>
>> Hi,
>>
>> Can you have a SELECT statement (using mysql) that goes something like
>>
>> $sql="SELECT id email FROM table WHERE user='$user' and pass='$pass'";