Re: select statement

On Thursday 05 May 2005 10:10, Anasta wrote:
> Why doesn't this work? It shows the username but not the balance of the
> user's money. Here is the mysql table:
>
> <?php session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select  FROM users ,user_balance WHERE user_id =$uname";
> $result = mysql_query();
>
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>


Hi Anasta

In your code, when you issue the mysql_query command the first time, the 
variable $sql is still empty.

You should rewrite your script like this:
<?php
session_start();
require('connect.php'); 
// escape the session value before it is put into the query string
$uname=mysql_escape_string($_SESSION['username']);
$sql=	"SELECT *
	FROM `users`, `user_balance`
	WHERE `user_id`='$uname';";
$result=mysql_query($sql) or die('Database Error'); 
if(is_resource($result))
	// mysql_num_rows() takes the result resource; compare its return value
	if(mysql_num_rows($result)>0)
	{
		$data=mysql_fetch_assoc($result);
		mysql_free_result($result);
		$user_balance=$data['user_balance'];
		$found=true;
	}
if(!isset($found))
	echo "Sorry, I could not find a record for user id $uname";
else
	{
		echo "User:	$uname<br>
			 Balance: 	$user_balance<br>";
	}
?>

Notes: 
* just because it comes from SESSION doesn't mean that it cannot be spoofed.  
That's why you should escape uname before including it in a query.
* in mysql commands, it is better to explicitly specify the resource link 
identifier you obtained when you opened the connection 
($link=mysql_connect(...))
* if you include a critical script, better use 'require' because it will cause 
php to stop parsing the page if it cannot find the script.


With kind regards

Andy
-- 
Registered Linux User Number 379093
--
Check out these few php utilities that I released
 under the GPL2 and that are meant for use with a 
 php cli binary:
 
 http://www.vlaamse-kern.com/sas/
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
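The same lookup written with a prepared statement, as an added example that is not part of the thread above: the session value is bound as a parameter instead of being escaped and spliced into the SQL text, and the implicit cross join of the two tables is replaced by an explicit join condition. The DSN, credentials and the assumption that `user_balance` has a `user_id` column referencing `users`.`user_id` are hypothetical.

```php
<?php
// Added example, not code from the original thread. Assumes PDO with the
// MySQL driver and a schema in which `user_balance`.`user_id` references
// `users`.`user_id` (assumption; adjust the join to the real schema).
session_start();

function fetch_user_balance(PDO $db, string $uname): ?array
{
    // Named placeholder: the value never becomes part of the SQL string,
    // so a spoofed or tampered session value cannot change the query.
    $sql = 'SELECT u.user_id, b.user_balance
            FROM users AS u
            JOIN user_balance AS b ON b.user_id = u.user_id
            WHERE u.user_id = :uname';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':uname', $uname, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (!isset($_SESSION['username'])) {
    exit('Not logged in');
}
$uname = $_SESSION['username'];

// Hypothetical DSN and credentials. ERRMODE_EXCEPTION makes a failed query
// throw instead of silently returning false; EMULATE_PREPARES=false makes
// the MySQL server itself do the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = fetch_user_balance($db, $uname);
if ($row === null) {
    echo 'Sorry, I could not find a record for user id ',
         htmlspecialchars($uname, ENT_QUOTES, 'UTF-8');
} else {
    // Escape for HTML output as well: the value came from the client once.
    echo 'User: ', htmlspecialchars($row['user_id'], ENT_QUOTES, 'UTF-8'), '<br>';
    echo 'Balance: ', htmlspecialchars((string) $row['user_balance'], ENT_QUOTES, 'UTF-8'), '<br>';
}
```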

