it works thx Micah (and Matt)

I have no knowledge (YET) of how to prevent sql injection attacks with php. For this project I'm not too concerned as it is in a password protected area and only 2 or 3 people have access to it.

I hope this works with the rest of the issues... :-)

-- gil

> -----Original Message-----
> From: Micah Stevens [mailto:micah@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 21, 2004 4:01 PM
> To: php-db@xxxxxxxxxxxxx
> Subject: Re: using query_strings in sql
>
> You may have register Globals turned off in php.ini.
>
> Try adding:
>
> extract($_GET)
>
> in the code before the function gets called. That's not a very secure method, but it will prove whether or not that's the problem.
>
> -Micah
>
> On Wed January 21 2004 12:43 pm, mayo wrote:
> > oops. I guess I was too loose with my words ---
> >
> > something does happen, just not what I want! :-)
> >
> > The page displays. The sql works, the "or die" doesn't return anything.
> >
> > I'm able to change the sql by changing the default values.
> >
> > WHAT DOESN'T HAPPEN is that the query_string values DO NOT trump the default variables.
> >
> > so query_string = ?class=X&section=Y&order=ASC
> >
> > I can't input these variables : $class,$section,$order into the SQL statement
> >
> > SELECT *
> > FROM classes
> > WHERE section=$section
> > ORDER BY $class $order
> >
> > -- gil
> >
> > thx for all your patience
> >
> > > -----Original Message-----
> > > From: Micah Stevens [mailto:micah@xxxxxxxxxxxxxxxxxx]
> > > Sent: Wednesday, January 21, 2004 3:12 PM
> > > To: php-db@xxxxxxxxxxxxx
> > > Subject: Re: using query_strings in sql
> > >
> > > Here goes:
> > >
> > > 1) That should work fine. Be sure and enclose the SQL in double quotes or the variable will not get translated into its value.
> > >
> > > 2) That's fine too, nothing wrong there.
> > >
> > > 3) this is wrong, but it looks like you just omitted the SQL statement. Be sure and use the or die statement as it will forward any SQL errors to the screen.
> > >
> > > $selection = mysql_query("SELECT *
> > > FROM whatever
> > > WHERE someField = '$queryString_variable'") or die(mysql_error());
> > > while ($row = mysql_fetch_array($selection)){
> > >
> > > if (query_variable is "X"){
> > >
> > > echo $row["classID"];
> > > }else{
> > > echo "<b>" . $row["classID"] . "</b>";
> > > }
> > >
> > > There isn't anything obviously wrong with the code, it should be doing something, at least printing out the html heading information. Try looking at the page source for errors as well. Change the query to include the or die(mysql_error()); code because the script might be dying with a SQL error and you just aren't seeing it printed out.
> > >
> > > -Micah
> > >
> > > On Wed January 21 2004 11:49 am, mayo wrote:
> > > > good point Micah !! :-)
> > > >
> > > > I don't get an error msg. Nothing happens.
> > > >
> > > > included is the file
> > > >
> > > > Below are the three issues I have with query_strings and sql. The formatting of the .php page is awful. I'm not certain it's legible.
> > > >
> > > > 1. Main issue -- be able to use a query_string variable in a sql statement
> > > >
> > > > SELECT *
> > > > FROM whatever
> > > > WHERE someField = '$queryString_variable'
> > > >
> > > > 2. Be able to set defaults in case variable doesn't exist.
> > > >
> > > > if(!isset($category)){$category="Shop";}
> > > >
> > > > 3. be able to modify results from a sql query with a query_string variable
> > > >
> > > > $selection = mysql_query("
> > > > while ($row = mysql_fetch_array($selection)){
> > > >
> > > > if (query_variable is "X"){
> > > >
> > > > echo $row["classID"];
> > > > }else{
> > > > echo "<b>" . $row["classID"] . "</b>";
> > > > }
> > > >
> > > > thanks all, this is driving me crazy. My bad for taking this project. Easy for me in Cold Fusion, driving me nuts in PHP.
> > > >
> > > > <?php
> > > >
> > > > function getClasses(){
> > > >
> > > > $username="";
> > > > $password="";
> > > > $database="XXX";
> > > > $hostname="localhost";
> > > >
> > > > global $category;
> > > > global $Section;
> > > > global $reorder;
> > > > global $order;
> > > > global $location;

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
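The thread ends with Gil saying he does not yet know how to prevent SQL injection in PHP, and Micah's extract($_GET) suggestion reproduces exactly the register_globals behaviour that lets a query-string value land unchanged inside the SQL. The following is an added example, not code from the thread, showing the pattern Gil is after (defaults, a WHERE on a query-string value, and a caller-chosen ORDER BY column and direction) done without string interpolation. It uses PDO on an in-memory SQLite table so it runs stand-alone; the table and column names come from the thread, the rows and the function names (openDemoDb, param, getClassesUnsafe, getClassesSafe) are constructed for the example. With MySQL only the DSN and credentials change.

```php
<?php
// Added example, not part of the original thread. Assumes PDO with the
// sqlite driver; the rows below are constructed sample data.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE classes (classID TEXT, section TEXT, class TEXT)');
    $ins = $db->prepare('INSERT INTO classes VALUES (?, ?, ?)');
    foreach ([['C101', 'A', 'Pottery'], ['C102', 'A', 'Drawing'], ['C201', 'B', 'Welding']] as $r) {
        $ins->execute($r);
    }
    return $db;
}

// Replaces register_globals / extract($_GET): each parameter is read
// explicitly from $_GET and given the default Gil wanted
// (the if(!isset($category)) pattern), so nothing else in the request
// can define or overwrite a script variable.
function param(array $get, string $name, string $default): string {
    return (isset($get[$name]) && $get[$name] !== '') ? (string) $get[$name] : $default;
}

// The pattern from the thread: WHERE section=$section ORDER BY $class $order
// with the query-string values interpolated straight into the SQL.
function getClassesUnsafe(PDO $db, array $get): array {
    $section = param($get, 'section', 'A');
    $class   = param($get, 'class', 'classID');
    $order   = param($get, 'order', 'ASC');
    $sql = "SELECT classID FROM classes WHERE section='$section' ORDER BY $class $order";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the WHERE value is sent as a bound parameter, so it is
// always treated as data. A column name and sort direction cannot be bound,
// so they are checked against a fixed whitelist before being spliced in.
function getClassesSafe(PDO $db, array $get): array {
    $allowedColumns = ['classID', 'class', 'section'];
    $allowedOrder   = ['ASC', 'DESC'];

    $section = param($get, 'section', 'A');
    $class   = param($get, 'class', 'classID');
    $order   = strtoupper(param($get, 'order', 'ASC'));

    if (!in_array($class, $allowedColumns, true) || !in_array($order, $allowedOrder, true)) {
        throw new InvalidArgumentException('unknown sort column or direction');
    }

    $stmt = $db->prepare("SELECT classID FROM classes WHERE section = ? ORDER BY $class $order");
    $stmt->execute([$section]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDemoDb();

// Constructed requests standing in for $_GET: a normal one, and one where the
// section value closes the string literal and appends its own condition.
$normal  = ['section' => 'A', 'class' => 'classID', 'order' => 'DESC'];
$hostile = ['section' => "' OR '1'='1", 'class' => 'classID', 'order' => 'ASC'];

print_r(getClassesUnsafe($db, $normal));
// Here the quote in the value ends the literal and the OR clause is run by
// the database, so rows from every section come back.
print_r(getClassesUnsafe($db, $hostile));
// Bound parameter: the entire string is compared against section as a value.
print_r(getClassesSafe($db, $hostile));
// Whitelist failure on the ORDER BY column is reported instead of executed.
try {
    getClassesSafe($db, ['class' => 'classID; DROP TABLE classes']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The split matters: bound parameters protect values (the section filter), but identifiers and keywords such as the ORDER BY column and ASC/DESC have to be validated some other way, and a short whitelist is the simplest one that cannot be bypassed. The "password protected area with 2 or 3 users" argument from the top of the thread does not change this; it only changes who can type the hostile query string.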