Hi Chris,
On Dec 14, 2009, at 8:09 PM, Chris wrote:
Problem 1 is sql injection. Wrap each variable in a
mysql_real_escape_string call:
insert into table (...) values ('" . mysql_real_escape_string
($username) . "' ....
At one point I did have the mysql_real_escape_string() and it worked
the same as without as far as populating the database.
But when I would view results, it didnt read anything from the database.
also quoting 'NULL' means it will add 'NULL' as the id - not what
you want. You can leave out the column to use the default from the
database.
Actually it works fine with 'NULL' for some reason. UserID is an auto
Incrament and if I take $UserID out as well as its VALUE, I get an
error for number of fields not matching.
Any errors from mysql?
Add:
echo mysql_error();
after your insert call.
Again you need to escape all your data (except $min, $max_results -
just make sure they are always integers).
Those are so I can control the number of items shown per page.
I'm assuming there are no errors reported by mysql.
To debug this, I'd simplify the query and work out which bit isn't
matching what you want (it could be $fieldOne isn't quite what you
expect, or it could be $fieldEleven or $fieldEighteen or ..).
Start off with one field, then add another and go from there.
Basically the result page would not show anything in the database
unless it was inserted in the database using the $_POST method.
Not sure why, but I have since redone the result page utilizing a
different method of retrieval and it looks to be working.
Thank you all for your responses. very quick I might add. :)
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Karl DeSaulniers
Design Drumm
http://designdrumm.com
