
Help required!

Following is my insert.php file, to which my form posts the data:

[QUOTE]

<?php
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$age = $_POST["age"];
$con = mysql_connect("localhost","giftme@1","mypass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("giftme@1-airtime", $con);
$sql = "SELECT * FROM PERSON WHERE(first_name='$fname' AND last_name='$lname' AND age='$age')";
$result = MySQL_query($sql, $con);
$already_there = (MySQL_num_rows($result) > 0);

if ($already_there) {
$array = MySQL_fetch_array($result);
$id = $array['id'];
$entries = $array['entries'] + 1;
$sql = "UPDATE person SET entries=$entries WHERE id=$id";
}
else {
$sql = "INSERT INTO person VALUES('', '$fname', '$lname', 1)";
}
MySQL_query($sql, $con);
MySQL_close($con);

/* redirect - this must be the first output of the script
 * not even an empty line can come before the initial <?php tag
 */
header('location: http://yahoo.com/');
?>

[/QUOTE]

I don't know what's gone wrong with the program; it is not running, giving the following error:

[QUOTE]

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /data/apache/users/kilu.de/giftme/www/form/insert.php on line 14

Warning: Cannot modify header information – headers already sent by (output started at /data/apache/users/kilu.de/giftme/www/form/insert.php:14) in /data/apache/users/kilu.de/giftme/www/form/insert.php on line 31
?>

[/QUOTE]

[B]Line 14:[/B] $already_there = (MySQL_num_rows($result) > 0);
[B]Line 31:[/B] header('location: http://yahoo.com/');

Could anyone help?

@tili Jan 23.2008 — try this

[code=php]
<?php
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$age = $_POST["age"];
$con = mysql_connect("localhost","giftme@1","mypass");
if (!$con) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("giftme@1-airtime", $con);
$sql = "SELECT * FROM PERSON WHERE first_name='$fname' AND last_name='$lname' AND age='$age'";
$result = mysql_query($sql, $con);

if (mysql_num_rows($result > 0) {
$array = mysql_fetch_array($result);
$id = $array['id'];
$entries = $array['entries'] + 1;
$sql = "UPDATE person SET entries=$entries WHERE id=$id";
}
else {
$sql = "INSERT INTO person VALUES('', '$fname', '$lname', 1)";
}
mysql_query($sql, $con);
mysql_close($con);

/* redirect - this must be the first output of the script
 * not even an empty line can come before the initial <?php tag
 */
header('location: http://yahoo.com/');
?>
[/code]
@MrCoder Jan 23.2008 — The above is open to SQL injection, Google it.. ([B]mysql_real_escape_string()[/B])

Use "[B]echo mysql_error()[/B]" to debug your code.
@taqi786 (author) Jan 23.2008 — [QUOTE][B]if (mysql_num_rows($result > 0) {[/B][/QUOTE]
Still giving

Parse error: syntax error, unexpected '{' in /data/apache/users/kilu.de/giftme/www/lea/insert.php on line 16
@MrCoder Jan 23.2008 — if (mysql_num_rows($result > 0)[B])[/B] {
@tili Jan 24.2008 — Thanks MrCoder for your reply. Yes, sure, I'm pleased if you could educate me on these things.
@tili Jan 24.2008 — Sorry,

if (mysql_num_rows($result > 0) {

should be like this

if (mysql_num_rows($result > 0)) {
@MrCoder Jan 24.2008 — SQL Injection 101..

[B][SIZE="4"]Typecasting..[/SIZE][/B]


Always make sure values that you are placing in your SQL query such as $_GET or $_POST values are typecasted correctly.

This means if the $_GET value is always a number then typecast it as an (int).

[code=php]
mysql_query("SELECT * FROM users WHERE id = ".$_POST["id"]);
[/code]

That is open to SQL injection since somebody could pass the following to your SQL query.
[CODE]
1; DROP TABLE users
[/CODE]


This is how it should be done..
[code=php]
mysql_query("SELECT * FROM users WHERE id = ".(int)$_POST["id"]);
[/code]


Now no matter what the user populates the $_POST value with, it will always be a number and so it is no longer open to SQL injection.

[B][SIZE="4"]mysql_real_escape_string()..[/SIZE][/B]


Take the following SQL query..
[code=php]
mysql_query("SELECT * FROM users WHERE username = '".$_POST["username"]."'");
[/code]


Somebody could insert the following into the $_POST["username"] value..
[CODE]
frank' OR 1=1--
[/CODE]


This would turn your SQL query into the following..
[code=php]
SELECT * FROM users WHERE username = 'frank' OR 1=1--'
[/code]


Since "--" is like a PHP comment "//", it tells MySQL to ignore the last ' in the line and turns the above into a valid SQL query.

To avoid this use the following..
[code=php]
mysql_query("SELECT * FROM users WHERE username = '".mysql_real_escape_string($_POST["username"])."'");
[/code]


Look up more info on mysql_real_escape_string()

Look up more info on typecasting
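
Added example, not part of the thread or of any poster's code: the concatenated query pattern from insert.php beside a prepared-statement version, run against the `frank' OR 1=1--` value quoted above, followed by the thread's update-or-insert logic using bound parameters only. It assumes PDO with an in-memory SQLite database and a constructed `person` table so it runs offline (against MySQL only the DSN changes); the function names are hypothetical. PDO is used because the `mysql_*` functions in the thread were removed in PHP 7.0.

```php
<?php
// Added example: constructed data, in-memory SQLite via PDO so it runs offline.
// With MySQL only the DSN changes; prepare()/execute() are the same PDO calls.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE person (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    first_name TEXT, last_name TEXT, age INTEGER, entries INTEGER)');
$pdo->exec("INSERT INTO person (first_name, last_name, age, entries)
            VALUES ('frank', 'smith', 30, 1), ('anna', 'jones', 41, 1)");

// Concatenated query, as in the thread's insert.php: input becomes SQL text.
function countMatchesConcatenated(PDO $pdo, string $fname): int
{
    $sql = "SELECT COUNT(*) FROM person WHERE first_name = '$fname'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared statement: input is bound as data and never parsed as SQL.
function countMatchesPrepared(PDO $pdo, string $fname): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM person WHERE first_name = ?');
    $stmt->execute([$fname]);
    return (int) $stmt->fetchColumn();
}

// insert.php's logic (bump entries or insert a row) with bound parameters.
function recordEntry(PDO $pdo, string $fname, string $lname, int $age): void
{
    $find = $pdo->prepare('SELECT id FROM person
        WHERE first_name = ? AND last_name = ? AND age = ?');
    $find->execute([$fname, $lname, $age]);
    $id = $find->fetchColumn();          // false when no row matches
    if ($id !== false) {
        $pdo->prepare('UPDATE person SET entries = entries + 1 WHERE id = ?')
            ->execute([$id]);
    } else {
        $pdo->prepare('INSERT INTO person (first_name, last_name, age, entries)
            VALUES (?, ?, ?, 1)')->execute([$fname, $lname, $age]);
    }
}

$input = "frank' OR 1=1--";              // the value quoted in the thread
printf("concatenated: %d rows\n", countMatchesConcatenated($pdo, $input));
printf("prepared:     %d rows\n", countMatchesPrepared($pdo, $input));
recordEntry($pdo, 'frank', 'smith', (int) '30');             // existing row
recordEntry($pdo, $input, 'x', (int) '1; DROP TABLE users'); // stored as data
```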
@taqi786 (author) Jan 24.2008 — Thanks, I shall try these. Thank you MR CODER and Tili.