Posted by Dave on 08/15/07 18:29
On 15 Aug, 13:21, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Dave wrote:
> > On 15 Aug, 11:35, Rik <luiheidsgoe...@hotmail.com> wrote:
> >> On Wed, 15 Aug 2007 12:26:42 +0200, Dave
> >> <david.greenh...@praybourne.co.uk> wrote:
> >>> On 15 Aug, 11:06, Rik <luiheidsgoe...@hotmail.com> wrote:
> >>>> On Wed, 15 Aug 2007 11:59:25 +0200, Dave
> >>>> <david.greenh...@praybourne.co.uk> wrote:
> >>>>> I have just set up a duplicate server running:
> >>>>> apache 2.54, mysql 5.04 and php 5.04
> >>>>> This is the same setup as the server we are using now, apart from
> >>>>> the hardware inside. I have copied across the database and website,
> >>>>> with exact same permissions as the first server.
> >>>>> The problem is that part of the php code is executing but others
> >>>>> aren't:
> >>>>> example:
> >>>>> ------------------------
> >>>>> <?php
> >>>>> die(mysql_error());
> >>>>> echo "Connected to MySQL<br />";
> >>>>> mysql_select_db("sales") or die(mysql_error());
> >>>>> echo "Connected to Database<br />";
> >>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> >>>>> ='P191")
> >>>> Shouldn't that be `code` = 'P191'" (notice the ending single quote).
> >>>>> or die(mysql_error());
> >>>>> But when i change it to:
> >>>>> -----------------
> >>>>> <?php
> >>>>> // Make the connection
> >>>>> mysql_connect("localhost", "user", "pass") or die(mysql_error());
> >>>>> echo "Connected to MySQL<br />";
> >>>>> mysql_select_db("sales") or die(mysql_error());
> >>>>> echo "Connected to Database<br />";
> >>>>> $query = mysql_query("SELECT product_name FROM `code_tbl` WHERE `code`
> >>>>> ='$code")
> >>>> Again, the missing ending single quote in the SQL statement. Where does
> >>>> $code come from BTW? You're not relying on register_globals are you? Not
> >>>> a good thing. So, use $code = mysql_real_escape_string($_GET['code']);
> >>>> first.
> >>>>> $result = mysql_fetch_array($query);
> >>>> var_dump($result);
> >>> The missing ' was a mistype in the post. I have tried adding the code
> >>> you suggested along with others.
> >>> 1. adding the line $code = mysql_real_escape_string($_GET['code']);
> >>> outputs absolutely nothing, not even "connected to database"
> >> Have you enabled display_errors? It should be done just after connecting
> >> to the database.
>
> >>> 2. Removing the single quotes around $code
> >> You shouldn't do that.
>
> >>> 3. Removing the last single quote from around $code (so becomes
> >>> '$code ) like mistype above.
> >> Shouldn't do that either.
>
> >>> 4. When single quotes are put back in and adding the line
> >>> var_dump($result);
> >>> outputs: array(2) { [0]=> string(0) "" ["product_name"]=> string(0)
> >>> "" }
> >>> 5. When manually adding the code P191 in to the php code instead of
> >>> $code, the output of var_dump is:
> >>> array(2) { [0]=> string(28) "Pulsar Classic Bomber
> >>> Jacket" ["product_name"]=> string(28) "Pulsar Classic Bomber Jacket" }
> >> Well, echo the query that gets sent before actually using it, and examine
> >> where it differs.
>
> >> --
> >> Rik Wasmus
>
> > Hi Rik,
>
> > I echoed the $code to the page, and it didn't show. However I have
> > noticed that on our internal server, register globals is on. So to
> > test, I turned it on our external server, and everything seems to
> > work.
> > So I guess when you asked before whether I was using register globals,
> > in actual fact, we were on our internal server, but I only looked at
> > the new server.
>
> > So now i found the problem, any pointers how to fix this, I am not too
> > clued up on register globals, although i am searching now...
>
> > thanks for the help
> > Dave.
>
> Rik wins again :-)
>
> Yes, there is a reason it's now off by default. It's a security
> exposure. You really need to change your code to not use it.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Hi again,
just a brief question, as I am unsure of the consequences.
On the new webserver, which has register_globals turned off, every page is
only accessible after logging in using cookies against the mysql
database.
This part seems to be working as normal; I have tried to access many
pages beneath this, and get redirected to the login page if not logged
in. It seems it is only after login that passing variables across to other
pages is not working.
My question is: is it safe to turn globals on for the period of time
while I am recoding all the pages to work with globals turned off, so
that our staff can use the database? I have approx. 100 pages to go
through, and am unsure how long this will take.
thanks
Dave.
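
One way to recode a page like the one in this thread so it works with register_globals off, as an added example that is not part of the original posts. It assumes PDO with the pdo_sqlite driver and an in-memory table as a stand-in for the MySQL "sales" database; `make_sample_db()`, `lookup_product()` and the product-code pattern are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table
// stands in for the MySQL "sales" database (assumption).

// Constructed sample data mirroring the code_tbl row quoted in the thread.
function make_sample_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE code_tbl (code TEXT PRIMARY KEY, product_name TEXT)');
    $pdo->exec("INSERT INTO code_tbl VALUES ('P191', 'Pulsar Classic Bomber Jacket')");
    return $pdo;
}

// With register_globals off, $code is never created for you: read it from
// the one request array you expect (pass $_GET in a real page).
function lookup_product(PDO $pdo, array $request)
{
    if (!isset($request['code']) || !is_string($request['code'])) {
        return null; // parameter missing, or sent as an array
    }
    $code = $request['code'];

    // Allowlist the shape of a product code before it reaches the database.
    // The pattern is an assumption based on the "P191" value in the thread.
    if (!preg_match('/\A[A-Z][0-9]{1,6}\z/', $code)) {
        return null;
    }

    // Bound parameter: no SQL quoting to mistype, no escaping call to forget.
    $stmt = $pdo->prepare('SELECT product_name FROM code_tbl WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$pdo = make_sample_db();
// Constructed request arrays: a valid code, a missing parameter,
// a value with a stray quote, and an array where a string is expected.
$samples = [['code' => 'P191'], [], ['code' => "P191'"], ['code' => ['P191']]];
foreach ($samples as $request) {
    var_dump(lookup_product($pdo, $request));
}
```

Only the first sample returns a product name; the other three return NULL without a query being sent.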