Re: [PHP] select statement — PHP — IT news, forums, messages

You are here: Re: [PHP] select statement « PHP « IT news, forums, messages

Posted by Andy Pieters on 10/19/70 11:15

On Thursday 05 May 2005 10:10, Anasta wrote:
> Why doesnt this work, it shows the username but not the balance of the
> users money.here is the mysql table:
>
> <?php session_start();
> include("connect.php");
> $uname=$_SESSION['username'];
> $user_balance=mysql_query($sql);
> $sql = "Select FROM users ,user_balance WHERE user_id =$uname";
> $result = mysql_query();
>
> ?>
> <?php echo $uname;?><br>
> <?php echo $user_balance;?>

Hi Anasta

In your code, when you issue the mysql_query command the first time, the
variable $sql is still empty.

You should rewrite your script like this:
<?php
session_start();
require('connect.php');
$uname=mysql_escape_string($_SESSION['username'];
$sql= "SELECT *
FROM `users`, `user_balance`
WHERE `user_id`='$uname';";
$result=mysql_query($sql) or die('Database Error');
if(is_resource($result))
if(mysql_num_rows($result>0))
{
$data=mysql_fetch_assoc($result);
mysql_free_result($result);
$user_balance=$data['user_balance'];
$found=true;
}
if(!(isset($found))
echo "Sorry, I could not find a record for user id $uname";
else
{
echo "User: $uname<br>
Balance: $user_balance<br>";
}
?>

Notes:
* just because it comes from SESSION doesn't mean that it cannot be spoofed.
That's why you should escape uname before including it in a query.
* in mysql commands, it is better to explicitally specify the resource link
identifier you obtained when you opened the connection
($link=mysql_connect(...))
* if you include a critical script, better use 'require' because it will cause
php to stop parsing the page if it cannot find the script.

With kind regards

Andy
--
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O/>E$ d-(---)>+ s:(+)>: a--(-)>? C++++$(+++) UL++++>++++$ P-(+)>++
L+++>++++$ E---(-)@ W+++>+++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e>++++$@ h++(*) r-->++ y--()>++++
-- ---END GEEK CODE BLOCK------
--
Check out these few php utilities that I released
under the GPL2 and that are meant for use with a
php cli binary:

http://www.vlaamse-kern.com/sas/
--

--

Navigation:

Next in forum: Re: [PHP] Sending htm as it's being generated
Prev in forum: Re: [PHP] Re: Bug, erreurs ou non documenté
Thread view: Re: [PHP] select statement

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация