Posted by Hilarion on 10/13/08 11:31
> I have the following script to move forward or backward to
> one record.
> Every thing work well. Only with the forward button and
> when the field NOM have one apostrophe ' inside, the skip
> process stop.
>
> Regards
>
> Otto
>
> Part of the Script
> ******************
> ..
> if (isset($_GET['avant_x'])) {
>     // Action for the "next" button
>     $mes = "Suivant";
>     $query = " SELECT ID, NOM
>                FROM adresse
>                WHERE (nom > '$last_nom') OR (nom = '$last_nom' AND id > $last_id)
>                ORDER BY nom ASC, id ASC LIMIT 1";
>
>     extract(mysql_fetch_array(mysql_query($query)));
> }
>
> elseif (isset($_GET['arriere_x'])) {
>     // Action for the "previous" button
>     $mes = "Précédent";
>     // the id tie-break has to go backwards too (id <), otherwise
>     // records with the same nom are skipped in this direction
>     $query = " SELECT ID, NOM
>                FROM adresse
>                WHERE (nom < '$last_nom') OR (nom = '$last_nom' AND id < $last_id)
>                ORDER BY nom DESC, id DESC LIMIT 1";
>
>     extract(mysql_fetch_array(mysql_query($query)));
> }
Those scripts above do not do any escaping of the
variables put into the SQL query, which may be
the cause of the problem and which will make your
site vulnerable to SQL injection attacks.
You also do not check for errors. If you did, you
would probably get the description of the cause.
My version would be something like this:
<?php
error_reporting( E_ALL );
// Some preprocessing here which probably is also
// getting $last_nom from database or from $_GET.
// If $last_id is from $_GET then you should
// do this:
$last_id = intval( $_GET[ 'last_id' ] );
// before using it in any query.
// If $last_nom is also from $_GET, then you should
// do this (the stripslashes only when magic quotes
// added the backslashes):
$last_nom = $_GET[ 'last_nom' ];
if (get_magic_quotes_gpc())
    $last_nom = stripslashes( $last_nom );
// If it's from database, then you should do this:
if (get_magic_quotes_runtime())
    $last_nom = stripslashes( $last_nom );
// And before using $last_nom in any query you should
// do this (needs an open mysql connection):
$last_nom = mysql_real_escape_string( $last_nom );
// Your code follows:
if (isset($_GET['avant_x']))
{
    $mes = 'Suivant';
    $query =
        "SELECT ID, NOM\n" .
        "FROM adresse\n" .
        "WHERE (nom > '$last_nom')\n" .
        " OR (nom = '$last_nom' AND id > $last_id)\n" .
        "ORDER BY nom ASC, id ASC LIMIT 1\n"
    ;
}
elseif (isset($_GET['arriere_x']))
{
    $mes = 'Précédent';
    // going backwards the id tie-break must be "id <",
    // otherwise records with an equal nom get skipped
    $query =
        "SELECT ID, NOM\n" .
        "FROM adresse\n" .
        "WHERE (nom < '$last_nom')\n" .
        " OR (nom = '$last_nom' AND id < $last_id)\n" .
        "ORDER BY nom DESC, id DESC LIMIT 1\n"
    ;
}
else
{
    die( 'Unknown situation.' );
}
if ($res = mysql_query( $query ))
{
    // mysql_fetch_array returns false both on error and
    // when there simply is no next/previous record
    if ($row = mysql_fetch_array( $res ))
    {
        extract( $row );
    }
    else
    {
        echo 'No record found or error fetching data: ' . mysql_error();
    }
}
else
{
    echo 'Error performing query operation: ' . mysql_error() . "<br />\n";
    echo "In query: <pre>\n" . htmlspecialchars( $query ) . "\n</pre>\n";
}
Hilarion
PS.: The script is for diagnostic purposes. For production you should
not use E_ALL as error_reporting mode, and you should not
echo mysql_error or the SQL query contents (you could log
them to the PHP error log file or mail them to your mailbox).
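The following is an added example, not code from either post in this thread. It reproduces the apostrophe failure Otto reports and shows the two remedies Hilarion's reply is about (escaping the string and casting the integer, and, going one step further, bound parameters), ported to PDO because the mysql_* extension the thread uses no longer exists in PHP 7+. It assumes the PDO SQLite driver is available; the table name `adresse` and the columns `id`/`nom` follow the quoted script, and the rows are constructed. The `stepSql` helper and the `step*` function names are this example's own.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with pdo_sqlite.
error_reporting(E_ALL);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE adresse (id INTEGER PRIMARY KEY, nom TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO adresse (id, nom) VALUES (?, ?)');
// constructed sample rows; one nom contains the apostrophe from the report
foreach ([[1, 'Durand'], [2, "O'Neil"], [3, 'Martin'], [4, 'Martin']] as $row) {
    $ins->execute($row);
}

// Query text shared by the three variants. $cmp and $dir come from a
// boolean, never from the request, so only the values are data here.
function stepSql($forward, $nomExpr, $idExpr) {
    $cmp = $forward ? '>' : '<';
    $dir = $forward ? 'ASC' : 'DESC';
    // The id tie-break follows the same direction as nom; the quoted
    // script used "id >" in both branches, which skips rows with an
    // equal nom when stepping backwards.
    return "SELECT id, nom FROM adresse"
         . " WHERE (nom $cmp $nomExpr) OR (nom = $nomExpr AND id $cmp $idExpr)"
         . " ORDER BY nom $dir, id $dir LIMIT 1";
}

// 1. Otto's pattern: the raw value is pasted into the SQL text. With
//    nom = O'Neil the apostrophe closes the literal early and the rest
//    is a syntax error, so the "skip" stops exactly as reported.
function stepInterpolated(PDO $db, $lastNom, $lastId, $forward = true) {
    $sql = stepSql($forward, "'$lastNom'", $lastId);
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// 2. Hilarion's fix: escape the string and cast the integer before
//    interpolating. PDO::quote plays the role of mysql_real_escape_string
//    (and adds the surrounding quotes itself).
function stepEscaped(PDO $db, $lastNom, $lastId, $forward = true) {
    $sql = stepSql($forward, $db->quote($lastNom), intval($lastId));
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// 3. Bound parameters: the value never becomes part of the SQL text, so
//    no character in nom can alter the statement. Positional markers are
//    used because the same value is needed twice.
function stepBound(PDO $db, $lastNom, $lastId, $forward = true) {
    $st = $db->prepare(stepSql($forward, '?', '?'));
    $st->bindValue(1, $lastNom, PDO::PARAM_STR);
    $st->bindValue(2, $lastNom, PDO::PARAM_STR);
    $st->bindValue(3, (int)$lastId, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC);
}

// Sorted order is Durand(1), Martin(3), Martin(4), O'Neil(2).
try {
    stepInterpolated($db, "O'Neil", 2);          // throws: broken SQL
} catch (PDOException $e) {
    echo "interpolated: " . $e->getMessage() . "\n";
}
var_dump(stepEscaped($db, "O'Neil", 2));         // false: no next record
var_dump(stepBound($db, "O'Neil", 2, false));    // Martin, id 4 (previous)
var_dump(stepBound($db, 'Martin', 4, false));    // Martin, id 3 (tie-break)
```

The escaped variant is the direct equivalent of the thread's `mysql_real_escape_string` advice and is enough to stop the apostrophe from breaking the statement; the bound-parameter variant removes the question of escaping altogether, which is why it is the form to prefer when the driver supports it.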