I have some PHP code that calls MySQL that works in Firefox and other browsers, but IE doesn't seem to handle it.

<?php include "casti/mysql_connect.php"; 
$result = mysql_query("SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'");
$row = mysql_fetch_array( $result ); // Line 60 !

echo $row['title'];

?>

And here is what shows up in IE...

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /httpd/html/prohuntingcz/www/cms.php on line 60

Thanks for any help.

+11  A: 

PHP and MySQL are completely separate from the browser. Most likely there's something in your HTML or JavaScript that sends the table and id variables correctly from Firefox etc., but wrong from IE. Please show us that code instead.

Blixt
What Blixt said. You can try using Fiddler to see what gets sent over HTTP.
Andrew Bullock
+3  A: 

PHP is processed at the server side so it has nothing to do with the browser. What can be causing your problem could be some JavaScript that processes the form fields before submitting them to the server - that's the part that is browser dependent.

quosoo
A: 

That code is very hackable.

Try changing the

$result = mysql_query("SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'");

to

$result = mysql_query("SELECT * FROM " . mysql_real_escape_string($_POST['table']) ." WHERE id='" . mysql_real_escape_string($_POST['id']) . "'");

Also, in your HTML make sure your form elements have name="table" for the table element and name="id" for the id element. If you already have id="table" and id="id", then just add name="table" and name="id" also.

Stewart Robinson
You also need to escape the "..FROM ".$_POST['table']." WHERE.." bit
JonoW
+1  A: 

Try echoing the query back to the browser to see the results of the variable substitutions - you should see pretty quickly what has gone wrong.

<?php include "casti/mysql_connect.php"; 
$query = "SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'";
echo "<div>The query is: " . htmlentities($query). "</div>";
$result = mysql_query($query);
$row = mysql_fetch_array( $result ); // Line 60 !

echo $row['title'];
?>
Jason Musgrove
+2  A: 

Most likely IE is caching the page from a previous version of the script when you had that error. To stop browsers from caching the results of your PHP code, add

header("Cache-Control: no-store, no-cache, must-revalidate");

to the beginning of every PHP script whose results you're displaying. Also, do not allow the posted variable to be used directly in an SQL query, as this just opens you up to attack; instead you must sanitize it first using something like

$user_table = $_POST['table'];
$user_id = $_POST['id'];

$user_table = mysql_real_escape_string($user_table);
$user_id = mysql_real_escape_string($user_id);

$query = "SELECT * FROM ".$user_table." WHERE id='".$user_id."'";
echo "<div>The query is: " . htmlentities($query). "</div>";
Andrew Marsh
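
An added example, not taken from any of the answers above: mysql_real_escape_string() only protects values placed inside quotes, so here the table name is checked against a fixed list and the id is passed as a bound parameter. The table names, the fetch_title() helper and the in-memory SQLite database (used so the script runs without a MySQL server) are assumptions; with MySQL only the PDO DSN changes.

```php
<?php
// Added example: allowlisted table name + bound id parameter.
// Assumptions (not from the page): table names 'articles' and 'news',
// the helper name fetch_title(), and an in-memory SQLite database
// standing in for the MySQL server so the script runs offline.

const ALLOWED_TABLES = ['articles', 'news'];

function fetch_title(PDO $pdo, array $post): ?string
{
    // A browser that fails to send a field must not reach the query at all.
    $table = $post['table'] ?? '';
    $id    = $post['id'] ?? '';
    if (!is_string($table) || !is_string($id)) {
        return null;
    }
    // Identifiers cannot be bound as parameters, so compare against a fixed list.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        return null;
    }
    // ids are numeric here; reject anything else before it reaches SQL.
    if (!ctype_digit($id)) {
        return null;
    }
    // $table is now one of our own constants; the id travels as a bound value.
    $stmt = $pdo->prepare("SELECT title FROM $table WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    $title = $stmt->fetchColumn();

    return $title === false ? null : (string) $title;
}

// Constructed sample data and requests.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO articles (id, title) VALUES (1, 'Hello')");

$requests = [
    ['table' => 'articles', 'id' => '1'],             // well-formed
    ['id' => '1'],                                    // field missing
    ['table' => 'users', 'id' => '1'],                // table not on the list
    ['table' => 'articles', 'id' => "1' OR '1'='1"],  // non-numeric id
];
foreach ($requests as $post) {
    var_export(fetch_title($pdo, $post));
    echo PHP_EOL;
}
```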