    $request = 'SELECT * FROM flight WHERE Id = \''.$_SESSION['LFLightRadio'].'\'';
    $data = mysql_fetch_array(mysql_query($request, $SQL));
    echo '<table class="table">';
    foreach($data as $key => $value) {
        echo '<th class="head" align="center" height="19">'.$key.'</th>';
    }
    echo '<tr>';
    foreach($data as $key => $value) {
        echo '<td class="cell" align="center" height="19">'.$value.'</td>';
    }
    echo '</tr></table>';

I know that the LFlightRadio value is set, and is a value returned by the Id value of a previously returned row from the flight database. So within "flight", a record definitely exists with this Id. But, this still gives me a non-array result, so that when I try to use foreach on it, it errors out. Suggestions?

+2  A: 

Before the `echo '<table class="table">';`, add:

    echo '<br>$_SESSION[\'LFLightRadio\']="'.$_SESSION['LFLightRadio'].'"<br>';

to make sure you actually have a value to compare to flight.Id in the query. The way you are doing this is a huge SQL injection attack waiting to happen! See this question: http://stackoverflow.com/questions/2122522/mysql-real-escape-string-for-session-variables-necessary

EDIT

Add this before the `echo '<table class="table">';`:

    echo '<br>$request="'.$request.'"<br>';

Run that query on the database. Are any rows returned?

KM
Doesn't matter - it's not a public site - and I already made sure that LFlightRadio exists, because I checked it repeatedly in statements that I cut.
DeadMG
When you do code a public site you will fall back into this habit.
KM
Well, that was revealing. $_SESSION['LFlightRadio'] is 8. But the constructed $request doesn't actually contain this value.
DeadMG
Better to use parametrized queries for sure, but session variables should be safe as long as you're not putting user input in them.
Marcus Adams
@DeadMG: defensive coding practices shouldn't be abandoned just because you think it doesn't matter. Guess from where MOST security break-ins occur... Internal applications by current employees.
Chris Lively
The database is full of junk for demonstration purposes, and the exactitudes of my SQL communication are not the subject of the demo.
DeadMG
I don't like your attitude, son.
Adam Backstrom
A: 
    $var = $_SESSION['LFlightRadio'];
    $request = "SELECT * FROM flight WHERE Id = '$var'";
    $data = mysql_fetch_array(mysql_query($request, $SQL));

This works! For some reason, when I concatenated it straight, it didn't actually add the variable into the string. But when I've done that, it got put in and I got the expected.

DeadMG
Concatenation should have worked. It's most likely a typo. Notice the case difference between `'LFlightRadio'` and `'LFLightRadio'`.
Marcus Adams
You see what you want to see, rather than what's there, I guess.
DeadMG
+1  A: 

Did you mean to use

    mysql_fetch_assoc

instead of `mysql_fetch_array`? Array would have keys like 0,1,2...

SorcyCat
It has both, actually. I just changed to assoc, cause I was dumping duplicates on the screen.
DeadMG
A: 

Several thoughts:

    // Use mysql_real_escape_string on your $_SESSION value.
    // (Key spelled 'LFlightRadio'; array keys are case sensitive.)
    echo $query = 'SELECT * FROM flight WHERE Id = \''.mysql_real_escape_string($_SESSION['LFlightRadio']).'\'';

    // Use mysql_error(); pass the query first, then the $SQL link from the question.
    $data = mysql_query($query, $SQL) or die(mysql_error());

    // Check the output
    var_dump($data);

    // Check the result of fetch_array
    var_dump(mysql_fetch_array($data));
Christopher W. Allen-Poole
A: 

You have a mis-capitalization in your code.

`$_SESSION['LFLightRadio']` is most likely intended to be `$_SESSION['LFlightRadio']`

Array keys are case sensitive.

brandon k
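
An added example, not code from any post in this thread: the same lookup with the session key checked before use, the Id bound as a query parameter instead of concatenated, and the output HTML-escaped. It assumes PDO with the SQLite driver so that it runs offline against a constructed `flight` table; the `Origin` and `Destination` columns, the sample row, and the `fetchFlight` and `renderRow` helpers are all hypothetical.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for the
// MySQL "flight" table; every column except Id is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE flight (Id INTEGER PRIMARY KEY, Origin TEXT, Destination TEXT)');
$db->exec("INSERT INTO flight VALUES (8, 'LHR', '<b>JFK</b>')");

// Constructed session state; a real page would get this from session_start().
$_SESSION = ['LFlightRadio' => '8'];

function fetchFlight(PDO $db, array $session, string $key): array
{
    // Array keys are case sensitive: fail loudly instead of querying with ''.
    if (!array_key_exists($key, $session)) {
        throw new InvalidArgumentException("session key '$key' is not set");
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT * FROM flight WHERE Id = :id');
    $stmt->execute([':id' => $session[$key]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // named columns only, no 0,1,2 duplicates
    if ($row === false) {
        throw new RuntimeException('no flight row matches that Id');
    }
    return $row;
}

function renderRow(array $row): string
{
    $esc = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    $html = '<table class="table"><tr>';
    foreach (array_keys($row) as $name) {
        $html .= '<th class="head">' . $esc($name) . '</th>';
    }
    $html .= '</tr><tr>';
    foreach ($row as $value) {
        $html .= '<td class="cell">' . $esc($value) . '</td>';
    }
    return $html . '</tr></table>';
}

echo renderRow(fetchFlight($db, $_SESSION, 'LFlightRadio')), "\n";

try {
    fetchFlight($db, $_SESSION, 'LFLightRadio');   // the mis-capitalized key
} catch (InvalidArgumentException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}
```

The `mysql_*` functions used throughout the thread were removed in PHP 7, so PDO or mysqli prepared statements are the replacement on current PHP versions.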