views:

73

answers:

4

PHP:

<?php
if (isset($_POST['name'])){
 mysql_connect("localhost", "db", "test") or die(mysql_error());
 mysql_select_db("db") or die(mysql_error());
 $tmp = mysql_query("SELECT commercial FROM Channels WHERE name='.$_POST[name].'");
 echo $tmp[0];
}
else
{
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<input name="name" type="text">
<input type="submit" name="submit" value="submit" >
</form>
<?php
}
?>

MYSQL:

CREATE TABLE IF NOT EXISTS `Channels` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(30) NOT NULL,
  `commercial` tinyint(1) NOT NULL DEFAULT '0',
  `usrid` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

--
-- Daten für Tabelle `Channels`
--

INSERT INTO `Channels` (`id`, `name`, `commercial`, `usrid`) VALUES
(2, 'TEST', 0, 0);

If I write TEST in the input, $tmp[0] is empty.

please help

+1  A: 

You've got mixed apostrophes and quotes here:

 $tmp = mysql_query("SELECT commercial FROM Channels WHERE name='.$_POST[name].'");

Ought to be:

 $tmp = mysql_query('SELECT commercial FROM Channels WHERE name="'.$_POST['name'].'"');

Edit: And, as others have mentioned, it'd be prudent to turn off Magic Quotes, if they're enabled, and to add mysql_real_escape_string(), so:

 $tmp = mysql_query('SELECT commercial FROM Channels WHERE name="'.mysql_real_escape_string($_POST['name']).'"');

Also, to clarify, the reason why I switched from outer quotes to apostrophes is that variable parsing (as opposed to doing the work yourself) adds a bit of overhead.

JKS
http://ca2.php.net/manual/en/language.types.array.php jump to "Array do's and don'ts" where it specifies you should not be referencing that array's element `name` without it being a string literal.
@user257493: Very true. Actually, I didn't even know you *could* reference a key like that.
JKS
A: 

Your SQL string is probably the problem here...

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='{$_POST['name']}'");

Try this instead. I'm using {} braces to encapsulate the string. The . operator performs string concatenation, but only when outside of a string.

Eg,

$temp = "string one 'and' ;;: " . "two";

that's wrong syntax. remove curly braces
Col. Shrapnel
http://ca3.php.net/manual/en/language.types.string.php#language.types.string.parsing it's not part of SQL, but it's to parse variables inside strings.
that's wrong syntax. read this man page yourself
Col. Shrapnel
@Col. His syntax is fine. That's a feature of PHP
Cfreak
@Col. What man page? It's a standard feature of string parsing in php, and easier to read and write `codecodecode'{$var['dedar']}'codecodecode` than it is `codecodecode'".$var['dedar']."'codecodecode`, doubly so if you have a lot of code. Plus it allows for usage of the Nowdoc syntax.
@Cfreak he has it corrected atm, but it was wrong. And please don't tell me of correct syntax. I happen to know PHP syntax, unlike most folks around.
Col. Shrapnel
@Col. What was wrong with it? I'd hate to be making these mistakes.
just run it and see. PHP will throw an error.
Col. Shrapnel
I just did and I don't see the problem under PHP5.2.10. Could you be more specific? http://pastebin.com/RvX0pVYK
I don't see it either, but it was edited.
Col. Shrapnel
Really weird, I don't see the revision history on my post. I'll look into this. I know I updated it with a link to the manpage, and I made the array element reference a string literal, but I don't recall anything with additional curly braces than required.
yes, that was the error I am talking about. You could either add quotes or remove braces. Actually it's easier to write without either quotes or braces, I'd say, just as `"codecodecode'$var[dedar]'codecodecode"`.
Col. Shrapnel
My code now:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='{$_POST['name']}'");
while( $row = mysql_fetch_row($tmp)){
    echo $row['name'];
}
// But the output is empty and should be 0
hanswurst
Does dedar get evaluated as a string literal?
yes it does. see "More examples" snippet at http://php.net/manual/en/language.types.array.php
Col. Shrapnel
That... is so weird. Thanks for showing me this.
+2  A: 

The problem is with your query:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='.$_POST[name].'");

When you have an array item that you want to include in a string, you need to enclose it in curly braces:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='{$_POST['name']}'");

However DO NOT DO THIS. This query is highly insecure and open to SQL injection. Firstly ensure that magic_quotes_gpc is set to off in your PHP configuration (it is insecure and unreliable -- you can use var_dump(get_magic_quotes_gpc()); to confirm whether it is on or not). Then do the following:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='" . mysql_real_escape_string($_POST[name]) . "'");

This will help ensure that your site is not open to an SQL injection attack.

I would also encourage you to look into more modern and secure ways of doing database queries, such as PDO or MySQLi.

lonesomeday
+1 for suggesting SQL Injection and PDO. It kills me how many people still struggle with this concept
Cfreak
your second code snippet has wrong syntax. Remove curly braces. @Cfreak I've never seen anyone who has been convinced by such a "suggestion". Especially accompanied by old-style code. I even suspect that most of these people do not use PDO in their code.
Col. Shrapnel
@Col. I meant how many people struggle with the concept of SQL injection.
Cfreak
@Col Well, the curly braces aren't a syntax error, but the lack of quotes on the array reference is. I'll correct this. Properly protecting against SQL injection is *vital*; PDO is merely an excellent way of going about it.
lonesomeday
Do you use PDO yourself? And lack of quotes is not an error here.
Col. Shrapnel
@Col Sometimes, yes, though it's not my choice every time -- I use Doctrine on occasions as well. I was not familiar with the syntax point you raise (you could have explained it, rather than just saying I'd got it wrong...). I have to say, though, that I don't like it!
lonesomeday
well you are right, sorry. I've been disappointed by many wrong answers here. So, PDO is not your choice - that's what I am talking about. That's a strong habit here, it seems - one tends to recommend a thing which he doesn't use himself. It will never work. It will work with a copy-pasteable example only...
Col. Shrapnel
@Col I meant I disliked your syntax, not PDO! PDO is frequently not enough for me -- I use an ORM instead -- but I *always* use it in preference to raw SQL.
lonesomeday
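An added worked example (not code from the question or from any of the answers) of the PDO prepared-statement approach recommended above, placed next to the concatenated query from the question so the injection can be seen succeeding against one and failing against the other. It assumes PHP with the pdo_sqlite extension and rebuilds the Channels table in an in-memory SQLite database so it runs offline without the MySQL server from the question; the input `' OR '1'='1` is a constructed payload. It also shows the row-fetching step the question was missing, since mysql_query() returns a result handle rather than an array.

```php
<?php
// Added example, not part of the original post or answers.
// Assumptions: PHP with the pdo_sqlite extension; an in-memory SQLite database
// standing in for the MySQL `db` database, with the Channels table rebuilt from
// the question's schema (MySQL-specific types replaced by SQLite equivalents).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly instead of returning false

$pdo->exec('CREATE TABLE Channels (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    commercial INTEGER NOT NULL DEFAULT 0,
    usrid INTEGER NOT NULL DEFAULT 0
)');
// The row from the question plus a second row that an attacker should not be able to read.
$pdo->exec("INSERT INTO Channels (id, name, commercial, usrid) VALUES (2, 'TEST', 0, 0), (3, 'PRIVATE', 1, 7)");

// Vulnerable: the same string building the question used. The user's text becomes SQL.
function commercialUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, commercial FROM Channels WHERE name='" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter, so it can never change the query's structure.
function commercialSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, commercial FROM Channels WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$legit  = 'TEST';
$attack = "' OR '1'='1";   // constructed injection payload

printf("unsafe, legit input : %s\n", json_encode(commercialUnsafe($pdo, $legit)));
printf("unsafe, attack input: %s\n", json_encode(commercialUnsafe($pdo, $attack))); // every row leaks
printf("safe,   attack input: %s\n", json_encode(commercialSafe($pdo, $attack)));   // no row matches

// What the question's form handler should do with the result: one row, or a clear "not found".
$rows = commercialSafe($pdo, $legit);
echo $rows === [] ? "no such channel\n" : "commercial = {$rows[0]['commercial']}\n";
```

Run it with `php example.php`. To point it at the MySQL table from the question, change the DSN to `mysql:host=localhost;dbname=db;charset=utf8mb4` with the question's credentials and additionally set `PDO::ATTR_EMULATE_PREPARES` to false so the server, not the client library, keeps query and data apart. With the prepared statement the `mysql_real_escape_string()` call and the magic_quotes setting discussed above become irrelevant, because the value is never spliced into the SQL text.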
A: 
  1. You have a syntax error:
    $tmp = mysql_query("SELECT commercial FROM Channels WHERE name='.$_POST[name].'");

You likely want:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='" . $_POST['name'] ."'");

Otherwise if your name was "Some Thing" you're asking mysql for ".Some Thing." (also don't use that query as I've written it, it's a security problem, see below)

  2. $tmp isn't an array, it should be a result. You'll need to call one of the mysql_fetch_* functions to get the result. You should also check for an error using mysql_error() to make sure the query succeeds. For example:

    if( !mysql_error() ) {
        $row = mysql_fetch_row($tmp);
        // do something with the row of data
    }

  3. The query as written is a security problem. Someone can use that to take over your database and do anything they want. Use mysql_real_escape_string() to avoid that:

    $tmp = mysql_query("SELECT commercial FROM Channels WHERE name='" . mysql_real_escape_string($_POST['name']) ."'");

Cfreak
My code now:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name='{$_POST['name']}'");
while( $row = mysql_fetch_row($tmp)){
    echo $row['name'];
}
// But the output is empty and should be 0
hanswurst
Note what I said about the security issue. Also check mysql_error() to be sure the query succeeded. If that doesn't work, check your data.
Cfreak