Hello

on 14.12.2009 04:04:19 by Karl DeSaulniers

Hi I am new to this list.
I am in need of some help or direction.
I am new to php and databases, so forgive me if my request seems too
simple.

I am making a database of users and have had much success in getting
it to work however, not all my data is getting shown once I try to
display results. I am running an INSERT query that inputs data into
the database from a form. But here is the hiccup. I am assigning the
form data to a $variable.

Eg: $Username = $_POST['Username'];

I then run $Username through some checks to make sure it's not an
injection. After all that I want to insert it into the database. This
works fine if I use:

$query = "INSERT INTO users (Username, UserEmail, etc)

VALUES ('".$_POST['Username']."', '".$_POST['UserEmail']."', etc)";

And it works if I use

VALUES ('".$Username."', '".$UserEmail."', etc)";

However I have some variables that are not posted from the form and in
the first example, it does not insert those in the database.

In the second, it will insert them into the database, but when I go to
display them it is saying there are no records to retrieve. ???? I
looked at the database in phpMySql and they are there. It will only
display them in the results page if they had been inserted using
$_POST. Is this normal?
What is the best way to $_POST a $Variable. Something like
$_POST[$Username] (which doesn't work).

Any help would be greatly appreciated.
Thanks,

Karl
Design Drumm

Sent from losPhone

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Hello

on 14.12.2009 04:50:00 by Jack van Zanen


I don't quite understand what your problem is but it looks as if some fields
of the records that show up in phpMySql are empty and that the result page
that you have built does not show them. If that is the case, is there a
where clause that causes them to not return?

Can you run the query that is on your result page in phpmysql and see what
it returns.


Jack

2009/12/14 Karl DeSaulniers

> Hi I am new to this list.
> I am in need of some help or direction.
> I am new to php and databases, so forgive me if my request seems too
> simple.
>
> I am making a database of users and have had much success in getting it to
> work however, not all my data is getting shown once I try to display
> results. I am running an INSERT query that inputs data into the database
> from a form. But here is the hiccup. I am assigning the form data to a
> $variable.
>
> Eg: $Username = $_POST['Username'];
>
> I then run $Username through some checks to make sure it's not an
> injection. After all that I want to insert it into the database. This works
> fine if I use:
>
> $query = "INSERT INTO users (Username, UserEmail, etc)
>
> VALUES ('".$_POST['Username']."', '".$_POST['UserEmail']."', etc)";
>
> And it works if I use
>
> VALUES ('".$Username."', '".$UserEmail."', etc)";
>
> However I have some variables that are not posted from the form and in the
> first example, it does not insert those in the database.
>
> In the second, it will insert them into the database, but when I go to
> display them it is saying there are no records to retrieve. ???? I looked at
> the database in phpMySql and they are there. It will only display them in
> the results page if they had been inserted using $_POST. Is this normal?
> What is the best way to $_POST a $Variable. Something like
> $_POST[$Username] (which doesn't work).
>
> Any help would be greatly appreciated.
> Thanks,
>
> Karl
> Design Drumm
>
> Sent from losPhone
>
>
>


--
Jack van Zanen



Re: Hello

on 14.12.2009 05:28:55 by Karl DeSaulniers

HI,
Thanks for your response. Here is my query. UserID is auto increment
and UserLastLogin is a current_timestamp.

$query_users = "INSERT INTO users(UserID, Username, UserEmail,
UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress,
UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone,
UserFax, UserEmailVerified, UserRegistrationDate,
UserVerificationCode, UserIP, UserLastLogin)

VALUES('NULL','".$Username."','".$UserEmail."','".
$UserPassword."','".$UserFirstName."','".$UserLastName."','" .
$UserCompany."','".$UserAddress."','".$UserAddress2."','".
$UserCity."','".$UserState."','".$UserCountry."','".$UserZip ."','".
$UserPhone."','".$UserFax."','".$UserEmailVerified."','".
$UserRegistrationDate."','".$UserVerificationCode."','".$Use rIP."',
now())";

This works as far as populating the database, but my results page
does not return anything.

Only if the VALUES is set like this:

VALUES('NULL','".$Username=$_POST['Username']."','".$UserEma il=$_POST
['UserEmail']."','".$UserPassword=$_POST['UserPassword']."', '".
$UserFirstName=$_POST['UserFirstName']."','".$UserLastName=$ _POST
['UserLastName']."','".$UserCompany=$_POST[$UserCompany]."', '".
$UserAddress=$_POST['UserAddress']."','".$UserAddress2=$_POS T
['UserAddress2']."','".$UserCity=$_POST['UserCity']."','".$U serState=
$_POST['UserState']."','".$UserCountry=$_POST[$UserCountry]. "','".
$UserZip=$_POST['UserZip']."','".$UserPhone=$_POST['UserPhon e']."','".
$UserFax=$_POST[$UserFax]."','".$UserEmailVerified=$_POST
[$UserEmailVerified]."','".$UserRegistrationDate=$_POST
[$UserRegistrationDate]."','".$UserVerificationCode=$_POST
['UserVerificationCode']."','".$UserIP=$_POST[$UserIP]."', now())";

but some do not work with this setup. variables like
$UserEmailVerified, $UserRegistrationDate and $UserIP are not created
from the form that was submitted.
for example, User IP date is created like this.

$UserIP = md5($_SERVER['REMOTE_ADDR']);

---------------------

Below is a snip of how I retrieve the info on the result page (don't
want to clutter with whole code. also $fieldOne etc are MySql
wildcards '%' from some dropdown lists that show before this code is
executed. The results from adding show up fine there.)

$query_users = "SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND
Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND
UserPassword LIKE '$fieldFour' AND UserFirstName LIKE '$fieldFive'
AND UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven'
AND UserAddress LIKE '$fieldEight' AND UserAddress2 LIKE '$fieldNine'
AND UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND
UserCountry LIKE '$fieldTwelve' AND UserZip LIKE '$fieldThirteen' AND
UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND
UserEmailVerified LIKE '$fieldSixteen' AND UserRegistrationDate LIKE
'$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND
UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty'
LIMIT $min, $max_results";

$result = mysql_query($query_users) or die(mysql_error());

for($i = 1; $i <= $num_sql; $i++) {
$r = mysql_fetch_array($result, MYSQL_ASSOC);
$UserID = $r['UserID'];
$Username = $r['Username'];
$UserEmail = $r['UserEmail'];
$UserPassword = $r['UserPassword'];
// ... remaining columns and output omitted from the snip ...
}

so I have 3 pages. one adds the users, the next reviews and the last
shows the results of what is picked.

Thanks,

Karl



Re: Hello

on 15.12.2009 03:09:05 by dmagick

Karl DeSaulniers wrote:
> HI,
> Thanks for your response. Here is my query. UserID is auto increment and
> UserLastLogin is a current_timestamp.
>
> $query_users = "INSERT INTO users(UserID, Username, UserEmail,
> UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress,
> UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone,
> UserFax, UserEmailVerified, UserRegistrationDate, UserVerificationCode,
> UserIP, UserLastLogin)
>
> VALUES('NULL','".$Username."','".$UserEmail."','".$UserPassword."',
> '".$UserFirstName."','".$UserLastName."','".$UserCompany."',
> '".$UserAddress."','".$UserAddress2."','".$UserCity."','".$UserState."',
> '".$UserCountry."','".$UserZip."','".$UserPhone."','".$UserFax."',
> '".$UserEmailVerified."','".$UserRegistrationDate."',
> '".$UserVerificationCode."','".$UserIP."',
> now())";
>
> This works as far as populating the database, but my results page does
> not return anything.
>
> Only if the VALUES is set like this:
>
> VALUES('NULL','".$Username=$_POST['Username']."',
> '".$UserEmail=$_POST['UserEmail']."',
> '".$UserPassword=$_POST['UserPassword']."',
> '".$UserFirstName=$_POST['UserFirstName']."',
> '".$UserLastName=$_POST['UserLastName']."',
> '".$UserCompany=$_POST[$UserCompany]."',
> '".$UserAddress=$_POST['UserAddress']."',
> '".$UserAddress2=$_POST['UserAddress2']."',
> '".$UserCity=$_POST['UserCity']."',
> '".$UserState=$_POST['UserState']."',
> '".$UserCountry=$_POST[$UserCountry]."',
> '".$UserZip=$_POST['UserZip']."',
> '".$UserPhone=$_POST['UserPhone']."',
> '".$UserFax=$_POST[$UserFax]."',
> '".$UserEmailVerified=$_POST[$UserEmailVerified]."',
> '".$UserRegistrationDate=$_POST[$UserRegistrationDate]."',
> '".$UserVerificationCode=$_POST['UserVerificationCode']."',
> '".$UserIP=$_POST[$UserIP]."',
> now())";
>
> but some do not work with this setup. variables like $UserEmailVerified,
> $UserRegistrationDate and $UserIP are not created from the form that was
> submitted.
> for example, User IP date is created like this.
>
> $UserIP = md5($_SERVER['REMOTE_ADDR']);

Problem 1 is sql injection. Wrap each variable in a
mysql_real_escape_string call:

insert into table (...) values ('" . mysql_real_escape_string($username)
. "' ....

also quoting 'NULL' means it will add 'NULL' as the id - not what you
want. You can leave out the column to use the default from the database.

Any errors from mysql?

Add:
echo mysql_error();

after your insert call.

> ---------------------
>
> Below is a snip of how I retrieve the info on the result page (don't want
> to clutter with whole code. also $fieldOne etc are MySql wildcards '%'
> from some dropdown lists that show before this code is executed. The
> results from adding show up fine there.)
>
> $query_users = "SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND
> Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND
> UserPassword LIKE '$fieldFour' AND UserFirstName LIKE '$fieldFive' AND
> UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven' AND
> UserAddress LIKE '$fieldEight' AND UserAddress2 LIKE '$fieldNine' AND
> UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND
> UserCountry LIKE '$fieldTwelve' AND UserZip LIKE '$fieldThirteen' AND
> UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND
> UserEmailVerified LIKE '$fieldSixteen' AND UserRegistrationDate LIKE
> '$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND
> UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty' LIMIT
> $min, $max_results";

Again you need to escape all your data (except $min, $max_results - just
make sure they are always integers).

I'm assuming there are no errors reported by mysql.

To debug this, I'd simplify the query and work out which bit isn't
matching what you want (it could be $fieldOne isn't quite what you
expect, or it could be $fieldEleven or $fieldEighteen or ..).

Start off with one field, then add another and go from there.

--
Postgresql & php tutorials
http://www.designmagick.com/


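The three points in the reply above (bind the values instead of concatenating them, leave the auto_increment column out instead of quoting 'NULL', and make database errors visible) put together in one PHP snippet. This is an added example, not Karl's code or anything posted to the list; it uses PDO prepared statements rather than the mysql_* functions, and the DSN, credentials, password hashing, the server-clock registration date and the sample record are all assumptions.

```php
<?php
// Added example, not code from the thread: the registration INSERT rebuilt on
// PDO prepared statements. Table and column names are the poster's; the DSN,
// credentials, password hashing and the sample record are assumptions.
// Requires PHP 7+ (random_bytes, ??) and the pdo_mysql extension.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',  // assumed DSN
        'app_user',                                         // assumed credentials
        'app_password',
        [
            // Throw on any error instead of silently returning false, so a
            // failed INSERT can never masquerade as "no records to retrieve".
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: values never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

/**
 * Insert one user and return the auto_increment UserID.
 * $u holds the form fields keyed by column name (assumed layout).
 */
function insertUser(PDO $pdo, array $u): int
{
    // Form-supplied columns. This list lives in code, never in the request,
    // so building the column list from it does not open an injection.
    $formColumns = [
        'Username', 'UserEmail', 'UserPassword', 'UserFirstName', 'UserLastName',
        'UserCompany', 'UserAddress', 'UserAddress2', 'UserCity', 'UserState',
        'UserCountry', 'UserZip', 'UserPhone', 'UserFax',
    ];

    // UserID (auto_increment) and UserLastLogin (CURRENT_TIMESTAMP) are left
    // out so the server fills them in. Quoting 'NULL' as the original query
    // did sends the four-character string "NULL", not SQL NULL.
    $sql = sprintf(
        'INSERT INTO users (%s, UserEmailVerified, UserRegistrationDate,
                            UserVerificationCode, UserIP)
         VALUES (%s, 0, NOW(), ?, ?)',
        implode(', ', $formColumns),
        implode(', ', array_fill(0, count($formColumns), '?'))
    );

    $params = [];
    foreach ($formColumns as $col) {
        $value = (string) ($u[$col] ?? '');
        // Store a password hash, never the plaintext the original stored.
        $params[] = $col === 'UserPassword'
            ? password_hash($value, PASSWORD_DEFAULT)
            : $value;
    }
    // Verification token from the CSPRNG rather than something guessable.
    $params[] = bin2hex(random_bytes(16));
    // The poster stored md5(REMOTE_ADDR). The raw address is kept here: an
    // md5 over the 2^32 IPv4 space is reversed by brute force, so it hides
    // nothing while making the column useless for abuse lookups.
    $params[] = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // the quote in "O'Reilly" is just data here

    return (int) $pdo->lastInsertId();
}

// Constructed sample record (assumption). Missing keys default to ''.
$sample = [
    'Username'      => 'tim',
    'UserEmail'     => 'tim@example.com',
    'UserPassword'  => 'correct horse battery staple',
    'UserFirstName' => 'Tim',
    'UserLastName'  => "O'Reilly",   // breaks the concatenated query
    'UserCity'      => 'Sebastopol',
    'UserState'     => 'CA',
    'UserCountry'   => 'US',
];

$pdo = connect();
printf("inserted user id %d\n", insertUser($pdo, $sample));
```

With ERRMODE_EXCEPTION a column-count mismatch or a bad value throws at the INSERT, which is the same information the echo mysql_error() suggestion above would have surfaced, only impossible to forget.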

Re: Hello

on 15.12.2009 03:22:16 by Karl DeSaulniers


Hi Chris,

On Dec 14, 2009, at 8:09 PM, Chris wrote:
>>
>
> Problem 1 is sql injection. Wrap each variable in a
> mysql_real_escape_string call:
>
> insert into table (...) values ('" . mysql_real_escape_string($username)
> . "' ....

At one point I did have the mysql_real_escape_string() and it worked
the same as without as far as populating the database.
But when I would view results, it didn't read anything from the database.

>
> also quoting 'NULL' means it will add 'NULL' as the id - not what
> you want. You can leave out the column to use the default from the
> database.

Actually it works fine with 'NULL' for some reason. UserID is an auto
increment and if I take $UserID out as well as its VALUE, I get an
error for number of fields not matching.
>
> Any errors from mysql?
>
> Add:
> echo mysql_error();
>
> after your insert call.
>


>
> Again you need to escape all your data (except $min, $max_results -
> just make sure they are always integers).

Those are so I can control the number of items shown per page.

>
> I'm assuming there are no errors reported by mysql.
>
> To debug this, I'd simplify the query and work out which bit isn't
> matching what you want (it could be $fieldOne isn't quite what you
> expect, or it could be $fieldEleven or $fieldEighteen or ..).
>
> Start off with one field, then add another and go from there.

Basically the result page would not show anything in the database
unless it was inserted in the database using the $_POST method.
Not sure why, but I have since redone the result page utilizing a
different method of retrieval and it looks to be working.

Thank you all for your responses. very quick I might add. :)

>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
>

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Hello

on 15.12.2009 03:33:08 by Karl DeSaulniers


What does this do exactly?
Documentation was a bit fuzzy for me.
Is it needed at all times to protect with?

On Dec 14, 2009, at 8:22 PM, Karl DeSaulniers wrote:

>> mysql_real_escape_string()

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Hello

on 15.12.2009 03:41:37 by dmagick

Karl DeSaulniers wrote:
> Hi Chris,
>
> On Dec 14, 2009, at 8:09 PM, Chris wrote:
>>>
>>
>> Problem 1 is sql injection. Wrap each variable in a
>> mysql_real_escape_string call:
>>
>> insert into table (...) values ('" .
>> mysql_real_escape_string($username) . "' ....
>
> At one point I did have the mysql_real_escape_string() and it worked the
> same as without as far as populating the database.

Did you try names with single quotes? (Tim O'Reilly is a common example
to try).

> But when I would view results, it didnt read anything from the database.

Sure it went in? Did you see the data when you viewed the table in
phpmyadmin or some other tool?

>>
>> Again you need to escape all your data (except $min, $max_results -
>> just make sure they are always integers).
>
> Those are so I can control the number of items shown per page.

I realise that. mysql_real_escape_string is used for data in your query,
and may cause problems if used in limit clauses. If you end up with this
for example:

select * from table limit mysql_real_escape_string('blah');

of course it's not going work.

Hence the check to make sure $min and $max_results are ints before
passing them to the query so if anyone messes with them it won't break
your queries.

// $min and $max_results come in from the request as strings, so is_int()
// would reject every value; validate them as integers and fall back to
// safe defaults if anyone has tampered with them.
if (filter_var($min, FILTER_VALIDATE_INT) === false || $min < 0) {
$min = 0;
}

if (filter_var($max_results, FILTER_VALIDATE_INT) === false || $max_results < 1) {
$max_results = 5;
}

$min = (int) $min;
$max_results = (int) $max_results;

> Basically the result page would not show anything in the database unless
> it was inserted in the database using the $_POST method.

That still suggests an error with the insert.

--
Postgresql & php tutorials
http://www.designmagick.com/


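The integer check for the paging values, carried through to the results-page SELECT from earlier in the thread, as an added PHP example (not code from the thread). It assumes a PDO connection $pdo opened with PDO::ERRMODE_EXCEPTION and a form that sends column names plus page and per_page as query parameters. It also narrows the filterable columns to a whitelist and escapes LIKE wildcards in the visitor's text; UserPassword is left out of the whitelist on purpose, because the original query lets a visitor match the password column with LIKE, which turns the search form into a password oracle.

```php
<?php
// Added example, not code from the thread: the results-page SELECT with the
// paging values validated as integers, the per-column filters bound as
// parameters, and LIKE wildcards in user text escaped. Table and column
// names are the poster's; $pdo is assumed to be a PDO connection opened
// with PDO::ERRMODE_EXCEPTION. Requires PHP 7+.

// Columns a visitor may filter on. UserPassword is deliberately absent:
// letting a visitor run `UserPassword LIKE 'a%'` against the table would
// let them recover stored passwords one character at a time.
const SEARCHABLE_COLUMNS = [
    'Username', 'UserEmail', 'UserFirstName', 'UserLastName',
    'UserCompany', 'UserCity', 'UserState', 'UserCountry',
];

/** Escape LIKE metacharacters so user text matches literally ('!' is the ESCAPE char). */
function escapeLike(string $text): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $text);
}

/** Turn a request value into an int in [$min, $max]; anything else -> $default. */
function intParam($value, int $default, int $min, int $max): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

/**
 * $filters: column name => search text (e.g. $_GET). Empty text means no
 * filter on that column. Returns the rows for the requested page and never
 * returns the password column.
 */
function searchUsers(PDO $pdo, array $filters, $page, $perPage): array
{
    $perPage = intParam($perPage, 5, 1, 100);      // the poster's $max_results
    $page    = intParam($page, 1, 1, 1000000);
    $offset  = ($page - 1) * $perPage;              // the poster's $min

    $where  = [];
    $params = [];
    foreach (SEARCHABLE_COLUMNS as $col) {
        $text = trim((string) ($filters[$col] ?? ''));
        if ($text === '') {
            continue;   // no filter on this column
        }
        // $col comes from the constant whitelist above, never from the request.
        $where[]  = "$col LIKE ? ESCAPE '!'";
        $params[] = '%' . escapeLike($text) . '%';
    }

    $sql = 'SELECT UserID, Username, UserEmail, UserFirstName, UserLastName,
                   UserCity, UserCountry, UserRegistrationDate
            FROM users';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $sql .= ' ORDER BY UserID LIMIT ? OFFSET ?';

    $stmt = $pdo->prepare($sql);
    foreach ($params as $i => $value) {
        $stmt->bindValue($i + 1, $value, PDO::PARAM_STR);
    }
    // LIMIT/OFFSET must be bound as integers: a quoted string there is a
    // syntax error, which is why mysql_real_escape_string never fit here.
    $stmt->bindValue(count($params) + 1, $perPage, PDO::PARAM_INT);
    $stmt->bindValue(count($params) + 2, $offset, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes $pdo exists and the form sends page/per_page plus column
// names as query parameters):
// $rows = searchUsers($pdo, $_GET, $_GET['page'] ?? 1, $_GET['per_page'] ?? 5);
```

Using '!' as the ESCAPE character rather than the backslash keeps the query valid whether or not the server runs with NO_BACKSLASH_ESCAPES, and the explicit ESCAPE clause means a visitor typing 100% gets rows containing that literal text instead of every row.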

Re: Hello

on 15.12.2009 22:50:11 by dmagick

Karl DeSaulniers wrote:
> What does this do exactly?
> Documentation was a bit fuzzy for me.
> Is it needed at all times to protect with?

Per the docs:

prepends backslashes to the following characters: \x00, \n, \r, \, ', "
and \x1a.

So anything that has a null character, a newline (windows/linux/mac),
single and double quotes and \x1a (not sure what that is) is escaped and
ready to be put in a query.

If you don't quote those characters someone could put one of those
characters in a query and cause problems - starting off with an invalid
query but possibly ending up worse.

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Hello

on 15.12.2009 23:48:19 by Karl DeSaulniers

So what's the difference with that and addslashes() ?

Karl

Sent from losPhone

On Dec 15, 2009, at 3:50 PM, Chris wrote:

> Karl DeSaulniers wrote:
>> What does this do exactly?
>> Documentation was a bit fuzzy for me.
>> Is it needed at all times to protect with?
>
> Per the docs:
>
> prepends backslashes to the following characters: \x00, \n, \r, \,
> ', " and \x1a.
>
> So anything that has a null character, a newline (windows/linux/
> mac), single and double quotes and \x1a (not sure what that is) is
> escaped and ready to be put in a query.
>
> If you don't quote those characters someone could put one of those
> characters in a query and cause problems - starting off with an
> invalid query but possibly ending up worse.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
>


Re: Hello

on 15.12.2009 23:58:22 by dmagick

addslashes doesn't take encodings into account.

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

goes into some details.

Karl DeSaulniers wrote:
> So what's the difference with that and addslashes() ?
>
> Karl
>
> Sent from losPhone
>
> On Dec 15, 2009, at 3:50 PM, Chris wrote:
>
>> Karl DeSaulniers wrote:
>>> What does this do exactly?
>>> Documentation was a bit fuzzy for me.
>>> Is it needed at all times to protect with?
>>
>> Per the docs:
>>
>> prepends backslashes to the following characters: \x00, \n, \r, \, ',
>> " and \x1a.
>>
>> So anything that has a null character, a newline (windows/linux/mac),
>> single and double quotes and \x1a (not sure what that is) is escaped
>> and ready to be put in a query.
>>
>> If you don't quote those characters someone could put one of those
>> characters in a query and cause problems - starting off with an
>> invalid query but possibly ending up worse.
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>>
>>
>


--
Postgresql & php tutorials
http://www.designmagick.com/


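The encoding point behind the link above, reproduced offline as an added PHP example (not from the thread or the linked post): addslashes() escapes at the byte level, while MySQL reads the query in the connection's character set. The payload, the assumed gbk connection and the GBK-to-UTF-8 decode that stands in for the server's parser are all constructed for the demonstration; it needs the mbstring extension.

```php
<?php
// Added example, not code from the thread: why addslashes() is not a
// substitute for a charset-aware escape. The payload and the assumed gbk
// connection charset are constructed; everything runs offline.
// Requires the mbstring extension.

/** What addslashes() makes of the classic GBK payload. */
function escapedWithAddslashes(): string
{
    // 0xBF is a valid lead byte of a two-byte GBK character, so the attacker
    // sends it immediately before the quote they want to smuggle through.
    $input = "\xbf' OR 1=1 -- ";
    return addslashes($input);   // inserts 0x5C between 0xBF and the quote
}

/**
 * Decode bytes the way a MySQL connection with character set gbk would:
 * 0xBF 0x5C is one complete GBK character, so the backslash that
 * addslashes() inserted is swallowed into it and the quote is bare again.
 */
function asSeenByGbkConnection(string $bytes): string
{
    return mb_convert_encoding($bytes, 'UTF-8', 'GBK');
}

/** True if every single quote in $s is preceded by a backslash. */
function allQuotesEscaped(string $s): bool
{
    return preg_match("/(?<!\\\\)'/", $s) === 0;
}

/** Compare the byte-level view (what addslashes checked) with the server's view. */
function demo(): array
{
    $escaped = escapedWithAddslashes();
    $decoded = asSeenByGbkConnection($escaped);
    return [
        'escaped_bytes'           => bin2hex($escaped),
        'safe_at_byte_level'      => allQuotesEscaped($escaped),
        'safe_at_gbk_level'       => allQuotesEscaped($decoded),
        'what_the_server_parses'  => $decoded,
    ];
}

print_r(demo());
```

The byte-level check passes and the character-level check fails: after decoding, the string literal closes at the attacker's quote and the rest of the payload is parsed as SQL. mysql_real_escape_string() avoids this only when the client library knows the connection charset (set it with mysql_set_charset(), not a bare SET NAMES); a prepared statement with the charset in the DSN, as in the PDO examples earlier in the thread, never puts the bytes into the SQL text at all. MySQL's utf8 character sets are not affected by this particular trick because 0x5C can never be a trailing byte there.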