#1
    Problem with data fetching from database using session mechanism


    I want to fetch rows from the database and display them as output on a PHP-scripted web page: the rows which are the result of matching the data entered in a text box in the form with the table in a database. But it's somehow not happening. Below is some code I use.
    1) This is the form:
    PHP Code:
    <?php
    session_start();
    $_SESSION['from'] = "";
    //setcookie("unm","");
    ?>
    <form action="linkpage.php" method="post">
        <input type="text" name="from" id="from"/>
        <input type="text" name="to" id="to"/>
    </form>
    2) This is the PHP code for the form:
    $nor = mysql_num_rows(mysql_query("select * from bus where to_here='".$_POST['to']."' and from_here='".$_POST['from']."'"));
    if ($nor > 0)
    {
        $_SESSION['from'] = $_POST['from'];
        header("Location: searched_bus.php");
        exit; // stop executing this script once the redirect header is sent
    }

    3) And this is the actual PHP code through which I want to fetch rows from the database and display them as output:
    PHP Code:
    <?php
    session_start();
    if ($_SESSION['from'] == "")
    {
        header("Location: homepage1.php");
        exit; // stop executing this script once the redirect header is sent
    }
    ?>
    Below is the query which I use in the same PHP script as above:
    $sql = "SELECT id, from_here, to_here, ac, nonac FROM bus WHERE image= '".$_POST['depart']."' AND fair = '".$_POST['return']."'";

    When I don't use $_POST[] and use the typical WHERE clause, it works fine, but when I use $_POST[] it doesn't work, so I think the problem is in my understanding of using sessions and session variables.
#2
    I already told you that your way of accessing the database is very wrong and very dangerous. It might be a good idea to take that seriously.

    Right now, you're giving the whole world direct access to your database system and possibly the whole server. You need to fix that.

    Apart from that, I have a hard time understanding your code. So the third script is searched_bus.php which you redirect to after you've processed the form? Then where are the POST values supposed to come from? You never send data to that script.
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3
    I completely agree with Jacques. Fix your security holes before going any farther. Seriously. They will be exponentially harder to fix the more code you write.

    Go do it. We'll wait.

    That being said, your code in number 3 makes me shudder a bit. Why are you directing traffic based on session contents? That's probably a bad idea, but outside of that, it indicates that you probably have a bad design going. Why load a page that checks session data and then loads a different page? Why not just direct your traffic wherever the session data is being set in the first place? It just seems like this might be indicative of a poor underlying design.

    In addition to the security stuff already mentioned (and maybe this has been too), you should not be putting POST values directly into your queries. Big no-no. At the very least, you should use prepared statements for this. You're opening yourself up to a world of problems. Since POST data is easy to change and spoof, you can't even count on front-end validation for protection.
#4
    reply


    Hey, first of all, thanks for your response. Actually, I am trying to match the form data with the database. If the rows containing the data exist in the database, then I want to display those rows in my searched_bus.php file. And I am just a trainee in PHP, working on a localhost server at this time.

    The code which I use, and as I tried to explain above, works, but it displays the whole table in searched_bus.php. Instead, I want to display just the rows containing the data relevant to what I entered into the form, and my form file name is homepage1.php. I am just confused, but still trying. I am learning and knowing more things in detail.
#5
    Well, like we already said, you first need to get your database code right and fix the security holes. That's the very first step.

    When that's done, you should post your complete code and explain it a bit more. Right now, it doesn't make a lot of sense. You said you want to select database rows based on the values of a form. But instead of simply sending the form data to the target script (searched_bus.php), you send it to some other script (linkpage.php), store some (but not all) form data in the session and then redirect to the actual script. In this script, however, you don't seem to use the session values but instead try to access the original POST values (which no longer exist at this point). Um, what?

    Using POST isn't really appropriate here, anyway. This is about fetching data, so you should be using GET.

    Comments on this post

    • Nilpo agrees
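
The two points made in posts #3 and #5, a prepared statement instead of request values concatenated into the query, and the search form sent straight to searched_bus.php with GET, combined in one script. This is an added example, not code from the thread: the table and column names are the poster's, while the in-memory SQLite database, its sample rows and the helper names `open_db` and `find_buses` are assumptions made so that it runs stand-alone.

```php
<?php
// Added example (not the poster's code). The SQLite database and its rows are
// constructed here; the bus table and its columns are taken from the thread.
declare(strict_types=1);

function open_db(): PDO
{
    // For MySQL use a "mysql:host=...;dbname=..." DSN plus credentials, and also
    // set PDO::ATTR_EMULATE_PREPARES => false so statements are prepared server-side.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE bus (id INTEGER PRIMARY KEY, from_here TEXT,
                                 to_here TEXT, ac INTEGER, nonac INTEGER)');
    $db->exec("INSERT INTO bus (from_here, to_here, ac, nonac) VALUES
               ('Pune', 'Mumbai', 12, 30),
               ('Pune', 'Nashik', 8, 25),
               ('O''Fallon', 'Mumbai', 4, 10)");
    return $db;
}

function find_buses(PDO $db, string $from, string $to): array
{
    // Placeholders keep the request values out of the SQL text entirely,
    // so a quote in the input is matched as data and cannot end the string.
    $stmt = $db->prepare(
        'SELECT id, from_here, to_here, ac, nonac FROM bus
          WHERE from_here = :from AND to_here = :to'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll();
}

// The form posts here directly: <form action="searched_bus.php" method="get">.
// On the command line $_GET is empty, so a constructed sample request is used.
$request = $_GET ?: ['from' => "O'Fallon", 'to' => 'Mumbai'];
$from = is_string($request['from'] ?? null) ? trim($request['from']) : '';
$to   = is_string($request['to'] ?? null) ? trim($request['to']) : '';
if ($from === '' || $to === '') {
    echo "Both fields are required.\n";
    exit;
}
// Escape on output: values read back from the database are untrusted in HTML.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
foreach (find_buses(open_db(), $from, $to) as $row) {
    printf("%d: %s to %s (AC %d, non-AC %d)\n", $row['id'],
        $h($row['from_here']), $h($row['to_here']), $row['ac'], $row['nonac']);
}
```

Because the search values arrive in the same request that runs the query, no session variable or intermediate redirect is needed, and only the matching rows are returned.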
