#1 | Registered User (Devshed Newbie) | Joined Dec 2012 | Posts: 3

MySQL PHP Variables


I am still new to PHP, but have come to this site before for help. My issue is this: I have a database that holds a few users as "lastname, firstname", in that format. The first query I run pulls all of the users into a drop-down menu. Then I select my user and post to another PHP script that is supposed to give me more information about that user. However, the variable, after it has been passed for the second time, shows up as lastname, and that is it. Once I get past that part I can continue with the formatting. Hopefully someone else here will have a solution or a suggestion on where to look to figure this out.

Thank you in advance

Submit.php
PHP Code:
<?php
// Host, user, password and database name are the placeholders from the original post.
mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

// `table` is a reserved word in MySQL, hence the backticks around the placeholder name.
$query = "SELECT lfname FROM `table` ORDER BY lfname";
$result = mysql_query($query) or die(mysql_error());

$options = "";
while ($nt = mysql_fetch_array($result)) {
    // The value attribute must be quoted: a value such as Doe, John contains a
    // space, and an unquoted value=Doe, John is cut off by the browser at the
    // space, so only the last name (with its comma) reached submit2.php.
    $options .= "<option value=\"$nt[lfname]\">$nt[lfname]</option>";
}
mysql_free_result($result);
// The stray echo "</select>" that preceded the form is gone; the <select>
// below is opened and closed in the HTML itself.
?>
<form action="submit2.php" method="POST">
<table border="0" bgcolor="#FFFFFF">
<tr>
  <td>
    <select name="names">
      <?= $options ?>
    </select>
  </td>
</tr>
<tr>
  <td>
    <input type="submit" value="submit" /><input type="reset" value="Reset" />
  </td>
</tr>
</table>
</form>
Submit2.php
PHP Code:
<?php
mysql_connect('localhost', 'username', 'password') or die(mysql_error());
mysql_select_db('database') or die(mysql_error());

$names = $_POST['names'];
// $names goes into the query unescaped, exactly as posted; reply #5 covers why that is dangerous.
$sql = "SELECT lfname FROM `table` WHERE lfname = '$names'";
// The original wrapped the whole call in quotes, so $result was a string, not a result set.
$result = mysql_query($sql) or die(mysql_error());
// Fetch the matching row (false if there is none); the original's empty while loop
// ran until fetch returned false and then printed nothing.
$info = mysql_fetch_array($result);
print $names;
?>
<table border="0" bgcolor="#FFFFFF">
  <tr>
    <td>
      <?= $info ? $info['lfname'] : 'no match' ?>
    </td>
  </tr>
</table>
#2 | Registered User (Devshed Newbie) | Joined Dec 2012 | Posts: 3

I see that many people are saying to use PDO instead of the MySQL functions as well. Are there any good guides out there anyone would recommend for changing this code here? I guess this is bad practice?
#3 | Contributing User (Devshed Newbie) | Joined Jan 2011 | Posts: 105
#4 | Registered User (Devshed Newbie) | Joined Dec 2012 | Posts: 1

it's good tag..
#5 | Devshed Expert | Joined Jul 2012 | Posts: 3,957
Hi,

I hope that code isn't online yet!

Originally Posted by jneiling
I guess this is bad practice?

It's not only the ancient mysql_ functions. You also give away database internals through error messages and completely failed to escape the user input. So your code is basically a playground for script kiddies to try out SQL injections and see what they can do. I'm sure your server will be a valuable member of some Russian botnet.

Just take your very first line of code:
PHP Code:
mysql_connect("localhost", "username", "password") or die(mysql_error());
The mysql_error() will print a nicely formatted string with both your username and password, inviting every single internet user to play with your database.

Whatever sh*tty online "tutorial" or book you got these techniques from: delete it from your browser cache, burn it, throw it away, whatever. But don't use it ever again.

The very first thing you should do is to start thinking about security. Obviously it has never occurred to you that people might attack your website by manipulating your queries or injecting JavaScript code. To get an impression of security risks, read the Wikipedia articles on SQL injections (as linked above) and cross-site scripting.

After that, get accustomed to the already mentioned PDO. Read the part on prepared statements very carefully, because that's what you're going to use whenever you want to pass variables to a query.

And then you'll have to go through your whole code (not just this script) and fix all the security holes:
• delete every mysql_error() and similar stuff. Do not display internal error messages to the user. They help attackers and irritate legitimate users.
• replace all mysql_ stuff with the corresponding PDO code. Do not piece query strings together. Use prepared statements instead.
• Do not output raw variables. This can be used to inject JavaScript. Every variable must be escaped with htmlentities() first.

Comments on this post

• Rhytz agrees
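The three fixes listed in reply #5, worked through as an added example that is not code from this thread: submit2.php rewritten with PDO, a prepared statement for the user-supplied name, errors logged server-side instead of shown, and every value escaped before it reaches the page. The DSN, the credentials, the table name `table` and the column `lfname` are placeholders carried over from the posted code; the `connect()` and `h()` helpers are this example's own.

```php
<?php
// Added example (not the original poster's code): submit2.php rebuilt with PDO.
// DSN, credentials, `table` and `lfname` are placeholders from the thread.

// Internal errors never reach the browser: they are logged, the user sees a
// generic message (first bullet in reply #5).
ini_set('display_errors', '0');

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=database;charset=utf8mb4';
    return new PDO($dsn, 'username', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// HTML-escape anything written into the page, so a stored name such as
// <script>alert(1)</script> is displayed as text, not executed (third bullet).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

try {
    $db = connect();

    // Rebuild the drop-down from submit.php, with both the value and the label escaped.
    $options = '';
    foreach ($db->query('SELECT lfname FROM `table` ORDER BY lfname') as $row) {
        $options .= '<option value="' . h($row['lfname']) . '">' . h($row['lfname']) . '</option>';
    }

    // Look up the submitted name with a prepared statement (second bullet).
    // The value travels separately from the SQL text, so a name containing a
    // quote, whether O'Brien or ' OR '1'='1, is matched literally and cannot
    // change the query.
    $info = null;
    if (isset($_POST['names'])) {
        $stmt = $db->prepare('SELECT lfname FROM `table` WHERE lfname = :name');
        $stmt->execute([':name' => $_POST['names']]);
        $info = $stmt->fetch();   // associative row, or false when nothing matched
    }
} catch (PDOException $e) {
    // Full details (driver message, SQLSTATE) go to the server log only.
    error_log('submit2.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Sorry, something went wrong. Please try again later.');
}
?>
<form action="submit2.php" method="POST">
  <select name="names"><?= $options ?></select>
  <input type="submit" value="submit" />
</form>
<?php if ($info !== null): ?>
<p><?= $info ? h($info['lfname']) : 'No such user.' ?></p>
<?php endif; ?>
```

`htmlspecialchars()` with `ENT_QUOTES` is sufficient for text and attribute values in an HTML page; `htmlentities()`, as the reply suggests, works the same way here and additionally encodes every character that has a named entity. `ATTR_EMULATE_PREPARES => false` makes PDO send the statement and the parameters to MySQL separately rather than quoting them client-side; either mode keeps the input out of the SQL text, but native prepares remove the client-side escaping step entirely.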
#6 | Registered User (Devshed Newbie) | Joined Dec 2012 | Posts: 3

No way is this live. This is a test script for me to learn. I wanted to learn how to make a drop-down menu that was populated by MySQL and could carry on to the next. The mysql_error() I was aware of earlier; I had problems with the script running and wanted to see where the script was failing. Thank you very much for the helpful advice. I will go through and make changes and try to repost with newer code, and maybe I could get some help from there.
