MySQL PHP Variables

I am still new to PHP, but have come here to this site before for help. My issue is this I have a database that holds a few users by lastname, firstname in that format every the first query I run it pulls all of the users in a drop down menu. Then I select my user and post to another php script that is suppose to give me more information about that user. However, the variable after it has been passed for the second time it show up as lastname, and that is it. Once I get past that part I can continue with the formatting. Hopefully someone else here will have a solution or a suggestion on where to look to figure this out.

Thank you in advance

Submit.php


Submit2.php

I see that many people are saying to use a PDO instead of the MySQL function also. Is there any good guides out there anyone would recommend to change this code here. I guess this is bad practice?

For help on PDO: http://wiki.hashphp.org/PDO_Tutoria...ySQL_Developers

it's good tag..

Hi,

I hope that code isn't online yet!



It's not only the ancient mysql_ functions. You also give away database internals through error messages and completely failed to escape the user input. So your code is basically a playground for script kiddies to try out SQL injections and see what they can do. I'm sure your server will be a valuable member of some Russian botnet.

Just take your very first line of code:

The mysql_error() will print a nicely formatted string with both your username and password, inviting every single internet user to play with your database.

Whatever sh*tty online "tutorial" or book you go this techniques from: delete it from your browser cache, burn it, throw it away, whatever. But don't use it ever again.

The very first thing you should do is to start thinking about security. Obviously it has never occured to you that people might attack your website by manipulating your queries or injecting JavaScript code. To get an impression of security risks, read the Wikipedia articles on SQL injections (as linked above) and cross-site scripting.

After that, get accustomed to the already mentioned PDO. Read the part on prepared statements very carefully, because that's what you gonna use whenever you want to pass variables to a query.

And then you'll have to go through your whole code (not just this script) and fix all the security holes:

• delete ever mysql_error() and similar stuff. Do not display internal error messages to the user. They help attackers and irritate legitimate users.
• replace all mysql_ stuff with the corresponding PDO code. Do not piece query strings together. Use prepared statements instead.
• Do not output raw variables. This can be used to inject JavaScript. Every variable must be escaped with htmlentities() first.

No way is this live. This is a test script for me to learn. I wanted to learn how to make a drop down menu that was populated by MySQL and could carry on to the next. The mysql_error() I was aware of earlier I have problems with the script running and wanted to see where the script was failing. Thank you very much for the helpful advice I will go through and make changes and try to repost with newer code and maybe I could get some help from there.