#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    4
    Rep Power
    0

    Probably old mysql version


    I currently am trying to adapt my code to another mysql database. I used mysqli-functions for everything. But this new database doesn't even know these. The server version is from somewhere around 2005, according to the changelog, because the exact current version isn't written down anywhere.

    So I changed the code, but it still won't work.

    Code:
    $result = mysql_query( "SELECT `password` FROM `admin` WHERE `username`=`".$username."`" );
        var_dump($result);
    This says bool(false).
    Tried to change it like this:
    Code:
    $result = mysql_query( "SELECT `password` FROM `admin` WHERE `username`=%s", $username );
        var_dump($result);
    This returns NULL.
    I'm not quite sure what else to do with the code, so that the query finally will be executed properly.
  2. #2
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,692
    Rep Power
    6351
    You really shouldn't be using a host which is that critically out of date. Is there some reason you're being forced to adapt your code to ancient versions of these applications? You're introducing major security flaws.

    This code would be better as:
    PHP Code:
    $result = mysql_query( "SELECT `password` FROM `admin` WHERE `username`='".mysql_real_escape_string($username)."'" );
        
    var_dump($result); 
    This is dangerous though, and you shouldn't be doing this.

    Also, get the PHP version easily with phpinfo()
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    4
    Rep Power
    0
    The php-Version is 4.4.9.
    But this information doesn't help me. The query string is correct, but the wrong return value still confuses me and I don't know how to fix this.
    And I really don't think that my code is the problem, but the way I have to set things up, so that it works with this old version.

    Or should I just tell my customer to change host?
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,925
    Rep Power
    1045
    Hi,

    in the first query, you've enclosed the username string in backticks ``. This is incorrect (they're only used for identifiers like table or column names).

    You know what? Get rid of the stupid backticks altogether. They just bloat the query and lead to all kinds of confusion (as we just saw).

    What's much more important, though, is security. Is $username escaped with mysql_real_escape_string() as shown by ManiacDan? If not, you need to do that right now. Otherwise you risk the whole server being captured by an attacker.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    4
    Rep Power
    0
    But still, if I do it this way:
    PHP Code:
    $result = mysql_query( "SELECT password FROM admin WHERE username=".mysql_real_escape_string($username)."" );
    It returns just false.

    And this way:
    PHP Code:
    $result = mysql_query( "SELECT password FROM admin WHERE username=%s", mysql_real_escape_string($username) );
    it says that $result is NULL.

    I really feel somewhat lost with this not working.
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,925
    Rep Power
    1045
    Both queries are incorrect and vulnerable to SQL injections, because the strings aren't enclosed in quotes. The second statement doesn't even make sense, because mysql_query() is no printf() or something. You cannot use a format string there.

    No offense, but are you sure you know what you're doing? If not, it might not be the best idea to fumble with a live system, because getting a server hacked due to a security hole usually has severe consequences.
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    4
    Rep Power
    0
    What the..
    Sorry. Been somehow blind. Works now.
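
Added example, not code from any poster in this thread: it runs the unquoted form from post #5, the quoted and escaped form from post #2, and a prepared statement (going beyond the thread's mysql_* calls) against the same inputs, showing why the unquoted form both fails for an ordinary name and stays injectable after escaping. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database replaces the MySQL server, `esc()` is a hypothetical stand-in for mysql_real_escape_string(), and the rows and inputs are constructed.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:');
// Failed statements return false instead of throwing, like mysql_query().
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$db->exec("CREATE TABLE admin (username TEXT, password TEXT)");
$db->exec("INSERT INTO admin VALUES ('alice', 'hash-a'), ('bob', 'hash-b')"); // constructed rows

// Hypothetical stand-in for mysql_real_escape_string(): it only neutralises
// quote characters (SQLite escapes ' by doubling it).
function esc($s) { return str_replace("'", "''", $s); }

// Returns false if the statement failed, otherwise the number of rows matched.
function rows($db, $sql) {
    $st = $db->query($sql);
    return $st === false ? false : count($st->fetchAll());
}

function unquoted($db, $u) {   // shape of the queries in post #5
    return rows($db, "SELECT password FROM admin WHERE username=" . esc($u));
}
function quoted($db, $u) {     // shape of the query in post #2
    return rows($db, "SELECT password FROM admin WHERE username='" . esc($u) . "'");
}
function prepared($db, $u) {   // the value never becomes part of the SQL text
    $st = $db->prepare("SELECT password FROM admin WHERE username = ?");
    $st->execute(array($u));
    return count($st->fetchAll());
}

// Constructed inputs; the last one contains no quote character to escape.
$inputs = array('alice', "o'brien", '0 OR 1=1');
foreach ($inputs as $u) {
    printf("%-10s unquoted=%s quoted=%s prepared=%s\n", $u,
        var_export(unquoted($db, $u), true),
        var_export(quoted($db, $u), true),
        var_export(prepared($db, $u), true));
}
```

In the unquoted form a bare word such as `alice` is parsed as a column name, so the statement fails and returns false, while a value made only of digits and keywords is parsed as part of the WHERE condition and matches every row.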
