PHP MySQL issues.



Saldash
18-04-11, 20:29
Hey folks,

Wondering if you guys might be able to help me out with a problem I'm having getting a PHP script to work correctly.

To start off, the script is designed to take input from $_POST (scrubbing of $_POST will be added when I get the main script working), fetch all columns from a record in a database table and compare two strings.



<?php
mysql_connect("dbhost", "dbuser", "dbpass") or die(mysql_error());
mysql_select_db("databasename");

If (!empty($_POST)) {

    // raw POST values; scrubbing to be added once the basic flow works
    $post_user = $_POST['usr'];
    $post_pass = $_POST['pas'];

    // $post_user is interpolated into the SQL without quotes; this is the
    // line that produces the "Unknown column" error described below
    $result = mysql_query("SELECT * FROM vbnet_auth WHERE username = $post_user") or die(mysql_error());
    $row = mysql_fetch_array( $result );

    // compare the submitted username and key against the fetched record
    If ( $post_user == $row['username'] ) {
        If ( $post_pass == $row['app_key'] ) {
            Echo "auth_yes";
        } Else {
            Echo "auth_no";
        }
    } Else {
        Echo "auth_no";
    }

} Else {
    die("Hacking Attempt!");
}


Problem is I keep getting a returned error: Unknown column '{username}' in 'where clause', where {username} is the username submitted through $_POST['usr'] to $post_user.

The basic purpose of this script is purely to verify that a registered username's product key is valid.
(I submit the POST data using HttpWebRequest and read off the script's Echo in HttpWebResponse using my VB.NET application.)

Again, I know it's far from secure, but I want to get the basic system working before I make it more complex.

Any help would be super appreciated!
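Why the bare word fails, and what the lookup looks like once the value is kept out of the SQL text, as an added example that is not from the original post. It assumes PHP 7+ with the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the poster's MySQL `vbnet_auth` table (the same PDO code runs against MySQL with a different DSN); the row contents are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for the poster's MySQL table so
// this runs offline; only the DSN differs for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `vbnet_auth` (`username` TEXT, `app_key` TEXT)");
$db->exec("INSERT INTO `vbnet_auth` VALUES ('alice', 'KEY-1234')"); // constructed row

// 1. The original query shape: the username is pasted in without quotes, so
//    the SQL parser reads it as an identifier (a column name), not a string.
try {
    $db->query("SELECT * FROM `vbnet_auth` WHERE `username` = alice");
} catch (PDOException $e) {
    echo "unquoted: " . $e->getMessage() . "\n"; // SQLite reports: no such column: alice
}

// 2. Quoting fixes the syntax, but the value is still part of the SQL text,
//    so quote characters in the input still change the query. A placeholder
//    keeps the value out of the SQL entirely; the driver sends it separately.
function checkAppKey(PDO $db, string $user, string $key): string
{
    $stmt = $db->prepare("SELECT `app_key` FROM `vbnet_auth` WHERE `username` = :u");
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of the key matched.
    return ($row !== false && hash_equals($row['app_key'], $key)) ? 'auth_yes' : 'auth_no';
}

echo checkAppKey($db, 'alice', 'KEY-1234'), "\n";   // auth_yes
echo checkAppKey($db, 'alice', 'WRONG'), "\n";      // auth_no
echo checkAppKey($db, "ali'ce", 'KEY-1234'), "\n";  // auth_no: the quote is just part of a name that does not exist
```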

iGoD ReLeNtLeS
18-04-11, 20:41
Try using this.


$result = mysql_query("SELECT * FROM `vbnet_auth` WHERE `username` = '$post_user' ") or die(mysql_error());

When using any MySQL in PHP, ` is used to wrap names of columns, tables etc., and ' is wrapped around PHP variables ;)

Saldash
18-04-11, 21:39
Thank you for the response iGod,

I was just trying this out when I got your reply, does it look ok?

$post_user = mysql_real_escape_string($_POST['usr']);
$post_pass = mysql_real_escape_string($_POST['pas']);

$result = mysql_query("SELECT * FROM vbnet_auth WHERE username = '$post_user';") or die(mysql_error());

Would just using mysql_real_escape_string() be adequate enough for what I need?

iGoD ReLeNtLeS
18-04-11, 21:49
That should work, just remove the ; in the mysql_query.

Although that will work, you really should start wrapping ` around your table and column names etc., else you will start to get errors when you get to more complex stuff. It's also good practice and it's always a good habit to get into :thumb:

For example, like this:


$result = mysql_query("SELECT * FROM `vbnet_auth` WHERE `username` = '$post_user'") or die(mysql_error());

Otherwise you will cause yourself unnecessary errors if your table or column name has spaces in it; it also helps keep things tidy ;)

Saldash
18-04-11, 21:59
Will do :thumb:
Thank you for the help :D

DoubleTop
19-04-11, 09:48
foreach ($_POST as $key => $value) {
    $$key = mysql_real_escape_string(trim($value));
}

I tend to use this a lot: it creates variables out of the $_POST data that I know is then safe to use, and for large forms it saves a load of typing and/or copy/paste!

Slightly confused by the capitalisation in the first post as well, that looks like VB :facepalm:

DT.
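The same trim-the-fields loop driven by an explicit list of the field names the script expects, as an added example that is not DoubleTop's code. With `$$key` the variable name itself comes from the request, so a client can define or overwrite variables the script never declared (the same class of problem PHP's old register_globals had); the request array and `collectFields()` are constructed here, and value escaping is left to the query layer rather than done in this loop.

```php
<?php
// Added example. Constructed stand-in for $_POST: the two fields the login
// script expects, plus one the script never asked for.
$request = ['usr' => '  alice ', 'pas' => 'KEY-1234', 'authenticated' => '1'];

// Variable-variables: every key in the request becomes a local variable,
// including ones that collide with the script's own state.
$authenticated = false;                 // something the script relies on...
foreach ($request as $key => $value) {
    $$key = trim($value);
}
var_dump($authenticated);               // string(1) "1": set by the request, not the script

// Allowlist version: only the expected fields come through, kept in an array
// rather than loose variables, so unknown keys are simply ignored.
function collectFields(array $request, array $expected): array
{
    $clean = [];
    foreach ($expected as $name) {
        // Missing fields become '' so callers don't need isset() everywhere.
        $clean[$name] = isset($request[$name]) ? trim((string) $request[$name]) : '';
    }
    return $clean;
}

$fields = collectFields($request, ['usr', 'pas']);
var_dump($fields);                      // usr => "alice", pas => "KEY-1234"; no 'authenticated' key
```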

Saldash
10-05-11, 00:09
Hi DoubleTop,
I know it has been 2 weeks, I've only just noticed you replied :o

In your sample code, you have:

$$key = mysql_real_escape_string(trim($value));

Is the "$$key = " meant to be a double $$, or was that just a typo?
Silly as it may sound, I've been run in circles by clever coding before, so it's hard for me to tell =/

DoubleTop
10-05-11, 00:16
Not a typo, it's there on purpose :)

That way you create a new variable for each $key in $_POST.

So if your post array was
key1 = valueofkey1
key2 = valueofkey2

you would have variables of
$key1 = valueofkey1
$key2 = valueofkey2

Saldash
10-05-11, 00:22
AH.. I understand it now :)

Thank you :thumb: