LiquidFusi0n

As already stated mysql_real_escape_string() can be bypassed in a couple of different circumstances, of course use it, but do not rely on it. Also they need to know your table names, field names etc... etc... We are not living so much in the days of MySQL 4 now are we. We have a lovely table called Information_Schema that can provide the attackers with that information... to state don't worry about it too much is a fallacy. Worry about it, and make sure you prevent it. --LiquidFusi0n

I 'THINK' I understand what you are wanting. When using SELECT * it will select all and basically show a row at a time.... you are wanting to show a column at a time right? If so use the following SQL. SELECT logonname FROM venues; And then rinse and repeat for the other columns Hope this helps --LiquidFusi0n

That's twice in one day that's been the solution.... It was the solution to my own problem but I forgot a " No problem, glad you got it sorted --LiquidFusi0n

OK Thread can be closed. After some more de-bugging it was clear that username wasn't being passed. Want to see the culprit? Username: <input type="text" name=username"> Typo's will be the end of us --LiquidFusi0n

Well I can now 100% say it's not a PHP bug as I have just written a working code. 1 <html> 2 <body> 3 4 <form method="POST" action="test.php"> 5 Feedback: <input type="text" name="feedback"> 6 <input type="submit" value="Feedback" name="submit"> 7 8 <?php 9 10 if(isset($_POST['submit']) && isset($_POST['feedback'])){ 11 $file = "test.txt"; 12 $data = $_POST['feedback']; 13 file_put_contents ($file, $data); 14 echo "Done"; 15 } 16 17 ?> 18 19 </body> 20 </html> So now we know it is a machine/code specific problem hmmmmm --LiquidFusi0n

It re-enforces yes... but I like one person on that forum have successfully done this before.... So don't believe it to be a PHP bug. So it may be a machine/set-up specific bug... I'm not sure I will try it out fully tomorrow with both functions. --LiquidFusi0n

Apologies for this 'self-bump' but this is getting beyond a joke I have now added error checking at every stage and no errors are given. This to means it MUST be an error with 'mysql_num_rows'. Anyways I have re-done the code for you guys and I will post the database structure so you can see for yourselves what is looks like MySQL Query With Result mysql> SELECT * FROM details WHERE un='test' AND pwd='pass'; +----+------+------+ | id | un | pwd | +----+------+------+ | 2 | test | pass | +----+------+------+ 1 row in set (0.00 sec) Code: <html> <head> <title> Log-in </title> </head> <body> <form action="login.php" method="POST"> Username: <input type="text" name=username"> Password: <input type="password" name="password"> <input type="submit" name="login" value="Login"> </form> <?php $un = ''; if(isset($_POST['username'])){ $un = $_POST['username']; } $pass = ''; if(isset($_POST['password'])){ $pass = $_POST['password']; } $db = mysql_connect("127.0.0.1:3306", "root" , "password"); //Not actual password btw if(!$db) { die("Error connecting to database: " . mysql_error()); } $db_used = mysql_select_db("login", $db); if(!$db_used){ die("Could not select database: " . mysql_error()); } $user_name = mysql_real_escape_string($un); $password = mysql_real_escape_string($pass); $query = "SELECT * FROM details WHERE un='$user_name' AND pwd='$password'"; //Exact same command works when given the MySQL directly $result = mysql_query($query); if(!$result){ die("SQL query failed: " . mysql_error()); //Query is not returning an error } if(mysql_num_rows($result) == 1) { echo "Login successful welcome back, " . $user_name . ""; } else{ echo "Login unsuccessful"; } ?> </body> </html> This is now past how to do it I really want to know WHY it isn't working --LiquidFusi0n

Hmm one last thought. Do you have the correct permissions set on the directory the text file is in? Try: chmod 777 /whatever/directory/your/in Also chmod 777 the actual file, but directory if PHP is generating the file for you. Also in your above code you never gave the correct arguments You gave file_put_contents($data, $data) instead of file_put_contents($file, $data) If your going to use file_put_contents I would also suggest using LOCK_EX. file_put_contents($file, $data, LOCK_EX) Hope this helps --LiquidFusi0n

Looks like it should work... matches the correct syntax for the command. You may not want to but just try storing it to to a variable and passing fwrite that instead. --LiquidFusi0n

Sorry for the double post but I figured it out. Non of the values were being stored. You never gave submit a name <input type="submit" value="submit" name="submit"> Your code will now work --LiquidFusi0n

Hmm I don't know why the variable is showing as undefined but you can use the following code and it works. Also remember your <html> & <body> tags <?php if(isset($_POST["submit"])){ $value1=$_POST["value1"]; $value2=$_POST["value2"]; $option=$_POST["option"]; } echo $_POST['value1']; ?> <html> <body> <form action="test.php" name="submit" method="post"> <input type="text" name="value1"> <select name="option"> <option>+</option> <option>-</option> <option>*</option> <option>/</option> </select> <input type="text" name="value2"> <input type="submit" value="submit"> </form> </body> </html>

My suggestion would be to run the script and try the RFI yourself. Make sure to test thoroughly. --LiquidFusi0n

Thank you, I will use that if I can't get my own code fixed I am still failing to see why my code is not working... the syntax/logic looks sound to me? --LiquidFusi0n

I always feel bad for my first post on a new forum being a question. But this has me stuck I am writing a very simple log-in script. To check I am using 'mysql_num_rows' and seeing that only one row is returned. I have tried debugging this, and using Google but to no avail. The page is saying 'Login unsuccessful' even when the values are correct. Any help is greatly appreciated. <html> <head> <title> Log-in </title> </head> <body> <form action="login.php" method="POST"> Username: <input type="text" name=username"> Password: <input type="password" name="password"> <input type="submit" name="login" value="Login"> </form> <?php if(isset($_POST['username'])){ $un = $_POST['username']; } if(isset($_POST['password'])){ $pass = $_POST['password']; } $db = mysql_connect("127.0.0.1:3306", "root" , "password"); //Not actual password btw if(!$db) { die("Error connecting to database: " . mysql_error()); } $db_used = mysql_select_db("login", $db); if(!$db_used){ die("Could not select database: " . mysql_error()); } $user_name = mysql_real_escape_string($un); $password = mysql_real_escape_string($pass); $query = "SELECT * FROM details WHERE un=" . $user_name . " AND pwd=" . $password. ""; $query2 = "SELECT * FROM details WHERE un='$user_name' AND pwd='$password'"; //This was for debugging, seeing if it was the passing that was failing $result = mysql_query($query); if(!$result){ echo "There was an error processing your request: " . mysql_error() . ""; } $check = mysql_num_rows($result); if($check == 1){ echo "Login successful, welcome back " . $user_name . ""; } else{ echo "Login unsuccessful, please ensure you are using the correct details"; } ?> </body> </html> Thanks in advance guys.... --LiquidFusi0n