onthespot
Posted August 4, 2009

Can anyone spot why this is returning "Resource id #20"

    $champion=mysql_query("SELECT champion FROM competitions WHERE comp_name = '$_GET[comp]'");

    <td>The reigning champion is <a href=\"userprofile.php?user=$champion\">$champion</a></td>

any ideas?

jonsjava
Posted August 4, 2009

    <?php
    // Escape the request value before it goes into the query string
    $comp = mysql_real_escape_string($_GET['comp']);
    // Use the escaped $comp here, not the raw $_GET value
    $champion = mysql_query("SELECT champion FROM competitions WHERE comp_name = '$comp' LIMIT 1");
    // mysql_query() returns a result resource; fetch the row to get the value
    $row = mysql_fetch_assoc($champion);
    $champion2 = $row['champion'];
    echo "<td>The reigning champion is <a href=\"userprofile.php?user=$champion2\">$champion2</a></td>";

I escaped the $_GET (so you don't get injection attacks), and you weren't parsing the results. I fixed those. If you want further explanation, let me know.

onthespot
Posted August 4, 2009

Thanks mate, I'll try this now. How could this have been targeted by injection attacks? Could you explain?

onthespot
Posted August 4, 2009

This won't work...

    $comp = mysql_real_escape_string($_GET['comp']);
    $champion=mysql_query("SELECT * FROM competitions WHERE comp_name = $comp");
    $row = mysql_fetch_assoc($champion);
    $champion2 = $row['champion'];

    Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource

That's the error

micah1701
Posted August 4, 2009

it doesn't seem to like the value of $champion

two things

1) add single 'quotes' to the $comp var (unless the value is an integer):

    $champion=mysql_query("SELECT * FROM competitions WHERE comp_name = '$comp' ");

2) check for errors in your sql statement:

    $champion=mysql_query("SELECT * FROM competitions WHERE comp_name = '$comp' ") or die(mysql_error() );

dadamssg
Posted August 4, 2009

try it this way

    $cxn = mysqli_connect($host,$user,$passwd,$dbname) or die ("Couldn't connect");
    // use mysqli_* throughout; mysql_* and mysqli_* calls cannot share a connection
    $comp = mysqli_real_escape_string($cxn, $_GET['comp']);
    // the string value needs single quotes in the SQL
    $query = "SELECT * FROM competitions WHERE comp_name = '$comp'";
    $result = mysqli_query($cxn,$query) or die ("Couldn't execute");
    // fetch from $result, the value mysqli_query() returned
    $row = mysqli_fetch_assoc($result);
    $champion2 = $row['champion'];

onthespot
Posted August 4, 2009

that's fixed it, the first one

oh, a question: is it safe to add the or die part? is that safer than not having it?

micah1701
Posted August 4, 2009

the or die is only for error handling. you can take it out once you've solved the problem.

if you leave it in, if there is an error with the query it will break your page. (probably a bad thing)

also, if someone does attempt a sql-injection, allowing them to see the error in your die() statement will just help them figure out how to improve their injection attack.

I vote take it out.

Bjom
Posted August 4, 2009

That is why "...or die()" has no place at all. It is always always a bad idea, because there are better options that are as easy to use. Read the related blog on this site

    ...or trigger_error('myMsg', E_USER_ERROR);

will achieve the same in informing you, and it doesn't break the site, because you can control it by setting the error reporting levels (and there are more neat options, that you can figure out yourself in the php manual)

Bjom

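The three points raised in this thread (keep the request value out of the SQL text, fetch a row instead of printing the result handle, keep database errors away from the visitor) in one place, as an added example that is not code from any poster. It swaps in PDO with an in-memory SQLite database for the thread's mysql_* calls so it runs without a server; the sample rows and the function names `find_champion` and `render_cell` are assumptions.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the thread's MySQL database.
// Table and column names come from the thread; the rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE competitions (comp_name TEXT PRIMARY KEY, champion TEXT)");
$pdo->exec("INSERT INTO competitions VALUES ('Summer Cup', 'alice'), ('O''Neill Cup', 'bob')");

// Hypothetical helper: returns the champion, or null when nothing matches or the query fails.
function find_champion(PDO $pdo, string $comp): ?string
{
    try {
        // The placeholder keeps $comp out of the SQL text, so quotes in it cannot change the query.
        $stmt = $pdo->prepare('SELECT champion FROM competitions WHERE comp_name = ? LIMIT 1');
        $stmt->execute([$comp]);
        // The statement is only a handle (the old API's "Resource id #20"); fetch a row for the value.
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row['champion'];
    } catch (PDOException $e) {
        // Detail goes to the server log, not to the visitor (the concern raised about die(mysql_error())).
        error_log('champion lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Hypothetical helper: builds the table cell with the value encoded for each context it lands in.
function render_cell(?string $champion): string
{
    if ($champion === null) {
        return '<td>No champion found</td>';
    }
    $href = htmlspecialchars('userprofile.php?user=' . rawurlencode($champion), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($champion, ENT_QUOTES, 'UTF-8');
    return '<td>The reigning champion is <a href="' . $href . '">' . $text . '</a></td>';
}

// Constructed inputs standing in for $_GET['comp']: a plain name, a name containing a quote,
// and a value shaped like SQL, which the placeholder treats as an ordinary (non-matching) name.
foreach (["Summer Cup", "O'Neill Cup", "x' OR '1'='1"] as $comp) {
    echo render_cell(find_champion($pdo, $comp)), "\n";
}
```

The first two inputs print a champion cell and the third prints "No champion found", because the bound value is compared as a literal string and never parsed as SQL.
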
This topic is now archived and is closed to further replies.