onthespot Posted August 4, 2009

Can anyone spot why this is returning "Resource id #20"?

$champion=mysql_query("SELECT champion FROM competitions WHERE comp_name = '$_GET[comp]'");
<td>The reigning champion is <a href=\"userprofile.php?user=$champion\">$champion</a></td>

Any ideas?
jonsjava Posted August 4, 2009

<?php
$comp = mysql_real_escape_string($_GET['comp']);
// the escaped value goes into the query, wrapped in quotes
$champion = mysql_query("SELECT champion FROM competitions WHERE comp_name = '$comp' LIMIT 1");
// mysql_query() returns a result resource; a row has to be fetched from it
$row = mysql_fetch_assoc($champion);
$champion2 = $row['champion'];
echo "<td>The reigning champion is <a href=\"userprofile.php?user=$champion2\">$champion2</a></td>";

I escaped the $_GET (so you don't get injection attacks), and you weren't parsing the results. I fixed those. If you want further explanation, let me know.
onthespot Posted August 4, 2009 (Author)

Thanks mate, I'll try this now. How could this have been targeted by injection attacks? Could you explain?
onthespot Posted August 4, 2009 (Author)

This won't work...

$comp = mysql_real_escape_string($_GET['comp']);
$champion=mysql_query("SELECT * FROM competitions WHERE comp_name = $comp");
$row = mysql_fetch_assoc($champion);
$champion2 = $row['champion'];

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource

That's the error.
micah1701 Posted August 4, 2009

It doesn't seem to like the value of $champion. Two things:

1) Add single 'quotes' around the $comp var (unless the value is an integer):

$champion=mysql_query("SELECT * FROM competitions WHERE comp_name = '$comp' ");

2) Check for errors in your SQL statement:

$champion=mysql_query("SELECT * FROM competitions WHERE comp_name = '$comp' ") or die(mysql_error() );
dadamssg Posted August 4, 2009

Try it this way:

$cxn = mysqli_connect($host,$user,$passwd,$dbname) or die ("Couldn't connect");
// mysqli needs the connection handle for escaping
$comp = mysqli_real_escape_string($cxn, $_GET['comp']);
$query = "SELECT * FROM competitions WHERE comp_name = '$comp'";
$result = mysqli_query($cxn,$query) or die ("Couldn't execute");
// fetch from the mysqli result, not from a mysql_ resource
$row = mysqli_fetch_assoc($result);
$champion2 = $row['champion'];
onthespot Posted August 4, 2009 (Author)

That's fixed it, the first one. Oh, a question: is it safe to add the "or die" part? Is that safer than not having it?
micah1701 Posted August 4, 2009

The "or die" is only for error handling. You can take it out once you've solved the problem. If you leave it in and there is an error with the query, it will break your page (probably a bad thing). Also, if someone does attempt a SQL injection, allowing them to see the error in your die() statement will just help them figure out how to improve their injection attack. I vote take it out.
Bjom Posted August 4, 2009

That is why "...or die()" has no place at all. It is always, always a bad idea, because there are better options that are as easy to use. Read the related blog on this site.

...or trigger_error('myMsg', E_USER_ERROR);

will achieve the same in informing you, and it doesn't break the site, because you can control it by setting the error reporting levels (and there are more neat options that you can figure out yourself in the PHP manual).

Bjom
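The following is an added example, not code posted in this thread, that puts the points made above (jonsjava's escaping and fetching, micah1701's quoting and error checking, Bjom's trigger_error() instead of die()) into one working page fragment. It uses mysqli with a prepared statement instead of mysql_real_escape_string(), so the comp name is sent separately from the SQL text and there is no quoting to get wrong. The table and column names come from the thread; the connection credentials and the display_errors/log_errors settings are placeholders and assumptions.

```php
<?php
// Added example, not code from the thread. It shows: the comp name reaching the
// query only as a bound parameter (no escaping or quoting to get wrong), the
// result handle actually being fetched (the missing step that made the original
// print "Resource id #20"), the value being escaped before it lands in HTML, and
// query failures logged with trigger_error() instead of dumping mysql_error() to
// the visitor via "or die()". Credentials and ini settings are placeholders.

// Log errors, never display them to the visitor (normally set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Look up the reigning champion; returns null when the competition is unknown
// or the query fails. Failure detail goes to the log, not the page.
function fetch_champion(mysqli $db, string $compName): ?string
{
    $stmt = $db->prepare('SELECT champion FROM competitions WHERE comp_name = ? LIMIT 1');
    if ($stmt === false) {
        trigger_error('prepare failed: ' . $db->error, E_USER_WARNING);
        return null;
    }
    $stmt->bind_param('s', $compName);   // bound as a string, sent apart from the SQL
    if (!$stmt->execute()) {
        trigger_error('execute failed: ' . $stmt->error, E_USER_WARNING);
        $stmt->close();
        return null;
    }
    $stmt->bind_result($champion);
    $found = $stmt->fetch();             // this step turns the result handle into a value
    $stmt->close();
    return $found ? (string) $champion : null;
}

// Build the table cell, escaping for both contexts the value lands in:
// the URL query string and the HTML text node.
function champion_cell(?string $champion): string
{
    if ($champion === null) {
        return '<td>No reigning champion found</td>';
    }
    $href = 'userprofile.php?user=' . rawurlencode($champion);
    return '<td>The reigning champion is <a href="'
         . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($champion, ENT_QUOTES, 'UTF-8') . '</a></td>';
}

mysqli_report(MYSQLI_REPORT_OFF);        // return values are checked by hand below
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // placeholder credentials
if ($db->connect_errno) {
    trigger_error('connect failed: ' . $db->connect_error, E_USER_WARNING);
    echo '<td>Competition data is temporarily unavailable</td>';
    exit;
}

$comp = isset($_GET['comp']) ? (string) $_GET['comp'] : '';
echo champion_cell(fetch_champion($db, $comp));
```

With display_errors off and log_errors on, a failed or malformed query produces a generic cell for the visitor and a full message (including the driver's error text) in the server log, which is the behaviour the thread asks for: the developer is informed, the page does not break, and nothing about the query or schema is echoed back to whoever supplied the comp parameter.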