zimmo Posted September 8, 2010 Share Posted September 8, 2010 Hi People. Hope someone can help with this. I am new to php5 and finding all sorts of things that differ to php4. I have links that have variables to query a mysql table. The old method I used to use to retrieve the data from mysql with php4 was this: $sql = "SELECT * FROM products WHERE '$_REQUEST[category]' = 'Y' ORDER BY price ASC"; But I am getting no results returned. The urls also contained the following: products.php?category=cat_1 But I am hearing that this is no longer the case? Can anyone help me? Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/ Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 That is not a PHP4 vs. PHP5 issue. Your query is using strait-quotes for what appears to be a field name. You need to use backquotes for field names. Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets Try this: $sql = "SELECT * FROM products WHERE `{$_REQUEST['category']}` = 'Y' ORDER BY price ASC"; Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108773 Share on other sites More sharing options...
rwwd Posted September 8, 2010 Share Posted September 8, 2010 Hi there zimmo, Apart from missing the column name I would recommend NOT using $_REQUEST as this has proven security vulnerabilities, and as you are using directly in mysql, I would also advocate using some sort of sanitising functions, purely to make sure that what ever data is sent to this script can have any malicious content removed. Just thought I would raise this point. $sql = "SELECT * FROM `products` WHERE `".strip_tags(mysql_real_escape_string($_POST[category]))."` = 'Y' ORDER BY `price` ASC"; And you don't single quote column names, this will give an error from mysql end of things, you should back tick - and only use that to make the column names 'safer' because you can then have spaces & reserved words, though I do NOT advocate this, it's just handy to know as back ticks a very useful when retro-fitting code. Hope that makes sense. Cheers, Rw Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108837 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 @rwwd: You are absolutely correct that any data from the user must be sanitized. However, your usage of stripslashes() and mysql_real_escape_string() is backwards. mysql_real_escape_string() will add slashes for characters that need to be escapes and then stripslashes will remove it. So, you would end up with the original unsanitary data. You would want to use strip slashes first ONLY if the input is on a server where POST/GET data has slashes automatically added because of magic quotes being enabled (which it shouldn't be). This is detailed in the manual. http://us2.php.net/manual/en/security.magicquotes.php http://us2.php.net/manual/en/security.magicquotes.disabling.php Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108861 Share on other sites More sharing options...
shlumph Posted September 8, 2010 Share Posted September 8, 2010 This seems to be just a $_POST and $_GET mixup. @mjdamato - strip_tags is different than stripslashes Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108867 Share on other sites More sharing options...
rwwd Posted September 8, 2010 Share Posted September 8, 2010 @mjdamato, I haven't mentioned stripslashes in this post, unless you are referring to another post I have put my 10p in this evening! But yes, I know that real_escape_string adds slashes to escape certain chars - I had issues with it a few weeks ago, when I hadn't realised that you need a connection handle for it to function. Doh! Thanks for the heads up though, appreciated. Cheers, Rw Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108873 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 I haven't mentioned stripslashes in this post.. Right you are! I misread your previous post where you used strip_tags(). I'm using IE on this PC and sometimes small code blocks are partially hidden where I have to scroll up and down to only see one line at a time. Sorry 'bout that. Although, I would think you would only use strip_tags() in the SELECT query if you used it on the INSERT query. Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108892 Share on other sites More sharing options...
Alex Posted September 8, 2010 Share Posted September 8, 2010 Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets Actually, because constants aren't interpolated into strings like that, leaving out the quotes for associative array indices within double quotes is completely valid. Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108905 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets Actually, because constants aren't interpolated into strings like that, leaving out the quotes for associative array indices within double quotes is completely valid. Not saying you are wrong, but this is what the manual states: http://php.net/manual/en/language.types.array.php Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. As the manual states it works, but is bad practice. Maybe there is some exceptions within a double-quoted string, but I prefer to adhere to a standard for my own sake. Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108909 Share on other sites More sharing options...
Alex Posted September 8, 2010 Share Posted September 8, 2010 I agree that it's a bad practice and stay away from it completely as well, but it is valid. There are no error_reporting settings in which doing that will cause any errors or warnings. Quote Link to comment https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/#findComment-1108911 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.