Hi People. Hope someone can help with this. I am new to PHP 5 and finding all sorts of things that differ from PHP 4.

 

I have links that have variables to query a mysql table.

 

The old method I used to use to retrieve the data from mysql with php4 was this:

 

$sql = "SELECT * FROM products WHERE '$_REQUEST[category]' = 'Y' ORDER BY price ASC"; 

 

But I am getting no results returned.

The urls also contained the following:

products.php?category=cat_1

 

But I am hearing that this is no longer the case? Can anyone help me?

 

https://forums.phpfreaks.com/topic/212880-php-4-to-5-code-changes/

That is not a PHP4 vs. PHP5 issue. Your query is using straight quotes for what appears to be a field name. You need to use backquotes for field names. Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets.

 

Try this:

$sql = "SELECT * FROM products WHERE `{$_REQUEST['category']}` = 'Y' ORDER BY price ASC";

Hi there zimmo,

 

Apart from missing the column name, I would recommend NOT using $_REQUEST as this has proven security vulnerabilities, and as you are using it directly in mysql, I would also advocate using some sort of sanitising functions, purely to make sure that whatever data is sent to this script can have any malicious content removed.

 

Just thought I would raise this point.

 

$sql = "SELECT * FROM `products` WHERE `".strip_tags(mysql_real_escape_string($_POST['category']))."` = 'Y' ORDER BY `price` ASC";

 

And you don't single quote column names, this will give an error from the mysql end of things, you should back tick - and only use that to make the column names 'safer' because you can then have spaces & reserved words, though I do NOT advocate this, it's just handy to know as back ticks are very useful when retro-fitting code.

 

Hope that makes sense.

 

Cheers,

Rw

@rwwd: You are absolutely correct that any data from the user must be sanitized. However, your usage of stripslashes() and mysql_real_escape_string() is backwards.

 

mysql_real_escape_string() will add slashes for characters that need to be escaped and then stripslashes() will remove them. So, you would end up with the original unsanitary data. You would want to use stripslashes() first ONLY if the input is on a server where POST/GET data has slashes automatically added because of magic quotes being enabled (which it shouldn't be). This is detailed in the manual.

 

http://us2.php.net/manual/en/security.magicquotes.php

http://us2.php.net/manual/en/security.magicquotes.disabling.php
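The posts above go back and forth on escaping, but the real problem in the original query is that the URL parameter is used as a column name, and neither backticks nor mysql_real_escape_string() make an identifier safe (they protect string values, not identifiers). Here is an added example, not code from the thread, of the defensive pattern: check the requested column against a fixed allow-list and bind the compared value as a parameter. It assumes PDO with an in-memory SQLite table standing in for the MySQL products table, and the column names cat_1..cat_3 are constructed for the demo.

```php
<?php
// Added example (not from the thread). The column name comes from the URL,
// so it is validated against a list of columns we own; escaping cannot do this.
// Assumption: PDO + SQLite in-memory as a stand-in for the MySQL table.

const ALLOWED_CATEGORY_COLUMNS = ['cat_1', 'cat_2', 'cat_3'];

// Returns the column name only if it is exactly one of ours, otherwise null.
function validCategoryColumn(string $candidate): ?string
{
    return in_array($candidate, ALLOWED_CATEGORY_COLUMNS, true) ? $candidate : null;
}

function productsInCategory(PDO $db, string $requestedColumn): array
{
    $column = validCategoryColumn($requestedColumn);
    if ($column === null) {
        // Reject instead of "cleaning": an unknown column is never legitimate.
        throw new InvalidArgumentException('Unknown category column');
    }
    // $column is now one of our own literals, so interpolating it is safe.
    // The value being compared still goes through a bound parameter.
    $stmt = $db->prepare("SELECT name, price FROM products WHERE `$column` = :flag ORDER BY price ASC");
    $stmt->execute([':flag' => 'Y']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT, price REAL, cat_1 TEXT, cat_2 TEXT, cat_3 TEXT)');
$db->exec("INSERT INTO products VALUES ('Widget', 9.99, 'Y', 'N', 'N'), ('Gadget', 4.50, 'Y', 'Y', 'N')");

// Legitimate request, e.g. products.php?category=cat_1: Gadget (4.50) then Widget (9.99).
print_r(productsInCategory($db, 'cat_1'));

// Anything not on the allow-list is refused before it reaches the SQL text.
try {
    productsInCategory($db, 'cat_9');
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

With MySQL the same code works via a `mysql:` DSN; the allow-list is what matters, the driver is incidental.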

@mjdamato,

 

I haven't mentioned stripslashes in this post, unless you are referring to another post I have put my 10p in this evening!

 

But yes, I know that real_escape_string adds slashes to escape certain chars - I had issues with it a few weeks ago, when I hadn't realised that you need a connection handle for it to function. Doh!

 

Thanks for the heads up though, appreciated.

 

Cheers,

Rw

I haven't mentioned stripslashes in this post..

 

Right you are! I misread your previous post where you used strip_tags(). I'm using IE on this PC and sometimes small code blocks are partially hidden where I have to scroll up and down to only see one line at a time. Sorry 'bout that.

 

Although, I would think you would only use strip_tags() in the SELECT query if you used it on the INSERT query.

Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets

Actually, because constants aren't interpolated into strings like that, leaving out the quotes for associative array indices within double quotes is completely valid.

Plus, you have the array index (category) as a constant instead of a string. You should use single quotes for the array index and enclose the array variable inside curly brackets

Actually, because constants aren't interpolated into strings like that, leaving out the quotes for associative array indices within double quotes is completely valid.

 

Not saying you are wrong, but this is what the manual states:

 

http://php.net/manual/en/language.types.array.php

Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not.

 

As the manual states it works, but is bad practice. Maybe there are some exceptions within a double-quoted string, but I prefer to adhere to a standard for my own sake.
