Alex1646 Posted March 9, 2011
Here is the code:

<?php
$db = mysql_query("
    SELECT story_id
    FROM story_info
    WHERE story='$story_form' AND user='$username'
") or die(mysql_error());
$rows = mysql_fetch_assoc($db);
$id = $rows['story_id'];
?>

All of the variables are defined earlier in the code.
kenrbnsn Posted March 9, 2011
Define "it won't work". What doesn't work? Errors? What do you expect to happen?
Ken
Alex1646 (Author) Posted March 9, 2011
Well, the ID variable is simply not getting defined. When I insert the code

$rows = mysql_fetch_assoc($db) or die(mysql_error());

it does DIE, but there is no message from mysql_error().
Alex1646 (Author) Posted March 9, 2011
Here is the whole code if you need it.

<?php
if(isset($_POST['hidden'])) {
    die('SPAM BOT!');
}
if ( !isset($_POST['title']) && !isset($_POST['summary']) && !isset($_POST['story']) && !isset($_POST['rating']) && !isset($_POST['cat']) ) {
    die("<div id='impor'>You forgot to enter one(or more) of the following fields <br /> 1. Title <br /> 2. Summary <br /> 3. Story<br /> </div> ");
}
mysqlConnect();

//put notes in story if they are set
if(isset($_POST['notes'])) {
    $notes_form = mysql_real_escape_string($_POST['notes']);
    $notes_final = bb($notes_form);
    mysql_query(" INSERT INTO story_info(notes) VALUES ('$notes_final') ");
}

//put other in array. Use while loop to put link code. Then put it back into one non-array variable
if(isset($_POST['u_id'])) {
    $uid = mysql_real_escape_string($_POST['u_id']);
    $uid_db = str_replace(' ','_', $uid);
    $blerg = " INSERT INTO story_info(series_id) VALUES('$uid_db') ";
    mysql_query($blerg);
}

//take data from form and put them in variables
$title_form = bb(mysql_real_escape_string($_POST['title'])); //required
$summ_form = bb(mysql_real_escape_string($_POST['summary'])); // required
$story_form = bb(mysql_real_escape_string($_POST['story']));
$cat_form = $_POST['cat'];
$rating_form = $_POST['rating'];
$username = $_SESSION['user'];

// Make the other var into a list of links
mysql_query(" INSERT INTO story_info (title, sum, story, user, cat, rating) VALUES('$title_form','$summ_form', '$story_form,', '$username', '$cat_form','$rating_form') ");

echo "<h1> Your Story Has Been Posted! Thanks for posting $username . </h1>";
echo "Please review the post below <br />";
echo "<h2> $title_form </h2>";
echo "<strong> <h2> Summary: </h2> </strong> $summ_form";
echo "<h4> Story: </h4>";
echo "$story_form";
if(isset($notes)) {
    echo "<h4> Author's Notes: </h4> ";
    echo "$notes_final";
}
if (isset($uid_db)) {
    echo '<h3> Unique Series ID </h3>';
    echo '<p> Make sure to write down this! <br />' .$uid_db .'</p> ';
}
$db = mysql_query(" SELECT story_id FROM story_info WHERE story='$story_form' AND user='$username' ") or die(mysql_error());
$rows = mysql_fetch_assoc($db);
$id = $rows['story_id'];
echo "Catagory: $cat_form <br /> Rating: $rating_form <br /> ";
echo "<a href='?p=page&id=$id'> Click here to view your story! </a>'";
?>
kenrbnsn Posted March 9, 2011
What prints when you do

<?php
$q = "SELECT story_id FROM story_info WHERE story='$story_form' AND user='$username'";
$db = mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error());
if (mysql_numrows($db) > 0) {
    $rows = mysql_fetch_assoc($db);
    $id = $rows['story_id'];
} else {
    echo "No rows found";
}
?>

Ken
Alex1646 (Author) Posted March 9, 2011
I ended up getting "No rows found", but this confuses me. I thought I just inserted the data.
kenrbnsn Posted March 9, 2011
Since you don't check to see that the insert queries executed successfully, how do you know they worked?
Ken
trinaryoc Posted March 9, 2011
Two things...

One, for your own safety, filter your user input:

foreach($_POST as $key => $value) { $data[$key] = filter($value); }

Most every hosting service has a filter installed. Don't just use mysql_real_escape_string.

Two: add a die() at the end of your insert statements just to make sure that they are working correctly. Not knowing how you have your DB setup, I can't really tell if they're working correctly.

mysql_query(" -- insert query here -- ") or die(mysql_error());
Pikachu2000 Posted March 9, 2011
Why would you loop through the entire $_POST array with the same 'filter', when not all data needs the same sanitization, and some, such as values that will be hashed, needs none at all?

What filter would it be that most hosting companies have installed?

What exactly do you feel is wrong with mysql_real_escape_string()?

Using or die( mysql_error() ) is a bad idea, especially on a live, production server.
trinaryoc Posted March 9, 2011
> Why would you loop through the entire $_POST array with the same 'filter', when not all data needs the same sanitization, and some, such as values that will be hashed, needs none at all?

And as it appears, each of OP's $_POST variables is user-entered data. Because it's a single line of very simple code, simpler than singling out each $_POST variable that needs filtering. You can design the function however you wish. A simple filter function for this application could be something like this:

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    $data = mysql_real_escape_string($data);
    return $data;
}

> What filter would it be that most hosting companies have installed?

Pre PHP 5.2 you would have had to have installed the PECL extension. Post 5.2 it was included within PHP.

> What exactly do you feel is wrong with mysql_real_escape_string()?

mysql_real_escape_string only alters for escape characters; it doesn't touch any code that might have been inserted in the text area. And I didn't say not to use it, I said not to ONLY use it.

> Using or die( mysql_error() ) is a bad idea, especially on a live, production server.

This was for diagnostics... OP thought he was having issues on his INSERTs.
Pikachu2000 Posted March 9, 2011
Ease and simplicity is a poor reason. Just because it's simple doesn't mean it's the right way to do it. Every piece of data may not need the same handling, and should be dealt with according to the data type it's expected to be. I suppose you could still use the values from the original $_POST array, but I can see that causing more confusion than it's worth.

Some of the filter() functions aren't nearly up to par, IMO.

If the string is properly escaped using mysql_real_escape_string(), any SQL syntax in the string won't be executed.

Fair enough, but it's really not that much more work to add the proper logic to handle the errors rather than use a hack like or die(). I'd say that's especially true on an INSERT/UPDATE, when mysql_error() may only give you half of the story and you'd need mysql_affected_rows() to present the other half.
trinaryoc Posted March 9, 2011
> Some of the filter() functions aren't nearly up to par, IMO.

Not to hijack the thread, but could you clarify that a little? You've piqued my curiosity.
Alex1646 (Author) Posted March 10, 2011
Ok. I never did get my insert question answered, but I did figure out what's wrong: when I use another insert statement it creates a new row. I tried using UPDATE but it doesn't seem to work. I'm going to start a new thread on this.
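Two things visible in the posted code explain the "No rows found" result: the INSERT writes the value '$story_form,' (a trailing comma inside the quotes), so the later SELECT on story='$story_form' can never match the row it just wrote, and the separate INSERTs for notes and series_id each create their own row, which is what Alex1646 ran into last. The example below is added here and is not the thread's code: it checks each field by its type as Pikachu2000 suggests, inserts with a prepared statement instead of string-building, verifies the insert actually affected a row, and reads the new id back from lastInsertId() rather than re-selecting by story text. It assumes PHP with the pdo_sqlite driver so it runs offline; the story_info layout and the 1..5 rating range are assumptions.

```php
<?php
// Added example, not the thread's code: validate each field by type, insert with a
// prepared statement, check the result, and read the new id from lastInsertId().
// Runs offline against an in-memory SQLite database; the story_info layout is assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE story_info (story_id INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL, sum TEXT NOT NULL, story TEXT NOT NULL,
    user TEXT NOT NULL, cat TEXT NOT NULL, rating INTEGER NOT NULL)');

// Per-field checks; returns a list of problems, empty when the form is acceptable.
// No SQL escaping happens here: the prepared statement below takes care of that.
function validateStory(array $post): array {
    $errors = [];
    if (($post['hidden'] ?? '') !== '') {          // honeypot field, as in the thread
        $errors[] = 'hidden field filled in';
    }
    foreach (['title', 'summary', 'story', 'cat'] as $f) {
        if (trim($post[$f] ?? '') === '') {
            $errors[] = "missing $f";
        }
    }
    $opts = ['options' => ['min_range' => 1, 'max_range' => 5]];   // assumed rating range
    if (filter_var($post['rating'] ?? '', FILTER_VALIDATE_INT, $opts) === false) {
        $errors[] = 'rating must be an integer from 1 to 5';
    }
    return $errors;
}

// Inserts one row and returns its story_id, or null if validation or the insert failed.
function insertStory(PDO $pdo, array $post, string $user): ?int {
    if (validateStory($post) !== []) {
        return null;
    }
    $stmt = $pdo->prepare('INSERT INTO story_info (title, sum, story, user, cat, rating)
        VALUES (:title, :sum, :story, :user, :cat, :rating)');
    $stmt->execute([':title' => $post['title'], ':sum' => $post['summary'],
        ':story' => $post['story'], ':user' => $user, ':cat' => $post['cat'],
        ':rating' => (int) $post['rating']]);
    return $stmt->rowCount() === 1 ? (int) $pdo->lastInsertId() : null;
}

// Constructed form input; the apostrophes need no escaping with bound parameters.
$post = ['title' => 'A Tale', 'summary' => 'Short one', 'story' => "It's dark, isn't it?",
         'cat' => 'fantasy', 'rating' => '4', 'hidden' => ''];
$id = insertStory($pdo, $post, 'alex');
$row = $pdo->query('SELECT story FROM story_info WHERE story_id = ' . (int) $id)->fetch();
// Escape at output time, for the HTML context, rather than at input time.
echo "story_id=$id story=" . htmlspecialchars($row['story'], ENT_QUOTES, 'UTF-8') . "\n";
```

A failed insert surfaces as a PDOException (ERRMODE_EXCEPTION) or a null return, so the page can report the problem instead of silently linking to a row that was never written.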