Mobil-D Posted March 9, 2011 Share Posted March 9, 2011 I'm hoping someone can help me cos my hair's going white with this one. I'm trying to put together a script that acts as web-based interface to an SQL server. There are actually two parts, admin.htm and admin.php. The first part is just a form that passes login credentials to the PHP file. That part seems to work fine, but I'll post the source anyway: - <!DOCTYPE HTML> <html lang="en"> <head> <title>SQL admin login</title> <meta charset="iso-8859-1" /> </head> <body> <form action="admin.php" method="post"> <label for="username">Username: -</label> <br /> <input type="text" name="username" id="username" /> <br /> <br /> <label for="password">Password: -</label> <br /> <input type="password" name="password" id="password" /> <br /> <br /> <label for="server">Server: -</label> <br /> <input type="text" name="server" id="server" /> <br /> <br /> <label for="database">Database: -</label> <br /> <input type="text" name="database" id="database" /> <br /> <br /> <input type="submit" value="Login" /> <input type="reset" value="Reset" /> </form> </body> </html> Following is the content of admin.php. By this point I can see the connection in MySQL Workbench, and when I submit the query 'SELECT * FROM subscribers' it's being stored in '$_POST['query']', but 'mysql_query($_POST['query'],$_SESSION['con']);' is returning nothing. There is definitely a record in that table, and the user I'm logging on with has permission to run the 'SELECT' command against this database, so I can't figure out why mysql_query(); is returning nothing: - <!DOCTYPE HTML> <?php session_start(); if(!$_SESSION['con']) { if(!($_POST['username'] || $_POST['password'])) { if(!($_SESSION['username'] || $_SESSION['password'])) { $error="Username and password variables empty."; } } else { $_SESSION['username']=mysql_real_escape_string($_POST['username']); $_SESSION['password']=mysql_real_escape_string($_POST['password']); $_SESSION['server']=mysql_real_escape_string($_POST['server']); $_SESSION['database']=mysql_real_escape_string($_POST['database']); $_SESSION['con']=mysql_pconnect($_SESSION['server'],$_SESSION['username'],$_SESSION['password']); if(!$_SESSION['con']) { $error="Failed to connect to server."; } else { $database=mysql_select_db($_SESSION['database'],$_SESSION['con']); if(!$database) { $error="Failed to connect to database."; } } } } if(!$_POST['query']) { $error="No query submitted."; } else { $result=mysql_query($_POST['query'],$_SESSION['con']); if(!$result) { $error="Query returned nothing."; } } ?> <html lang="en"> <head> <title>SQL admin interface</title> <meta charset="iso-8859-1" /> </head> <body> <form action="admin.php" method="post"> <textarea name="query" rows="10" cols="50">SELECT * FROM subscribers</textarea> <br /> <br /> <input type="submit" value="Submit query" /> </form> <?php if($error) { echo $_POST['query']."<br /><br />".$result."<br /><br />".$error; die(); } else { while($row=mysql_fetch_assoc($result)) { echo $row['name']." ".$row['email']; echo "<br />"; } } ?> </body> </html> Can anyone help? MOD EDIT: . . . tags added. Link to comment https://forums.phpfreaks.com/topic/230103-mysql_query-returns-nothing/ Share on other sites More sharing options...
PFMaBiSmAd Posted March 9, 2011 Share Posted March 9, 2011 You would NEVER execute a query statement that comes entirely from outside your code, in your case a form, because a hacker will quickly take over your database. Also, since you cannot store a database connection in a session and have it persist between pages, using $_SESSION['con'] is pointless. Your logic is testing if the query executed with or without an error. That is not the same as a query that executes but matches zero rows in your database. You can use mysql_error() to find out why your query is failing. Link to comment https://forums.phpfreaks.com/topic/230103-mysql_query-returns-nothing/#findComment-1185037 Share on other sites More sharing options...
Pikachu2000 Posted March 9, 2011 Share Posted March 9, 2011 When posting code, please enclose it within the forum's . . . BBCode tags. Link to comment https://forums.phpfreaks.com/topic/230103-mysql_query-returns-nothing/#findComment-1185066 Share on other sites More sharing options...
Mobil-D Posted March 9, 2011 Author Share Posted March 9, 2011 Thanks for the reply PFMaBiSmAd (and sorry about the oversight Pikachu2000). I'll definitely follow your security advice whenever I start working on production networks. Right now I'm working purely locally and all I want is for the thing to work. I hear what you're saying about '$_SESSION['con']', I've replaced that with '$con'. But mysql_error() returns nothing when I try to execute a query. Link to comment https://forums.phpfreaks.com/topic/230103-mysql_query-returns-nothing/#findComment-1185106 Share on other sites More sharing options...
Mobil-D Posted March 10, 2011 Author Share Posted March 10, 2011 Never mind, got it working. Thanks guys. Link to comment https://forums.phpfreaks.com/topic/230103-mysql_query-returns-nothing/#findComment-1185468 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.