cmburbul, posted August 1, 2007

Hi, I am moving all my PHP sites from a server running PHP 4 to a new server running PHP 5. I'm having trouble with a URL-passed variable or the query syntax.

The URL calls a PHP page and passes a variable:

http://XXXXXX.com/searchupdatecatlist.php?catagory=Accountant

This is the query on the PHP page:

    $db_name = "XXXXXXXX";
    $table_name = "members";
    $connection = @mysql_connect("localhost","XXXXXX","XXXXX") or die("Couldn't Connect.");
    $db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");
    $sql ="SELECT id,catagory,company,first_name,last_name,address,city,state, zip,phone,email,web,description FROM $table_name WHERE catagory like \"$catagory%\" order by company ASC";
    $result = @mysql_query($sql, $connection) or die("Error #". mysql_errno() . ": " . mysql_error());

The page executes fine but it returns all the records in the database. (The display code is left out for clarity.)

Is the problem the passed variable not being recognized? Is the query wrong for PHP 5?

Also, any recommendations on a good reference website or book for upgrading to PHP 5 would be appreciated. Definitely something for a noobie who can't really code PHP!

Thanks in advance for any help you can render!
btherl, posted August 1, 2007

The new PHP probably has register_globals switched off. Add this at the top of your script:

    $catagory = $_REQUEST['catagory'];

You will need to do the same for all data which comes in via post, get, cookie and session.
cmburbul (author), posted August 1, 2007

Thanks for the advice. Worked like a charm. Looks like I have some work to do, as I have a lot of sites to move to PHP 5 with undeclared variables!

C.
wildteen88, posted August 1, 2007

Just posting to notify you of a few things. Take caution when you are using client-set variables; these are _POST, _GET, _REQUEST and _COOKIE. These variables come from the user accessing your site. Never trust any data that comes to you from the client. If you use raw data from the user then a malicious user can run SQL injection attacks on your database. Using SQL injection they can log in as an admin or any other user, or they can completely destroy your database by simply deleting it.

SQL injection is one of the many security exploits users use to attack sites. To learn more about SQL injection, have a search on Google for "SQL Injection". You'll find many articles discussing it and how to prevent it. A good way to prevent it is to escape user data using a function called mysql_real_escape_string. mysql_real_escape_string can be used to prevent SQL injection attacks. You should always run this function on any variables you use within your database that deal with strings.

Just thought I'd throw that in.
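Putting the two replies together, here is an added example (not code from anyone in this thread) of the original query rewritten so that it reads the parameter explicitly instead of relying on register_globals and sanitises it before it reaches the LIKE clause. The table and column names are the ones from the first post; the connection credentials are placeholders.

```php
<?php
// Added example. Replaces the register_globals dependency of the original
// script: $catagory is read explicitly from $_GET and checked before it is
// interpolated into the SQL string. DB_USER / DB_PASS / DB_NAME are placeholders.
$connection = mysql_connect("localhost", "DB_USER", "DB_PASS")
    or die("Couldn't Connect.");
mysql_select_db("DB_NAME", $connection) or die("Couldn't select database.");

// 1. Explicit input. With register_globals off (the PHP 5 default) the
//    query-string parameter exists only in $_GET / $_REQUEST, never as $catagory.
$catagory = isset($_GET['catagory']) ? $_GET['catagory'] : '';

// 2. Allow-list validation: a category name is letters, digits, spaces and a few
//    punctuation marks. Rejecting anything else is stronger than escaping alone
//    and also stops an empty or wildcard-only value from matching every row.
if ($catagory === '' || !preg_match('/^[A-Za-z0-9 &\/.-]{1,50}$/', $catagory)) {
    die("Invalid category.");
}

// 3. Escape for the SQL string literal. mysql_real_escape_string handles quotes
//    and backslashes but NOT the LIKE wildcards % and _, so those are escaped
//    separately. The allow-list above already rejects them; this keeps the query
//    safe if that pattern is ever loosened.
$escaped = mysql_real_escape_string($catagory, $connection);
$escaped = str_replace(array('%', '_'), array('\\%', '\\_'), $escaped);

$sql = "SELECT id, catagory, company, first_name, last_name, address, city, "
     . "state, zip, phone, email, web, description "
     . "FROM members "
     . "WHERE catagory LIKE '{$escaped}%' "
     . "ORDER BY company ASC";

$result = mysql_query($sql, $connection)
    or die("Error #" . mysql_errno() . ": " . mysql_error());

while ($row = mysql_fetch_assoc($result)) {
    // Escape on output too, so a stored value is never rendered as HTML.
    echo htmlspecialchars($row['company'], ENT_QUOTES, 'UTF-8') . "<br>\n";
}
```

The mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7; with mysqli or PDO prepared statements the category is bound as a parameter, so no escaping step is needed at all.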