Jump to content

[SOLVED] query returns all records in php5 (but not php4) ?????

cmburbul

By cmburbul
in PHP Coding Help

 Share

Recommended Posts

cmburbul Newbie

cmburbul

Posted
Posted

Hi,

 

I am moving all my PHP sites form a server running PHP 4 to a new server running PHP 5 Having trouble with a URL passed variable or the query syntax.

 

URL calls a PHP page and passes a variable:

 

http://XXXXXX.com/searchupdatecatlist.php?catagory=Accountant

 

This is the query on the php page:

 

$db_name = "XXXXXXXX";

$table_name = "members";

$connection = @mysql_connect("localhost","XXXXXX","XXXXX") or die("Couldn't Connect.");

$db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

$sql ="SELECT id,catagory,company,first_name,last_name,address,city,state, zip,phone,email,web,description FROM $table_name WHERE catagory like \"$catagory%\" order by company ASC";

$result = @mysql_query($sql, $connection) or die("Error #". mysql_errno() . ": " . mysql_error());

 

The page executes fine but it returns all the records in the database. (the display code is left out for clarity)

 

Is the problem the passed variable not being recognized? Is the query wrong for PHP5??

 

????

 

Also, any recommendations on a good reference website or book for upgrading to PHP 5 wwould be appreciated. Definetly something for a noobie who can't really code PHP!

 

Thanks in advance for any help you can render!

 

Link to comment
Share on other sites
btherl Member

btherl

Posted
Posted

The new php probably has register_globals switched off.  Add this at the top of your script:

 

$catagory = $_REQUEST['catagory'];

 

You will need to do the same for all data which comes in via post, get, cookie and session.

Link to comment
Share on other sites
wildteen88 Regular Member

wildteen88

Posted
Posted

Just posting to notify you a few things.

 

Take caution when you are using client set variables, these are _POST, _GET, _REQUEST and _COOKIE. These variables come from the user accessing your site. Never trust any data that comes to you from the client.

 

If you use raw data from the user then a malicious user can run SQL Injection attacks on your database. Using SQL injection they can login as an admin or any other user, or they can completely destroy your database by simply deleting it. SQL Injection is one of the many security exploits users use to attack sites. To learn more about SQL Injection have a search on google for SQL Injection. You'll find many article discussing it and how to prevent it.

 

A good way to prevent it is to escape user data using a function called mysql_real_escape_string. mysql_real_escape_string can be used to prevent SQL Injection attacks. You should always run this function on any variables you use within your database that deals with strings.

 

Just through I'll through that in.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.