marklarah Posted January 17, 2008

I'm trying to code a forum (it's a bitch, as those of you who have tried to do so know). Anyway, for some reason, when displaying messages, it only displays the first entry in the table. Why?

http://tls-3.977mb.com/genmessage.php?board=1&topic=1

    <?php
    $board = $_GET['board'];
    $topic = $_GET['topic'];
    // ORDER BY time LIMIT 20
    $resultbob='SELECT * FROM messages WHERE board = '.$board.' and topic = '.$topic;
    $tarticles = mysql_query($resultbob) or die(mysql_error());
    $tnum = mysql_num_rows($tarticles);
    $rowl = mysql_fetch_array($tarticles);
    ?>
    <table width="98%" align="center" border="1">
    <?
    while ($tnum = mysql_fetch_assoc($tarticles)){
        echo '<tr><td>';
        // $userp = $rowl['username'];
        // $message = $rowl['message'];
        $userp = $tnum['username'];
        $message = $tnum['message'];
        echo $userp;
        echo $message;
        echo '</td></tr>';
    }
    ?>
    </table>

My table: http://tls-3.977mb.com/Picture%207.png

Link to comment: https://forums.phpfreaks.com/topic/86541-help-my-mysql-while-aint-working/

revraz Posted January 17, 2008

First you do this:

    $rowl = mysql_fetch_array($tarticles);

Then you do this:

    while ($tnum = mysql_fetch_assoc($tarticles))

So pick one you want to use. Also, don't use <? for php, use <?php

awpti Posted January 17, 2008

Consider looking up information on SQL Injection attacks. You're wide-open to them.

marklarah Posted January 18, 2008

> First you do this
>     $rowl = mysql_fetch_array($tarticles);
> Then you do this
>     while ($tnum = mysql_fetch_assoc($tarticles))
> So pick one you want to use. Also, don't use <? for php, use <?php

They were returning different bits of the database. Neither of them work properly.

Nhoj Posted January 18, 2008

> Also, don't use <? for php, use <?php

Eh... There is absolutely no difference providing <? is enabled in php.ini... PHP has NO plans whatsoever to deprecate <? either so by all means, if you want to save yourself from typing 3 extra characters all the time, be my guest.

Nhoj Posted January 18, 2008

Eh, couldn't edit the last post... Try removing $rowl = mysql_fetch_array($tarticles); entirely. Also, are you 100% sure you have more than one article in the table with the board ID 1 and topic ID 1?

In addition, you seriously need to look into SQL-Injection... Most anyone on this board could delete your entire message table with the information you've provided just by adjusting the URL...

revraz Posted January 18, 2008

Bad advice. How do you know short tags are enabled on his server? Feel free to do it however you like, but don't assume everyone has it enabled. Sit around here for a few and you'll see how many issues get solved just by this alone.

> > Also, don't use <? for php, use <?php
>
> Eh... There is absolutely no difference providing <? is enabled in php.ini... PHP has NO plans whatsoever to deprecate <? either so by all means, if you want to save yourself from typing 3 extra characters all the time, be my guest.

Nhoj Posted January 18, 2008

Heh, I'm not going to get into a heated debate over short tags or long tags, however, he clearly does have them enabled otherwise his page would look like a mess... Also, if you read my entire post instead of skimming it, you would have read the part that says:

> There is absolutely no difference providing <? is enabled in php.ini

revraz Posted January 18, 2008

I did read it, it made no difference really.

teng84 Posted January 18, 2008

> > Also, don't use <? for php, use <?php
>
> Eh... There is absolutely no difference providing <? is enabled in php.ini... PHP has NO plans whatsoever to deprecate <? either so by all means, if you want to save yourself from typing 3 extra characters all the time, be my guest.

I've been in this industry for almost 2 years and you're the first person I've heard advising that ???

marklarah Posted January 18, 2008

Thanks Nhoj, it works now, but I'm going to leave this topic unsolved, as I'm a little concerned about MySQL injections as you said. Exactly what could happen, and how do I protect it? I know of injections (I did a couple myself) but I kinda completely forgot, and plus the ones I tried were harmless seemingly.

teng84 Posted January 18, 2008

mysql_escape_string(): http://www.php.net/manual/en/function.mysql-escape-string.php

Nhoj Posted January 18, 2008

Heh, I've been coding PHP for 3 years, I started back when PHP-Nuke was the hot hit lol... It's a matter of personal preference, if your server has <? enabled in php.ini and you are more comfortable using it, then by all means do so. The PHP devs have announced on multiple occasions the ability to use <? will not be removed (<% will be in PHP6), therefore there's no reason to tell people not to use <?. If your server has it enabled and you are more comfortable using it, go ahead, save yourself the trouble of typing the 3 extra characters.

Telling someone not to use it just because it MAY not be enabled on every server is hardly the way to go about teaching people how to properly program PHP applications. All you need to do is lay out the facts and inform them "hey, it may not be enabled on every server, you might want to consider using <?php instead"

As for injections, someone could very easily manipulate the $_GET line to do anything they want to your table as you haven't sanitized it at all... To help prevent injections, always clean input appropriately, for example, make a function like the following:

    function clean_int($int, $dec, $size) {
        $int = round(abs(mb_strcut($int, 0, $size)), $dec);
        return $int;
    }

That will take an input (an integer), and cut it down to a specified length and then adjust it for the # of decimals you want.. Usage would be something like this:

    $topic = clean_int($_GET['topic'], 0, 10); //Turn topic into a positive integer, with a length of 10 and 0 decimals

That would effectively stop pretty much any SQL-Injection attempt on the $_GET['topic'] part of the url. Also, look into mysql_real_escape_string() for text inputs

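
Added example, not part of the thread or of any poster's code: the thread's board/topic query rewritten with strict integer validation and a prepared statement, using PDO because the mysql_* functions shown above were removed in PHP 7.0. The in-memory SQLite table, its sample rows, and the function names require_id and fetch_messages are assumptions made so the script runs offline; against MySQL only the PDO connection (DSN and credentials) changes.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the
// thread's `messages` table so the script runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (board INTEGER, topic INTEGER, username TEXT, message TEXT)');
$pdo->exec("INSERT INTO messages VALUES (1, 1, 'alice', 'first post'),
                                        (1, 1, 'bob', 'a reply'),
                                        (2, 5, 'carol', 'other board')");

// Hypothetical helper: accept only a plain positive integer.
// Anything else is rejected outright instead of being trimmed or repaired.
function require_id($value): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Hypothetical helper: the SQL text is fixed, and board and topic are sent
// separately as bound values, so they cannot change the statement's structure.
function fetch_messages(PDO $pdo, $board, $topic): array
{
    $stmt = $pdo->prepare(
        'SELECT username, message FROM messages WHERE board = :board AND topic = :topic'
    );
    $stmt->bindValue(':board', require_id($board), PDO::PARAM_INT);
    $stmt->bindValue(':topic', require_id($topic), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values, as they would arrive in $_GET (always strings).
$rows = fetch_messages($pdo, '1', '1');
foreach ($rows as $row) {   // a single fetch call, so no row is consumed early
    // Encode for HTML before the values go into the page's table cells.
    echo htmlspecialchars($row['username']), ': ', htmlspecialchars($row['message']), "\n";
}

try {
    fetch_messages($pdo, '1', '1 OR 1=1');   // constructed non-integer input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
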