JPV555 Posted February 24, 2008

Hello, I tried searching but I couldn't really find my exact problem. Here it goes: I'm trying to make my script more secure, so I'm trying to implement the mysql_real_escape_string function. It works when there's just one, but if I have more than one '%s', it will just list every row in that database. Here's the code:

<?php
$safequery3 = sprintf("SELECT category, movieid, genreid, dvd_reviews.id FROM genre, moviegenre, dvd_reviews WHERE movieid='%s' AND genreid-genre.id AND dvd_reviews.id='%s' ORDER BY category", mysql_real_escape_string($id), mysql_real_escape_string($id));
$genreinfo = @mysql_query($safequery3);
$cat_array = array();
while ($ginfo = mysql_fetch_array($genreinfo)) {
    array_push($cat_array, $ginfo['category']);
}
$cat_string = implode(" / ", $cat_array);
echo $cat_string;
?>

For instance: a movie might have 3 genres associated with it, and there are 20 genres. Well, if I leave off one mysql_real_escape_string($id), I'll get an error. If I put that one on there, it will list every genre in that table rather than just the ones associated. Before, if I just did a query straight up with $id, it would parse it just fine. I would appreciate any help.
Northern Flame Posted February 24, 2008

I don't know if that is all your code, but you never connected to MySQL in that script.
JPV555 (Author) Posted February 24, 2008

No, that's not the entire code. It connects fine. The page displays fine when just doing the query using $id. And it displays fine when using mysql_real_escape_string($id) if there's only one '%s', but if I have two, like the code I posted, it'll display everything in the genre table. Here's the first part with the connection and the first usage of mysql_real_escape_string:

<?php
include '*removed*/connection-db.php';
$id = $_GET['id'];
$safequery = sprintf("SELECT title, year, edition, hddvd FROM dvd_reviews WHERE id='%s'", mysql_real_escape_string($id));
$titleinfo = @mysql_query($safequery);
if (!$titleinfo) {
    exit('<p>Error retrieving information from database.<br />' . 'Error: ' . mysql_error() . '</p>');
}
$num_rows = mysql_num_rows($titleinfo);
// if the query result is empty, redirect to the 404 page; otherwise read the selected fields and their values
if ($num_rows == NULL) {
    echo "<meta HTTP-EQUIV='REFRESH' content='0; url=http://www.moviemansguide.com/404.htm'>";
} else {
    while ($info = mysql_fetch_array($titleinfo)) {
        $title = $info['title'];
        $year = $info['year'];
        $edition = $info['edition'];
        $display_edition = ($edition) ? " - $edition" : "";
        $hddvd = $info['hddvd'];
        $display_hddvd = ($hddvd) ? "[$hddvd]" : "";
        echo "<title>Movieman's Guide to the Movies >> DVD Review >> $title ($year)$display_edition $display_hddvd</title>";
    }
}
?>

This parses just fine...
darkfreaks Posted February 24, 2008

Put it above the query, not in your query. That is your problem.
JPV555 (Author) Posted February 24, 2008

Sorry, I'm a newb at this. What do you mean?
darkfreaks Posted February 24, 2008

<?php
// escape the user-supplied id once, before it goes anywhere near the query
$id = mysql_real_escape_string($_POST['id']);
// every %s in the format string needs a matching argument
$safequery = sprintf("SELECT title, year, edition, hddvd FROM dvd_reviews WHERE id='%s'", $id);
$titleinfo = @mysql_query($safequery);
?>
JPV555 (Author) Posted February 24, 2008

Well, I did that and now I get an error. There was nothing wrong with the second code I posted; it was the code in my first post I'm having trouble with (the second one was to show the connection to my db). Here's the error:

Warning: sprintf() [function.sprintf]: Too few arguments in /home2/*removed*/public_html/reviews/DVD/read2.php on line 12
Error retrieving information from database. Error: Query was empty

If I put it back the way I had it, it shows up fine. Here's the page to see what my problem is: http://www.moviemansguide.com/reviews/DVD/read2.php?id=aeonflux

And I'll repost my original code concerning that section:

<?php
$safequery3 = sprintf("SELECT category, movieid, genreid, dvd_reviews.id FROM genre, moviegenre, dvd_reviews WHERE movieid='%s' AND genreid=genre.id AND dvd_reviews.id='%s' ORDER BY category", mysql_real_escape_string($id), mysql_real_escape_string($id));
$genreinfo = @mysql_query($safequery3);
$cat_array = array();
while ($ginfo = mysql_fetch_array($genreinfo)) {
    array_push($cat_array, $ginfo['category']);
}
$cat_string = implode(" / ", $cat_array);
echo $cat_string;
?>

If I can figure out what I'm doing wrong there, I can fix other parts as well.
JPV555 (Author) Posted February 24, 2008

Never mind, I got it! I left off an expression. Problem solved. Thanks for your help, though.
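Added example (editor's note, not code from anyone in this thread): the same genre lookup written as a PDO prepared statement, which is the approach that replaced the mysql_* functions and the sprintf-plus-escaping pattern discussed above. With a bound parameter the id never becomes part of the SQL text, so there is no escaping step to forget and no per-placeholder argument count to get wrong; a quote character in the id is simply matched as a literal. The table and column names (genre, moviegenre, dvd_reviews, movieid, genreid, category) come from the thread; the rows are constructed test data, and the schema uses an in-memory SQLite database so the script runs on its own.

```php
<?php
// Added example, not from the original thread. Table and column names follow
// the thread; the data and the SQLite schema are constructed for this demo.

function buildSchema(PDO $db): void {
    $db->exec("CREATE TABLE dvd_reviews (id TEXT PRIMARY KEY, title TEXT)");
    $db->exec("CREATE TABLE genre (id INTEGER PRIMARY KEY, category TEXT)");
    $db->exec("CREATE TABLE moviegenre (movieid TEXT, genreid INTEGER)");
    $db->exec("INSERT INTO dvd_reviews VALUES ('aeonflux', 'Aeon Flux'), ('other', 'Other Film')");
    $db->exec("INSERT INTO genre VALUES (1, 'Action'), (2, 'Sci-Fi'), (3, 'Drama')");
    $db->exec("INSERT INTO moviegenre VALUES ('aeonflux', 1), ('aeonflux', 2), ('other', 3)");
}

// Same query as the thread's $safequery3, but with explicit JOINs and a single
// named placeholder. The value is sent to the driver separately from the SQL,
// so it cannot alter the statement's structure whatever characters it contains.
function categoriesFor(PDO $db, string $id): array {
    $stmt = $db->prepare(
        "SELECT genre.category
           FROM moviegenre
           JOIN genre ON genre.id = moviegenre.genreid
           JOIN dvd_reviews ON dvd_reviews.id = moviegenre.movieid
          WHERE moviegenre.movieid = :id
          ORDER BY genre.category"
    );
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
// Throw on errors instead of silently returning false (the @mysql_query()
// calls in the thread hid the failure that produced "Query was empty").
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// A real id: prints the two categories joined the way the thread's code does.
echo implode(" / ", categoriesFor($db, 'aeonflux')), "\n";

// An id containing a quote is matched literally and finds nothing; no row
// from the genre table leaks and no SQL error is raised.
echo count(categoriesFor($db, "aeon'flux")), "\n";
```

If you do stay with sprintf(), the rule that tripped the thread is that each %s consumes one argument in order, so a value used twice must be passed twice; PHP's argument-swapping form (%1$s for the first argument) lets one escaped value fill several placeholders without repeating it.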