JPV555, posted February 24, 2008

Hello, I tried searching but I couldn't really find my exact problem. Here it goes: I'm trying to make my script more secure, so I'm trying to implement the mysql_real_escape_string function. It works when there's just one, but if I get more than one ('%s'), it will just list every row in that database. Here's the code:

<?php
// Look up the genres of one movie: one escaped argument for each '%s' placeholder
$safequery3 = sprintf(
    "SELECT category, movieid, genreid, dvd_reviews.id FROM genre, moviegenre, dvd_reviews"
    . " WHERE movieid='%s' AND genreid=genre.id AND dvd_reviews.id='%s' ORDER BY category",
    mysql_real_escape_string($id),
    mysql_real_escape_string($id)
);
$genreinfo = @mysql_query($safequery3);

// Collect the category column of every matching row
$cat_array = array();
while ($ginfo = mysql_fetch_array($genreinfo)) {
    array_push($cat_array, $ginfo['category']);
}
$cat_string = implode(" / ", $cat_array);
echo $cat_string;
?>

For instance: a movie might have 3 genres associated with it and there are 20 genres. Well, if I leave off one mysql_real_escape_string($id), I'll get an error. If I put that one on there, it will list every genre in that table rather than just posting the ones associated. Before, if I just did a query straight up with $id, it would parse it just fine. I would appreciate any help.
Northern Flame, posted February 24, 2008

I don't know if that is all your code, but you never connected to MySQL in that script.
JPV555 (author), posted February 24, 2008

No, that's not the entire code. It connects fine. The page displays fine when just doing the query using $id. And it displays fine when using the mysql_real_escape_string($id) if there's only one '%s', but if I have two, like the code I posted, it'll display everything in the genre table. Here's the first part with the connection and the first usage of the mysql_real_escape_string:

<?php
include '*removed*/connection-db.php';

$id = $_GET['id'];

// Single placeholder, single escaped argument
$safequery = sprintf(
    "SELECT title, year, edition, hddvd FROM dvd_reviews WHERE id='%s'",
    mysql_real_escape_string($id)
);
$titleinfo = @mysql_query($safequery);
if (!$titleinfo) {
    exit('<p>Error retrieving information from database.<br />'
        . 'Error: ' . mysql_error() . '</p>');
}

$num_rows = mysql_num_rows($titleinfo);
// if query result is empty, returns NULL, otherwise, returns an array containing the selected fields and their values
if ($num_rows == NULL) {
    echo "<meta HTTP-EQUIV='REFRESH' content='0; url=http://www.moviemansguide.com/404.htm'>";
} else {
    while ($info = mysql_fetch_array($titleinfo)) {
        $title = $info['title'];
        $year = $info['year'];
        $edition = $info['edition'];
        $display_edition = ($edition) ? " - $edition" : "";
        $hddvd = $info['hddvd'];
        $display_hddvd = ($hddvd) ? "[$hddvd]" : "";
        echo "<title>Movieman's Guide to the Movies >> DVD Review >> $title ($year)$display_edition $display_hddvd</title>";
    }
}
?>

This parses just fine...
darkfreaks, posted February 24, 2008

Put it above the query, not in your query. That is your problem.
JPV555 (author), posted February 24, 2008

Sorry, I'm a newb at this. What do you mean?
darkfreaks, posted February 24, 2008

<?php
// Escape the value once, before the query is built
$id = mysql_real_escape_string($_POST['id']);
$safequery = sprintf("SELECT title, year, edition, hddvd FROM dvd_reviews WHERE id='%s'", $id);
$titleinfo = @mysql_query($safequery);
?>
JPV555 (author), posted February 24, 2008

Well, I did that and now I get an error. There was nothing wrong with the second code I posted; it was the code in my first post I'm having trouble with (the second one was to show the connection to my db). Here's the error:

Warning: sprintf() [function.sprintf]: Too few arguments in /home2/*removed*/public_html/reviews/DVD/read2.php on line 12
Error retrieving information from database.
Error: Query was empty

If I put it back to the way I had it, it shows up fine. Here's the page to see what my problem is: http://www.moviemansguide.com/reviews/DVD/read2.php?id=aeonflux

And I'll repost my original code concerning that section:

<?php
// Look up the genres of one movie: one escaped argument for each '%s' placeholder
$safequery3 = sprintf(
    "SELECT category, movieid, genreid, dvd_reviews.id FROM genre, moviegenre, dvd_reviews"
    . " WHERE movieid='%s' AND genreid=genre.id AND dvd_reviews.id='%s' ORDER BY category",
    mysql_real_escape_string($id),
    mysql_real_escape_string($id)
);
$genreinfo = @mysql_query($safequery3);

// Collect the category column of every matching row
$cat_array = array();
while ($ginfo = mysql_fetch_array($genreinfo)) {
    array_push($cat_array, $ginfo['category']);
}
$cat_string = implode(" / ", $cat_array);
echo $cat_string;
?>

If I can figure out what I'm doing wrong there, I can fix other parts as well.
JPV555 (author), posted February 24, 2008

Never mind, I got it! I left off an expression. Problem solved. Thanks for your help, though.
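For readers landing on this thread today, here is the genre lookup from the first post rewritten with mysqli (ext/mysql, which provides mysql_real_escape_string, was removed in PHP 7). This is an added example, not code from any poster: it keeps the thread's table and column names, shows the sprintf-plus-escaping pattern with its placeholder/argument rule, and puts the prepared-statement form beside it, where the value never enters the SQL text. Credentials are placeholders, and get_result()/fetch_all assume the mysqlnd driver.

```php
<?php
// Added example (not from the thread). Table and column names follow the posts;
// DB_USER / DB_PASS / DB_NAME are placeholders.

function genres_with_escaping(mysqli $db, string $id): array {
    // Same shape as the thread's query: exactly one escaped argument per '%s'.
    // Fewer arguments than placeholders is the "Too few arguments" warning from
    // the thread; on PHP 5/7 sprintf then returns false and an empty query is sent
    // ("Query was empty"). The escaping needs an open connection because it uses
    // the connection's character set.
    $sql = sprintf(
        "SELECT category FROM genre, moviegenre, dvd_reviews"
        . " WHERE movieid = '%s' AND genreid = genre.id AND dvd_reviews.id = '%s'"
        . " ORDER BY category",
        $db->real_escape_string($id),
        $db->real_escape_string($id)
    );
    $result = $db->query($sql);
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . $db->error);
    }
    return array_column($result->fetch_all(MYSQLI_ASSOC), 'category');
}

function genres_with_prepared_statement(mysqli $db, string $id): array {
    // Preferred form: the id is sent as a bound parameter, so there is nothing
    // to escape and no placeholder count to keep in sync with the arguments.
    $stmt = $db->prepare(
        "SELECT category FROM genre, moviegenre, dvd_reviews"
        . " WHERE movieid = ? AND genreid = genre.id AND dvd_reviews.id = ?"
        . " ORDER BY category"
    );
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $id, $id);
    $stmt->execute();
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'category');
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    exit('Database connection failed.');   // do not echo connection details to users
}
$id = $_GET['id'] ?? '';                    // untrusted: read2.php?id=aeonflux
$categories = genres_with_prepared_statement($db, $id);
echo htmlspecialchars(implode(' / ', $categories));   // escape for HTML, not SQL
```

The two functions return the same rows for a valid id; the prepared form is the one to keep, and the sprintf form is shown only to make the one-argument-per-placeholder rule from the thread concrete.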
This topic is now archived and is closed to further replies.