Screwey Database

1) Put quotes around literals. $_GET[u] becomes $_GET['u'], likewise with id, even though it works.

2) Did you remember to change the name/id in the form or the query in the URL?

didn't do it. it has something to do with putting a letter. It seems I can only put numbers in it, but that's not right! Ugh.

Letters, numbers? You lost me. How about linking to the whole code -- including form and all?

You have both the php displays.

There is no form. Since I'm using get, and I'm just trying to learn database, and this is an experiment.

How are you accessing the page? What url do you go to? Have you changed ?id=X to ?u=X ?

Ok, I'm starting fresh and it seems I'm having the same problem. I am not using a form at all, just typing the values into the adress bar. I'm using the address:

Quote: http://localhost/CMS%20Tutorial/displaycomments.php?name=jim

and getting this error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in d:\program files\appserv\www\cms tutorial\displaycomments.php on line 10

Here is the code:

can anyone figure out whats up?

change

to

Also, what are the curly brackets for? Before the first echo and after the last?

Ugh. Still no luck.

The brackets are there from when that was a while loop.

Sorry to be so bothersome, but I just don't know enough about PHP and mysql to trouble shoot any further than I have (which is a very small bit) so I came to you guys.

Tried debugging? die()? mysql_error()? Test the SQL in phpMyAdmin?

Check if all the variables and values are being passed by printing them at various stages.

Use die() with mysql_query() and mysql_connect(), and also use mysql_error() for mysql calls so you know what's failing.

Try the SQL from phpMyAdmin or even command line if you know how. Maybe it's a problem with the tables or database.

Also, try removing the resource identifier ($db) from mysql_query. Just do mysql_query("SELECT ... ");

You can modify example code in the PHP manual to suit your data too. If that works, it might reveal problems with your code.

Btw, remember to mysql_free_result() and mysql_close().

OK, I've figured out that It has something to do with

"WHERE name=$name"

When I take out that bit it displays, but I can't really get rid of, considering I need to be able to view each user individually.

try something like this

If there is no database entries it will display 'sorry no one home'.
If you get mysql errors, uncomment the echo $query; to find out if the name is calling a value. if it shows SELECT * FROM users WHERE name= then you know the $name variable is being lost somewhere

Also if you use anythig like mysql_error() make sure you delete it before uploading, use it for testing only. displaying a mysql error directly to your page for the world to see is like leaving a key under your front door mat

MMM... query looks right, it's echoing ...name=jim

I'm still getting an error though. I wonder if this all has something to do with mysql? I think i'm gonna try doing this on another server. Here's the error:

Quote: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in d:\program files\appserv\www\cms tutorial\displaycomments.php on line 11

Ergh... Tried a different host, and stillt he same problem.

Wait...I get that error sometimes when I have nothing in the database. Do you have anything filled in in the dB?

yes, I have one row filled in with the name being jim and the password being pass.

what happens when you hardcode the name: name='jim' ?

Same thing.

try

WHERE name='".$name."'";

if you can't work out the quotes, it's single, double, dot ..... dot, double, single, double

Quote:
SELECT * FROM users WHERE name=''
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in d:\program files\appserv\www\cms tutorial\displaycomments.php on line 11
sorry, no one home

I'm to the point of about giving up and reading more articles. Then maybe I'll understand this stuff better.

One more go, can you copy and paste your code again please, mainly the bits above the query.
If you hard coded the value there is no way it can't be passed, unless it's in a if statement, wrong case, your using htmlspecialcharacters and the variable starts and end in pointy brackets.

change $name = $_GET['name']; $pass = $_GET['pass']; to $name = "jim"; $pass = "pass";

then show what it displays on the page

Later, incase I forget, always do addslashes($inputted_value) when querying databases or a script kiddy can do stuff.

Quote:
SELECT * FROM users WHERE name='jim'
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in d:\program files\appserv\www\cms tutorial\displaycomments.php on line 11
sorry, no one home

Also, what does addslashes do?

Use or die(mysql_error()) at the end of your mysql_ calls so you know which one is going wrong -- or have you tried this already? The error output shown presently isn't very helpful.

addslashes escapes quote characters by prepending a slash before them. If the user submits "bob" (with quotes included), it becomes \"bob\". The point is to stop the user from escaping your SQL string and inserting their own potentially malicious code.

If you have jim in the database it should work.
change $query = "SELECT * FROM users WHERE name='".$name."'"; to $query = "SELECT * FROM users WHERE name='".%$name%."'";

This script is wrong in several ways, login should use _POST and never _GET, the incoming information should be trimmed (removed leading and trailing white space) and slashes added.

using your method above, if I was to put yoururl.pge?name=admin';# I would be logged in as admin, Ideally you should be checking for name AND password matches, but if you had $query = "SELECT * FROM users WHERE name='$name' and pass='$pass'"; what I entered would still break your code and be logged in as admin as what I put admin';# would make the query stop after the name (with the semicolon) and the # would make anything after that a comment. adding addslashes, slashes any quotes to help avoid this, so this "I don't slash"; would become "I don\'t slash"

Wait a minute. Why aren't you using mysql_select_db()? How is the script to know which database to find the table 'users' in?

Abhishek, I'm guessing he has it above the where the form is

The result on the page is only a warning, not an error, so you can even supress this if you which (add @ infront of the effected line). At a guess I'd say you have error reporting to all - which is good but warnings and errors are different things.
In this case we have no output so there is a fault

Once you get it sorted you can make some changes and make your form/ page, somethign like:

" />
....

then your php section, something like
if($_POST[login] == 'yes')
{
if($_POST[attempts] >= '4')
{
// send them to another page (error page) offering some reasons why they can't login with link back to login page - possible brute force attack.
exit;
}
$name = addslashes($_POST[name]);
$pass = addslashes($_POST[pass]);

// if not already connected to db, do it now
// do the query as normal

// if login fails, $attempts = $attempts + 1;
// include form again or if login successful send to another page or display the goodies
}

true, good spoting bat man,

Dragon of Ice, add this to the top of your page
<?
$db = @mysql_connect("localhost", "root", "");
if (!db)
{
echo ("Unable to connect to database server");
exit();
}

if (!@mysql_select_db("???????"))
{
echo ("Unable to connect to database");
exit();
}
?>
replace the ???????? with your database table name
and remove the $db = mysql_connect("localhost", "root", ""); you have there now

I understand all the security things I'm doing wrong, but right now I'm just trying to get the database to work. It works, but now the only thing is that it's outputting the query.

Here's the revised code:

whoops just found it
It was during debugging. gotta take out "echo $query"

Also, I got it to work with GET, so that means it should work with POST. Now on to the security, but first, I have to finish some layout things for the page (namely the entire site).

WOOT!

From all the help and info I got here, the database is in operation! Thanks alot guys!

The site's at:
http://www.zapgraphics.no-ip.com/zap/php/

Abhi, were you able to access the site? Because I can't off any other computer than the host it self.

Ah, no, I wasn't able to. Nor can I now.

I get time out error.

Dragon of Ice, can you get to a non server side page (only has html) ?
If you can the blockage could be caused by a run away loop (while 1=1 .... )

no. I can't access anything.

Probably a network blockage if you can access it locally. Go over network configs, routers, firewalls, ISP blocks, etc.