PHP help
Hello all!
I have been using PHP on my server and have a problem. I am writing an Admin tool for my server; at the moment I am only writing the "View" part, not the edit part. I can view the data by doing displayAccounts(), and here is the code: Code:
// define url var

file.php?account=Admin and (as you see) it would change the results and add the variable.. this is not working. Please help me.. Also, I think I messed up the: if(!$sort... etc. Please help!!!
Well, you may want to use if ( empty($sort) || empty($account) ), or at least put in some check for non-existence, like $sort = ( isset($_GET['sort']) ) ? $_GET['sort'] : false;. I don't see anything wrong with your MySQL statement, but if MySQL throws an internal error (because you typed a variable wrong, or it can't find a row where login='Admin', etc.), PHP will simply return false and go on processing the script.
alright...
I found my problem... I changed it to this and it worked: Code:
/* variable result */
Although it's fine for now, your queries will quickly become unreadable if you stir in more variables. Try this way instead:
Code:
$query = sprintf("SELECT acct,login,password,gm,email,lastip ".
ok then.. lets try this
that seems confusing....
%s?? %d?? May I ask what "addslashes" does? Also, this is my new code: Code:
// define url var

If you could explain how to add yours to my code, then it might be easier for me to understand...
aww.. ok i am now working on a edit page..
idk if anyone can help, but if you can PLEASE do. I get this error: "Parse error: syntax error, unexpected $end in /Library/WebServer/Documents/adminpanel/admin/files/editcopy.php". Here is my FULL code: Code:
<?php

Thanks so much!!
well, if nothing else
displayEdit() needs to be displayEdit(); And addslashes is documented, along with ALL PHP functions, at php.net: http://us3.php.net/addslashes If you're embedding PHP code in HTML, or if you're taking data from a form and putting it into a database, you'll need to know it and know it well.
To expand on what navaho said, addslashes makes it a lot harder for someone to type "drop database *;" into a form field and nuke your system.
And an "Unexpected $end" can also mean that you are missing a } somewhere. Quote:
Code:
printf("%s fish, %s fish, %s fish, %s fish.", "one", $numbernames[2], ($result ? "red" : "no"), chr(98).chr(108).chr(117).chr(101));

one fish, two fish, red fish, blue fish.
Your code above has 12 { but only 10 }. Hence the "Unexpected $end".
And a code tidy-up: Code:
printf( '<tr><td><input type="text" name="acct" value="%s"></td>
Here are my files: http://pastebin.com/f2f47c57a -- edit page; http://pastebin.com/f1fae5aa7 -- edit process page; http://pastebin.com/f215eae5f -- search page.

I figured out the '}' thing... yes, I added them (in the right place) and it's fixed.. Could someone please help me add the "addslashes"? It kinda scares me that someone could do "drop table *" in a form, and the way I wrote it, I think they can... thanks so much
Actually, this somewhat depends on which version of PHP you're using, but I'd use mysql_real_escape_string() rather than addslashes(). It does the same thing, but a little better.

The worry here is that someone will enter something into a text field that will play off of MySQL's liberal interpretation of quotes and commands. Basically you trick PHP into adding extra quotes into a MySQL command. The example they have on the php.net page - which is down at the moment, so I can't get a direct link - runs like this: you want to send this SQL command to MySQL:

"select * from tableA where name='$name' and pass='$pass'"

So if someone puts george and gumbo into the name and pass fields in the webpage, this command becomes:

"select * from tableA where name='george' and pass='gumbo'"

But if someone types george and ' or ' '=' , the command sent to MySQL is:

"select * from tableA where name='george' and pass='' or ' '=' '"

which will return all the data in tableA, because ' '=' ' is always true. Escaping the quotes using addslashes or mysql_real_escape_string() means that MySQL will see the quote marks in the text field as text rather than as part of the command syntax. To use it, just add in the line $myText = mysql_real_escape_string($myText) before you send anything via a mysql_query().
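The injection described in the reply above, as an added example that is not from the thread or from the poster's files. It builds a small accounts table in an in-memory SQLite database through PDO (the table, the rows and the function names are constructed here, so it runs without a MySQL server) and runs the login query two ways: as a string assembled from user input, the way the thread's code does, and as a prepared statement. Prepared statements are what current PHP offers in place of escaping; the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7, so the PDO form is the one to write today.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// offline; the accounts rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE accounts (acct INTEGER PRIMARY KEY, login TEXT, password TEXT, gm TEXT)");
$db->exec("INSERT INTO accounts (login, password, gm) VALUES ('Admin', 's3cret', 'z'), ('george', 'gumbo', '')");

// Vulnerable: the request values are pasted straight into the SQL text, as in
// the thread's queries. A quote in $pass ends the string literal early and the
// rest of the input becomes SQL syntax.
function loginUnsafe(PDO $db, string $name, string $pass): array {
    $sql = "SELECT login FROM accounts WHERE login='$name' AND password='$pass' ORDER BY login";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a prepared statement. The SQL text is fixed at prepare() time and the
// values travel separately, so a quote in the input is only ever data.
function loginSafe(PDO $db, string $name, string $pass): array {
    $stmt = $db->prepare("SELECT login FROM accounts WHERE login = ? AND password = ? ORDER BY login");
    $stmt->execute([$name, $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same trick as the reply's ' or ' '=' input: closes the password literal and
// appends an always-true condition.
$payload = "' or '1'='1";

print_r(loginUnsafe($db, 'george', $payload));
print_r(loginSafe($db, 'george', $payload));
print_r(loginSafe($db, 'george', 'gumbo'));
```

With the payload, the unsafe query becomes `... AND password='' or '1'='1' ...`; because AND binds tighter than OR, the row filter collapses to `(...) OR true` and every account's login comes back, Admin included. The prepared version returns no rows for the payload and exactly one row for the correct password.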
so it would be like this:
Code:
$query = "SELECT * from accounts";
This is what I have... no errors, but it just doesn't work....
Code:
<?php
Code:
$user_name = $_POST['user_name'];

You might also look into the strip_tags() function of PHP. That's not as vital for security - it just removes HTML tags from anything people type into forms (you'll sometimes get people trying to slip links to their webpages into form elements if they think the text is going to get written straight back out to the browser).
You did see my code?? Right??
It shows what I am doing.. it just doesn't work.
With modifications... Code:
"UPDATE accounts SET login='$loginsafe', email='$emailsafe' WHERE acct='$acctsafe'"
ok... i see what i did wrong.. will post in a bit
thanks guys!!!
(tw) and others!! Now I got a new project: putting all these files in a login system (using the accounts table that I already have).. My goal is this: make a login system for the admin area, where anyone in the accounts table can log in, but only people who have a "z" in the "GM" column can see the "admin" area... the rest of the users can only edit their account... anyone wanna help? I don't have an idea where to start...
Code:
$result = mysql_query($query);
ok.. I think I would use an echo instead of that, like this:
-- regular member pages Code:
$mmquery = "SELECT * from accounts WHERE login='$name' && password='$password'";
Code:
$pagequery = "SELECT * from accounts WHERE login='$name' && password='$password'";
am i using the '&&' right?
What's this?
Alright, will do..
And I won't have to do double the work.. what do you mean?
However, if you include a page fragment after authentication you not only hide the code, you hide the code's location as the file name never has to be presented to the user. |
No.. I could use the same system that allows the user to see the link...
Anyway, I am kinda new at PHP... I wouldn't know about using the cookies... thanks ryans
And here I thought universities were supposed to be at the leading edge of everything - technology, knowledge, drinking contests etc.
No.. I need the %z%
because it's a WILDCARD
% is a SQL wildcard, it is not stored in the database that way. And you've used it in a PHP function, not a database context. The PHP == operator will treat what you typed as literal text. You need to read the PHP manual section on string functions. And if you use it in SQL as a wildcard you can't use the equality operator. Read the SQL manual section on string functions too.
So, even though I need the wild card, I don't put it in?
Weird.. I will give it a try though..
You are trying to use a SQL wildcard in a PHP operation. Won't work.
This: Code:
$pagethisrow = mysql_fetch_array($pageresult, MYSQL_ASSOC);

This: Code:
$mmresult = mysql_query($mmquery);

Code:
if( false !== strpos($mmthisrow['GM'], 'z') ) {
    // the GM column contains a 'z': show the admin area
}

The proper use of '%' as a wildcard is in the SELECT query, for example Code:
SELECT * from accounts WHERE login='$name' && password='$password' && GM LIKE '%z%'
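The two correct placements of the "z" check from the reply above, as an added example that is not code from the thread: once as a LIKE pattern inside the SQL, and once as a strpos() on the fetched column, next to the literal comparison the thread tried. The accounts table, its rows and the function names are constructed here; PDO with in-memory SQLite is used so it runs without MySQL, and the queries are prepared statements so the login and password from the form can never change the query text. Note that the '%z%' pattern is bound as a parameter too: LIKE receives it as a value, which is exactly where a wildcard belongs.

```php
<?php
// Added example, not code from the thread. Constructed sample rows; GM holds
// a 'z' for accounts that may see the admin area.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE accounts (login TEXT, password TEXT, GM TEXT)");
$db->exec("INSERT INTO accounts VALUES ('Admin', 's3cret', 'z'), ('george', 'gumbo', 'abc'), ('zed', 'pw', 'yz')");

// Wildcard in the SQL: the pattern is a bound value, so LIKE interprets the '%'
// and the user-supplied login/password are only ever compared as data.
function isGmInSql(PDO $db, string $login, string $password): bool {
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM accounts WHERE login = ? AND password = ? AND GM LIKE ?"
    );
    $stmt->execute([$login, $password, '%z%']);
    return (int) $stmt->fetchColumn() > 0;
}

// Same decision made in PHP after fetching the row: a plain substring test.
// No '%' appears anywhere, because strpos() is not a pattern matcher.
function isGmInPhp(PDO $db, string $login, string $password): bool {
    $stmt = $db->prepare("SELECT GM FROM accounts WHERE login = ? AND password = ?");
    $stmt->execute([$login, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;            // no such login/password: not an admin
    }
    return strpos($row['GM'], 'z') !== false;
}

// What the thread tried: == compares the column to the four literal characters
// "%z%", so it is only true if the database actually stores that string.
function isGmWrong(string $gm): bool {
    return $gm == '%z%';
}

var_dump(isGmInSql($db, 'Admin', 's3cret'));
var_dump(isGmInSql($db, 'george', 'gumbo'));
var_dump(isGmInPhp($db, 'zed', 'pw'));
var_dump(isGmWrong('z'));
```

Of the four calls, the first and third report true (GM is "z" and "yz" respectively), the second is false (GM "abc" has no z), and the literal comparison is false even for a GM of "z". Either of the first two functions is fine for the login system asked about above; the SQL form does the filtering in one round trip, the PHP form is handy when the row has already been fetched for other reasons.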
alright thanks
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.