I'm trying to use $_SESSION['valid_user'] in a .php script that accesses the table "mail" under "users." $_SESSION['valid_user'] has been defined in a script which I included. Whenever I use "WHERE to=$_SESSION['valid_user']" in my SELECT statement, I get a blank page. However, if I take it out, the script runs and displays all messages in the database, not just the message that was defined to show to that particular username. Despite this, I can echo $_SESSION['valid_user'] outside of the while loop or SELECT statement. Here's my code:
<?php
include("mainmenu.php");
include("checklogin.php");
//$_SESSION['valid_user'] defined in checklogin.php
$con = mysql_connect("localhost", "root", "g00dfor#boy");
if(!$con){
die(mysql_error());
}
mysql_select_db("users", $con);
$result = mysql_query("SELECT * FROM mail WHERE to=$_SESSION['valid_user']");
//when executed with WHERE to=$_SESSION['valid_user'] it displays blank page.
while($row = mysql_fetch_array($result))
{
echo "To: " . $row['to'] . "| From: " . $row['from'] . "<br/>";
echo "Subject: " . $row['subject'] . "<br/><br/>" . "Message: " . $row['message'];
echo "<br/>";
}
mysql_close($con);
?>
Don't say, "Put $_SESSION['valid_user'] in double quotes." I've already tried that.
Change to $result = mysql_query("SELECT * FROM mail WHERE to='".$_SESSION['valid_user']."'");
You need to put brackets around the SESSION variable in your query.
change
$result = mysql_query("SELECT * FROM mail WHERE to=$_SESSION['valid_user']")
to
$result = mysql_query("SELECT * FROM mail WHERE to='{$_SESSION['valid_user']}'")
EDIT
You need to change
while($row = mysql_fetch_array($result))
to
while($row = mysql_fetch_assoc($result))
because you are referencing the columns by their names rather than by their index value.
Try
$result = mysql_query("SELECT * FROM mail WHERE to='".$_SESSION['valid_user']."'");
or
$result = mysql_query("SELECT * FROM mail WHERE to='$_SESSION[valid_user]'");
Both should not be valid queries;
Try capturing your query in a variable and printing it out to see what you get.
$query = "SELECT * FROM mail WHERE to=$_SESSION['valid_user']";
If the $_SESSION['valid_user'] contains any spaces you will need to wrap it in some form of single or double quotes other wise MySQL won't know what you really want.
Presumably user_name is a variable, originally provided by a user of your site? In that case you absolutely must escape it when embedding it in an SQL query, or you will be prone to injection attacks:
$result = mysql_query("SELECT * FROM mail WHERE to='".mysql_escape_string($_SESSION['valid_user'])."'");
Related
I want to take the value of a single MySQL cell and use it as a string inside PHP code - I already know the cell exists, where it is, and nothing else is needed. What's the easiest way to do this? All the examples I've found focus on using a loop to output multiple rows into a table, which seems needlessly complicated for my purposes.
Basically what I want to do is this:
require_once 'login.php'; // Connects to MySQL
$sql = "SELECT name FROM users WHERE id='1'"; // id is determined elsewhere
$result = mysqli_query($connect, $sql);
echo "Your name is " . $result;
But I get an error message that it's not a valid string.
You forgot to fetch record from $result using mysqli_fetch_assoc().
So you can fix your code this way:
$result = mysqli_query($connect, $sql);
while ($row = mysqli_fetch_assoc($result)) {
echo "Your name is " . $row['name'];
}
<?php $r = mysql_query("select * from tbl_student_master where email='#$_SESSION[email]'") or die(mysql_error());
There seems to be a problem with that. How do I properly enter the session variable within apostrophes?
First off, make sure that your $_SESSION variable is safe - I have no reason to assume that it isn't, but if you are initially getting it from $_GET or $_POST or $_REQUEST, you need to do this differently.
<?php $r = mysql_query("select * from tbl_student_master where email='" . $_SESSION["email"] . "'") or die(mysql_error());
That being said, mysql_query is deprecated, you should really look into either mysqli or PDO. I strongly recommend PDO.
If you are using the # because it is sometimes not set, you should wrap it in
if (isset($_SESSION["email"])) {
$r = mysql_query("select * from tbl_student_master where email='" . $_SESSION["email"] . "'") or die(mysql_error());
}
else {
//what to do if there is no session email
}
I really got a problem now. I tried for decades and I can't find why it is not working. I want to get the user that is logged in to see their email on a specific page. I tried a new code now and i get this error: Notice: Undefined variable: row in
The code I use is:
<?
$username = $_SESSION['username'];
$sql = "select * from users where username=" . $username . "";
echo $sql;
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
}
?>
AND
<?php echo $row['email']; ?>
<?php
$username = $_SESSION['username'];
$query = mysql_query("select * from users where username='".$username."'");
while ($row = mysql_fetch_array($query)) {
$email=$row["email"];
}
echo $email;
?>
try this.
don't use mysql_* functions
I think... Problem is in SQL query. I propose your column "username" is something like VARCHAR(50). So you have to add quote.
$sql = "select * from users where username='" . $username . "'";
I see a bug, and a design problem.
You've designed your script so that you're printing whatever was last assigned to $row in the condition of your while loop.
You're getting the error because the query is not returning anything and the loop is not running. Therefore, $row is never assigned. That being said, you probably don't want to use a while-loop if all you're trying to do is display the value of the "email" column in the first record returned. If you did want to, then stop it.
Call mysql_fetch_assoc() on your $result (doesn't return as much data), and check that it doesn't return FALSE (one or more records weren't found).
if((row = mysql_fetch_assoc($result)) === false)
die("Error.");
?>
Email:
The code below is supposed to check if there is a person in the database with a row in the database with the username it gets from the cookie login.And if there is it is supposed to include a page and if there isn't a person in the database with this user_id it is supposed to echo.Here is my code so far please tell me how I would do this.I also already know before someone tells me that mySQL statements like I have it are becoming depreciated.Here is My code:
<?php
include("dbconnect.php");
mysql_select_db("maxgee_close2");
$username = $_COOKIE['maxgee_me_user'];
$result = mysql_query("select user_id from users where username = '$username'");
$row = mysql_fetch_array($result);
mysql_free_result($result);
$check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row['user_id']'") or die(mysql_error());
if(1==1){
if (mysql_num_rows($check)>0)
{
include("example.php");
}
else
{
echo "example";
}
}
?>
In the double-quoted string, your array variable $row['user_id'] is being incorrectly parsed due to the fact that you have quoted the array key without surrounding the whole thing in {}. It is permissible to omit the {} in a double-quoted string if you don't quote the array key, but the {} adds readability.
check = mysql_query("SELECT * FROM events_main WHERE user_id ='{$row['user_id']}'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
// Also acceptable, but not as tidy, and troublesome with multidimensional
// or variable keys - unquoted array key
check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row[user_id]'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
As mentioned above, $_COOKIE is never considered a safe value. You must escape its values against SQL injection if you continue to use the old mysql_*() API:
$username = mysql_real_escape_string($_COOKIE['maxgee_me_user']);
2 Things right off the bat, like Waleed said you're open to SQL injection, not very nice thing to have happen to you. I would look into reading tutorials about MySQLi and PDOs, from there try and dive into a better way or running queries.
Also you are choosing to use cookies instead of sessions to store the username? Cookies can be modified client-side to say anything a smart user with firebug would want them to be. Sessions are stored server-side and the client (end-user) is only given an id of the session. They cannot modify the username if you send it as a session. (They could try and change the session id to another random bunch of numbers but thats like pissing into the wind, pardon my french.
Heres some pseduo code that will get you on your way I think
<?php
include("dbconnect.php");
$database = "maxgee_close2"; //Set the database you want to connect to
mysql_select_db($database); //Select database
$username = $_SESSION['maxgee_me_user']; //Grab the username from a server-side stored session, not a cookie!
$query = "SELECT user_id FROM `users` WHERE `username` = '" . mysql_real_escape_string($username) . "' LIMIT 1"; //Note the user of mysql_real_escape_string on the $username, we want to clean the variable of anything that could harm the database.
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)) {
//Query was ran and returned a result, grab the ID
$userId = $row["user_id"];
mysql_free_result($result); //We can free the result now after we have grabbed everything we need
$query_check = "SELECT * FROM `events_main` WHERE `user_id` = '" . mysql_real_escape_string($userId) . "'";
$check = mysql_query($query_check);
if (mysql_num_rows($check)>0) {
include("example.php");
}
else {
echo "example";
}
}
?>
That code may/may not work but the real key change is that fact that you were running
mysql_free_result($result);
before your script had a chance to grab the user id from the database.
All in all, I would really go back and read some more tutorials.
I have some PHP code that calls MySQL that works in Firefox and other browsers, but IE doesn't seem to handle it.
<?php include "casti/mysql_connect.php";
$result = mysql_query("SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'");
$row = mysql_fetch_array( $result ); // Line 60 !
echo $row['title'];
?>
And here is what shows up in IE...
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /httpd/html/prohuntingcz/www/cms.php on line 60
Thanks for any help.
PHP and MySQL are completely separate from the browser. Most likely there's something in your HTML or JavaScript that sends the table and id variables correctly from Firefox etc., but wrong from IE. Please show us that code instead.
PHP is processed at the server side so it has nothing to do with the browser. What can be causing your problem could be some javascript that processes the form fields before submitting them to the server - that's the part that is browser dependent.
Most likely IE is caching the page from a previous version of the script when you had that error, to stop browsers from caching the results of your php code add
header("Cache-Control: no-store, no-cache, must-revalidate");
to the beginning of every php script which you're displaying the results of. Also, do not allow the posted variable to be used directly in an sql query as this just opens you up to attack, instead you must sanitize it first using something like
$user_table = $_POST['table'];
$user_id = $_POST['id'];
$user_table = mysql_real_escape_string($user_table);
$user_id = mysql_real_escape_string($user_id)
$query = "SELECT * FROM ".$user_table." WHERE id='".$_user_id."'";
echo "<div>The query is: " . htmlentities($query). "</div>";
Try echoing the query back to the browser to see the results of the variable substitutions - you should see pretty quickly what has gone wrong.
<?php include "casti/mysql_connect.php";
$query = "SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'";
echo "<div>The query is: " . htmlentities($query). "</div>";
$result = mysql_query($query);
$row = mysql_fetch_array( $result ); // Line 60 !
echo $row['title'];
?>
that code is very hackable.
Try changing the
$result = mysql_query("SELECT * FROM ".$_POST['table']." WHERE id='".$_POST['id']."'");
to
$result = mysql_query("SELECT * FROM " . mysql_real_escape_string($_POST['table']) ." WHERE id='" . mysql_real_escape_string($_POST['id']) . "'");
Also in your HTML make sure your form elements have name="table" for the table element and name="id" for the id element. If you you already have id="table" and id="id" then just add name="table" and name="id" also