Here's a situation, i have a list of support tickets that when you click the title of the ticket takes you to a page that displays the ticket in more detail. If uses URL GET variables to query the database. I've taken SQL injection into account but what if someone modifies the url to an id that doesn't exist? whats the best way to deal with that?
Thanks,
Jonesy
If the ID does not exist, send a 404 - Not Found header along with a nice error page telling the user that it wasn't found.
You probably have to make a page handling unsuccessful searches anyway; just route it in there. Then you can help the user to find what (s)he searches in a consistent way, provide cues and "most-searched-after" and what not.
This may seem too simple, but you should always validate your GET (or POST) variable before doing anything with them. In your case, just verify that the ID exists in the database. If it doesn't, inform the user.
You should always check if your query returned anything. If it returned 0 rows, the ID doesn't exist.
<?php
$result = mysql_db_query("your query", $link);
$num_rows = mysql_num_rows($result);
if($num_rows < 1) {
// row with that id doesnt exist
// do whatever you want
} elseif($num_rows > 1) {
// you have problem with your ids in db
} else {
// everything went fine
// do your thing here
}
?>
Check if the ticket exists; if not, react accordingly. What "react accordingly" means is determined by your business logic: create a new ticket? raise an error? take the user to a list of available tickets?
An example using the old mysql extension for brevity:
$sanitized_numeric_id = (int) $_GET['ticket_id']; // assuming id is numeric
$query_resource = mysql_query('SELECT `somecolumn`, `column2`, `othercolumn`
FROM `tickets`
WHERE `id`= ' . $sanitized_numeric_id);
if (mysql_num_rows($query_resource) > 0) {
// the ticket exists, do something with it
} else {
// the ticket doesn't exist, react accordingly
}
Related
I'm writing an hour registration system for my projectteam at school. Everything is pretty much working, but I can't seem to get the validation of user rights to work.
Validation is done in the acctype field within the user table. If 0 (guest), you can only view the list of hours, if 1 (specialist) you can add your own hours and if 2 (project-manager), you can review the hours users have submitted.
At first I was only using the $account query but instead of selecting them all I selected acctype only.
Does anyone have any idea what am I doing wrong?
$cookie = $_COOKIE['user'];
$account = mysqli_query($conn, "SELECT * FROM user WHERE user = '" . $cookie . "'");
$acctype = mysqli_fetch_assoc($account->acctype);
if(isset($cookie) && $acctype >= 1) {
} else {
}
Jonathan
I believe there's a few things wrong here:
You're reading the cookie before checking if it's set. That's a mistake. You should see if there's a cookie, and THEN read it in. You also don't need to assign it a separate variable.
Note: As I said in my comment, user data should be in a session, not a cookie.
I don't know what your DB schema looks like, but your query is SELECT * FROM user, meaning that if you have an ID, a user name, an access level, and some other things, you're going to get ALL that into the var $acctype, which obviously isn't an integer.
I think the fix is to execute your query, get your results, and then compare the row(s) returned and only check the acctype part:
if ($row['acctype'] >= 1){
}
Documentation: http://us1.php.net/mysqli_fetch_assoc
I have a bit of an issue with my code.
I'm making an administrative panel for users to add things to the database. On occasion, they might try to save data without changing it (open a dialog, click save without changing anything). This, of course, will make mysql_affected_rows() return '0' when checking to see if the UPDATE query worked.
Is there another query to make that will always UPDATE regardless of whether the data is the same or not (or can I modify a simple UPDATE query to always update)?
EDIT
This is for users who don't have programming experience. Of course you wouldn't want to update if there's no reason to, but when a user tries to update and it doesn't happen I end up showing a failure message. Rather than there being something wrong, its just it doesn't need to be updated. I need a way to show the user that, instead of a generic 'failure' message. If it failed for another reason, I still need to know.
From the MySQL Documentation:
If you set a column to the value it currently has, MySQL notices this
and does not update it.
Instead of checking mysql_affected_rows, just check to see if the query was successful:
if(!mysql_query("UPDATE ..."))
{
//failure
}
else
{
$verification = mysql_query("SELECT ROW_COUNT() as rows_affected");
$row = mysql_fetch_row($verification);
$rows_affected = $row[0];
if ($rows_affected > 0)
{
//update was performed
}
else
{
//no update was needed
}
}
Hey guys,
PHP and MySQL newguy here. Wrote this php file which display the content of a row relative to the ID stated in the URL ( eg row 3 is file.php?id=3 ), heres the source: http://pastie.org/1437017
If I goto an id to which the relative row does not exist (eg .php?id=99999999999999), what do I put to in to get it to redirect to another page or echo 'FAIL'. I though about using the if command, but couldn't figure out the syntax. I also looked around the web, but no avail.
Thanks guys
You have the following line:
$name=mysql_result($result,$id,"name");
If there is no row with the id $id, $name will be false. You could therefore do the following:
if (!$name) {
header('Location: http://yoururl.com');
die();
}
Better yet would be to modify your query to this:
$query="SELECT * FROM likes where id=$id";
and then do
if (!$num) {
header('Location: http://yoururl.com');
die();
}
where $num is the number of row returned, as set in your existing code.
Edit As noted elsewhere in this question, it is probably better to serve a 404 Not Found page with appropriate content, rather than redirecting to another page. I can just about imagine a situation where redirection is appropriate, but if your redirection page says "item not found", this is the wrong approach.
I'd redesign your query to something like
SELECT * FROM table WHERE id = $id;
where $id is the $_GET value - sanitised of course.
if that query returns any results (mysql_num_rows($result)==1)
then you know a valid record has been found. If not, the id doesn't exist, so you can throw an error/redirect.
mysql_num_rows() gives you the number of rows in your select, so if that value is 0, you know there isnt any row with that given id.
if (mysql_num_rows($result)==0){
echo "There are no rows with this id";
}else{
// Your normal code
}
let say I have a post that can be found on page post.php?pid=60 but if the user changes the url to post.php?pid=95 the page is displayed all weird is
there a way I can have them redirected to another page that says post dosn't exist or something? If so how would I do this? And is this the best way to handle none existent pages? If not what is preferred?
I'm using PHP & MySQL if that helps.
get the post from DB by the given $_GET["pid"]
if a post is found (ie. given pid existed)
then display it normally
else include the error page content / use header to redirect to the error page, etc.
Hope the logic helps you
well, you could try to select the post from the database, and if the query brings nothing you redirect to the page that shows all posts. it makes more sense to me than exhibiting a "page not found" message (in this case). the idea is something like this:
$result = query('SELECT * FROM posts WHERE id=60');
if( ! $result)
redir('all_posts.php');
this is just for picturing the problem. i'm assuming that the query function returns false, null or even an empty array if no rows are returned, instead of the usual mysql resource.
just remember to add an exit; (could be in the redirect function) to not let the page renders all weird.
You should be checking if there is data being returned in the database, if there is not then you display the error message.
Do you have any supporting code? Here is a mock-up:
$pid = isset($_GET['pid'])?(int)$_GET['pid']:0; // use the ternary operator to set a default value
if (!empty($pid) {
$res = mysql_query("SELECT columns FROM table_name WHERE pid = $pid") or trigger_error('MySQL Returned: ' . mysql_error());
$rows = mysql_num_rows($res);
if ($rows > 0) {
// display the data
}else {
// There is no data so display the no-data page
}
}
It may not work exactly for you, as you will have to tweak it, but should give you a rough idea.
I have a tabled view in a while loop, where a user can view information on books.
For example, book ISBN, book name, read status...
Basically, when the user sets their 'readstatus' to 'complete' I want that specific table row to become grey! The logic is very straight forward, however I can't get my IF statement to recognise this:
if ($readstatus == 'complete') {
echo '<tr class="completed">';
}
else if ($readstatus != 'complete') {
echo '<tr class="reading">';
}
I'm obviously doing something wrong here, table content to change if the value of 'readstatus' = 'complete', if not, then output is the default
Why are you using $_GET? Does this information come from an HTML form or a URL etc... ?
I suspect you meant to change $readstatus = $_GET['readstatus']; to $readstatus = $row['readstatus'];.
$_GET is an aray of GET parameters which come from the query string.
$row is a row in your database, so if the information is in the database - which I suspect it is - you want to use $row instead of $_GET.
Try changing $readstatus = $_GET['readstatus']; to $readstatus = $row['readstatus'];
The $_GET function relies on the value being contained in the query string of the URL, and it has nothing to do with the database. I have a hunch you're trying to get the value from the database here and you're using the wrong function to do it.
$_GET['readstatus'] says the value is coming from the browser.
$row['readstatus'] says the value is coming from the database.
You need to decide which should take precedence-- probably the $_GET['readstatus']` because it's what the user wants to change. If that's the case, you need to update your database with the new readstatus before you requery the db for the dataset.