Re: Double query form, result of 1st query drops anything after a space

From: Theo (invalid_at_noemail.com)
Date: 10/26/04


Date: Tue, 26 Oct 2004 00:39:16 -0000

dogu <dfinnerathome@netscape.net> wrote in
news:dcKdnTrmGZERG-DcRVn-oQ@metrocastcablevision.com:

> Theo wrote:
>> dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
>> sQ@metrocastcablevision.com:
>>
>>
>>><html>
>>><body>
>>>Select the site name from the list below<br>
>>>Note - if you start typing the name, you don't have to scroll to the
>>>name.<br>
>>></body>
>>><br>
>>><form>
>>><?php
>>>
>>>// Define variables
>>>$server = 'localhost';
>>>$username = 'web';
>>>$password = 'user';
>>>$database = 'HomeData';
>>>
>>>//$query = "Select site, username, password from sitelogins where site = '$site'";
>>>$query = "Select site from sitelogins order by site";
>>>
>>>// connect to mysql
>>>$db = mysql_connect($server, $username, $password);
>>>
>>>// connect to db
>>>mysql_select_db($database, $db);
>>>
>>>// >>>>> run query and populate the select box - this bit works great.
>>>// >>>>> note, if I use \"$site\" below, I get nothing. using site
>>>// as the name seems to work.
>>>
>>>$result = mysql_query($query, $db);
>>>echo "<select name=\"site\">";
>>>if(!$result) die ("query failed");
>>> while($row = mysql_fetch_row($result)) {
>>>echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
>>>}
>>>echo "</select>";
>>>
>>>// >>>>> next line - if the value of $site is something like 'fred joe',
>>>// the echo $site prints as 'fred' and the 2nd query returns null
>>>
>>>echo "<br><br>The requested site is $site <br><br>";
>>>echo "<table border=1>\n";
>>>echo "<tr><td>The username is:</td><td>The password is:</td>";
>>>
>>>
>>>$query2 = "Select * from sitelogins where site = '$site'";
>>>$result2 = mysql_query($query2, $db);
>>>if(!$result2) die ("query failed");
>>> while($row = mysql_fetch_row($result2)) {
>>> echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
>>> }
>>>
>>>echo "</table>";
>>>
>>>// close connection
>>>mysql_close($db);
>>>?>
>>><br>
>>><input type="submit" value = "Get Password">
>>></form>
>>></html>
>>>
>>
>> Two things, where do you assign $site a value before you actually use
>> it?
>
> Lost again...
>
> What I thought I was doing was creating the variable in the line that
> creates the drop down select box, echo "<select name=\"site\">";
> That's where I thought the variable name was created. If it gets
> created somewhere else, I don't have a clue where.
>
>>
>> second, you are using the $db link instead of the connect link for
>> your queries (chose something other than result so you don't overwrite
>> it).
>>
>> And no I didn't catch that immediately :P
> Still lost. Every example of php connecting to MySQL uses the same
> format as my code.
>
> $db = mysql_connect($server, $username, $password);
> mysql_select_db($database, $db);
> Isn't $db the connect link? Can't I use it throughout the code?
> Are you referring to my $result2? Do I need to create something like
> a second connect as $db2 = mysql_connect($server, $username,
> $password)?
>
> I know I'm getting trapped in some kind of circular logic hell.
> Everything I've used for references either has good HTML examples with
> no PHP/MySQL, or good PHP with limited HTML or simple HTML form
> creation with no clever modifications (ie programmatic population of
> lists) or... but never a fully built example of the whole thing.
>
> Once all the pieces come together, this'll be easy. I'm just not
> seeing the solution. Sorry for my slowness and thank you for your
> patience.
>
> Doug
>

ok... first

You are submitting a query before you assign $site a value. If you do a
value check before submitting the query you will see that it is a null
value.

The line you commented out...

//$query = "Select site, username, password from sitelogins where site = '$site'";

won't work because $site is null. So the question is, what value do you
want to assign to it, and where is it coming from... assuming it's not the
same every time?

----
When checking values add a line like
print "my value is $value"; exit();
before you use it, so you can see what the value is at that point. If you
get something unexpected, or get 'my value is' and then nothing
afterwards, you need to check how you are assigning your values.
---
For the other point, you're right, I got that backwards. Sorry 'bout that.
:-)
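
Added example, not part of the original thread or either poster's code: a reworked version of the quoted form. It quotes and escapes the option value (an unquoted HTML attribute value ends at the first space, which is how 'fred joe' becomes 'fred'), reads the submitted value explicitly from $_GET, and binds it as a query parameter instead of interpolating it into the SQL. Assumptions: PDO with an in-memory SQLite table and constructed rows stands in for the MySQL sitelogins table, and the helper names h(), render_options() and lookup() are hypothetical.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for
// the poster's MySQL sitelogins table so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sitelogins (site TEXT, username TEXT, password TEXT)');
$db->exec("INSERT INTO sitelogins VALUES ('fred joe', 'fj', 'constructed-1'),
                                         ('o''brien books', 'ob', 'constructed-2')");

// Escape every value that is written into the HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the select box. The quotes around value="..." are what keep
// 'fred joe' from being cut to 'fred' by the browser.
function render_options(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT site FROM sitelogins ORDER BY site') as $row) {
        $html .= '<option value="' . h($row['site']) . '">' . h($row['site']) . "</option>\n";
    }
    return $html;
}

// Second query: the submitted value is bound as a parameter, never
// interpolated into the SQL string.
function lookup(PDO $db, string $site): array {
    $stmt = $db->prepare('SELECT username, password FROM sitelogins WHERE site = ?');
    $stmt->execute([$site]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// $site is only set when the form was submitted; read it explicitly.
$site = isset($_GET['site']) && is_string($_GET['site']) ? $_GET['site'] : null;

echo '<form method="get"><select name="site">' . "\n" . render_options($db) . "</select>\n";
echo '<input type="submit" value="Get Password"></form>' . "\n";

if ($site !== null) {
    echo '<p>The requested site is ' . h($site) . "</p>\n<table border=\"1\">\n";
    echo "<tr><td>The username is:</td><td>The password is:</td></tr>\n";
    foreach (lookup($db, $site) as $row) {
        echo '<tr><td>' . h($row['username']) . '</td><td>' . h($row['password']) . "</td></tr>\n";
    }
    echo "</table>\n";
}
```

Against the real database only the PDO connection line changes (a MySQL DSN and credentials); the escaping and the bound parameter stay the same.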

