help i'm new to mySQL

  • Kamil

    help i'm new to mySQL

    I don't know what I'm doing wrong. I'm trying to get all the fields from a
    specific row by user name. I'm using PHP and I got the connection string down
    and I made a query like this:

    $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

    The variable $_POST[user] was passed to the PHP code from a previous HTML
    form. I get the error:
    Unknown column '<username here>' in 'where clause'

    The <username here> part shows whatever I typed in my previous form as a
    user name.

    I'm guessing I'm using the wrong syntax and I can't find any help on it.
    Perhaps someone could explain this to me and point me to a site or manual
    on this sort of thing. I tried php.net but they have mostly different
    functions; I couldn't find this one there.

    TIA
    ~ K.R




  • Steve

    #2
    Re: help i'm new to mySQL

    Kamil wrote:
    > I don't know what I'm doing wrong. I'm trying to get all the fields from a
    > specific row by user name. I'm using PHP and I got the connection string down
    > and I made a query like this:
    >
    > $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
    >
    > The variable $_POST[user] was passed to the PHP code from a previous HTML
    > form. I get the error:
    > Unknown column '<username here>' in 'where clause'
    >
    > The <username here> part shows whatever I typed in my previous form as a
    > user name.
    >
    > I'm guessing I'm using the wrong syntax and I can't find any help on it.
    > Perhaps someone could explain this to me and point me to a site or manual
    > on this sort of thing. I tried php.net but they have mostly different
    > functions; I couldn't find this one there.
    >
    > TIA
    > ~ K.R
    >
    It needs to be in quotes.

    Steve


    • Michael Fesser

      #3
      Re: help i'm new to mySQL

      .oO(Kamil)

      >I don't know what I'm doing wrong. I'm trying to get all the fields from a
      >specific row by user name. I'm using PHP and I got the connection string down
      >and I made a query like this:
      >
      >$query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");

      Some things:

      1) Do a google for "PHP SQL injection" and then never use form-submitted
      data directly in a query again; you're risking your db and server!

      SQL Injection


      2) The username is a string, it has to be single-quoted in the query.

      The missing quotes are what causes the error, because MySQL treats the
      submitted username as a column name instead of a value.

      >I'm guessing I'm using the wrong syntax and I can't find any help on it.
      >Perhaps someone could explain this to me and point me to a site or manual
      >on this sort of thing. I tried php.net but they have mostly different
      >functions; I couldn't find this one there.

      The error is caused by MySQL, not PHP. Have a look at (or better
      download) the MySQL manual.

      10.1.1 Strings


      10.2 Database, Table, Index, Column, and Alias Names


      HTH
      Micha


      • CJ Llewellyn

        #4
        Re: help i'm new to mySQL

        "Kamil" <ozzyosb1@tampabay.rr.com> wrote in message
        news:Vvr7d.41540$Si.41350@tornado.tampabay.rr.com...
        > I don't know what I'm doing wrong. I'm trying to get all the fields from a
        > specific row by user name. I'm using PHP and I got the connection string
        down
        > and I made a query like this:
        >
        > $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
        >
        > The variable $_POST[user] was passed to the PHP code from a previous HTML
        > form. I get the error:
        > Unknown column '<username here>' in 'where clause'

        // Build the statement first so it can be echoed while debugging.
        $sql = sprintf("SELECT * FROM %s WHERE name = '%s'",
                       $dbname, $_POST['user']);

        echo $sql;
        $result = mysql_query($sql);
        // mysql_query() returns false on failure; treat "no rows" as a miss too.
        if (!$result || mysql_error() || mysql_num_rows($result) < 1)
        {
            echo "Unable to find records [$sql] : " . mysql_error() . "<br>\n";
        }



        • Alvaro G. Vicario

          #5
          Re: help i'm new to mySQL

          *** Kamil wrote (Sat, 02 Oct 2004 06:02:29 GMT):
          > "SELECT * FROM <DBname> WHERE name = $_POST[user]"

          What I've found to be wrong:

          1) FROM clause needs a table name, not a database name
          2) Strings in SQL must be quoted (single quotes)
          3) You must escape single quotes within strings to avoid SQL injection and syntax errors
          4) Associative arrays use a string as an index, not a constant

          It should be:

          "SELECT * FROM table_name WHERE name='" . mysql_escape_string($_POST['user']) . "'"

          --
          -+ Álvaro G. Vicario - Burgos, Spain
          +- http://www.demogracia.com (the humour site, varnished for outdoor use)
          ++ Computing questions received by e-mail will go straight to the bin
          -+ I'm not a free help desk, please don't e-mail me your questions
          --


          • Michael Fesser

            #6
            Re: help i'm new to mySQL

            .oO(Alvaro G. Vicario)

            >*** Kamil wrote (Sat, 02 Oct 2004 06:02:29 GMT):
            >> "SELECT * FROM <DBname> WHERE name = $_POST[user]"
            >
            >What I've found to be wrong:
            >
            >[...]
            >4) Associative arrays use a string as an index, not a constant

            The above is correct (simple) PHP syntax. Quoting the index there would
            cause a parse error. When using complex (curly) syntax or accessing the
            array outside a string then you're right.

            Micha
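
            As an added example (not code from any post in this thread), the three
            query shapes discussed in replies #3, #5 and #6 side by side: the value
            unquoted, the value quoted but still interpolated, and a prepared
            statement. It runs offline against an in-memory SQLite database through
            PDO; the `users` table, its columns and the sample rows are assumptions.

```php
<?php
// Added example, not code from any post in this thread. It shows the defects the
// replies name (FROM needs a table, strings must be quoted, form data must not be
// pasted into SQL) and the fix. PDO over an in-memory SQLite database is used so
// it runs offline; for MySQL only the DSN and credentials change.
// Assumed schema: table users(id, name, email).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('bob', 'bob@example.test'), ('O''Brien', 'ob@example.test')");

// The shape of the original query: a table name in FROM, but the value unquoted.
// The database parses it as an identifier, hence "Unknown column 'bob' in 'where
// clause'" on MySQL ("no such column: bob" on SQLite).
function lookupUnquoted(PDO $pdo, string $user): array
{
    // Simple interpolation, as in the post: "$_POST[user]" is valid there (reply #6).
    return $pdo->query("SELECT * FROM users WHERE name = $user")->fetchAll(PDO::FETCH_ASSOC);
}

// Quoted, as replies #2, #3 and #5 say, but still interpolated: fine for 'bob',
// a syntax error for a name containing a quote. A value that changes what the
// statement means is the same mechanism, which is what "SQL injection" is.
function lookupInterpolated(PDO $pdo, string $user): array
{
    return $pdo->query("SELECT * FROM users WHERE name = '$user' LIMIT 1")->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels separately from the SQL text, so no
// quoting or escaping is needed and it can only ever be compared against name.
function lookupPrepared(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name LIMIT 1");
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input standing in for $_POST['user'].
foreach (['bob', "O'Brien"] as $user) {
    foreach (['lookupUnquoted', 'lookupInterpolated', 'lookupPrepared'] as $fn) {
        try {
            printf("%-18s %-8s -> %d row(s)\n", $fn, $user, count($fn($pdo, $user)));
        } catch (PDOException $e) {
            printf("%-18s %-8s -> error: %s\n", $fn, $user, $e->getMessage());
        }
    }
}
```

            Only the prepared version returns a row for both names. The mysql_*
            functions used throughout this thread were removed in PHP 7; PDO or
            mysqli, both of which support prepared statements, replace them.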


            • Kamil

              #7
              Re: help i'm new to mySQL


              "Kamil" <ozzyosb1@tampabay.rr.com> wrote in message
              news:Vvr7d.41540$Si.41350@tornado.tampabay.rr.com...
              > I don't know what I'm doing wrong. I'm trying to get all the fields from a
              > specific row by user name. I'm using PHP and I got the connection string
              down
              > and I made a query like this:
              >
              > $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
              >
              > The variable $_POST[user] was passed to the PHP code from a previous HTML
              > form. I get the error:
              > Unknown column '<username here>' in 'where clause'
              >
              > The <username here> part shows whatever I typed in my previous form as a
              > user name.
              >
              > I'm guessing I'm using the wrong syntax and I can't find any help on it.
              > Perhaps someone could explain this to me and point me to a site or manual
              > on this sort of thing. I tried php.net but they have mostly different
              > functions; I couldn't find this one there.
              >
              > TIA
              > ~ K.R

              Thanks for all the help. I looked up all those sites and learned a thing or
              two but it still didn't help me... I know about the risk to the server and DB
              but I'm not worried, no one knows about this DB and I'm not planning to use it
              anywhere, it's just for my own practice. I'm still having problems but I think
              I DID make some progress. Here's what's going on now...

              What I did to test what is going on is I put my query string in an echo
              statement and the literal string that comes out that is used in the query is
              this:

              SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1

              I copied and pasted this exact string into phpMyAdmin and replaced <user>
              with a real user name in my table and it did pull the record, but now my PHP
              gives this error:

              Warning: Wrong parameter count for mysql_query() in <directory> on line 12

              Any ideas?? I'm really confused



              • Geoff Berrow

                #8
                Re: help i'm new to mySQL

                I noticed that Message-ID:
                <BmA7d.60752$Of3.12971@tornado.tampabay.rr.com> from Kamil contained the
                following:

                >
                >Warning: Wrong parameter count for mysql_query() in <directory> on line 12
                >
                >Any ideas?? I'm really confused

                Er..you don't show us that bit of code...
                --
                Geoff Berrow (put thecat out to email)
                It's only Usenet, no one dies.
                My opinions, not the committee's, mine.
                Simple RFDs http://www.ckdog.co.uk/rfdmaker/


                • Tony Marston

                  #9
                  Re: help i'm new to mySQL


                  "Kamil" <ozzyosb1@tampabay.rr.com> wrote in message
                  news:BmA7d.60752$Of3.12971@tornado.tampabay.rr.com...
                  >
                  > "Kamil" <ozzyosb1@tampabay.rr.com> wrote in message
                  > news:Vvr7d.41540$Si.41350@tornado.tampabay.rr.com...
                  >> I don't know what I'm doing wrong. I'm trying to get all the fields from a
                  >> specific row by user name. I'm using PHP and I got the connection string
                  > down
                  >> and I made a query like this:
                  >>
                  >> $query = mysql_query("SELECT * FROM <DBname> WHERE name = $_POST[user]");
                  >>
                  >> The variable $_POST[user] was passed to the PHP code from a previous HTML
                  >> form. I get the error:
                  >> Unknown column '<username here>' in 'where clause'
                  >>
                  >> The <username here> part shows whatever I typed in my previous form as a
                  >> user name.
                  >>
                  >> I'm guessing I'm using the wrong syntax and I can't find any help on it.
                  >> Perhaps someone could explain this to me and point me to a site or
                  >> manual
                  >> on this sort of thing. I tried php.net but they have mostly different
                  >> functions; I couldn't find this one there.
                  >>
                  >> TIA
                  >> ~ K.R
                  >
                  > Thanks for all the help. I looked up all those sites and learned a thing or
                  > two but it still didn't help me... I know about the risk to the server and
                  > DB
                  > but I'm not worried, no one knows about this DB and I'm not planning to use it
                  > anywhere, it's just for my own practice. I'm still having problems but I
                  > think
                  > I DID make some progress. Here's what's going on now...
                  >
                  > What I did to test what is going on is I put my query string in an echo
                  > statement and the literal string that comes out that is used in the query
                  > is
                  > this:
                  >
                  > SELECT * FROM `table` WHERE `name` = "<user>" LIMIT 1
                  >
                  > I copied and pasted this exact string into phpMyAdmin and replaced <user>
                  > with a real user name in my table and it did pull the record, but now my
                  > PHP
                  > gives this error:
                  >
                  > Warning: Wrong parameter count for mysql_query() in <directory> on line 12
                  >
                  > Any ideas?? I'm really confused

                  The message means what it says. The manual tells you what parameters the
                  mysql_query() function requires, and you have obviously gone and given it
                  something which is completely different. I suggest you learn to read.

                  --
                  Tony Marston

                  This is Tony Marston's web site, containing personal information plus pages devoted to the Uniface 4GL development language, XML and XSL, PHP and MySQL, and a bit of COBOL



