SQL and PHP need to get query working


0

   <?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}
$online = rand(12,200);
if($_GET['pass'] == "changethis"){
?>
<font color="00c000">
<html>
<head>
<title>Premium Girls ~ Logged in</title>
</head>
<body>

<p align="right">Online Users:<?php echo "$online"; ?></p><br>

<body bgcolor="#004000">
<center><img src="/logo.gif"></img>

<p>Welcome to the Admin Panel, <?php echo $_SESSION['username']; ?>.

<br>
<form method="post" action="newuser.php"><br>
<center>Create a new user:<br></center>
Username:<input type="text" name="username"><br>
Password:<input type="password" name="password"><br>
<input type=submit value="Create new user">
</form>
<br><br>
<div id=footer align=center>Please note we are currently under setup.</div>
</body>
</html></font>

<?php
}else{
?>
<font color="00c000">
<html>
<head>
<title>Premium Girls ~ Payment Processor</title>
</head>
<body>

<p align="right">Online Users:<?php echo "$online"; ?></p><br>

<body bgcolor="#004000">
<center><img src="/logo.gif"></img>

<p>Welcome to the Logged in screen, <?php echo $_SESSION['username']; ?>. Below you will see all the payments linked to your model name.</p>

<?php

$con = mysql_connect("localhost","devacc_yourmum","changeme123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("devacc_models", $con);

$uid = $_SESSION['username'];
$result = mysql_query("SELECT * FROM payments WHERE model = {$_SESSION['username']}");

echo "<table border='1'>
<tr>
<th>Name</th>
<th>Payment ID</th>
<th>Address</th>
<th>Nickname</th>
<th>Email</th>
<th>Skype</th>
<th>CardType</th>
<th>Model Name</th>
<th>Country</th>
</tr>";

while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['Name'] . "</td>";
  echo "<td>" . $row['Payment ID'] . "</td>";
  echo "<td>" . $row['Address'] . "</td>";
  echo "<td>" . $row['Nickname'] . "</td>";
  echo "<td>" . $row['Email'] . "</td>";
  echo "<td>" . $row['Skype'] . "</td>";
  echo "<td>" . $row['cardtype'] . "</td>";
  echo "<td>" . $row['model'] . "</td>";
  echo "<td>" . $row['country'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysql_close($con);
?>

<br><br><br><br><br><br>
<div id=footer align=center>Please note we are currently under setup.</div>
</body>
</html></font>


<?php
}
?>

Above is my code, which unfortunately gives me an error. It is supposed to pull all information from the payments table in the database with the model's username, so if I'm logged in with the username "Bradandrews4" and someone purchased a show from me, it would be SELECT * FROM payments WHERE model = bradandrews4. It would be bradandrews4 because that's the username I'm logged in with. To output my username I could do either $uid or $_SESSION['username'], however I'm not sure how to get that into the query and then put it through the table. Any help would be much appreciated :)

-Brad

2012-04-04 07:31
by Brad Andrews
And what error are you getting - deceze 2012-04-04 07:32
What error are you getting? Copy/paste i - Bono 2012-04-04 07:32
try "SELECT * FROM payments WHERE model = \'{$_SESSION['username']}\'" - Milan Halada 2012-04-04 07:35
separate html code from php code should perhaps be a good idea - Billy McNuggets 2012-04-04 07:35
@Uriel_SVK: That's not sufficient escaping... what if the username is O'Reilly? Why are people so scared of PDO - DCoder 2012-04-04 07:36
@DCoder: I am actually using only PDO :), just tired of explaining it to everyone, so yeah, as Dcoder said using PDO and parameters would be much, much better, not only for names like O'Reilly, but for SQL injection prevention too - Milan Halada 2012-04-04 07:39
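
The PDO-with-parameters approach recommended in the comments above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database in place of the MySQL server and a cut-down three-column payments table; the function names paymentsForModel and renderTable are hypothetical.

```php
<?php
// Added example: parameterized lookup with PDO instead of string-built SQL.
// Assumption: in-memory SQLite stands in for the MySQL server so this runs
// offline; against MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows; the table is cut down to three columns.
$pdo->exec('CREATE TABLE payments (name TEXT, email TEXT, model TEXT)');
$insert = $pdo->prepare('INSERT INTO payments (name, email, model) VALUES (?, ?, ?)');
foreach ([
    ['Alice', 'alice@example.com', 'bradandrews4'],
    ['Bob',   'bob@example.com',   "O'Reilly"],
    ['Carol', 'carol@example.com', 'someoneelse'],
] as $row) {
    $insert->execute($row);
}

/** Return the payments rows whose model column equals $model exactly. */
function paymentsForModel(PDO $pdo, string $model): array
{
    // The SQL text is fixed; the value is sent separately as a bound
    // parameter, so a quote inside it cannot change the statement.
    $stmt = $pdo->prepare('SELECT name, email, model FROM payments WHERE model = :model');
    $stmt->execute([':model' => $model]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Render rows as an HTML table, escaping every cell on output. */
function renderTable(array $rows): string
{
    $html = "<table border='1'>\n<tr><th>Name</th><th>Email</th><th>Model Name</th></tr>\n";
    foreach ($rows as $row) {
        $cells = array_map(
            fn($v) => '<td>' . htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8') . '</td>',
            $row
        );
        $html .= '<tr>' . implode('', $cells) . "</tr>\n";
    }
    return $html . "</table>\n";
}

// In the page from the question this value would be $_SESSION['username'].
foreach (['bradandrews4', "O'Reilly", 'nobody'] as $username) {
    $rows = paymentsForModel($pdo, $username);
    echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'), ': ', count($rows), " row(s)\n";
    echo renderTable($rows);
}
```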


2

Replace your query with this:

mysql_query("SELECT * FROM payments WHERE model = '" . mysql_real_escape_string($_SESSION['username']) . "'");
2012-04-04 07:33
by Mircea Soaica
You probably mean mysql_real_escape_string - DCoder 2012-04-04 07:34
Yes. Thank you. mysql_escape_string is deprecated as of php 5. - Mircea Soaica 2012-04-04 07:36
Thank you, I've actually managed to sort it out myself and I'll post my fixed code as my answer to help anyone else out :) I think your answer probably would have fixed it too though : - Brad Andrews 2012-04-05 18:32


2

just place the '' around your input..?

SELECT * FROM payments WHERE model = '{$_SESSION['username']}'

would be easier to assign the value to another variable

$un = mysql_real_escape_string($_SESSION['username']);
SELECT * FROM payments WHERE model = '$un'

2012-04-04 07:35
by snaderss
If you read my original post I did say that I had already assigned another variable to it the variable being $uid but thanks anyway : - Brad Andrews 2012-04-05 18:33


1

just write

$result = mysql_query("SELECT * FROM payments WHERE model ='".$uid."'");
2012-04-04 07:56
by Dhruvisha
Thank you, I've actually managed to sort it out myself and I'll post my fixed code as my answer to help anyone else out :) I think your answer probably would have fixed it too though : - Brad Andrews 2012-04-05 18:35
I didn't use your answer. I answered it myself - Brad Andrews 2012-04-07 16:33


0

Use quotes around your values like in the answer from snaderss.

Also, there is a security vulnerability in your session validation.

if (!isset($_SESSION['username'])) {
    header('Location: index.php');
}

If someone's browser ignores the Location header, the user will see your premium content. The same happens if someone accesses your site via curl() or something similar.

Always use exit(); or die(); after you redirect.

fixed code:

if (!isset($_SESSION['username'])) {
    header('Location: index.php');
    exit();
}

Now the script stops when the redirect fails.

2012-04-04 08:05
by Slemgrim
Woops, didn't think about that, thanks for correcting the vulnerability, adding "exit();" now : - Brad Andrews 2012-04-05 18:34


0

$sql = "SELECT * FROM cards WHERE model = '".$uid."' ";
$result = mysql_query($sql);

Thanks everyone, above I posted the 2 lines I have changed in order to get it working... I'm sure all of your posts would have fixed the problem too but I ended up fixing it myself... :)

-Brad

2012-04-05 18:37
by Brad Andrews


0

You could just use this query as it is easier to remember.

mysql_query("SELECT * FROM payments WHERE model = '{$_SESSION['user']}'");
2013-04-04 00:16
by Tim Tattsy