Having probs with this display script

this is the first script

Echo "<b>Description:</b> ".$info['desc'] . " <br>";
Echo "<b>Area:</b> ".$info['area'] . " <br>";
Echo "<b>City:</b> ".$info['city'] . " <br>";
Echo "<b>Tel:</b> ".$info['tel'] . " <br>";
Echo "<b>Date of listing:</b> ".$info['date'] . " <br>";
Echo "<b>ID:</b> ".$info['id'] . " <br>";
Echo "<b>Poster:</b><a href=poster.php?id=".$info['id'].">View Poster</a><hr>";

this should pass id to next page and show record with that id

here is the display code

$data = mysql_query("SELECT * FROM register where id ='id'") or die(mysql_error());
// Puts it into an array
while ($info = mysql_fetch_array($data)) {
    // Outputs the image and other data
    echo "<b>ID:</b> " . $info['id'] . " <br>";
    echo "<b>Type:</b> " . $info['type'] . " <br>";
    echo "<b>State:</b> " . $info['state'] . " <br>";
    echo "<b>Area:</b> " . $info['area'] . " <br>";
    echo "<b>Description:</b> " . $info['desc'] . " <br>";
    echo "<b>Name:</b> " . $info['name'] . " <br>";
    echo "<b>Email:</b> " . $info['email'] . " <br>";
    echo "<b>Tel:</b> " . $info['tel'] . " <br>";
    echo "<b>Date of listing:</b> " . $info['date'] . " <br>";
    echo "<hr>";
}
mysql_close();
?>

all I get is a blank display page
cheers
Doug

Because I guess there’s no row in your database where id = ‘id’ :slight_smile:

Try


$data = mysql_query("
  SELECT * 
  FROM register 
  WHERE id = " . mysql_real_escape_string($_GET['id'])
) or die(mysql_error());

I also guess that the id is a numeric value, so I eliminated the quotes around the value. If it isn’t, use this


$data = mysql_query("
  SELECT * 
  FROM register 
  WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'"
) or die(mysql_error());

Hey Guido, the first one makes no sense. mysql_real_escape_string without quotes is useless.

Hey Doug.
Do you see that id in the address bar of your browser?
If yes, the problem is in the 2nd script; if no, in the 1st.

yes, it shows the id number
cheers
Doug

It’s never useless, because you never know what is passed to the script. Of course, it’s not always the best thing to do. If the value should always be numeric, for example, you can check it with (int) to force it to be numeric.

Guido, you just don't understand what this function does.
It's a terrible mistake and I am sure you will learn the right way.

because you never know what is passed to the script

Right.

It’s never useless,

Wrong.
Without quotes it is nothing. The key word is "without quotes". Escaping and quotes are 2 parts of one mechanism. mysql_real_escape_string without quotes is as useless as quotes without mysql_real_escape_string.

Hey Doug, try the second one of Guido's code samples,
for the mysql_error() function in it.

Or just add these lines at the bottom of your code:

echo mysql_error();
echo mysql_num_rows($data);

Teach me. Give me an example please.

Oh. As simple an injection as
id=1 or 1
mysql_real_escape_string will not harm this text.
But id='1 or 1' will be cast to id='0'
When we treat incoming data as a string, both quotes and escaping must be used.
mysql_real_escape_string alone helps nothing.
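The point made here, and the difference between Guido's two variants earlier in the thread, as an added example that is not part of the thread and not the posters' PHP: Python with an in-memory SQLite table standing in for the MySQL `register` table. The rows and the three payloads are constructed for the demonstration. `escape_string` is a stand-in for mysql_real_escape_string written for SQLite's dialect (it doubles the quote character where MySQL would backslash-escape it); like the PHP function, it only ever protects text that sits inside a quoted literal. `validated_int` is the thread's "(int)" idea done strictly: it rejects anything that is not all digits instead of silently truncating "1 OR 1" to 1.

```python
import re
import sqlite3

# Constructed sample rows (not from the thread) for a table shaped like 'register'.
ROWS = [
    (1, "Garage sale", "Downtown"),
    (2, "Bike for sale", "Northside"),
    (3, "Room to let", "Eastside"),
]

# Constructed inputs: what $_GET['id'] might carry.
PAYLOADS = {
    "legitimate": "2",
    "no_quote_needed": "1 OR 1",            # the thread's example: no quote character at all
    "breaks_out_of_quotes": "' OR '1'='1",  # constructed: only works if quotes are not escaped
}


def make_db():
    """In-memory SQLite stand-in for the MySQL 'register' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE register (id INTEGER PRIMARY KEY, desc TEXT, area TEXT)")
    conn.executemany("INSERT INTO register VALUES (?, ?, ?)", ROWS)
    return conn


def escape_string(value):
    """Analogue of mysql_real_escape_string for SQLite's dialect: neutralise the
    quote character by doubling it (MySQL backslash-escapes instead). Like the
    PHP function, it only protects text that sits INSIDE a quoted literal."""
    return value.replace("'", "''")


def ids(conn, sql, params=()):
    """Run a query and return the matched ids as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def unquoted_escaped(conn, user_id):
    # Guido's first variant: escaped, but no quotes around the value.
    return ids(conn, "SELECT id FROM register WHERE id = " + escape_string(user_id) + " ORDER BY id")


def quoted_unescaped(conn, user_id):
    # The mirror image the thread calls equally useless: quotes, no escaping.
    return ids(conn, "SELECT id FROM register WHERE id = '" + user_id + "' ORDER BY id")


def quoted_escaped(conn, user_id):
    # Guido's second variant: quotes and escaping together.
    return ids(conn, "SELECT id FROM register WHERE id = '" + escape_string(user_id) + "' ORDER BY id")


def parameterized(conn, user_id):
    # Preferred: the driver binds the value, so it can never become SQL syntax.
    return ids(conn, "SELECT id FROM register WHERE id = ? ORDER BY id", (user_id,))


def validated_int(conn, user_id):
    # The "(int)" idea from the thread, done strictly: reject anything that is not
    # all digits rather than truncating "1 OR 1" to 1 the way a (int) cast would.
    if not re.fullmatch(r"\d+", user_id):
        return []
    return ids(conn, "SELECT id FROM register WHERE id = ? ORDER BY id", (int(user_id),))


VARIANTS = {
    "unquoted_escaped": unquoted_escaped,
    "quoted_unescaped": quoted_unescaped,
    "quoted_escaped": quoted_escaped,
    "parameterized": parameterized,
    "validated_int": validated_int,
}


def run_all():
    """Run every payload through every variant; a SQL syntax error is reported as 'error'."""
    conn = make_db()
    results = {}
    for label, payload in PAYLOADS.items():
        results[label] = {}
        for name, fn in VARIANTS.items():
            try:
                results[label][name] = fn(conn, payload)
            except sqlite3.Error:
                results[label][name] = "error"
    return results


if __name__ == "__main__":
    for label, per_variant in run_all().items():
        print(label)
        for name, result in per_variant.items():
            print(f"  {name:18} -> {result}")
```

With "1 OR 1" the escaping function has nothing to change, so the unquoted variant returns every row in the table, while the quoted, parameterized and validated variants return none; with the quote-bearing payload, quotes alone let every row through and only escaping plus quotes (or binding) keeps the lookup to the id column. The legitimate "2" returns exactly one row in every variant, which is why the bug is easy to miss during normal testing.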

Thanks :slight_smile:
I guess I never thought this through :blush:. A very important lesson learnt today.

ok, put the error code in and it came back with 0
cheers
Doug

oh, what’s the error code?
Copy and paste it here.
Or read it and recover what it says.

ok, my mistake, all seems to be ok now
thank god
many thanks to you for all the help and 2004
cheers
Doug