Freejoy
November 26, 2010, 3:26pm
1
hi
Can someone take a look at this script for me and tell me what is wrong?
<?php
$dbuser = "dbo313524883"; // REPLACE db_user with the username used to connect to your database
$dbpass = "password"; // REPLACE db_pass with the password used to connect to your database
$database = "db348831352"; // REPLACE database with the name of your database
mysql_pconnect("db2678.perfora.net",$dbuser,$dbpass);
mysql_select_db($database);
$keywords = strip_tags(trim($_GET['q']));
$keywords = preg_replace("/\-/", " ", $keywords);
$table = "visitors";
$db_visitor_date = time();
$db_ip = "'".$_SERVER['REMOTE_ADDR']."'";
$db_keyword = "'".$keywords."'";
$sql = "INSERT INTO $table SET visitor_date = $db_visitor_date, ip = $db_ip, keyword = $db_keyword";
$query = mysql_query($sql);
$keyword_array = explode(" ", $keywords);
foreach ($keyword_array as $keyword) {
    if (!empty($keyword)) {
        $extra .= "Name LIKE '%".$keyword."%' || ";
    }
}
$extra = trim($extra, "|| ");
$table = "firesuits";
$sql = 'SELECT * FROM $table WHERE $extra ORDER BY ABS(Price) DESC';
$query = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($query)) {
    $product_id = $row['ProductID'];
    $name = $row['Name'];
    $bigimage = $row['BigImage'];
    $price = $row['Price'];
    $description = $row['Description'];
    $results .= "<tr>\n<td valign=\"top\"><a href=\"go.php?n=".$product_id."&k=".urlencode($keywords)."\"><img src =\"".$bigimage."\" title=\"".$name."\" / border=\"0\"></a></td>\n<td valign=\"top\"><strong>".$name."</strong><br />".$description."<br />".$price."</td>\n</tr>\n";
    $count++;
    if ($count > 30) break;
}
if ($count < 1) {
    $extra = preg_replace("/Name/", "Description", $extra);
    $sql = "SELECT * FROM $table WHERE $extra";
    $query = mysql_query($sql) or die(mysql_error());
    while ($row = mysql_fetch_array($query)) {
        $product_id = $row['ProductID'];
        $name = $row['Name'];
        $bigimage = $row['BigImage'];
        $price = $row['Price'];
        $description = $row['Description'];
        $results .= "<tr>\n<td valign=\"top\"><a href=\"go.php?n=".$product_id."&k=".urlencode($keywords)."\"><img src =\"".$bigimage."\" title=\"".$name."\" / border=\"0\"></a></td>\n<td valign=\"top\"><strong>".$name."</strong><br />".$description."<br />".$price."</td>\n</tr>\n";
        $count++;
        if ($count > 30) break;
    }
}
$results = "<table>\n".$results."</table>\n";
echo $results;
?>
I keep getting this result: Table ‘db348831352.$table’ doesn’t exist
whenever I go to the page. It prints out “$table” instead of the table name.
I’m not sure how to search out the problem.
Thanks
Alle
November 26, 2010, 3:34pm
2
Use double quotes instead of single quotes.
$sql = "SELECT * FROM $table WHERE $extra ORDER BY ABS(Price) DESC";
Freejoy
November 26, 2010, 3:40pm
3
I tried that and get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ORDER BY ABS(Price) DESC’ at line 1
Freejoy:
hi
Can someone take a look at this script for me and tell me what is wrong?
I keep getting this result: Table ‘db348831352.$table’ doesn’t exist
whenever I go to the page. It prints out “$table” instead of the table name.
I’m not sure how to search out the problem.
Thanks
replace
$sql = "INSERT INTO $table SET visitor_date = $db_visitor_date, ip = $db_ip, keyword = $db_keyword";
with this:
$sql = 'INSERT INTO ' . $table . ' SET visitor_date = ' . $db_visitor_date . ', ip = ' . $db_ip . ', keyword = ' . $db_keyword;
replace this:
$sql = 'SELECT * FROM $table WHERE $extra ORDER BY ABS(Price) DESC';
with this:
$sql = 'SELECT * FROM ' . $table . ' WHERE ' . $extra . ' ORDER BY ABS(Price) DESC';
I hope it helps
if above doesn’t help, before the line below:
$sql = 'SELECT * FROM $table WHERE $extra ORDER BY ABS(Price) DESC';
add this:
print_r($extra);
die;
and give us the output
Freejoy
November 26, 2010, 3:58pm
5
thanks
I just tried that and get the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ORDER BY ABS(Price) DESC’ at line 1
Freejoy:
thanks
I just tried that and get the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘ORDER BY ABS(Price) DESC’ at line 1
if above doesn’t help, replace this:
$sql = 'SELECT * FROM $table WHERE $extra ORDER BY ABS(Price) DESC';
with this:
print_r($extra);
die;
$sql = 'SELECT * FROM ' . $table;
and give us the output
Alle
November 26, 2010, 4:02pm
7
To my knowledge variables need to be defined before concatenating to them ($extra).
You can concatenate even if you do not define that variable first… it generates a warning but works.
Alle
November 26, 2010, 4:07pm
9
Ok, the reformulations are testimony of how unsure I was about that.
Anyhow, certainly if there is a syntax error do print the query.
I don’t agree with Alle’s advice to use a double-quoted string with the simple variable syntax, or with drctaccess’s advice to replace the double-quoted strings with concatenation and single-quoted strings. Concatenation is unnecessarily ugly, and by using single quoted strings, if you need to include a literal quote in the SQL statement – it would be a single quote – you’d have to escape it. If you make sure that your variables are appropriately escaped, which you’re not, a double-quoted string with the “complex” syntax is the best bet, e.g.:
$sql = "INSERT INTO {$table} SET visitor_date = {$db_visitor_date}, ip = {$db_ip}, keyword = {$db_keyword}";
$sql = "SELECT * FROM {$table} WHERE {$extra} ORDER BY ABS(Price) DESC";
For example, you’re not properly escaping the value that you eventually put into the query as $db_keyword, leaving you vulnerable to SQL injection.
It’s probably not a good idea to post your MySQL hostname, db name, and username here. I hope that “password” is a dummy value and not your actual password.
Like drctaccess said, you should echo the resulting query that’s generating the error and see what the problem is / post it here if you can’t figure it out.
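The escaping point raised above, together with the case where no keywords are supplied, shown as an added example that is not part of the original thread: the keyword search rebuilt with PDO prepared statements. `buildSearch()`, the table allow-list and the in-memory SQLite sample rows are assumptions made for illustration; the thread's own code uses the mysql_* functions against MySQL.

```php
<?php
// Added example, not from the thread. buildSearch() and the table allow-list
// are hypothetical; the sample rows are constructed.
function buildSearch(string $table, string $rawKeywords): ?array
{
    // Identifiers cannot be bound as parameters, so check them against a fixed list.
    if (!in_array($table, ['firesuits', 'naturehills'], true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // Split on whitespace and hyphens, dropping empty pieces.
    $words = preg_split('/[\s\-]+/', trim($rawKeywords), -1, PREG_SPLIT_NO_EMPTY);
    if (!$words) {
        return null; // no keywords: never emit "WHERE" followed by nothing
    }
    $clauses = [];
    $params = [];
    foreach ($words as $word) {
        $clauses[] = "Name LIKE ? ESCAPE '!'";
        // Escape LIKE wildcards so the keyword matches literally.
        $params[] = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $word) . '%';
    }
    $sql = "SELECT ProductID, Name, Price FROM {$table} WHERE "
         . implode(' OR ', $clauses) . ' ORDER BY ABS(Price) DESC';
    return [$sql, $params];
}

// In-memory SQLite stands in for MySQL so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE firesuits (ProductID INTEGER, Name TEXT, Price TEXT)');
$pdo->exec("INSERT INTO firesuits VALUES (1, 'Nomex suit', '499.00'), (2, 'Racing gloves', '59.95')");

foreach (['nomex-suit', '', "o'neal"] as $q) {
    $search = buildSearch('firesuits', $q);
    if ($search === null) {
        echo var_export($q, true) . ": no keywords, query skipped\n";
        continue;
    }
    [$sql, $params] = $search;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params); // values travel separately from the SQL text
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo var_export($q, true) . ': ' . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        // Database values are untrusted in HTML too, so escape on output.
        echo '  ' . htmlspecialchars($row['Name'], ENT_QUOTES) . "\n";
    }
}
```

The keyword containing a single quote is bound as data and cannot change the statement, and the empty query string is rejected before any SQL is built.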
Freejoy
November 26, 2010, 4:16pm
11
I just tried that and get a white screen.
here is how the code looks at this point:
<?php
$dbuser = "dbo313524883"; // REPLACE db_user with the username used to connect to your database
$dbpass = "password"; // REPLACE db_pass with the password used to connect to your database
$database = "db348831352"; // REPLACE database with the name of your database
mysql_pconnect("db2678.perfora.net",$dbuser,$dbpass);
mysql_select_db($database);
$keywords = strip_tags(trim($_GET['q']));
$keywords = preg_replace("/\-/", " ", $keywords);
$table = "visitors";
$db_visitor_date = time();
$db_ip = "'".$_SERVER['REMOTE_ADDR']."'";
$db_keyword = "'".$keywords."'";
$sql = 'INSERT INTO ' . $table . ' SET visitor_date = ' . $db_visitor_date . ', ip = ' . $db_ip . ', keyword = ' . $db_keyword;
$query = mysql_query($sql);
$keyword_array = explode(" ", $keywords);
foreach ($keyword_array as $keyword) {
    if (!empty($keyword)) {
        $extra .= "Name LIKE '%".$keyword."%' || ";
    }
}
$extra = trim($extra, "|| ");
$table = "firesuits";
print_r($extra);
die;
$sql = 'SELECT * FROM ' . $table;
$query = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($query)) {
    $product_id = $row['ProductID'];
    $name = $row['Name'];
    $bigimage = $row['BigImage'];
    $price = $row['Price'];
    $description = $row['Description'];
    $results .= "<tr>\n<td valign=\"top\"><a href=\"go.php?n=".$product_id."&k=".urlencode($keywords)."\"><img src =\"".$bigimage."\" title=\"".$name."\" / border=\"0\"></a></td>\n<td valign=\"top\"><strong>".$name."</strong><br />".$description."<br />".$price."</td>\n</tr>\n";
    $count++;
    if ($count > 30) break;
}
if ($count < 1) {
    $extra = preg_replace("/Name/", "Description", $extra);
    $sql = "SELECT * FROM $table WHERE $extra";
    $query = mysql_query($sql) or die(mysql_error());
    while ($row = mysql_fetch_array($query)) {
        $product_id = $row['ProductID'];
        $name = $row['Name'];
        $bigimage = $row['BigImage'];
        $price = $row['Price'];
        $description = $row['Description'];
        $results .= "<tr>\n<td valign=\"top\"><a href=\"go.php?n=".$product_id."&k=".urlencode($keywords)."\"><img src =\"".$bigimage."\" title=\"".$name."\" / border=\"0\"></a></td>\n<td valign=\"top\"><strong>".$name."</strong><br />".$description."<br />".$price."</td>\n</tr>\n";
        $count++;
        if ($count > 30) break;
    }
}
$results = "<table>\n".$results."</table>\n";
echo $results;
?>
Freejoy
November 26, 2010, 4:20pm
12
Beaumont,
I hope that “password” is a dummy value
Yes, they're all dummy names
That indicates that $extra is empty. Try var_dump( $extra ) to confirm.
It looks like you took that out of one of the queries anyway though? If you need $extra to have a value, backtrack from there to find out why it doesn’t have the expected value.
Yes, they're all dummy names
Oh, ok, that’s good.
Freejoy:
I just tried that and get a white screen.
here is how the code looks at this point:
the resulting page can’t be a blank screen because that would mean that $extra variable should be empty … and in this case the query is right so the script should work … please take a careful look at the page … maybe $extra variable contains a single quote character … something like this ’
Alternatively … replace this line:
print_r($extra);
with this code :
echo '<pre>';
print_r($extra);
echo '</pre>';
take a look at the output again and let us know the results
var_dump($extra);
is an even better solution to see what that variable contains… as Beaumont already suggested.
Freejoy
November 26, 2010, 4:37pm
15
Still a white screen. Here is how I added your code:
$extra = trim($extra, "|| ");
$table = "naturehills";
var_dump($extra);
die;
$sql = 'SELECT * FROM ' . $table;
$query = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($query)) {
$product_id = $row['ProductID'];
$name = $row['Name'];
$bigimage = $row['BigImage'];
I hope that is correct
That looks correct. You should be getting some output from var_dump(), if only “NULL”. The fact that you’re not makes me think you have a syntax error in your script. Do you have error reporting enabled?
Freejoy:
Still a white screen. Here is how I added your code:
$extra = trim($extra, "|| ");
$table = "naturehills";
var_dump($extra);
die;
$sql = 'SELECT * FROM ' . $table;
$query = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($query)) {
$product_id = $row['ProductID'];
$name = $row['Name'];
$bigimage = $row['BigImage'];
I hope that is correct
can you provide structure of your database tables visitors and firesuits ?
I will replicate the problem on my server and give you a working script.
Freejoy
November 26, 2010, 4:50pm
18
In phpinfo.php I looked and it says this:
error_reporting no value no value
is that what you mean?
no I am talking about your database structure (mysql database called db348831352) in your script.
If you have phpMyAdmin installed, you can just export the structure (I don’t need data) of those two tables
Freejoy
November 26, 2010, 5:06pm
20
--
-- --------------------------------------------------------
--
-- Table structure for table `naturehills`
--
CREATE TABLE `naturehills` (
`ProductID` int(11) NOT NULL default '0',
`Name` varchar(255) collate latin1_general_ci NOT NULL default '',
`MerchantID` varchar(50) collate latin1_general_ci NOT NULL default '',
`Merchant` varchar(50) collate latin1_general_ci NOT NULL default '',
`Link` text collate latin1_general_ci NOT NULL,
`Thumbnail` text collate latin1_general_ci NOT NULL,
`BigImage` text collate latin1_general_ci NOT NULL,
`Price` varchar(50) collate latin1_general_ci NOT NULL default '',
`RetailPrice` varchar(50) collate latin1_general_ci NOT NULL default '',
`Category` varchar(50) collate latin1_general_ci NOT NULL default '',
`SubCategory` varchar(50) collate latin1_general_ci NOT NULL default '',
`Description` longtext collate latin1_general_ci NOT NULL,
`Custom1` text collate latin1_general_ci NOT NULL,
`Custom2` text collate latin1_general_ci NOT NULL,
`Custom3` text collate latin1_general_ci NOT NULL,
`Custom4` text collate latin1_general_ci NOT NULL,
`Custom5` text collate latin1_general_ci NOT NULL,
`LastUpdated` varchar(100) collate latin1_general_ci NOT NULL default '',
`status` varchar(50) collate latin1_general_ci NOT NULL default '',
PRIMARY KEY (`ProductID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
--
-- Dumping data for table `naturehills`
--
Is this what you need?
I guess I’m not giving away secret information :)