
Ugggh. Help with mysql and php!! It won't work!


Alex1646


Here is the code:

<?php
$db = mysql_query("
SELECT story_id
FROM story_info
WHERE story='$story_form' AND user='$username'
")or die(mysql_error());
$rows = mysql_fetch_assoc($db);

$id = $rows['story_id'];
?>

All of the variables are defined earlier in the code.


Here is the whole code if you need it.

<?php

if(isset($_POST['hidden']))
{

die('SPAM BOT!');
}
if (
!isset($_POST['title']) 
&& !isset($_POST['summary'])
&& !isset($_POST['story'])
&& !isset($_POST['rating'])
&& !isset($_POST['cat'])
)
{
	die("<div id='impor'>You forgot to enter one(or more) of the following fields <br /> 
	1. Title <br />
	2. Summary <br />
	3. Story<br />
	 </div>
	 ");

}


mysqlConnect();
//put notes in story if they are set
if(isset($_POST['notes']))
{
$notes_form = mysql_real_escape_string($_POST['notes']);
$notes_final = bb($notes_form);
mysql_query("
INSERT INTO story_info(notes)
VALUES ('$notes_final')
");
}
//put other in array. Use while loop to put link code. Then put it back into one non array variable
if(isset($_POST['u_id']))
{
$uid = mysql_real_escape_string($_POST['u_id']);
$uid_db = str_replace(' ','_', $uid);
$blerg = "
INSERT INTO story_info(series_id)
VALUES('$uid_db')
";
mysql_query($blerg);

}
//take data from form and put them in variables
$title_form = bb(mysql_real_escape_string($_POST['title'])); //required 
$summ_form = bb(mysql_real_escape_string($_POST['summary']));// required
$story_form = bb(mysql_real_escape_string($_POST['story'])); 
$cat_form = $_POST['cat'];
$rating_form = $_POST['rating'];
$username = $_SESSION['user'];
// Make the other var into a list of links




mysql_query("
INSERT INTO story_info (title, sum, story, user, cat, rating)
VALUES('$title_form','$summ_form', '$story_form,', '$username', '$cat_form','$rating_form')
");
echo "<h1> Your Story Has Been Posted! Thanks for posting $username .   </h1>";
echo "Please review the post below <br />";
echo "<h2> $title_form </h2>";
echo "<strong> <h2> Summary: </h2> </strong> $summ_form";
echo "<h4> Story: </h4>";
echo "$story_form";
if(isset($notes_final))
{
echo "<h4> Author's Notes: </h4> ";
echo "$notes_final";


}
if (isset($uid_db))
{
echo '<h3> Unique Series ID </h3>';
echo '<p> Make sure to write down this! <br />' .$uid_db .'</p> ';	
}

$db = mysql_query("
SELECT story_id
FROM story_info
WHERE story='$story_form' AND user='$username'
")or die(mysql_error());
$rows = mysql_fetch_assoc($db);

$id = $rows['story_id'];




echo "Category: $cat_form <br />
Rating: $rating_form  <br />
";
echo "<a href='?p=page&id=$id'> Click here to view your story! </a>";
?>

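As an added example that is not part of the thread, here is the same insert-then-show-the-id flow written with PDO prepared statements. Two things in the posted script make the final SELECT unable to find the row: the INSERT writes the story as '$story_form,' with a trailing comma inside the quotes, so the stored text never equals $story_form, and notes and series_id are written by separate INSERTs, so they end up in rows of their own. The example below stores everything in one row, takes story_id from lastInsertId() instead of re-selecting by text, binds every value as a parameter (so mysql_real_escape_string() has no job left to do), and turns database errors into exceptions rather than or die(mysql_error()). It uses an in-memory SQLite database so it runs on its own with the PHP CLI; the table and column names come from the thread, while the SQLite DSN, the user name and the sample form values are assumptions.

```php
<?php
// Added example, not the original poster's code: the thread's insert-then-show-id
// flow with PDO prepared statements. An in-memory SQLite database stands in for
// MySQL so it runs on its own; with a "mysql:host=...;dbname=..." DSN the PDO calls are the same.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Errors become exceptions; the caller decides what is logged and what the user sees.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Demo-only schema; table and column names follow the thread.
    $pdo->exec('CREATE TABLE story_info (
        story_id INTEGER PRIMARY KEY AUTOINCREMENT,
        title TEXT NOT NULL, sum TEXT NOT NULL, story TEXT NOT NULL,
        user TEXT NOT NULL, cat TEXT NOT NULL, rating TEXT NOT NULL,
        notes TEXT, series_id TEXT)');
    return $pdo;
}

// Insert the story as ONE row and return its id. Values travel as bound parameters,
// so quotes, backslashes and commas in the text never reach the SQL parser and need
// no escaping. The id comes from lastInsertId(), not from re-selecting by text.
function postStory(PDO $pdo, array $fields, string $user): int
{
    $missing = [];
    foreach (['title', 'summary', 'story', 'rating', 'cat'] as $name) {
        // Reject if ANY required field is absent or blank (the thread's check chains
        // !isset() with && and so only fires when every field is absent).
        if (!isset($fields[$name]) || trim((string) $fields[$name]) === '') {
            $missing[] = $name;
        }
    }
    if ($missing !== []) {
        throw new InvalidArgumentException('Missing field(s): ' . implode(', ', $missing));
    }
    $stmt = $pdo->prepare(
        'INSERT INTO story_info (title, sum, story, user, cat, rating, notes, series_id)
         VALUES (:title, :sum, :story, :user, :cat, :rating, :notes, :series)'
    );
    $stmt->execute([
        ':title'  => $fields['title'],
        ':sum'    => $fields['summary'],
        ':story'  => $fields['story'],
        ':user'   => $user,
        ':cat'    => $fields['cat'],
        ':rating' => $fields['rating'],
        // Optional columns belong in the same row, not in separate INSERTs.
        ':notes'  => $fields['notes'] ?? null,
        ':series' => isset($fields['u_id']) ? str_replace(' ', '_', $fields['u_id']) : null,
    ]);
    return (int) $pdo->lastInsertId();
}

function loadStory(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT title, story, notes FROM story_info WHERE story_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping is separate from SQL handling and happens at output time.
function h(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submission standing in for $_POST; the text holds characters that
// would break a string-spliced query.
$post = [
    'title'   => "O'Reilly's Tale",
    'summary' => 'A test',
    'story'   => "She said, \"Rest here,\" then wrote '; DROP TABLE story_info; -- and left.",
    'rating'  => 'PG',
    'cat'     => '3',
    'notes'   => '<script>alert(1)</script>',
];
$username = 'alex';   // assumed; the thread reads this from $_SESSION['user']

$pdo = connect();
try {
    $id = postStory($pdo, $post, $username);
} catch (InvalidArgumentException $e) {
    echo "<div id='impor'>" . h($e->getMessage()) . "</div>\n";
    exit;
} catch (PDOException $e) {
    error_log('story insert failed: ' . $e->getMessage());   // details go to the log only
    echo "<p>Sorry, your story could not be saved.</p>\n";   // generic text for the user
    exit;
}

$row = loadStory($pdo, $id);
echo "<h1>Your story has been posted! Thanks for posting, " . h($username) . ".</h1>\n";
echo "<p>Stored text identical to input: " . ($row['story'] === $post['story'] ? 'yes' : 'no') . "</p>\n";
echo "<h4>Author's Notes:</h4>" . h($row['notes']) . "\n";   // the script tag is shown as text
echo "<a href='?p=page&amp;id=" . $id . "'>Click here to view your story!</a>\n";
```

Run it with `php` from the command line (it needs the pdo_sqlite extension). The stored story round-trips unchanged even though it contains quotes and a semicolon, because the text is a parameter and never part of the SQL, and the script tag in the notes is shown as literal text because encoding is done once, at output.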

What prints when you do

<?php
$q = "SELECT story_id FROM story_info WHERE story='$story_form' AND user='$username'";
// show the query text next to the error so a malformed query is visible
$db = mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error());
if (mysql_num_rows($db) > 0) {
    $rows = mysql_fetch_assoc($db);
    $id = $rows['story_id'];
} else {
    echo "No rows found";
}
?>

 

Ken


two things... one, for your own safety filter your user input:

 

foreach($_POST as $key => $value) {$data[$key] = filter($value);}

 

most every hosting service has a filter installed.

don't just use

mysql_real_escape_string

 

two: add a die() at the end of your input statements just to make sure that they are working correctly. not knowing how you have your DB setup, can't really tell if they're working correctly.

 

mysql_query(" -- insert query here--") or die(mysql_error());


Why would you loop through the entire $_POST array with the same 'filter', when not all data needs the same sanitization, and some, such as values that will be hashed, needs none at all?

What filter would it be that most hosting companies have installed?

What exactly do you feel is wrong with mysql_real_escape_string()?

Using or die( mysql_error() ) is a bad idea, especially on a live, production server.


Why would you loop through the entire $_POST array with the same 'filter', when not all data needs the same sanitization, and some, such as values that will be hashed, needs none at all?

And as it appears, each of OP's $_POST variables is user-entered data. Because it's a single line of very simple code, simpler than singling out each $_POST variable that needs filtering. You can design the function however you wish.

 

a simple filter function for this application could be something like this:

 

function filter($data) {
	// strip tags, encode HTML special characters, trim surrounding whitespace
	$data = trim(htmlentities(strip_tags($data)));

	// undo magic_quotes so the value is not escaped twice
	if (get_magic_quotes_gpc())
		$data = stripslashes($data);

	// escape for use inside a MySQL string literal
	$data = mysql_real_escape_string($data);

	return $data;
}

 

What filter would it be that most hosting companies have installed?

Pre PHP 5.2 you would have had to have installed the PECL extension. Post 5.2 it was included within PHP.

 

What exactly do you feel is wrong with mysql_real_escape_string()?

mysql_real_escape_string only alters for escape characters, doesn't touch any code that might have been inserted in the text area. and i didn't say not to use it, i said not ONLY use it.

 

Using or die( mysql_error() ) is a bad idea, especially on a live, production server.

This was for diagnostics... OP thought he was having issues on his INSERTS


Ease and simplicity is a poor reason. Just because it's simple doesn't mean it's the right way to do it. Every piece of data may not need the same handling, and should be dealt with according to the data type it's expected to be. I suppose you could still use the values from the original $_POST array, but I can see that causing more confusion than it's worth.

 

Some of the filter() functions aren't nearly up to par, IMO.

 

If the string is properly escaped using mysql_real_escape_string() any SQL syntax in the string won't be executed.

 

Fair enough, but it's really not that much more work to add the proper logic to handle the errors rather than use a hack like or die(). I'd say that's especially true on an INSERT/UPDATE, when mysql_error() may only give you half of the story and you'd need mysql_affected_rows() to present the other half.

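The disagreement above, as an added example that is not from any poster: on the left, what the thread's one-size filter() does to ordinary input when it is run over every $_POST value; on the right, validating each field for what it is expected to be, keeping the accepted text exactly as typed, and encoding it only when it is placed into HTML. Both sides of the thread are partly right: escaping for MySQL does stop the string from being read as SQL, but it does nothing about a script tag that will later be echoed, and that is a separate encoding applied at output, not a reason to mangle the data on the way in. The field names are the thread's; the allowed ratings, the rule that cat is a positive integer, the function names and the sample submissions are assumptions. mysql_real_escape_string() is left out of the generic filter because it needs a live MySQL link, and with bound parameters it is not needed at all.

```php
<?php
// Added example, not from any poster. Contrasts the thread's one-size filter() with
// per-field validation that keeps the stored text intact and encodes only at output.
// The allowed ratings, the "cat is a positive integer" rule and the sample
// submissions are assumptions; field names are the thread's.
declare(strict_types=1);

// The thread's filter without mysql_real_escape_string() (no MySQL link here;
// with bound parameters that step is not needed anyway).
function genericFilter(string $data): string
{
    return trim(htmlentities(strip_tags($data)));
}

const RATINGS = ['G', 'PG', 'R'];   // assumed set of valid ratings

// Validate a story form field by field. On success the text fields are returned
// exactly as typed: SQL escaping is the query layer's job (bound parameters) and
// HTML escaping is the template's, because each is an encoding for a different parser.
function validateStoryForm(array $post): array
{
    $errors = [];
    $data = [];
    foreach (['title', 'summary', 'story'] as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$name is required";
        } else {
            $data[$name] = $value;
        }
    }
    // rating: only a value from the known list is accepted.
    if (in_array($post['rating'] ?? null, RATINGS, true)) {
        $data['rating'] = $post['rating'];
    } else {
        $errors[] = 'rating must be one of ' . implode('/', RATINGS);
    }
    // cat is used as an id, so it must be a positive integer, not arbitrary text.
    $cat = filter_var($post['cat'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cat === false) {
        $errors[] = 'cat must be a positive integer';
    } else {
        $data['cat'] = $cat;
    }
    return $errors === []
        ? ['ok' => true, 'data' => $data]
        : ['ok' => false, 'errors' => $errors];
}

// Output encoding, applied when the value is placed into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submissions: one ordinary, one with hostile values in some fields.
$legit = [
    'title'   => 'Proof that 1 < 2 & more',
    'summary' => 'Tom said "hi" <3',
    'story'   => 'Once upon a time...',
    'rating'  => 'PG',
    'cat'     => '2',
];
$hostile = $legit;
$hostile['summary'] = '<script>alert(1)</script>Hi';
$hostile['cat']     = '1 OR 1=1';
$hostile['rating']  = "PG' --";

// What the generic filter would store: the title is already HTML-encoded (so a
// template that encodes on output will double-encode it), and "<3" is read by
// strip_tags as the start of a tag, taking the rest of the summary with it.
echo 'generic filter, title:   ' . genericFilter($legit['title']) . "\n";
echo 'generic filter, summary: ' . genericFilter($legit['summary']) . "\n";

foreach (['legit' => $legit, 'hostile' => $hostile] as $label => $form) {
    $result = validateStoryForm($form);
    if (!$result['ok']) {
        echo "\n[$label] rejected: " . implode('; ', $result['errors']) . "\n";
        continue;
    }
    // Accepted text is stored raw (via a bound parameter) and encoded only here.
    echo "\n[$label] accepted; summary for HTML: " . h($result['data']['summary']) . "\n";
}
```

The hostile form is rejected on rating and cat before any query is built, which is the check a generic string filter cannot make: it has no idea that cat should be a number. The legitimate form is accepted with its text untouched, so the heart and the "1 < 2" survive in the database and are encoded once, at display time.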
