Jump to content

mysql_query(); returns nothing

Mobil-D

By Mobil-D
in PHP Coding Help

 Share

Recommended Posts

Mobil-D Newbie

Mobil-D

Posted
Posted

I'm hoping someone can help me cos my hair's going white with this one. I'm trying to put together a script that acts as web-based interface to an SQL server. There are actually two parts, admin.htm and admin.php. The first part is just a form that passes login credentials to the PHP file. That part seems to work fine, but I'll post the source anyway: -

 

<!DOCTYPE HTML>

<html lang="en">

<head>

<title>SQL admin login</title>

<meta charset="iso-8859-1" />

</head>

<body>

<form action="admin.php" method="post">
<label for="username">Username: -</label>
<br />
<input type="text" name="username" id="username" />
<br />
<br />
<label for="password">Password: -</label>
<br />
<input type="password" name="password" id="password" />
<br />
<br />
<label for="server">Server: -</label>
<br />
<input type="text" name="server" id="server" />
<br />
<br />
<label for="database">Database: -</label>
<br />
<input type="text" name="database" id="database" />
<br />
<br />
<input type="submit" value="Login" />
<input type="reset" value="Reset" />
</form>

</body>

</html>

 

Following is the content of admin.php. By this point I can see the connection in MySQL Workbench, and when I submit the query 'SELECT * FROM subscribers' it's being stored in '$_POST['query']', but 'mysql_query($_POST['query'],$_SESSION['con']);' is returning nothing. There is definitely a record in that table, and the user I'm logging on with has permission to run the 'SELECT' command against this database, so I can't figure out why mysql_query(); is returning nothing: -

 

<!DOCTYPE HTML>

<?php

session_start();

if(!$_SESSION['con'])
{
   if(!($_POST['username'] || $_POST['password']))
   {
      if(!($_SESSION['username'] || $_SESSION['password']))
      {
      $error="Username and password variables empty.";
      }
   }
   else
   {
      $_SESSION['username']=mysql_real_escape_string($_POST['username']);
      $_SESSION['password']=mysql_real_escape_string($_POST['password']);
      $_SESSION['server']=mysql_real_escape_string($_POST['server']);
      $_SESSION['database']=mysql_real_escape_string($_POST['database']);
      $_SESSION['con']=mysql_pconnect($_SESSION['server'],$_SESSION['username'],$_SESSION['password']);
      if(!$_SESSION['con'])
      {
         $error="Failed to connect to server.";
      }
      else
      {
         $database=mysql_select_db($_SESSION['database'],$_SESSION['con']);
         if(!$database)
         {
            $error="Failed to connect to database.";
         }
      }
   }
}

if(!$_POST['query'])
{
   $error="No query submitted.";
}
else
{
   $result=mysql_query($_POST['query'],$_SESSION['con']);
   if(!$result)
   {
      $error="Query returned nothing.";
   }
}

?>

<html lang="en">

<head>

<title>SQL admin interface</title>

<meta charset="iso-8859-1" />

</head>

<body>

<form action="admin.php" method="post">
<textarea name="query" rows="10" cols="50">SELECT * FROM subscribers</textarea>
<br />
<br />
<input type="submit" value="Submit query" />
</form>

<?php

if($error)
{
   echo $_POST['query']."<br /><br />".$result."<br /><br />".$error;
   die();
}
else
{
   while($row=mysql_fetch_assoc($result))
      {
         echo $row['name']." ".$row['email'];
         echo "<br />";
      }
}

?>

</body>

</html>

 

Can anyone help? :confused:

 

MOD EDIT: 

 . . .

tags added.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

You would NEVER execute a query statement that comes entirely from outside your code, in your case a form, because a hacker will quickly take over your database.

 

Also, since you cannot store a database connection in a session and have it persist between pages, using $_SESSION['con'] is pointless.

 

Your logic is testing if the query executed with or without an error. That is not the same as a query that executes but matches zero rows in your database. You can use mysql_error() to find out why your query is failing.

Link to comment
Share on other sites
Mobil-D Newbie

Mobil-D

Posted
  • Author
Posted

Thanks for the reply PFMaBiSmAd (and sorry about the oversight Pikachu2000). I'll definitely follow your security advice whenever I start working on production networks. Right now I'm working purely locally and all I want is for the thing to work.

 

I hear what you're saying about '$_SESSION['con']', I've replaced that with '$con'.

 

But mysql_error() returns nothing when I try to execute a query.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.