#1
The following code seems to be failing. Can you check my logic?
I am using this //>> notation in the body of the code to indicate my questions and comments

$check = mysql_query("SELECT * FROM user WHERE id = '$userID'")or die("query failed!");
//>> Gives error if user doesn't exist
//>> this should read if($check2==0) but it doesn't work??
//>>I always get the die message that user does not exist in the db
//>>I checked the db and the user is in the db
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
    die('That user does not exist in our database. ');
}
while($info = mysql_fetch_array( $check )){
    $dbSecureID = stripslashes($info['secureID']);
    $fName = stripslashes($info['fName']);
    $lName = stripslashes($info['lName']);
    //gives error if the password is wrong
}
if ($secureID != $dbSecureID) {
    //>>this works but I can't figure how my userId fails and this passes?
    die('This user has not registered yet!');
}
else{
    //>> why would this code fail it looks basic enough??
    mysql_query("UPDATE user SET confirmIDFlag=1 WHERE id=$userID");
}

insight appreciated
thank you
Kevin Raleigh

#2
On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh <kraleigh@sbcglobal.net> wrote:

> The following code seems to be failing. Can you check my logic?
> I am using this //>> notation in the body of the code to indicate my
> questions and comments
> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'")or die("query failed!");

What is in $userID? Try to echo the query before performing it.
--
Rik Wasmus

#3
I have user id from the url string. sorry forgot to mention it.
http://www.myWebSite.org/validate?id=154&code=Ogtidw

$userID = $_GET["id"];
$secureID = $_GET["code"];

Why would the update fail?
Did I code it correctly?

Thank You
Kevin Raleigh

"Rik" <luiheidsgoeroe@hotmail.com> wrote in message
news p.tvk8wiczqnv3q9@metallium...
On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh <kraleigh@sbcglobal.net> wrote:

> The following code seems to be failing. Can you check my logic?
> I am using this //>> notation in the body of the code to indicate my
> questions and comments
> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'")or die("query failed!");

What is in $userID? Try to echo the query before performing it.
--
Rik Wasmus

#4
How do you sanitize variables to prevent sql injections?

thank you
Kevin Raleigh

"Norman Peelman" <npeelman@cfl.rr.com> wrote in message
news:469c3ba5$0$8018$4c368faf@roadrunner.com...
> Kevin Raleigh wrote:
> > I have user id from the url string. sorry forgot to mention it.
> > http://www.myWebSite.org/validate?id=154&code=Ogtidw
> >
> > $userID = $_GET["id"];
> > $secureID = $_GET["code"];
> >
> > Why would the update fail?
> > Did I code it correctly?
> >
> > Thank You
> > Kevin Raleigh
> >
> > "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> > news p.tvk8wiczqnv3q9@metallium...
> > On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh <kraleigh@sbcglobal.net> wrote:
> >
> >> The following code seems to be failing. Can you check my logic?
> >> I am using this //>> notation in the body of the code to indicate my
> >> questions and comments
> >> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'")or die("query failed!");
> >
> > What is in $userID? Try to echo the query before performing it.
> >
>
> Remove the quotes from around $userID in the query... you don't need
> them for numbers, only strings (generally speaking). And sanitize your
> variables to prevent SQL Injections.
>
> Norm

#5
I tried removing the quotes from the query:

$check = mysql_query("SELECT * FROM user WHERE id = $userID")or die("query failed!");

and it comes back with my die message "query failed";

can you advise further?
Kevin Raleigh

"Kevin Raleigh" <kraleigh@sbcglobal.net> wrote in message
news:X6CdnaYASeZRoAHbnZ2dnUVZ_jSdnZ2d@giganews.com ...
> How do you sanitize variables to prevent sql injections?
>
> thank you
> Kevin Raleigh
>
> "Norman Peelman" <npeelman@cfl.rr.com> wrote in message
> news:469c3ba5$0$8018$4c368faf@roadrunner.com...
> > Kevin Raleigh wrote:
> > > I have user id from the url string. sorry forgot to mention it.
> > > http://www.myWebSite.org/validate?id=154&code=Ogtidw
> > >
> > > $userID = $_GET["id"];
> > > $secureID = $_GET["code"];
> > >
> > > Why would the update fail?
> > > Did I code it correctly?
> > >
> > > Thank You
> > > Kevin Raleigh
> > >
> > > "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> > > news p.tvk8wiczqnv3q9@metallium...
> > > On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh <kraleigh@sbcglobal.net> wrote:
> > >
> > >> The following code seems to be failing. Can you check my logic?
> > >> I am using this //>> notation in the body of the code to indicate my
> > >> questions and comments
> > >> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'")or die("query failed!");
> > >
> > > What is in $userID? Try to echo the query before performing it.
> > >
> >
> > Remove the quotes from around $userID in the query... you don't need
> > them for numbers, only strings (generally speaking). And sanitize your
> > variables to prevent SQL Injections.
> >
> > Norm
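
The question in #4 about sanitizing, and the quoted/unquoted `$userID` back-and-forth, worked through as an added example that is not part of the thread: the id is validated as an integer and every value is bound as a parameter instead of being interpolated into the query string. It assumes PDO with the pdo_sqlite driver (an in-memory table with one constructed row, so it runs without a database server); `confirmUser` is a hypothetical helper name, and the table and column names are the ones from the posts.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the in-memory table and its single row are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, secureID TEXT,
            confirmIDFlag INTEGER DEFAULT 0)');
$pdo->exec("INSERT INTO user (id, secureID) VALUES (154, 'Ogtidw')");

// confirmUser() is a hypothetical helper; $get stands in for $_GET.
function confirmUser(PDO $pdo, array $get): string
{
    // 1. Validate shape before touching the database: id must be a positive
    //    integer, code a non-empty string. "154 OR 1=1" is rejected here.
    $userID = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $secureID = $get['code'] ?? '';
    if ($userID === false || !is_string($secureID) || $secureID === '') {
        return 'bad request';
    }
    // 2. Bind values as parameters instead of interpolating them into the
    //    SQL string, so quoting the id or not is no longer a question.
    $stmt = $pdo->prepare('SELECT secureID FROM user WHERE id = :id');
    $stmt->execute([':id' => $userID]);
    $dbSecureID = $stmt->fetchColumn();
    if ($dbSecureID === false) {
        return 'no such user';
    }
    // 3. Compare the secret code in constant time.
    if (!hash_equals((string) $dbSecureID, $secureID)) {
        return 'code mismatch';
    }
    $upd = $pdo->prepare('UPDATE user SET confirmIDFlag = 1 WHERE id = :id');
    $upd->execute([':id' => $userID]);
    return 'confirmed';
}

// Constructed requests: the URL from the thread, then malformed variants.
$requests = [
    ['id' => '154', 'code' => 'Ogtidw'],
    ['id' => '154 OR 1=1', 'code' => 'Ogtidw'],
    ['id' => '154', 'code' => "' OR ''='"],
    ['id' => '999', 'code' => 'Ogtidw'],
    ['code' => 'Ogtidw'],
];
foreach ($requests as $get) {
    printf("%-40s => %s\n", json_encode($get), confirmUser($pdo, $get));
}
```

The `mysql_*` functions used in the thread were removed in PHP 7.0; PDO or mysqli is the current interface.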