what is wrong here?

Discussion in 'PHP' started by baris22, Feb 25, 2010.

0
  1. #1
    hello,

    If i put in the form "1 2" (1 space 2) I get the user 1. Why am i getting result i do not know. What is wrong here?

    

if (isset($_POST['get_customer_details']) && ($_POST['customer_id'] != "")) 
{
$id = trim($_POST['customer_id']);
 
$gUser = mysql_query("SELECT * FROM customer WHERE customer_id='".$id."' LIMIT 1") or die(mysql_error());
    PHP:
     
    baris22, Feb 25, 2010 IP
  2. danx10

    danx10 Peon

    Messages:
    1,179
    Likes Received:
    44
    Best Answers:
    2
    Trophy Points:
    0
    #2 
    <?php
error_reporting(E_ALL);
if (isset($_POST['get_customer_details']) && !$_POST['customer_id']){
$_POST = array_map("mysql_real_escape_string", $_POST);
$id = trim($_POST['customer_id']);

echo $id;

$gUser = mysql_query("SELECT * FROM customer WHERE customer_id='$id' LIMIT 1") or die(mysql_error());

}
?>
    PHP:
    Please reply with the echo'd $id when you submit 1 2 within the customer_id field via the form, along with any errors.

    Also is the customer_id column auto_increment or user submitted?
     
    Last edited: Feb 25, 2010
    danx10, Feb 25, 2010 IP
  3. baris22

    baris22 Active Member

    Messages:
    543
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    60
    #3
    hello,

    i get this error: Parse error: syntax error, unexpected ')'

    customer_id column is set to auto_increment.
     
    baris22, Feb 25, 2010 IP
  4. danx10

    danx10 Peon

    Messages:
    1,179
    Likes Received:
    44
    Best Answers:
    2
    Trophy Points:
    0
    #4
    Ok your problem is you can't have a space within an auto_increment! Heres the fix:

    <?php
error_reporting(E_ALL);
if (isset($_POST['get_customer_details']) && !$_POST['customer_id']){
$_POST = array_map("mysql_real_escape_string", $_POST);
$id = (int) trim($_POST['customer_id']);

$gUser = mysql_query("SELECT * FROM customer WHERE customer_id='$id' LIMIT 1") or die(mysql_error());

//proceed...
}
?>
    PHP:
     
    Last edited: Feb 25, 2010
    danx10, Feb 25, 2010 IP
  5. baris22

    baris22 Active Member

    Messages:
    543
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    60
    #5
    i think you get me wrong. I am trying to get user`s info. I have got a form. I put user`s id into field to search. if i search for 12, i get the user 12`s info but if i put 1 2 into field, i get user 1`s info. I tought you do not suppose to get any result because there is no id called 1 2.

    i changed my code. now if there is space between numbers it does not show anything

    
if (isset($_POST['get_customer_details']) && ($_POST ['customer_id'] != "") && filter_var($_POST ['customer_id'],FILTER_VALIDATE_INT)) {
    PHP:
     
    baris22, Feb 25, 2010 IP
  6. Silver89

    Silver89 Notable Member

    Messages:
    2,243
    Likes Received:
    72
    Best Answers:
    0
    Trophy Points:
    205
    #6
    On a side note you should never input raw form data into a mysql_query, you should always first use mysql_escape_string

    This removes any malicious code that stops your database from being messed around with.
     
    Silver89, Feb 25, 2010 IP
  7. Kirill120

    Kirill120 Greenhorn

    Messages:
    86
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    16
    #7
    +1 .

    it can easily be hacked without that string.
     
    Kirill120, Feb 25, 2010 IP