[Scottish] php and my sql

Paul Millar scottish at mailman.lug.org.uk
Tue Feb 11 16:48:01 2003


On 11 Feb 2003, Graeme Chambers wrote:
> Suggest you include email address from form into SELECT query and decide
> what to do on basis of number of records returned.

Good idea, but bear in mind the usual caveats of including unchecked user
input into a SQL statement ...  suppose the user gives their email address
as:
  "paulm@astro.gla.ac.uk; DELETE FROM details"

 }:^>

Paul.


> On Tue, 2003-02-11 at 12:22, Ismail Murat Dilek wrote:
> > Hi,
> > I've created a MySQL database. Basically the user fills in the form, then hits
> > the submit button, and all the data is posted to the MySQL database. This part works fine.
> > The next time the user returns to the page they enter their email address and hit
> > the submit button. My PHP script
> > checks if the email address exists in our database; if it exists it takes the user to
> > the download page, if not it takes them to the registration page.
> > For some strange reason this comparison is not working properly. It works
> > for some email addresses,
> > e.g. my email address olive@zoom.co.uk is registered in the MySQL database,
> > so the script should take me to the download page, but it is taking me to the registration
> > page instead.
> > Any ideas?
> > <?php
> > //Author: Ismail Murat Dilek
> > 
> > require("conn.php");
> > /// ========================================================
> > // following part reads the value entered on the form and prepares it
> > // for the comparison below
> > 
> > $email = trim($HTTP_POST_VARS["email"]);
> > ///========================================================
> > 
> > $query = "SELECT email FROM details"; // selects email field from details table
> > $result = mysql_query($query); //executes sql select query
> > $num_result = mysql_num_rows($result);
> > /* scans the result set for the email; the redirect is decided only after
> >    the whole set has been scanned, so a non-matching row cannot redirect
> >    to register.php before the matching row is reached
> > */
> > $found = false;
> > for ($i = 0; $i < $num_result; $i++)
> > {
> >     $row = mysql_fetch_array($result);
> >     $eml = trim(stripslashes($row['email']));
> >     if (strcmp($email, $eml) == 0)
> >     {
> >         $found = true;
> >         break; // one match is enough
> >     }
> > }//end for
> > 
> > if ($found)
> > {
> >     header("Location: download.php");
> > }
> > else
> > {
> >     header("Location: register.php");
> > }
> > exit; // stop the script once the redirect header has been sent
> > ?>
> > 
> 
> 
> 
> _______________________________________________
> Scottish mailing list
> Scottish@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/scottish
> 

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
Particle Physics (Theory & Experimental) Groups                Dr Paul Millar 
Department of Physics and Astronomy                     paulm@astro.gla.ac.uk
University of Glasgow                                 paulm@physics.gla.ac.uk
Glasgow, G12 8QQ, Scotland             http://www.astro.gla.ac.uk/users/paulm 
+44 (0)141 330 4717        A54C A9FC 6A77 1664 2E4E  90E3 FFD2 704B BF0F 03E9
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
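Paul's warning above, as an added worked example that is not part of the thread: Python with an in-memory sqlite3 table of constructed sample rows stands in for the PHP/MySQL setup, and the function and table names (details, count_vulnerable, count_safe, is_registered) are this example's own. Two caveats a practitioner would want: the old mysql_query() runs only one statement per call, as does sqlite3's execute(), so the stacked "; DELETE FROM details" form fails loudly rather than deleting anything; and the payload must also contain a quote to break out of the string literal the query wraps it in. A quote-breaking payload such as x' OR '1'='1 needs no second statement at all and turns the existence check into "everyone is registered", which is exactly the download.php gate being discussed. The fix is to keep user input out of the SQL text: a bound parameter here, and in PHP of that era mysql_real_escape_string() (PHP 4.3.0 or later) or, later, prepared statements via mysqli or PDO.

```python
import sqlite3

# Constructed sample data standing in for the "details" table on the page.
SAMPLE_EMAILS = ["olive@zoom.co.uk", "paulm@astro.gla.ac.uk"]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE details (email TEXT NOT NULL)")
    conn.executemany("INSERT INTO details (email) VALUES (?)",
                     [(e,) for e in SAMPLE_EMAILS])
    conn.commit()
    return conn


def count_vulnerable(conn, email):
    """Graeme's suggestion done the unsafe way: the form value is pasted into the SQL text."""
    query = "SELECT email FROM details WHERE email = '%s'" % email
    return len(conn.execute(query).fetchall())


def count_safe(conn, email):
    """Same query with a bound parameter; the driver never lets the value become SQL syntax."""
    rows = conn.execute("SELECT email FROM details WHERE email = ?", (email,)).fetchall()
    return len(rows)


def is_registered(conn, email):
    """The download/register decision, built on the safe lookup (hypothetical helper)."""
    return count_safe(conn, email.strip()) > 0


def demo():
    """Run the honest value and two attack payloads through both lookups."""
    conn = make_db()
    results = {}

    # An honest address: both lookups agree.
    results["honest_vuln"] = count_vulnerable(conn, "olive@zoom.co.uk")
    results["honest_safe"] = count_safe(conn, "olive@zoom.co.uk")

    # Paul's stacked-statement payload (with the quote needed to close the literal).
    # sqlite3, like mysql_query(), refuses to run a second statement in one call,
    # so this raises instead of deleting the table.
    stacked = "paulm@astro.gla.ac.uk'; DELETE FROM details; --"
    try:
        count_vulnerable(conn, stacked)
        results["stacked_vuln"] = "ran"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked_vuln"] = "rejected"

    # A quote-breaking payload needs no second statement: the WHERE clause becomes
    # always-true, so an unregistered visitor is "found" and sent to download.php.
    bypass = "nobody@example.invalid' OR '1'='1"
    results["bypass_vuln"] = count_vulnerable(conn, bypass)   # every row matches
    results["bypass_safe"] = count_safe(conn, bypass)         # compared literally: none

    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM details").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-13s %r" % (name, value))
```

The `rows_left` figure confirms that neither payload deleted anything; the damage in this setup is the authorization bypass, not data loss, which is why the WHERE clause and not only stacked statements needs guarding.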