Entering php secure login

Possible duplicate:
mysql_fetch_array() expects parameter 1 to be resource, boolean given in select

I need help here.

I have this query:

$order = isset($_GET['order']) ? mysql_real_escape_string($_GET['order']) : 'title';
$query = mysql_query("SELECT * FROM entry ORDER BY $order ASC");

You can either order by name, date or author.

But if someone gives $order something else:

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\wamp\www\entries.php on line 20

How do I get rid of this error message?

Thanks

+3
9 answers

You should not treat column identifiers in the same way as string literals. In your example, you can get SQL as follows:

SELECT * FROM entry ORDER BY O\'Hare ASC

This will result in a syntax error in any SQL parser.

I have some tips:

  • SQL , mysql_query(). , SQL, , , .

    $sql = "SELECT * FROM entry ORDER BY $order ASC";
    // here you can log $sql, or output to Firebug, etc.
    $query = mysql_query($sql);
    
  • , . , .

    $query = mysql_query($sql);
    if ($query === false) {
      die(mysql_error());
    }
    
  • mysql_real_escape_string() - , , SQL .. , $_GET , . , .

    $ordercolumns = array(
      "t" => "title",
      "d" => "date"
    );
    $order = "title"; // the default
    if (isset($_GET["order"]) && isset($ordercolumns[$_GET["order"]])) {
      $order = $ordercolumns[$_GET["order"]];
    }
    // now we know $order can only be 'title' or 'date',
    // so there is no need to escape it.
    $sql = "SELECT * FROM entry ORDER BY $order ASC";
    
+2
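The whitelist approach from the answer above, carried a step further as an added example (not code from the question or any answer): the ORDER BY column and direction both come from fixed maps, and the remaining user input goes through a bound parameter. It assumes a mysqli connection in $db, a table entry with a created_at column, and PHP 7 with mysqlnd for get_result().

```php
<?php
// Added example, not from the original question or answers. Assumes a
// mysqli connection in $db and a table `entry` with a `created_at` column.

// Map of the values accepted in the URL to the real column names.
// User input is only ever used as a key into this map, never as SQL text.
const ORDER_COLUMNS = [
    'title'  => 'title',
    'date'   => 'created_at',   // URL value and column name need not match
    'author' => 'author',
];

// Returns a safe "`column` ASC|DESC" fragment; unknown or non-string input
// (e.g. ?order[]=x) silently falls back to the default instead of erroring.
function orderClause($column, $dir): string
{
    $key = is_string($column) ? $column : '';
    $col = ORDER_COLUMNS[$key] ?? ORDER_COLUMNS['title'];
    $dir = is_string($dir) && strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "`$col` $dir";
}

// The ORDER BY clause is built from the whitelist only; the filter value
// still goes through a bound parameter rather than string escaping.
$order = orderClause($_GET['order'] ?? null, $_GET['dir'] ?? null);
$sql   = "SELECT id, title, author FROM entry WHERE author = ? ORDER BY $order";

$stmt = $db->prepare($sql);
if ($stmt === false) {
    // Log the real error server-side; do not echo it to the visitor,
    // which is also how the "boolean given" warning is avoided.
    error_log('prepare failed: ' . $db->error);
    http_response_code(500);
    exit;
}
$author = $_GET['author'] ?? '';
$stmt->bind_param('s', $author);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```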

- colu\'nname order by, , mysql_real_escape_string .

, $order - , .


, - :

if (!in_array($_GET['order'], array('column1', 'title', 'id', 'other_column'))) {
    // deal with the problem
    // and don't run the query
    // because $_GET['order'] is not one of the allowed values
}
+6

, . , . , .

:

switch($_GET['order']){
    case 'date' : 
         $order = 'date';
         break;
    case 'author' : 
         $order = 'author';
         break;
    default:
         $order = 'title';
}

SQL-.

+1

$order, , . $.

0

$_GET ['order'] .

, ($ query), , , .

0
$checker = array('title', 'date', 'author');

$order = isset($_GET['order']) ? mysql_real_escape_string($_GET['order']) : 'title';

if (in_array($order, $checker)) {
  $query = mysql_query("SELECT * FROM entry ORDER BY $order ASC");
}
0

, - , .

,

$valid_values = array("title", "date", "author");

if (in_array($_GET['order'], $valid_values))
{
    // Your db stuff
}
else
{
    echo "The order value you gave wasn't valid. Please try another.";
}
0

, $_GET["order"] .
, . mysql_query() false , mysql_fetch_assoc.

-

$columns = array("id", "name", "title");
if (false === ($key = array_search($_GET["column"], $columns))) {
  $column = "title";
} else {
  $column = $columns[$key];
}
$query = "SELECT * FROM entry ORDER BY {$column};";

mysql_real_escape_string, .

0

Check that $order is a column name before starting the query

$order = isset($_GET['order']) ? mysql_real_escape_string($_GET['order']) : 'title';
//Run a check here, before the query
$query = mysql_query("SELECT * FROM entry ORDER BY $order ASC");

mysql_real_escape_string also looks wrong. Just a head

0

Source: https://habr.com/ru/post/1754640/
