• PHP strings, resources and arrays
    19 replies, posted
Hi, I am making a script which sets the value of a variable equal to the value of a particular record in a MySQL table, but I'm having some problems.
[php]
$scorequery = mysql_query("SELECT count FROM count WHERE username = '$username'");
$results = mysql_query($scorequery);
$arr = mysql_fetch_row($results);
$score = $arr[0];
[/php]
$score is the variable I want to set, but I'm getting the error:
[code]
Warning: mysql_query() expects parameter 1 to be string, resource given
[/code]
How do I solve this? Thanks
Why are you trying to query a query
[QUOTE=TehWhale;26161502]Why are you trying to query a query[/QUOTE] Oh god, yeah, thanks for pointing that out, it works now.
What is $username? I sure hope it isn't $_REQUEST['username'].
[QUOTE=Catdaemon;26175564]what is $username I sure hope it isn't $_REQUEST['username'][/QUOTE] Oh Catdaemon, you're on Facepunch's Web Development forum, not on some other crappy webdev forum where members don't know what they're doing. Don't be silly, Catdaemon, that never happens here. Silly.
What the hell is $_REQUEST? Never seen it before.
[QUOTE=Catdaemon;26175564]$_REQUEST[/QUOTE] :psyboom:
$_REQUEST holds the values from $_GET, $_POST, $_COOKIE and... I think that's it... yep. Values are set in this order, from left to right: GET, POST, COOKIE. Newer values override older values. (This order can be changed by modifying request_order in your php.ini.) It's useful when you don't really care where the input comes from. [editline]20th November 2010[/editline] Remember, per the HTTP spec, GET requests should only be used to retrieve data without causing any data changes on the server (excluding logging and such, obviously); keep this in mind when using $_REQUEST. (src: [url]http://stackoverflow.com/questions/46585/when-do-you-use-post-and-when-do-you-use-get[/url], [url]http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html[/url] )
$username is $_COOKIE['username']
[QUOTE=Alcapwne;26180373]$username is $_COOKIE['username'][/QUOTE] Are you sanitizing it? Cookies are as valid injection points as GET and POST data.
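The lookup from the opening post rewritten the way the replies above ask for, as an added example (not code from the thread): PDO with a bound parameter, so a username taken from a cookie cannot change the SQL. It assumes the `count` table from the original post and a hypothetical DSN and credentials.

```php
<?php
// Added example, not the thread's code. Assumes a table `count`
// (username VARCHAR, count INT) as in the original post, and a
// hypothetical DSN / user / password.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

function fetchScore(PDO $db, string $username): ?int
{
    // The username is bound as a parameter, never concatenated into the query,
    // so a value like  ' OR '1'='1  is compared literally, not executed.
    $st = $db->prepare('SELECT `count` FROM `count` WHERE username = :u');
    $st->execute([':u' => $username]);
    $row = $st->fetch(PDO::FETCH_NUM);
    return $row === false ? null : (int) $row[0];
}

// Cookie, GET, POST and $_REQUEST values are all untrusted input.
$username = $_COOKIE['username'] ?? '';
$score = fetchScore($db, $username);
if ($score === null) {
    // No row matched: handle it explicitly instead of reading $arr[0] from a missed row.
    http_response_code(404);
    exit('unknown user');
}
echo 'score: ', $score;
```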
I hope you don't store a logged in cookie as well. :psyboom:
[QUOTE=Torekk;26195287]I hope you don't store a logged in cookie as well. :psyboom:[/QUOTE] What? What's wrong with cookies all of a sudden? :(
[QUOTE=Alcapwne;26208352]What? What's wrong with cookies all of a sudden? :([/QUOTE] Cookies are stored on the client. It takes just a bit of effort, but anyone can modify them - do you seriously want to trust the user when you ask him if he's logged in? The only thing you keep on the client is the session ID; everything else should be on the server.
[QUOTE=StankyJoe;26208419]Cookies are stored on the client. It takes just a bit of effort, but anyone can modify them - do you seriously want to trust the user when you ask him if he's logged in? The only thing you keep on the client is the session ID; everything else should be on the server.[/QUOTE] Cookies can be fine for login: just have an auth key & username/id, and when required check against MySQL. The advantage of this is you can store 'displayed' info (username, links to login functions like edit/etc.) within the cookie, and thus have pages with 0 user-based queries, and on otherwise static pages no queries. Then when actually doing something, check against the database.
What can a user actually do if they can edit a cookie?
[QUOTE=Alcapwne;26233250]What can a user actually do if they can edit a cookie?[/QUOTE] Depends on what you're using cookies for, and how - imagine you set a cookie:
[code]
user-is-admin: false
[/code]
If you don't do any other checks, the user can simply change that to [b]true[/b], and voila, he is now an admin. This example is highly hyperbolic, but there are a lot of ways small mistakes can come back to bite you in the ass if you aren't careful - cookies should be treated with as much care as any other form of user input.
Sessions > cookies
[QUOTE=Ortzinator;26234773]Sessions > cookies[/QUOTE] But sessions don't last forever do they?
Best way to handle it: Use sessions and store them in the database versus the PHP default temporary location. Then store the session key in a cookie. When a user without a session comes to the site, check for a cookie and if they have one then look in the database for the session that matches. Then delete the past session and make a new one (or alternatively, based on your config you could just renew the old session). Also, for MySQL use a PDO object. It's built into PHP 5 and it's fantastic. Makes everything simpler and sanitizes everything for you. Plus, it's OOP!
[QUOTE=adamjon858;26253177]Best way to handle it: Use sessions and store them in the database versus the PHP default temporary location. Then store the session key in a cookie. When a user without a session comes to the site, check for a cookie and if they have one then look in the database for the session that matches. Then delete the past session and make a new one (or alternatively, based on your config you could just renew the old session). Also, for MySQL use a PDO object. It's built into PHP 5 and it's fantastic. Makes everything simpler and sanitizes everything for you. Plus, it's OOP![/QUOTE] I'm still new to this, what exactly does that mean? Thanks