Can anyone help me?

PsoRaven

I am trying to build an item database for a game that I play, and i wish to access it using php,i can do that fine but...

I wish to have a mode variable to deffine what is looked up in the database as part of the URL...

Eg. weapons.php?mode=Dagger

Will show all records with dagger, here is the code i have so far.

<?php 

// 
// Start of modes 
// 
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) ) 
{ 
   $mode = ( isset($HTTP_GET_VARS['mode']) ) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode']; 

   if ( $mode == 'arrows' ) 
   { 
      $lookup = "arrow"; 
      exit; 
   } 
   else if ( $mode == 'dagger') 
   { 
      $lookup = "dagger"; 
      exit; 
   } 
} 
else 
{ 
      $lookup = "arrow"; 
      exit; 
} 

// 
// DB access variables 
// 
$DBhost = "***"; 
$DBuser = "***"; 
$DBpass = "***"; 
$DBName = "***"; 
$table = "***"; 

mysql_connect($DBhost,$DBuser,$DBpass) or die("Unable to connect to database"); 

@mysql_select_db("$DBName") or die("Unable to select database $DBName"); 

$sqlquery = "SELECT * FROM $table WHERE type = $lookup"; 

$result = mysql_query($sqlquery); 

while($row = mysql_fetch_array($result)) { 
echo " 
  <tr valign='middle'> 
    <td width='25'><img src='Images/Databases/Weapons/". $row[type]. "/". $row[picture_url]. "'></td> 
    <td width='140'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>".$row[weapon_name] ."</font></td> 
    <td width='35' align='center'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[atk]. "</font></td> 
    <td width='50' align='center'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[type]. "</font></td> 
    <td width='35' align='center'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[weight]. "</font></td> 
    <td width='35' align='center'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[slots]. "</font></td> 
    <td width='60' align='center'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[weapon_level]. "</font></td> 
    <td width='50' align='center'><p><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>". $row[required_level]. "</font></p></td> 
  </tr> 
  <tr valign='middle'> 
    <td colspan='8'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'><strong>Job -</strong> ". $row[job]. "</font></td> 
  </tr> 
  <tr valign='middle'> 
    <td colspan='8'><font size='1' face='Verdana, Arial, Helvetica, sans-serif'><strong>Description -</strong> ". $row[description]. "</font></td> 
  </tr> 

"; 
} 


if(mysql_num_rows($result)<1){ 
echo "<font face=Arial size= 0><b>No 
Results!</b></font><br>"; 
} 

mysql_free_result($result); 
?>

The DBhost etc do have values in the actual script, i just won't post them here for security reasons. Is there anyway of making them more secure in the finished script?

This is one of my first scripts BTW, so if it is terrible i am sorry.

tomhath

You are doing the right thing by learning how to build security into the web site. Trying to add it in at the end is asking for trouble. The manual is a good place to start:

http://www.php.net/manual/en/security.php

Having the connection and password included into a .php file is not really a security hole if the only way to access the file is through an HTTP connection, since that will only serve the HTML produced by the script. But you do want to protect the files from being accessed via FTP. How you do that depends on you host and web server.

The code you posted seems to allow access the database with $lookup not defined (or at least not checked, read about SQL injection attacks) . What if someone passes in a value for $mode other than 'arrows' or 'dagger' ?

PsoRaven

I am going to have a dropdown menu with links, it will not be a user entered thing (there will be more once i get the code sorted out), trying to do it with the modes is just an attempt at saving time, and advancing my knowledge of php at the same time.

Also, $lookup is define in this bit of code (at least i think it is)

if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) ) 
{ 
   $mode = ( isset($HTTP_GET_VARS['mode']) ) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode']; 

   if ( $mode == 'arrows' ) 
   { 
      $lookup = "arrow"; 
      exit; 
   } 
   else if ( $mode == 'dagger') 
   { 
      $lookup = "dagger"; 
      exit; 
   } 
} 
else 
{ 
      $lookup = "arrow"; 
      exit; 
}