Having problems with including variables in mysql query...

maye

I've created a form page that sends the input to the script page listed here, but something is wrong since I don't get anything when I try to print the results from the query...what is wrong???

<html>

<head>

<title>Mysite</title>

</head>

<body bgcolor="white">

<?php

$nick=$POST[Nickname];
$pass=$POST[pass];

$conn=@mysql_connect("localhost", "root") or die("kunde inte ansluta");

$db=mysql_select_db("dating");

$sql="SELECT * FROM user_male WHERE Nickname=".$nick." AND losen=".$pass;

$sql2=$sql;

$result=mysql_query($sql2);

$rad = @mysql_fetch_array($result);

echo $rad[Nickname];

mysql_close($conn);

?>

</body>

</html>

I'm pretty new to php, althought I have worked with java before, so I might have missed something fundamental or basic that you can't do, or should do in php.

try to explain it in simple terms 😉

dougal85

$nick=$_POST[Nickname];
$pass=$_POST[pass];

Have you checked that the variables are getting this far?

echo $nick;
echo $pass;

That'll let you know.

Are you getting any errors?

Also just looking at the code, I wonder why you have this line;

$sql2=$sql;

why not just refer to $sql all the way through 🙂

Piranha

// You posted this:
$nick=$_POST[Nickname];
$pass=$_POST[pass];

// It should be:
$nick=$_POST['Nickname'];
$pass=$_POST['pass'];

You should also try to avoid SQL Injection attacks by using mysql_real_escape_string if you use MySQL, or a simular function if you use another database. Using sprintf() will make it easier. The code would be like this:

 <html>
<head>
<title>Mysite</title>
</head>
<body bgcolor="white">

<?php

$nick=$_POST['Nickname']; // Added '
$pass=$_POST['pass'];  // Added '

$conn=@mysql_connect("localhost", "root") or die("kunde inte ansluta");

$db=mysql_select_db("dating");

$sql= sprintf ("SELECT * FROM user_male WHERE Nickname='%s' AND losen='%s';", mysql_real_escape_string($nick), mysql_real_escape_string($pass)); // Changed to sprintf and escaping the strings

$sql2=$sql;
$result=mysql_query($sql2);
$rad = @mysql_fetch_array($result);
echo $rad['Nickname']; // Added '

mysql_close($conn);

?>
</body>
</html>

Lycka till 🙂

Edit: Noticed that 2 variables were wrong, corrected them.

maye

well, the reason for the x-tra referal was that I thought that you couldn't refer them throught since I was incorporating variables directly into the sql command, so I set up an extra variable to get the string produced from $sql.

yes I have checked if it gets throught which it does, and third - no I'm not getting any errors.

maye

hmm, have checked what you recomended - nothing...I even tried copy and paste straight throught...still nothing....the post function works allright, but somewhere on the way it gets lost...:mad:

Piranha

Try to echo the SQL string and run the query in a way that you know works with queries, for example PHPmyadmin.

dougal85

yeah, or show us the query if your not sure about it.

Piranha

I looked at my query once more, and it seems like I forgot the '. The query should be like this:

$sql= sprintf ("SELECT * FROM user_male WHERE Nickname='%s' AND losen='%s';", mysql_real_escape_string($nick), mysql_real_escape_string($pass));

maye

sweet...now it works...thx a bunch guys...

maye

here's another question for all you people out there, I added another mysql_real_escape_string to the script since I wanted the sql query to choose between two different databases depending on what the user choose in the form, but once again I get the same results as before, what is wrong? once again, no errors, nothing...the info requested from the db just doesnt show...:mad:

<html>

<head>

<title>Mysite</title>

</head>

<body bgcolor="white">

<?php

$gender=$POST['gender'];
$nick=$POST['Nickname'];
$pass=$_POST['pass'];

$conn=@mysql_connect("localhost", "root") or die("kunde inte ansluta");

$db=mysql_select_db("dating");

$sql= sprintf ("SELECT * FROM '%s' WHERE Nickname='%s' AND losen='%s';",mysql_real_escape_string($gender), mysql_real_escape_string($nick), mysql_real_escape_string($pass));

$sql2=$sql;

$result=mysql_query($sql2);

while($rad = @mysql_fetch_array($result))

{

echo "Nickname: ".$rad['Nickname']."<br>Age: ".$rad['age']."<br>Gender: ".$rad['gender']."<br>Location: ".$rad['location'];

}

mysql_close($conn);

?>

</body>

</html>

dougal85

hmm.. I notice you have a capital in Nickname and not in age or gender, is this the same as the db?

tbh... I cant see whats wrong, but i'm tired.

pop this after your line with the mysql_query and see if it sheds any light.

if (!$result) {
   die('Invalid query: ' . mysql_error());
}

Piranha

The error is in this row:

$sql= sprintf ("SELECT * FROM '%s' WHERE Nickname='%s' AND losen='%s';",mysql_real_escape_string($gender), mysql_real_escape_string($nick), mysql_real_escape_string($pass));

You should only use the ' sign in a SQL query for strings. The table name is not considered a string, so you should not use the ' sign there. Instead you can leave it out.

As I said in an earlier post, try to echo the SQL string and use it from PHPMyAdmin. There you will see much better what error you get and where the fault might be. When you have used SQL some time you might even be able to see the problem by just echoing the string out.

Edit: I am curious, why do you use different tables for males and females?

maye

well, my intent with this entire thing is to create a dating site, or at least im trying.

with my experience in online dating i've noticed a couple of serious errors the companies have made in order to get the most out of online dating and I'm trying to correct those, since I believe that guys and girls could benefit a great deal from it, and if you've ever tried it, you know that the problems for guys is to GET responses, and contrary to women is that they get too great responses.

Im trying to fix this problem by experimenting with different settings for women and men, and in order to make that easier, im separating the databases.