$_GET over to isset

TheCase

Hi,

This is my code

<?php

require_once('./forum/SSI.php');

require_once('./mysql_connect.php');

$username = $context['user']['name'];

$query_value=empty($_GET["common"])?"":$_GET["common"];

$userteamcheck = "SELECT * FROM smf_members WHERE memberName='$username'" or trigger_error("Query: $userteamcheck\n<br />MySQL Error: ". mysql_error());
$userteamcheck2 = mysql_query ($userteamcheck);
while ($userteamcheck3 = mysql_fetch_assoc($userteamcheck2)) {
$teamnamme = $userteamcheck3['team']; 

$currentpointsp = "{$query_value}p";
$a = "a{$query_value}";

$fetchpoints = "SELECT * FROM aacl_team WHERE teamname='$teamnamme'" or trigger_error("Query: $fetchpoints\n<br />MySQL Error: ". mysql_error());
$fetchpoints2 = mysql_query ($fetchpoints);
while ($fetchpoints3 = mysql_fetch_assoc($fetchpoints2)) {
$currentpoints = $fetchpoints3["$currentpointsp"]; 
}

$fetchmorepoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp <= $currentpoints AND teamname != '$teamnamme' LIMIT 1" or trigger_error("Query: $fetchmorepoints\n<br />MySQL Error: ". mysql_error());
$fetchmorepoints2 = mysql_query ($fetchmorepoints);
    while ($fetchmorepoints3 = mysql_fetch_assoc($fetchmorepoints2)) {
    $morepointteam = $fetchmorepoints3['teamname'];
    $morepointteamid = $fetchmorepoints3['id'];

}
$fetchlesspoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp >= $currentpoints AND teamname != '$teamnamme'" or trigger_error("Query: $fetchlesspoints\n<br />MySQL Error: ". mysql_error());
$fetchlesspoints2 = mysql_query ($fetchlesspoints);
    while ($fetchlesspoints3 = mysql_fetch_assoc($fetchlesspoints2)) {
    $lesspointteam = $fetchlesspoints3['teamname'];
    $lesspointteamid = $fetchlesspoints3['id'];

echo "

<form action=\"test_query.php\" method=\"post\">

<select name=\"cteam\">

  <option value='" . $morepointteamid . "'>" . $morepointteam . "</option>

  <option value='" . $lesspointteamid . "'>" . $lesspointteam . "</option>

</select><div align='center'> <input type='submit' name='challengeteamsubmit' value='Challenge' /> </div>
<input type=\"hidden\" name=\"challengeteamsubmit2\" value=\"TRUE\" /></form>";

}}

if(isset($_POST['challengeteamsubmit2'])){

include 'query_test.php';

srand((double)microtime()*1000000); 
$arry_txt=preg_split("/--NEXT--/",join('',file("times.txt"))); 
$randomtime = $arry_txt[rand(0,sizeof($arry_txt)-1)];

$randomdate = date('l j F Y', strtotime('+' . rand(7,14) . ' days')); 

$teamid = $_POST['cteam'];

$query1 = "INSERT INTO aacl_match (`team`, `ladder`, `time`, `date`, `teamchallenged`) VALUES ('$teamnamme', '$query_value', '$randomtime', '$randomdate', '$teamid')";		
		$result1 = mysql_query ($query1) or trigger_error("Query: $query1\n<br />MySQL Error: " . mysql_error());


}
?>

The query bellow
if(isset($_POST['challengeteamsubmit2'])){

has the variable $query_value but its coming out blank bellow the isset and its outputting above, why not bellow

Thanks

Weedpacket

TheCase wrote:
has the variable $query_value but its coming out blank bellow the isset and its outputting above, why not bellow

If I understand that smear of words correctly, you're saying that when you're building the string $query1 at the bottom of the posted code, $query_value is always an empty string.

That would happen if $_GET['common'] is an empty string, or is not set at all.

That line only runs if $_POST['challengeteamsubmit2'] is set.

So:
When $POST['challengeteamsubmit2'] is set, does $GET['common'] contain anything?

Incidentally, you could consider tidying up the formatting of your code: the idea of source code is that it should be readable.

TheCase

$_GET['common']; does output above the isset, it does contain data (from another page). Once put bellow the isset it outputs blank

Thanks

Weedpacket

Is that a yes to my question? Does $query1 contain nothing where the value of $_GET['common'] should appear?

What do you get if you put

echo 'Checking values:';
echo '$_GET["common"] = ',$_GET['common'],'<br>';
echo '$query_value = ',$query_value,'<br>';
echo $query1;
exit;

immediately after you set $query1 (which, incidentally, you never use)?

Have you looked in query_test.php to see if it's doing anything to $query_value?

TheCase

This is the result when putting your code bellow the isset

Checking values:$_GET["common"] =
$query_value =

When I put it above the isset I get

Checking values:$_GET["common"] = fsr
$query_value = fsr

As you can see for some reason the $_GET is only defining above the isset and not bellow. Hope this is clearer. Any ideas?

Thanks

Weedpacket

TheCase wrote:
Any ideas?

Yes: more basic debugging (come on, you have to be able to do this yourself if you want to be a programmer).

Leaving the other debugging code there, add this immediately after you set $query_value:

echo 'Checking values:';
echo '$_GET["common"] = ',$_GET['common'],'<br>';
echo '$query_value = ',$query_value,'<br>';

Now what do you get?

TheCase

Weedpacket;10886085 wrote:
Leaving the other debugging code there, add this immediately after you set $query_value:
echo 'Checking values:';
echo '$_GET["common"] = ',$_GET['common'],'<br>';
echo '$query_value = ',$query_value,'<br>'; 
Now what do you get?

I get

Checking values:$_GET["common"] = fsr
$query_value = fsr

The values are no longer blank. So its working above the isset not bellow. I have done this allready thats why I put in my first page it works above not bellow ... I want to be a good programmer :p This one is tricky though

Thanks

Weedpacket

I said "leaving the other debugging code there". I expected to see both sets of debugging lines.

TheCase

After $query_value is set

Checking values:$_GET["common"] = fsr
$query_value = fsr

After $query1 is set

Checking values:$_GET["common"] =
$query_value =

The query does not echo here, but submits the data (apart from $query_value) to the correct fields

Thanks

Weedpacket

Nothing in that code modifies the $_GET array; so if that array is changing partway through the script it must be because of something that is not in the code posted. The only place that could be is in the query_test.php file. So what is that doing?

TheCase

test_query.php is the code in the first page. The $query_value is coming from another page here is the code

<script>
// Create the AJAX xmlHttpRequest object
function createRequest()
{
 var xmlhttp = false;
 try {xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try {xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(E){xmlhttp = false;}}
 if(!xmlhttp && typeof XMLHttpRequest!='undefined'){try{xmlhttp = new XMLHttpRequest();}catch(e){xmlhttp=false;}}
 if(!xmlhttp && window.createRequest){try{xmlhttp = window.createRequest();}catch(e){xmlhttp=false;}}
 return xmlhttp;
 }

// Make an AJAX xmlHttpRequest to test_query.php
function show_value(v)
{
 /* Change test_query.php to the name of your PHP page. */
 var php_page = "test_query.php";
 var url = php_page+"?common="+v;
 var con=createRequest();
 con.open("GET",url,true);
 con.onreadystatechange=function()
 {
  if(con.readyState==4 && con.status==200)
  {
   document.getElementById("showValue").innerHTML=con.responseText;
   }
  }
 con.send(null);
 }
</script>

<table align="center" border="2" bordercolor="005DB3">
<tr>
	<td background="untitled.gif"><center>Challenge Team</center></td>
</tr>
<tr>
	<td bgcolor="FFFFFF">Ladder:
 <select onchange="show_value(this.value)">
  <option value="">Make a Selection</option>
  <option value="fsr">FS Rounds</option>
  <option value="fsta">FS Time Attack</option>
  <option value="tr">Tech Rounds</option>
  <option value="tta">Tech Time Attack</option>
  </select>
  <div id="showValue"></div>
    </td>
</tr>
</table>
</form>

Weedpacket

TheCase wrote:
The $query_value is coming from another page

No, you're making less sense than ever, now.

Try and explain the whole process. It shouldn't be too difficult to explain it clearly; you've already tried to explain the whole process to the computer, and the computer is a lot more thick than I am. So if I can't understand what you're saying, how can you expect a computer to?

TheCase

Ok so the user goes to my script called team.php wich is this code

<script>
// Create the AJAX xmlHttpRequest object
function createRequest()
{
var xmlhttp = false;
try {xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try {xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(E){xmlhttp = false;}}
if(!xmlhttp && typeof XMLHttpRequest!='undefined'){try{xmlhttp = new XMLHttpRequest();}catch(e){xmlhttp=false;}}
if(!xmlhttp && window.createRequest){try{xmlhttp = window.createRequest();}catch(e){xmlhttp=false;}}
return xmlhttp;
}

// Make an AJAX xmlHttpRequest to test_query.php
function show_value(v)
{
/* Change test_query.php to the name of your PHP page. */
var php_page = "test_query.php";
var url = php_page+"?common="+v;
var con=createRequest();
con.open("GET",url,true);
con.onreadystatechange=function()
{
  if(con.readyState==4 && con.status==200)
  {
   document.getElementById("showValue").innerHTML=con.responseText;
   }
  }
con.send(null);
}
</script>

<table align="center" border="2" bordercolor="005DB3">
<tr>
    <td background="untitled.gif"><center>Challenge Team</center></td>
</tr>
<tr>
    <td bgcolor="FFFFFF">Ladder:
<select onchange="show_value(this.value)">
  <option value="">Make a Selection</option>
  <option value="fsr">FS Rounds</option>
  <option value="fsta">FS Time Attack</option>
  <option value="tr">Tech Rounds</option>
  <option value="tta">Tech Time Attack</option>
  </select>
  <div id="showValue"></div>
    </td>
</tr>
</table>
</form>

You there is no submit button because based on there selection test_query.php comes along and adds another dropdown, submit button then submits a query. Here is test_query.php

<?php

require_once('./forum/SSI.php');

require_once('./mysql_connect.php');

$username = $context['user']['name'];

$query_value=empty($_GET["common"])?"":$_GET["common"];

$userteamcheck = "SELECT * FROM smf_members WHERE memberName='$username'" or trigger_error("Query: $userteamcheck\n<br />MySQL Error: ". mysql_error());
$userteamcheck2 = mysql_query ($userteamcheck);
while ($userteamcheck3 = mysql_fetch_assoc($userteamcheck2)) {
$teamnamme = $userteamcheck3['team'];

$currentpointsp = "{$query_value}p";
$a = "a{$query_value}";

$fetchpoints = "SELECT * FROM aacl_team WHERE teamname='$teamnamme'" or trigger_error("Query: $fetchpoints\n<br />MySQL Error: ". mysql_error());
$fetchpoints2 = mysql_query ($fetchpoints);
while ($fetchpoints3 = mysql_fetch_assoc($fetchpoints2)) {
$currentpoints = $fetchpoints3["$currentpointsp"];
}

$fetchmorepoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp <= $currentpoints AND teamname != '$teamnamme' LIMIT 1" or trigger_error("Query: $fetchmorepoints\n<br />MySQL Error: ". mysql_error());
$fetchmorepoints2 = mysql_query ($fetchmorepoints);
    while ($fetchmorepoints3 = mysql_fetch_assoc($fetchmorepoints2)) {
    $morepointteam = $fetchmorepoints3['teamname'];
    $morepointteamid = $fetchmorepoints3['id'];

}
$fetchlesspoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp >= $currentpoints AND teamname != '$teamnamme'" or trigger_error("Query: $fetchlesspoints\n<br />MySQL Error: ". mysql_error());
$fetchlesspoints2 = mysql_query ($fetchlesspoints);
    while ($fetchlesspoints3 = mysql_fetch_assoc($fetchlesspoints2)) {
    $lesspointteam = $fetchlesspoints3['teamname'];
    $lesspointteamid = $fetchlesspoints3['id'];

echo "

<form action=\"test_query.php\" method=\"post\">

<select name=\"cteam\">

  <option value='" . $morepointteamid . "'>" . $morepointteam . "</option>

  <option value='" . $lesspointteamid . "'>" . $lesspointteam . "</option>

</select><div align='center'> <input type='submit' name='challengeteamsubmit' value='Challenge' /> </div>
<input type=\"hidden\" name=\"challengeteamsubmit2\" value=\"TRUE\" /></form>";

}}

if(isset($_POST['challengeteamsubmit2'])){

srand((double)microtime()*1000000);
$arry_txt=preg_split("/--NEXT--/",join('',file("times.txt")));
$randomtime = $arry_txt[rand(0,sizeof($arry_txt)-1)];

$randomdate = date('l j F Y', strtotime('+' . rand(7,14) . ' days'));

$teamid = $_POST['cteam'];

$query1 = "INSERT INTO aacl_match (`team`, `ladder`, `time`, `date`, `teamchallenged`) VALUES ('$teamnamme', '$query_value', '$randomtime', '$randomdate', '$teamid')";        

        $result1 = mysql_query ($query1) or trigger_error("Query: $query1\n<br />MySQL Error: " . mysql_error());


}
?>

Now you know where the $query_value comes from this is the problem. In test_query.php if do

echo "$query_value";

above the line

if(isset($_POST['challengeteamsubmit2'])){

It will echo a result out based on the dropdown. But if I do it bellow it echos blank how do I get it to echo the result even underneath the if/isset.

Hope this is clear. Thanks

igorlopez

Sorry for jumping in but I believe Weedpacket were referring to your first code section where you had an include statement:

if(isset($_POST['challengeteamsubmit2'])){

include 'query_test.php';

and I would also like to stress Weedpackets point in trying to explain the process in a few lines, trying to grasp your code even if it is formatted with PHP tags is not very easily done.
One way i try to troubleshoot is to remove all parts not relevant to the problem and more then often does the problem disappear... then it is just a matter of putting back the pieces until the fault is there.

TheCase

Im sorry but the

include 'query_test.php';

Was not ment to be in my code that I posted. The correct code is in my last post. Hope it clears my fault up

cahva

Well I think this is very clear(with a quick glance 😉 ). When you submit your form, $_GET['common'] is not set because its not there anymore.

You can either:

echo " 
<form action=\"test_query.php?common={$query_value}\" method=\"post\"> 
...

..or add a hidden field to the form and access it with $POST:

echo " 
<form action=\"test_query.php\" method=\"post\"> 
<input type=\"hidden\" name=\"common\" value=\"{$query_value}\" />

Now after isset the $query_value can be found in $_POST['common'] variable. Latter is the way to go.

BTW, if this site really is going online, it has sql inject possibilites. Dont EVER trust content coming from the user via form or url. This has been discussed here and elsewhere so many times so search how to make your queries safer.

TheCase

This is what I was looking for thanks, but something weird has happend I get this now

Notice: Undefined index: p in test_query.php on line 22

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in test_query.php on line 27

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in test_query.php on line 34

All the SQL queries are named correct, do you see anything other wrong with the file? If I turn error reporting off, it doesnt help, its not doing anything bellow the isset not echoing or submitting queries, any ideas?

<?php

require_once('./forum/SSI.php');

require_once('./mysql_connect.php');

$username = $context['user']['name'];

$query_value=empty($_GET["common"])?"":$_GET["common"];

$userteamcheck = "SELECT * FROM smf_members WHERE memberName='$username'" or trigger_error("Query: $userteamcheck\n<br />MySQL Error: ". mysql_error());
$userteamcheck2 = mysql_query ($userteamcheck);
while ($userteamcheck3 = mysql_fetch_assoc($userteamcheck2)) {
$teamnamme = $userteamcheck3['team']; 

$currentpointsp = "{$query_value}p";
$a = "a{$query_value}";

$fetchpoints = "SELECT * FROM aacl_team WHERE teamname='$teamnamme'" or trigger_error("Query: $fetchpoints\n<br />MySQL Error: ". mysql_error());
$fetchpoints2 = mysql_query ($fetchpoints);
while ($fetchpoints3 = mysql_fetch_assoc($fetchpoints2)) {
$currentpoints = $fetchpoints3["$currentpointsp"]; 
}

$fetchmorepoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp <= $currentpoints AND teamname != '$teamnamme' LIMIT 1" or trigger_error("Query: $fetchmorepoints\n<br />MySQL Error: ". mysql_error());
$fetchmorepoints2 = mysql_query ($fetchmorepoints);
    while ($fetchmorepoints3 = mysql_fetch_assoc($fetchmorepoints2)) {
    $morepointteam = $fetchmorepoints3['teamname'];
    $morepointteamid = $fetchmorepoints3['id'];

}
$fetchlesspoints = "SELECT * FROM aacl_team WHERE $query_value!='0' AND $a='0' AND $currentpointsp >= $currentpoints AND teamname != '$teamnamme'" or trigger_error("Query: $fetchlesspoints\n<br />MySQL Error: ". mysql_error());
$fetchlesspoints2 = mysql_query ($fetchlesspoints);
    while ($fetchlesspoints3 = mysql_fetch_assoc($fetchlesspoints2)) {
    $lesspointteam = $fetchlesspoints3['teamname'];
    $lesspointteamid = $fetchlesspoints3['id'];

echo "

<form action=\"test_query.php\" method=\"post\">
<input type=\"hidden\" name=\"common\" value=\"{$query_value}\" /> 
<select name=\"cteam\">

  <option value='" . $morepointteamid . "'>" . $morepointteam . "</option>

  <option value='" . $lesspointteamid . "'>" . $lesspointteam . "</option>

</select><div align='center'> <input type='submit' name='challengeteamsubmit' value='Challenge' /> </div>
<input type=\"hidden\" name=\"challengeteamsubmit2\" value=\"TRUE\" /></form>";


if(isset($_POST['challengeteamsubmit2'])){

srand((double)microtime()*1000000); 
$arry_txt=preg_split("/--NEXT--/",join('',file("times.txt"))); 
$randomtime = $arry_txt[rand(0,sizeof($arry_txt)-1)];

$randomdate = date('l j F Y', strtotime('+' . rand(7,14) . ' days')); 

$teamid = $_POST['cteam'];
$query_value = $_POST['common'];

echo "Completed";

$query1 = "INSERT INTO aacl_match (`team`, `ladder`, `time`, `date`, `teamchallenged`) VALUES ('$teamnamme', '$query_value', '$randomtime', '$randomdate', '$teamid')";		
		$result1 = mysql_query ($query1) or trigger_error("Query: $query1\n<br />MySQL Error: " . mysql_error());

}}}
?>

Thanks

cahva

Well now you dont have $_GET['common'] so $query_value is empty. Now when you assign:

$currentpointsp = "{$query_value}p";

..it will have a value of "p" and you dont have a field with that name so the query will not work.

if the $query_value should not be empty in any case, you could just exit the script if theres now value:

if (isset($_POST['common'])) {
	$query_value = $_POST['common'];
}

if (!isset($query_value)) {
	if (empty($_GET['common'])) {
		exit;
	} else {
		$query_value = $_GET['common'];
	}
}

TheCase

Thanks alot. All working