MySQL error when selecting fields using HTML form

I get the below error. Please help me to solve this.


While the code is as below.
  • You should use $_POST['....'] in the WHERE clause, not in the SELECT clause.

    So the query will look like
    select column1, column2, ... from persons where column1 = $_POST['col1']

    column1, column2 are the columns in the table.

    Also, do not share 000webhost.com DB passwords directly in these forums. There is a chance of your DB getting hacked.
  • ^^ Change your details above ASAP, as the above poster said, and modify your post. Nice catch, BPplaza.
    • Can you explain, please, why you were asking me to modify the post? And why has my post been modified by someone?
  • Oh god he's signed off too. Hopefully it won't be too late by the time he gets back to reading the thread and edits the OP.
  • I'm surprised no one mentioned this... but you should NOT just take the input variables and put them into your query like you are doing. You need to sanitize them first. At the very least use
    mysql_real_escape_string();
  • Among other things, before calling mysql_fetch_array be sure to trap the data for errors. Do something like this:

    $result = mysql_query("SELECT $col1, $col2, $col3 FROM Persons");

    if (!$result) {
        die('Invalid query: ' . mysql_error());
    } else {
        // do stuff here
    }

    Most likely your query isn't returning a valid result. Use a WHERE clause. You don't have an expression that matches anything. If you continue to have trouble, echo out your query string as a test and use phpMyAdmin to test it. Get the query string right using phpMyAdmin, then code it in PHP.

    One last thing: consider using a connect script. Don't put your connection details in the PHP page. Include an external file in your page that connects to the database. Put that connect script in a non-public section of your server. If PHP ever goes down on your site with the way you have it, everyone who visits your webpage will see your connection info.

    And like others have said, if the connection info you posted above is real, change it ASAP. If you have any other passwords that match the one above, change them as well.
  • Post #2 is like the worst advice ever! NEVER NEVER NEVER do this.
    If you want to lose ALL your business, lose your reputation and more, then use mysql the way it is used in that example. That is the perfect way to very easily get hacked and give hackers full access to your database.

    You should always sanitize your user input. One very basic rule for programmers:
    - NEVER trust ANY 3rd party input into your own system -

    This includes user input (incl. order data), API communications, partner input (e.g. hired people, content writers, etc.)
  • It's because you had your database name, username and password in your code for anyone to see. That could have been used to delete everything from your DB.
  • maybe the script wasn't connected to the database when it tried to select data
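
Added example, not posted by anyone in the thread: one way to handle both pieces of form input discussed above, the column list in the SELECT and the value in the WHERE clause. Column names cannot be bound or usefully escaped (they are not inside quotes), so they are matched against an allowlist, while the value is bound as a parameter. The `Persons` columns, the sample rows, the `$forms` array standing in for `$_POST`, and the use of PDO with in-memory SQLite in place of the MySQL server are all assumptions made so the example runs offline.

```php
<?php
// Columns the form is allowed to name (hypothetical schema for this example).
const ALLOWED_COLUMNS = ['FirstName', 'LastName', 'Age'];

/**
 * Build "SELECT <cols> FROM Persons WHERE <col> = ?" from form input.
 * Identifiers must match the allowlist exactly; the value is never
 * concatenated into the SQL, it is returned separately for binding.
 */
function buildPersonQuery(array $requestedCols, string $filterCol, string $filterValue): array
{
    $cols = array_values(array_unique(array_filter($requestedCols, 'is_string')));
    if ($cols === [] || array_diff($cols, ALLOWED_COLUMNS) !== []) {
        throw new InvalidArgumentException('Unknown column requested');
    }
    if (!in_array($filterCol, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown filter column');
    }
    $sql = sprintf('SELECT %s FROM Persons WHERE %s = ?', implode(', ', $cols), $filterCol);
    return [$sql, [$filterValue]];
}

// In-memory SQLite stands in for MySQL; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Persons (FirstName TEXT, LastName TEXT, Age INTEGER)');
$pdo->exec("INSERT INTO Persons VALUES ('Ann', 'Lee', 31), ('Bob', 'Ray', 45)");

// Constructed stand-ins for $_POST: a normal request, a value containing
// quotes, and a column entry that is not exactly an allowlisted name.
$forms = [
    ['cols' => ['FirstName', 'Age'], 'by' => 'LastName', 'value' => 'Lee'],
    ['cols' => ['FirstName'], 'by' => 'LastName', 'value' => "Lee' OR '1'='1"],
    ['cols' => ['LastName, Password'], 'by' => 'LastName', 'value' => 'Lee'],
];

foreach ($forms as $form) {
    try {
        [$sql, $params] = buildPersonQuery($form['cols'], $form['by'], $form['value']);
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params); // value travels as data, not as SQL text
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        echo $sql, ' => ', json_encode($rows), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The second request matches no rows because the quoted text is compared as a literal last name, and the third is rejected before any SQL is built.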
