Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>You have a few issues in your code, not all are errors as such, some code is unneeded, other code is potentially dangerous.</p> <pre><code>$name = stripslashes($name); &lt;&lt;-- delete this line. $name = mysql_real_escape_string($name); &lt;&lt;-- this is all you need. </code></pre> <p><code>mysql_real_escape_string()</code> is all you need. No other escaping is need to protect against SQL-injection.<br> A few caveats apply, which I will discuss below. </p> <pre><code>$sql="SELECT * FROM $tbl_name WHERE name='$name'"; $result=mysql_query($sql); </code></pre> <p><code>Select *</code> is an anti-pattern, never use it in production code. Explicitly select the fields you need.<br> You are using dynamic tablenames, I fail to see the need for this and it's also a dangerous SQL-injection hole.<br> Never use it but if you must, see this question how to secure your code: <a href="https://stackoverflow.com/questions/5811834/how-to-prevent-sql-injection-with-dynamic-tablenames">How to prevent SQL injection with dynamic tablenames?</a><br> You do the query, but you don't test if it succeeds, put a test in there:</p> <pre><code>$sql = "SELECT id FROM users WHERE name='$name' "; $result = mysql_query($sql); if ($result) { $row = mysql_fetch_array($result); $user_id = $row['id']; } else { do stuff to handle failure } </code></pre> <p>You are trying to get data out of the database, but this is not the way to do it: </p> <pre><code>$players = mysql_query("SELECT MAX (id) FROM $tbl_name"); $chooserand = rand(1,$players); $callee = mysql_query("SELECT name FROM $tbl_name WHERE id=$chooserand"); echo "$callee"; </code></pre> <p>But I see a few issues:<br> Please stop using dyname tablenames, it is a really bad idea.<br> The return value of mysql_query is a query_handle, not the actual data you're quering.<br> I would suggest escaping all values, whether from outside or inside your code; I know this is paranoid, but that way, if you code design changes, you cannot forget to put the escaping in.<br> Never ever ever echo unsanitized data in an echo statement.<br> If you echo a <code>$var</code>, always sanitize it using <code>htmlentities</code>. If you don't XSS security holes will be your fate.<br> See: <a href="https://stackoverflow.com/questions/71328/what-are-the-best-practices-for-avoiding-xss-attacks-in-a-php-site">What are the best practices for avoiding xss attacks in a PHP site</a> </p> <p>rewrite the code to:</p> <pre><code>$result = mysql_query("SELECT MAX (id) as player_id FROM users"); $row = mysql_fetch_array($result); $max_player = $row['player_id']; $chooserand = mysql_real_escape_string(rand(1,$max_player)); //not needed here, but if you change the code, the escaping will already be there. //this also makes code review trivial for people who are not hep to SQL-injection. $result = mysql_query("SELECT name FROM users WHERE id = '$chooserand' "); $row = mysql_fetch_array($result); $callee = $row['name']; echo "callee is ".htmlentities($callee); </code></pre> <p>Finally you are deleting rows from a table, this looks like a very strange thing to do, but it is possible, however your code does not work:</p> <pre><code>$drop_name = mysql_query("DELETE FROM $tbl_name WHERE name=$name"); </code></pre> <p>As discussed <code>mysql_query</code> does not return values.<br> On top of that <strong>only</strong> a <code>SELECT</code> query returns a resultset, a <code>DELETE</code> just returns success or failure.<br> All $vars must be quoted, this is a syntax error at best and an SQL-injection hole at worst.<br> <em>Technically integers don't have to be, but I insist on quoting and escaping them anyway, because it makes your code consistent and thus much easier to check for correctness and it elimiates the chance of making errors when changing code</em><br> Rewrite the code to: </p> <pre><code>$drop_name = $name; $result = mysql_query("DELETE FROM users WHERE id = '$user_id' "); //user_id (see above) is unique, username might not be. //better to use unique id's when deleting. $deleted_row_count = mysql_affected_rows($result); if ($deleted_row_count == 0) { echo "no user deleted"; } else { echo "user: ".htmlentities($drop_name)." has been deleted"; } </code></pre>
    singulars
    1. This table or related slice is empty.
    1. PODisplay usernames at random
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USCommunity
    1. USJohan
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PODisplay usernames at random
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. COthankyou very much, i will accept your answer if you can help me with my main problem which is being able to show a random user without ever showing a blank page due to the rows being dropped from the database. it is essential that usernames are removed from the system
      singulars
      1. PO
      1. USDingleNutZ
    2. COI disagree with the stripslashes; if magic_quotes_gpc is enabled, stripslashes would remove the erroneously inserted backslashes before inserting into the database. Yes, turning off magic_quotes_gpc is the preferred solution, but stripslashes is a good second contender.
      singulars
      1. PO
      1. USBerry Langerak
    3. CO@BerryLangerak, I see your point, but the issue is that magic_quotes should never be enabled. Using stripslashes just hides the fact that it is enabled. Better to remove it and debug the issue.
      singulars
      1. PO
      1. USJohan
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload