[solved] Errors: a little bit of php/sql?


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

2 replies to this topic

#1 JinixVomitorium   Members   -  Reputation: 151


Posted 11 January 2013 - 06:47 PM

$sql=mysql_query("SELECT * FROM player WHERE player_name=".$POST['char_name']."");
if( mysql_num_rows($sql) == 0 ) {
$sql=mysql_query("INSERT INTO player(account_id, player_name) VALUES(".$_SESSION['id'].", ".$_POST['char_name']." ) " ) or die (mysql_error() );
exit();
} else { 
echo 'Character Name is taken, please try another...';
}
 
 
I'm getting these errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /www/zymichost.com/g/a/l/galaxy-star-games/htdocs/play.php on line 9
Unknown column 'vortex' in 'field list'

I'm not too sure the SQL query is correct; I get confused when combining the string and such with different quotations. Unknown column, I believe, is referring to the insert of $_POST['player_name'], but I'm not sure.

If anyone can shed some light on these errors, it would be appreciated!

add me on skype, i need some new associates for coding.

skype: daniel.lamonds

c++, Visual basic, fortran, html/5, css, php,java script, sql, others......



#2 Brother Bob   Moderators   -  Reputation: 8606


Posted 11 January 2013 - 08:43 PM

The value you query has to be in quotes. Your query currently expands to SELECT * FROM player WHERE player_name=vortex (from what I understand from the error, the posted character name expands to vortex; if not, just pretend it is for the sake of the example), and so the query searches the table for rows where the player_name field has the same value as the vortex field.

 

What you want is quotes around the character name so it expands to a string and not a field name in the query.

$sql=mysql_query("SELECT * FROM player WHERE player_name='$_POST[char_name]'");

But you should also strongly consider sanitizing the input and not just stick it directly from an untrusted user's browser into the query string; clicky. Check out mysql_escape_string(), or even better: prepared statements.
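
Added example, not part of either poster's code: the name check and insert from the first post, rewritten with the prepared statements the reply recommends. It uses PDO with an in-memory SQLite database so it runs without a server (an assumption; the thread uses MySQL through mysql_*), and createCharacter() and the sample inputs are hypothetical.

```php
<?php
// Added example. Table and column names come from the thread; the SQLite
// in-memory database, createCharacter() and the sample inputs are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE player (
    account_id  INTEGER NOT NULL,
    player_name TEXT    NOT NULL UNIQUE
)');

/**
 * Insert a character unless the name is already taken.
 * Returns true when the row was created, false when the name exists.
 */
function createCharacter(PDO $pdo, int $accountId, string $name): bool
{
    // The ? placeholder is bound as a value, so the name never becomes SQL
    // text: no quoting mistakes, no "Unknown column", no injection.
    $check = $pdo->prepare('SELECT COUNT(*) FROM player WHERE player_name = ?');
    $check->execute([$name]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    $insert = $pdo->prepare(
        'INSERT INTO player (account_id, player_name) VALUES (?, ?)'
    );
    try {
        $insert->execute([$accountId, $name]);
    } catch (PDOException $e) {
        // UNIQUE violation: another request took the name after the check ran.
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
    return true;
}

// Constructed inputs standing in for $_SESSION['id'] and $_POST['char_name'].
$samples = ['vortex', 'vortex', "x' OR '1'='1", "O'Brien"];
foreach ($samples as $name) {
    $ok = createCharacter($pdo, 1, $name);
    echo str_pad($name, 16), $ok ? "created\n" : "taken\n";
}
echo $pdo->query('SELECT COUNT(*) FROM player')->fetchColumn(), " rows\n";
```

With MySQL, the PDO constructor takes a mysql: DSN and credentials instead; the prepared statements stay the same.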



#3 JinixVomitorium   Members   -  Reputation: 151


Posted 12 January 2013 - 06:10 AM

Thanks, I will use that in the future. I actually went back and assigned the form values to variables to make it easier, and stripped it of all non-valid characters. I just wanted to get it working before adding protection against SQL injection. Thank you again! :)

