9 Replies - 1035 Views - Last Post: 08 January 2012 - 05:09 PM

#1 acenario (New D.I.C Head)
Reputation: 0 | Posts: 5 | Joined: 08-January 12

Help With Checking data from table

Posted 08 January 2012 - 02:08 PM

Hi,

So I'm designing a site in which you register using a username, email, and a confirmation number received from paypal. Right now I have everything working including checking the number from paypal (to an extent). The problem is that when I check my table (confirm_members) for the list of paypal codes it only works when the paypal code is all numbers. Whenever there is a letter in the code I get <b>Unknown column '12345A' in 'where clause'</b> error. (12345A is a sample code I entered). I have looked around quite a bit, but I cannot understand the problem. If someone could please help I would deeply appreciate it.

Thanks,
Arjun

Here is part of the code I think is the problem:

    $confirm = $_POST['confirmnumber'];
    // The value is interpolated into the SQL unquoted, so the server parses
    // 12345A as a column name rather than a string literal (an all-digit code
    // parses as a numeric literal, which is why only those codes "work")
    $match = "SELECT number FROM confirm_members WHERE number=$_POST[confirmnumber]";
    $result = mysql_query($match) or die(mysql_error());
    if(mysql_num_rows($result)==0)
	{
		$err[]='Confirmation number does not exist!';
	}

Here is the whole part of that code:

else if($_POST['submit']=='Register')
{
	// If the Register form has been submitted
	
	$err = array();
	
	if(strlen($_POST['username'])<4 || strlen($_POST['username'])>32)
	{
		$err[]='Your username must be between 4 and 32 characters!';
	}
	
	if(preg_match('/[^a-z0-9\-\_\.]+/i',$_POST['username']))
	{
		$err[]='Your username contains invalid characters!';
	}
	
	if(!checkEmail($_POST['email']))
	{
		$err[]='Your email is not valid!';
	}
    if(strlen($_POST['confirmnumber'])<1)
	{
		$err[]='You did not include your confirmation number!';
	}
    $confirm = $_POST['confirmnumber'];
    // The value is interpolated into the SQL unquoted, so the server parses
    // 12345A as a column name rather than a string literal (an all-digit code
    // parses as a numeric literal, which is why only those codes "work")
    $match = "SELECT number FROM confirm_members WHERE number=$_POST[confirmnumber]";
    $result = mysql_query($match) or die(mysql_error());
    if(mysql_num_rows($result)==0)
	{
		$err[]='Confirmation number does not exist!';
	}

	if(!count($err))
	{
		// If there are no errors
		
		$pass = substr(md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000)),0,6);
		// Generate a random password
		
		$_POST['email'] = mysql_real_escape_string($_POST['email']);
		$_POST['username'] = mysql_real_escape_string($_POST['username']);
        $_POST['confirmnumber'] = mysql_real_escape_string($_POST['confirmnumber']);
		// Escape the input data
		
		mysql_query("	INSERT INTO siri_members(username,password,email,confirmnumber,regIP,dt)
						VALUES(
						
							'".$_POST['username']."',
							'".md5($pass)."',
							'".$_POST['email']."',
                            '".$_POST['confirmnumber']."',
							'".$_SERVER['REMOTE_ADDR']."',
							NOW()
							
						)");
		
		if(mysql_affected_rows($link)==1)
		{
			send_mail(	'[email protected]',
						$_POST['email'],
						'Registration System Demo - Your New Password',
						'Your password is: '.$pass);

			$_SESSION['msg']['reg-success']='We sent you an email with your new password!';
		}
		else $err[]='This username or email is already taken!';
	}

	if(count($err))
	{
		$_SESSION['msg']['reg-err'] = implode('<br />',$err);
	}	
	
	header("Location: index.php");
	exit;
}

Ignore the <b> tag. I was trying to make the error bold.


Replies To: Help With Checking data from table

#2 Dormilich (痛覚残留)
Reputation: 4224 | Posts: 13,389 | Joined: 08-June 10

Re: Help With Checking data from table

Posted 08 January 2012 - 02:24 PM

If you pass a string to SQL, it needs to be quoted* with ' (single quote).

* would not happen with Prepared Statements, as they pass the data type separately.

#3 acenario (New D.I.C Head)
Reputation: 0 | Posts: 5 | Joined: 08-January 12

Re: Help With Checking data from table

Posted 08 January 2012 - 02:27 PM

Dormilich, on 08 January 2012 - 02:24 PM, said:

    If you pass a string to SQL, it needs to be quoted* with ' (single quote).

    * would not happen with Prepared Statements, as they pass the data type separately.

When I include single quotes I get a syntax error. Why is that?

#4 Dormilich (痛覚残留)
Reputation: 4224 | Posts: 13,389 | Joined: 08-June 10

Re: Help With Checking data from table

Posted 08 January 2012 - 02:38 PM

Where do you include the single quotes?

#5 acenario (New D.I.C Head)
Reputation: 0 | Posts: 5 | Joined: 08-January 12

Re: Help With Checking data from table

Posted 08 January 2012 - 02:43 PM

Dormilich, on 08 January 2012 - 02:38 PM, said:

    Where do you include the single quotes?

I included them within ['confirmnumber'].

Thanks so much for your responses.

#6 Dormilich (痛覚残留)
Reputation: 4224 | Posts: 13,389 | Joined: 08-June 10

Re: Help With Checking data from table

Posted 08 January 2012 - 03:09 PM

That would be quoting the array key, not quoting the SQL value.

#7 acenario (New D.I.C Head)
Reputation: 0 | Posts: 5 | Joined: 08-January 12

Re: Help With Checking data from table

Posted 08 January 2012 - 03:13 PM

Dormilich, on 08 January 2012 - 03:09 PM, said:

    That would be quoting the array key, not quoting the SQL value.

Could you suggest where I put the quotes?
Do I quote the whole '$_POST[confirmnumber]'?

#8 Dormilich (痛覚残留)
Reputation: 4224 | Posts: 13,389 | Joined: 08-June 10

Re: Help With Checking data from table

Posted 08 January 2012 - 03:15 PM

Yes. E.g. SELECT ... WHERE col = 'value'

Unless your number field is defined as INTEGER, which would make the value 12345A invalid anyway.

#9 acenario (New D.I.C Head)
Reputation: 0 | Posts: 5 | Joined: 08-January 12

Re: Help With Checking data from table

Posted 08 January 2012 - 03:22 PM

Dormilich, on 08 January 2012 - 03:15 PM, said:

    Yes. E.g. SELECT ... WHERE col = 'value'

    Unless your number field is defined as INTEGER, which would make the value 12345A invalid anyway.

No, it is not an integer. It worked! Thanks a lot!

#10 CTphpnwb (D.I.C Lover)
Reputation: 3813 | Posts: 13,856 | Joined: 08-August 08

Re: Help With Checking data from table

Posted 08 January 2012 - 05:09 PM

Great. Now fix your code so that it can no longer be hacked using SQL injection. You can either read up on sanitizing data, which is a tedious and difficult process, or you can read up on prepared statements.
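The quoting point Dormilich makes in #2 and the prepared-statement advice in #10, shown side by side as an added example that is not part of the thread and not the poster's code. It uses PDO against an in-memory SQLite database so it runs without a MySQL server (the rules that matter here, single-quoted string literals and ? placeholders, are the same on MySQL); the table and column names are taken from the thread, the rows and the attacker input are constructed for the demonstration, and the function names are assumptions of this example. It needs PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original thread. Table/column names follow the
// thread; rows and the hostile input below are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE confirm_members (number TEXT NOT NULL)');
$db->exec("INSERT INTO confirm_members (number) VALUES ('12345A'), ('67890B')");

// 1. The thread's original query: the value is interpolated unquoted, so the
//    SQL parser sees  WHERE number=12345A  and reads 12345A as an identifier
//    (MySQL: "Unknown column '12345A'"; SQLite rejects the token outright).
//    An all-digit code parses as a numeric literal instead, which is why the
//    poster's check only "worked" for purely numeric codes.
function lookupUnquoted(PDO $db, string $code): string
{
    try {
        $db->query("SELECT number FROM confirm_members WHERE number=$code");
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// 2. The fix from #8: wrap the value in single quotes. The query now parses,
//    but the value is still pasted into SQL text, so a value containing a
//    quote character rewrites the WHERE clause. Returns the number of rows
//    that matched.
function lookupQuoted(PDO $db, string $code): int
{
    $stmt = $db->query("SELECT number FROM confirm_members WHERE number='$code'");
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

// 3. The advice in #10: a prepared statement. The SQL text is fixed at
//    prepare() time and the value is bound separately, so it can never be
//    parsed as SQL, whatever characters it contains.
function lookupPrepared(PDO $db, string $code): int
{
    $stmt = $db->prepare('SELECT number FROM confirm_members WHERE number = ?');
    $stmt->execute([$code]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

$legit   = '12345A';          // a code that exists in the table
$hostile = "' OR '1'='1";     // constructed attacker input

printf("unquoted, legit code : %s\n",        lookupUnquoted($db, $legit));
printf("quoted,   legit code : %d row(s)\n", lookupQuoted($db, $legit));
printf("quoted,   hostile    : %d row(s)\n", lookupQuoted($db, $hostile));
printf("prepared, legit code : %d row(s)\n", lookupPrepared($db, $legit));
printf("prepared, hostile    : %d row(s)\n", lookupPrepared($db, $hostile));
```

Run it with php from the command line. The unquoted query is refused by the parser, which is the error the thread started with. The quoted query accepts the legitimate code, but the hostile input turns the clause into number='' OR '1'='1', which matches every row, so anyone can pass the "confirmation number exists" check without having paid. The prepared statement treats the same input as an opaque string and matches nothing. That is why #10's advice is the real fix: mysql_real_escape_string applied before interpolation (as the poster's INSERT does) only protects a value that is also quoted in the SQL, whereas a bound placeholder never lets the value reach the SQL parser at all.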
