In my program, I am trying to get the value submitted by a form and use it in a SQL query to retrieve results, and then again use the $_GET["name"] value for feeding data to the database. The following code is not propagating the value $_GET["name"] inside the while loop:
<?php
session_start();
$id = $_GET["name"];
echo "<h2> Hello ".$id." </h2>" ;
if((isset( $_POST['dept'])))
{
    echo "<h2><center>You have sected ". $_POST['dept'] ." !!</center></h2>";
    $dept_ = $_POST['dept'];
    $options = $_POST['course'];
    foreach($options as $option) //loop through the checkboxes
    {
        $uid="root";
        $pass="root";
        $db = mysql_connect("localhost:3036",$uid,$pass);
        if(!$db) die("Error connecting to MySQL database.");
        mysql_select_db("sync" ,$db);
        $result = mysql_query("SELECT DISTINCT `name`,`password`,INET_NTOA( `ip` ) FROM detail Where id = '$_GET["name"]' ;") or die(mysql_error());
        if(mysql_num_rows($result) > 0):
            while($row = mysql_fetch_assoc($result)):
                $name = $row['name'];
                $password = $row['password'];
                $ip = $row['INET_NTOA( `ip` )'];
                echo $name ; // NOT PRINTING ANYTHING
                echo $password ; // NOT PRINTING ANYTHING
                echo $_GET["name"] ; // NOT PRINTING ANYTHING
                $sql1_Qu = "INSERT INTO registration (id,password,ip,name,course) VALUES ('$_GET["name"]','$password',INET_ATON('$ip'),'$name','$option')";
                //$sql1_Qu = "INSERT INTO registration (id,password,ip,name,course) VALUES ('$id','$password',INET_ATON('$ip'),'$name','$option')";
                $resu = mysql_query($sql1_Qu) or die('Could not connect: ' . mysql_error());
            endwhile;
        endif;
    }
}
?>
This is only printing at the 4th line but not propagating the value inside the while loop, which contains the database query.
Please suggest some way to solve the issue ... Thanks in advance
Change:
FROM detail Where id = '$_GET["name"]' ;")
to
FROM detail Where id = '" . $id . "';")
I think you have a problem in escaping your double quote for your $_GET["name"]. Also, it is not clear to me if you have a $_GET or $_POST form, since you used them both, and this could be an error.
$result = mysql_query("SELECT DISTINCT `name`,`password`,INET_NTOA( `ip` ) FROM detail Where id = '".$id."' ;") or die(mysql_error());
Furthermore, your code is highly vulnerable to SQL injections, please have a look at this post
Then I would like you to remember that mysql_* functions are deprecated, so I would advise you to switch to mysqli or PDO
You should be happy about that because your site is screaming for what people call SQL injection. http://en.wikipedia.org/wiki/SQL_injection
Basically a user of your site could just add ?name=<some sql code> to your URL and manipulate your database (i.e. change passwords). ALWAYS VALIDATE INPUT! NEVER USE $_GET OR $_POST in SQL queries.
Read more here to learn how to prevent SQL injections: http://php.net/manual/en/security.database.sql-injection.php
As for your answer. You are concatenating your string incorrectly (or actually.. not at all).
Try to build your string this way: "INSERT INTO registration (id,password,ip,name,course) VALUES ('" . $_GET["name"] . "','$password',INET_ATON('$ip'),'$name','$option')"
This line:
$result = mysql_query("SELECT DISTINCT `name`,`password`,INET_NTOA( `ip` ) FROM detail Where id = '$_GET["name"]' ;") or die(mysql_error());
Has wrong escaping and is vulnerable to injection. Fix the escaping and use safe functions at the same time:
$result = mysql_query(
    sprintf("
        SELECT
            DISTINCT `name`,
            `password`,
            INET_NTOA( `ip` )
        FROM
            detail
        WHERE
            id = '%s'
    ", mysql_real_escape_string($id))
) or die(mysql_error());
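
The move to PDO prepared statements that the answers recommend, written out as an added example (not code from the question or from any answer). It assumes an in-memory SQLite database in place of the MySQL `sync` database so that it runs offline, a hypothetical `register()` helper, and constructed sample rows and inputs.

```php
<?php
// Added example: the question's SELECT + INSERT rewritten with PDO prepared statements.
// Assumption: in-memory SQLite stands in for the MySQL "sync" database; IPs are converted
// in PHP (ip2long) because SQLite has no INET_ATON/INET_NTOA.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE detail (id TEXT, name TEXT, password TEXT, ip INTEGER)');
$pdo->exec('CREATE TABLE registration (id TEXT, password TEXT, ip INTEGER, name TEXT, course TEXT)');

// Constructed sample row (not real data).
$seed = $pdo->prepare('INSERT INTO detail (id, name, password, ip) VALUES (?, ?, ?, ?)');
$seed->execute(['u1', 'Alice', 'constructed-hash', ip2long('192.0.2.10')]);

// Hypothetical helper: copies the matching detail row into registration once per course.
function register(PDO $pdo, string $id, array $courses): int
{
    // Placeholders keep user input out of the SQL text; the driver binds it as data.
    $select = $pdo->prepare('SELECT DISTINCT name, password, ip FROM detail WHERE id = :id');
    $insert = $pdo->prepare(
        'INSERT INTO registration (id, password, ip, name, course)
         VALUES (:id, :password, :ip, :name, :course)'
    );
    $select->execute([':id' => $id]);
    $rows = $select->fetchAll(PDO::FETCH_ASSOC);

    $inserted = 0;
    $pdo->beginTransaction();           // all course rows are written together or not at all
    foreach ($rows as $row) {
        foreach ($courses as $course) {
            $insert->execute([
                ':id' => $id, ':password' => $row['password'],
                ':ip' => $row['ip'], ':name' => $row['name'], ':course' => $course,
            ]);
            $inserted++;
        }
    }
    $pdo->commit();
    return $inserted;                   // number of registration rows written
}

// Constructed inputs standing in for $_GET["name"] and $_POST['course'].
echo register($pdo, 'u1', ['math', 'physics']), "\n";   // an id that exists in detail
echo register($pdo, "u1' OR '1'='1", ['math']), "\n";   // embedded quotes are bound as a literal value
```

The connection and both statements are prepared once, outside the loop, instead of reconnecting for every checkbox as the original code does.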