Having problem retrieving a row - CodingForum

  • Having problem retrieving a row

    Greetings again experts,

    I think I am doing something really stupid here.

    I have a few field names I am querying from my database and I would like to retrieve some rows and assign them to variables so I can use them later.

    So far, my attempt to do so using sqlsrv_get_field is not returning anything.

    Maybe there is a better way to do this?

    Below, for instance, I am trying to retrieve firstname

    Thanks as always for your assistance.

    PHP Code:
    $strSQL = "SELECT Username, firstname FROM users WHERE USERNAME = '".ms_escape_string($_POST['user'])."'
        and PASSWORD = '".ms_escape_string($pass)."' ";

    //echo $strSQL;

    $sqll = sqlsrv_query($con, $strSQL);

    $firstname = sqlsrv_get_field($sqll, 1);

    $objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC);
    if ($objResult)
    {
        header("location:results.php?user=".ms_escape_string($firstname)." ");
    }
    else
    {
        header("location:done.php");
    }

    sqlsrv_close($con);

  • #2
    So far, my attempt to do so using sqlsrv_get_field is not returning anything.
    According to the manual, you must use sqlsrv_fetch() before you can use this function.
    Last edited by Dormilich; Sep 13, 2016, 10:21 AM.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

    Comment


    • #3
      Hi Dormilich,

      Thanks for the response.

      I am sure you meant this line:

      Code:
      $objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC);
      I should have pointed out that I had the function after sqlsrv_fetch like this:

      Code:
      $objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC);
      $firstname = sqlsrv_get_field($sqll, 1);
      But same issue - nothing was showing.

      Comment


      • #4
        First off, if you are passing user data to your query you should NOT be screwing around with ms_real_escape_string like it's still 2003. You're using sqlsrv, so USE IT; specifically use prepare and bindparam methodologies. In that same way ms_real_escape_string has no business being used for any of the things you are using it for. Prepare/execute should be handling your query values, and you don't ms_real_escape_string values for a url, that's urlencode's job!

        Second, sqlsrv_get_field retrieves one field from the current row and advances the pointer. If you call BOTH _get_field and _fetch_array you're trying to pull two separate records, not one unified one!

        As such regardless of the order you put them in, one of them is likely to fail!

        Finally, are you SURE you've got all your field names right? SQL is usually case sensitive, backups can screw up upper-case fields, so it's usually best to keep your field names all lower-case.

        I'm guessing wildly, but I suspect what you are trying to do should read more like this:

        Code:
        $user = $_POST['user'];
        $stmt = sqlsrv_prepare($con, '
            SELECT username, firstname
            FROM users
            WHERE username = ?
            AND password = ?
        ', [&$user, &$pass]);

        sqlsrv_execute($stmt);

        if ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
            $firstname = $row['firstname'];
            header('location:results.php?user=' . urlencode($firstname));
        } else header('location:done.php');

        sqlsrv_close($con);
        Though I hope you're hashing your passwords... and I wouldn't be screwing around with that header redirection nonsense since it just makes extra work for the server for no good reason.

        But really, this is 2016 - if you are blindly pasting variables into your query strings, you're doing something wrong.
        Walk the dark path, sleep with angels, call the past for help.
        https://cutcodedown.com
        https://medium.com/@deathshadow

        Comment
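        An added example, not code from deathshadow's post or the thread: the same lookup with the username bound as a parameter, the password checked in PHP against a stored hash with password_verify(), and the redirect value passed through urlencode(). The `password_hash` column, the `pass` POST field and the connection details are assumptions.

        ```php
        <?php
        // Added example, not code from the thread. Assumptions: $con is an open sqlsrv
        // connection (placeholder details below), and `users` has a `password_hash`
        // column holding password_hash() output instead of a plaintext `password`.

        function find_user_by_login($con, string $user, string $pass): ?array
        {
            // Only the username is a search term; the password is verified in PHP
            // against the stored hash, so it never appears in the SQL at all.
            $sql  = 'SELECT username, firstname, password_hash FROM users WHERE username = ?';
            $stmt = sqlsrv_prepare($con, $sql, [&$user]); // value bound as a parameter
            if ($stmt === false || sqlsrv_execute($stmt) === false) {
                // Driver diagnostics go to the log, never to the browser.
                error_log(print_r(sqlsrv_errors(), true));
                return null;
            }
            // sqlsrv_fetch_array() consumes the row; read fields from $row rather
            // than calling sqlsrv_get_field() afterwards, which is what failed in post #1.
            $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
            sqlsrv_free_stmt($stmt);
            if ($row && password_verify($pass, $row['password_hash'])) {
                unset($row['password_hash']); // callers never need the hash
                return $row;
            }
            return null;
        }

        $con = sqlsrv_connect('localhost', ['Database' => 'app']); // placeholder values
        if ($con === false) {
            error_log(print_r(sqlsrv_errors(), true));
            http_response_code(500);
            exit;
        }

        $row = find_user_by_login($con, $_POST['user'] ?? '', $_POST['pass'] ?? '');
        sqlsrv_close($con);

        if ($row) {
            // urlencode() is the escaper for query-string values; SQL escaping has no role here.
            header('Location: results.php?user=' . urlencode($row['firstname']));
        } else {
            header('Location: done.php');
        }
        exit; // stop after a redirect so nothing else is emitted
        ```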


        • #5
          Thank you for your help. It does work very well.

          I do want to point out that the ms_real_escape_string is custom code:

          Code:
          function ms_escape_string($data) {
              if ( !isset($data) or empty($data) ) return '';
              if ( is_numeric($data) ) return $data;

              $non_displayables = array(
                  '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
                  '/%1[0-9a-f]/',             // url encoded 16-31
                  '/[\x00-\x08]/',            // 00-08
                  '/\x0b/',                   // 11
                  '/\x0c/',                   // 12
                  '/[\x0e-\x1f]/'             // 14-31
              );
              foreach ( $non_displayables as $regex )
                  $data = preg_replace( $regex, '', $data );
              $data = str_replace("'", "''", $data );
              return $data;
          }

          Comment


          • #6
            Originally posted by simflex
            I do want to point out that the ms_real_escape_string is custom code
            Pointless code then since it doesn't clean for either database or URIs properly, and PHP has functions to do that.

            Though I do often see people brute force things like sanitization/escaping for no reason... prepare/execute more than handles it for the database, urlencode more than handles it for URLs... and in fact doesn't corrupt the data the user enters which yours just might.

            That's the problem when people separate escaping from preparation, it's corrupting the data the user entered. If it's not valid, spit it back at the user and say so and do not press on as if nothing is wrong "sanitizing" it. That's just asking for it to blow up in your face.
            Walk the dark path, sleep with angels, call the past for help.
            https://cutcodedown.com
            https://medium.com/@deathshadow

            Comment
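            An added example, not from deathshadow's reply: the ms_escape_string() function posted in #5 is reproduced here and fed a few constructed inputs, next to a urlencode()/urldecode() round trip of the same strings, to show the data corruption the reply is talking about. The sample inputs are constructed for this demonstration.

            ```php
            <?php
            // Added example, not code from the thread. ms_escape_string() is copied
            // from post #5 so the behaviour shown is that of the function under discussion.

            function ms_escape_string($data) {
                if ( !isset($data) or empty($data) ) return '';
                if ( is_numeric($data) ) return $data;
                $non_displayables = array(
                    '/%0[0-8bcef]/', '/%1[0-9a-f]/',
                    '/[\x00-\x08]/', '/\x0b/', '/\x0c/', '/[\x0e-\x1f]/'
                );
                foreach ( $non_displayables as $regex )
                    $data = preg_replace( $regex, '', $data );
                return str_replace("'", "''", $data );
            }

            // Constructed inputs, each chosen to hit one rule of the escaper:
            //  - an apostrophe, which the quote-doubling rule rewrites;
            //  - a literal "%0b" sequence typed by the user, which the first regex deletes;
            //  - the single character "0", which empty() treats as empty.
            $samples = ["O'Brien", "50%0bonus", "0"];

            foreach ($samples as $in) {
                $escaped   = ms_escape_string($in);       // the value results.php would receive
                $roundtrip = urldecode(urlencode($in));   // what a proper URL escaper preserves
                $intact    = ($roundtrip === $in) ? 'yes' : 'no';
                printf("input=%-10s escaper=%-10s urlencode round trip intact=%s\n",
                       $in, $escaped, $intact);
            }
            ```

            Where the escaper's output differs from the input, results.php is handed something the user never typed; validating the input and rejecting what is not acceptable, as the reply says, avoids that silent rewrite.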
