-
[F8] NOT CLEARING mysql_query FOR NEW SEARCH, FLASH OR PHP?
Im retrieving on a flash search field information from mysql through php & flash (location and user_id) in this case...
it works perfect...but when i search for the 2nd, 3rd time and so on...the 1st result is stored and if the 2nd result are for example two users and the 1st search had 5 users as a result...then this time the search will show me 7 users...
Here's the relevant flash code:
Code:
//btnDownload = download and display user information from mysql! NAME / EMAIL / LOCATION
btnDownload.onRelease = function() {
//checks if there is something to search for
if (txtName.length | txtLocation.length) {
//CLEANING WHAT COULD BE STORED FROM PREVIOUS SEARCH
myData.user_id = "";
myData.location = "";
//DOWNLOAD THE SEARCH INFORMATION:
myData.load("http://localhost/Test/phpAndMysql/flash%20user%20admin%201.4/login.php");
myData.action = "searchInfo";
myData.onLoad = function(succes) {
if (succes) {
//
for (var i = 0; i<this.cant; i++) {
_root["txtName"+i].text = this["user_id"+i];
_root["txtEmail"+i].text = this["email"+i];
_root["txtLocation"+i].text = this["location"+i];
}
} else {
trace("Error loading data");
}
};
myData.user_id = txtName.text;
myData.location = txtLocation.text;
myData.sendAndLoad("http://localhost/Test/phpAndMysql/flash%20user%20admin%201.4/login.php", myData, "POST");
}
};
PHP CODE:
PHP Code:
if ($action == "searchInfo")
{
$location = "";
$user_id = "";
//retreive data from flash
$location=$_POST['location'];
$user_id=$_POST['user_id'];
$connect = mysql_connect("localhost", "root", "");
mysql_select_db("learning", $connect);
$result = mysql_query("SELECT user_id, email, location FROM tbl_auth_user where location = '$location' OR user_id = '$user_id'");
$cant = 0;
while($row=mysql_fetch_array($result)){
echo "user_id$cant=$row[user_id]&email$cant=$row[email]&location$cant=$row[location]&";
$cant++;
}
echo "cant=$cant";
Any ideas what I may be missing?
Thanx in advance!
-
Nevermind i found the solution...
Code:
//CLEAR 100 SEARCH RESULTS asi no queda la data del anterior search
for (var i = 0; i<100; i++) {
myData["user_id"+i] = undefined;
}
-
Heli Attack!
Just chiming in to say you have a nice SQL Injection attack waiting to happen there, make sure you mysql_real_escape_string the data from $_POST, or you'll find some smartass will drop your entire Database.
-
Hey Iopred, thanx for the data
Can u give me an example of implementing mysql_real_escape_string in this case on my submitted code, just for example purposes
Thanx a lot!
Cheers,
-
Senior Member
Iopred is totally correct. SQL injection attacks are easy and common. I wrote a blog post about em last year that helps:
http://mikegrundvig.blogspot.com/200...n-attacks.html
Personally, I'd use prepared statements (aka parameterized queries) rather than the mysql_real_escape_string command but either will protect you.
Another easy thing that will help is to make sure the account used by your PHP code to access MySQL doesn't have permissions it doesnt need. For instance, don't let it add/remove database objects or access the wrong tables.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|