
Thread: [F8] NOT CLEARING mysql_query FOR NEW SEARCH, FLASH OR PHP?

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Location
    Argentina
    Posts
    130

    Question [F8] NOT CLEARING mysql_query FOR NEW SEARCH, FLASH OR PHP?

    I'm retrieving, in a Flash search field, information from MySQL through PHP & Flash (location and user_id in this case)...
    It works perfectly... but when I search for the 2nd, 3rd time and so on... the 1st result is stored, and if the 2nd result is for example two users and the 1st search had 5 users as a result... then this time the search will show me 7 users...

    Here's the relevant flash code:

    Code:
    // btnDownload = download and display user information from MySQL: NAME / EMAIL / LOCATION
    btnDownload.onRelease = function() {
    	// checks if there is something to search for (either text field non-empty)
    	if (txtName.length || txtLocation.length) {
    		// CLEANING WHAT COULD BE STORED FROM THE PREVIOUS SEARCH
    		// (only the request fields are reset here; the user_id0.., email0.., location0..
    		// variables that the previous response added to myData are left in place)
    		myData.user_id = "";
    		myData.location = "";
    		// DOWNLOAD THE SEARCH INFORMATION:
    		// note: this load() issues its own GET request to the script before the POST below
    		myData.load("http://localhost/Test/phpAndMysql/flash%20user%20admin%201.4/login.php");
    		myData.action = "searchInfo";
    		myData.onLoad = function(success) {
    			if (success) {
    				// the PHP script answers with user_id0=..&email0=..&location0=..&cant=N
    				for (var i = 0; i < this.cant; i++) {
    					_root["txtName" + i].text = this["user_id" + i];
    					_root["txtEmail" + i].text = this["email" + i];
    					_root["txtLocation" + i].text = this["location" + i];
    				}
    			} else {
    				trace("Error loading data");
    			}
    		};
    		myData.user_id = txtName.text;
    		myData.location = txtLocation.text;
    		myData.sendAndLoad("http://localhost/Test/phpAndMysql/flash%20user%20admin%201.4/login.php", myData, "POST");
    	}
    };
    PHP CODE:

    PHP Code:
    // assumed: $action is set from the "action" field that Flash posts
    $action = $_POST['action'];

    if ($action == "searchInfo") {
        $location = "";
        $user_id  = "";

        // retrieve data from flash
        $location = $_POST['location'];
        $user_id  = $_POST['user_id'];

        $connect = mysql_connect("localhost", "root", "");
        mysql_select_db("learning", $connect);

        // both POST values are interpolated straight into the SQL string, unescaped
        $result = mysql_query("SELECT user_id, email, location FROM tbl_auth_user WHERE location = '$location' OR user_id = '$user_id'");

        // answer in LoadVars format: user_id0=..&email0=..&location0=..&cant=N
        $cant = 0;
        while ($row = mysql_fetch_array($result)) {
            echo "user_id$cant=$row[user_id]&email$cant=$row[email]&location$cant=$row[location]&";
            $cant++;
        }
        echo "cant=$cant";
    }
    Any ideas what I may be missing?
    Thanks in advance!

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Location
    Argentina
    Posts
    130

    resolved

    Never mind, I found the solution...

    Code:
    		// CLEAR 100 SEARCH RESULTS so the data from the previous search doesn't stay behind
    		for (var i = 0; i < 100; i++) {
    			myData["user_id" + i] = undefined;
    		}

  3. #3
    Heli Attack! iopred's Avatar
    Join Date
    Jun 2003
    Location
    Sydney, Australia
    Posts
    923
    Just chiming in to say you have a nice SQL injection attack waiting to happen there; make sure you mysql_real_escape_string the data from $_POST, or you'll find some smartass will drop your entire database.
    Christopher Rhodes
    squarecircleco.

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Location
    Argentina
    Posts
    130
    Hey Iopred, thanks for the info.

    Can you give me an example of implementing mysql_real_escape_string in this case on my submitted code, just for example purposes?

    Thanks a lot!
    Cheers,

  5. #5
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    Iopred is totally correct. SQL injection attacks are easy and common. I wrote a blog post about them last year that helps:

    http://mikegrundvig.blogspot.com/200...n-attacks.html

    Personally, I'd use prepared statements (aka parameterized queries) rather than the mysql_real_escape_string command but either will protect you.

    Another easy thing that will help is to make sure the account used by your PHP code to access MySQL doesn't have permissions it doesn't need. For instance, don't let it add/remove database objects or access the wrong tables.
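    The example below is added here and is not code from anyone in this thread. It rewrites the searchInfo handler from post #1 two ways, to cover both the escaping that post #4 asked for and the prepared statements plus least-privilege account that post #5 recommends: option A keeps the original mysql_* calls and runs both POST values through mysql_real_escape_string (after the connection is open, since the function uses the connection's character set), while option B uses a mysqli prepared statement so the values are never part of the SQL text at all. The table and column names come from the original post; the read-only MySQL user 'flashsearch', its password and the urlencode() of the response values are assumptions added here.

```php
<?php
// Added example, not code from the thread. Assumed: a MySQL account 'flashsearch' that
// can only SELECT from learning.tbl_auth_user, created with something like:
//   GRANT SELECT ON learning.tbl_auth_user TO 'flashsearch'@'localhost' IDENTIFIED BY 'secret';

// Build the reply in the LoadVars format the Flash side reads:
// user_id0=..&email0=..&location0=..&cant=N
// urlencode() so an '&' or '=' inside a value cannot split the response into extra variables.
function formatForLoadVars(array $rows) {
    $out = "";
    foreach ($rows as $i => $row) {
        $out .= "user_id$i=" . urlencode($row['user_id'])
              . "&email$i=" . urlencode($row['email'])
              . "&location$i=" . urlencode($row['location']) . "&";
    }
    return $out . "cant=" . count($rows);
}

// Option A: the original mysql_* query with mysql_real_escape_string applied to both values.
// The single quotes around the interpolated values in the SQL must stay in place;
// escaping only works inside a quoted string literal.
function searchEscaped($connect, $location, $user_id) {
    $location = mysql_real_escape_string($location, $connect);
    $user_id  = mysql_real_escape_string($user_id, $connect);
    $sql = "SELECT user_id, email, location FROM tbl_auth_user "
         . "WHERE location = '$location' OR user_id = '$user_id'";
    $result = mysql_query($sql, $connect);
    $rows = array();
    while ($row = mysql_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// Option B: mysqli prepared statement. The SQL is sent with '?' placeholders and the
// values are bound separately, so a quote or comment sequence in the input cannot change the query.
function searchPrepared(mysqli $db, $location, $user_id) {
    $stmt = $db->prepare(
        "SELECT user_id, email, location FROM tbl_auth_user WHERE location = ? OR user_id = ?"
    );
    $stmt->bind_param("ss", $location, $user_id);
    $stmt->execute();
    $stmt->bind_result($uid, $email, $loc);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('user_id' => $uid, 'email' => $email, 'location' => $loc);
    }
    $stmt->close();
    return $rows;
}

if (isset($_POST['action']) && $_POST['action'] == "searchInfo") {
    $location = isset($_POST['location']) ? $_POST['location'] : "";
    $user_id  = isset($_POST['user_id'])  ? $_POST['user_id']  : "";

    // Least privilege: connect as the read-only account, not as root.
    $db = new mysqli("localhost", "flashsearch", "secret", "learning");
    if ($db->connect_error) {
        echo "cant=0&error=" . urlencode("database connection failed");
        exit;
    }
    $db->set_charset("utf8");
    echo formatForLoadVars(searchPrepared($db, $location, $user_id));
}
```

    To use option A instead, open the connection with mysql_connect as in the original post and call searchEscaped($connect, $location, $user_id); the response formatting is the same. With either option, the read-only account means that even a query that did slip through could not DROP or modify anything.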
