1

Ok, maybe I'm a bit overtired, but I can't understand why this isn't working! I have a comments box on my website, with profiles for people who post. I want to show just their posts in the profile. Their profile page is userinfo.php?user=(whatever)

This query is failing:

$query = "SELECT message,`date`,ip,name,website,id 
          FROM `guestbook_message`
          WHERE name=" . intval($_GET['user']) . "
          AND deleted=0
          ORDER BY `date` DESC";
  • How is it failing? Can you post the query on multiple lines? Commented Feb 17, 2011 at 21:59
  • This query is fine, there's something else bugging you. Commented Feb 17, 2011 at 22:02
  • Have you tried to run your final query into phpMyAdmin or whatever system that you use to administrate your DB? Commented Feb 17, 2011 at 22:04
  • Ok, but what error does it give you? A query syntax error, or does it just not return any record? Commented Feb 17, 2011 at 22:09
  • $name = intval($_GET['user']); $query = "SELECT message,date,ip,name,website,id,hits FROM guestbook_message WHERE name='".$name."' AND deleted=0 ORDER BY date DESC"; $total = mysql_num_rows(mysql_query($query)); This shows no results. Commented Feb 17, 2011 at 22:16

4 Answers

5

You are getting the name of the user, casting it directly to an integer and then comparing it with the name. This does not make sense.

If the $_GET['user'] is the ID of the user, then compare it with the ID and not with the name.

If $_GET['user'] is the username of the user, then you have to put quotes around the username value. As the username value is a string, you need to encapsulate it in quotes and remove the intval. Do it like this:

$query = "SELECT message,`date`,ip,name,website,id
          FROM `guestbook_message`
          WHERE name='" . mysql_real_escape_string($_GET['user']) . "'
          AND deleted=0
          ORDER BY `date` DESC";

3 Comments

I think you mean "If the $_GET['user']..." :)
$_GET['user'] is the username of the account.
@tom If it's the username of the account, intval() is not correct. Use mysql_real_escape_string($_GET['user']) instead.
2

try this:

$name = intval($_GET['user']);

$query = "SELECT message,date,ip,name,website,id 
          FROM guestbook_message 
          WHERE name='" .$name. "' 
          AND deleted=0 
          ORDER BY date DESC";
$result = mysql_query($query) or die(mysql_error());

Comments

0

Assuming you're using mysql_query() to execute the query, have you checked if the query succeeded?

$query = "SELECT ...";
$result = mysql_query($query) or die(mysql_error());

Doing this will force the script to abort if the query fails and tell you why the query failed.

Comments

0

One thing to note is that using $_GET directly in your query leaves you open to SQL injection attacks.

Consider cleaning your input prior to building your SQL statement, or use PDO / Prepared statements.

2 Comments

1) This should be a comment not an answer. 2) It's technically not being used DIRECTLY in the query since it's being passed into the intval() function which should convert it to an int or die() trying. That said however, intval is not a legitimate way of sanitizing that variable for use in a SQL query. So I definitely agree with you. :)
I'm not using the $_GET directly in the query.
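The PDO / prepared statement route this answer recommends, applied to the question's own guestbook query (it also covers the string-versus-integer point from the top answer): this is an added example, not code from the question or from any of the answers. The DSN, the credentials and the two helper function names are placeholders assumed for the example.

```php
<?php
// Added example (not from the question or answers): the guestbook query as a
// PDO prepared statement. The username is bound as a string parameter, so it
// is never spliced into the SQL text. DSN, credentials and function names are
// placeholders.

function connectGuestbook(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=guestbook;charset=utf8mb4', // placeholder DSN
        'dbuser',                                                // placeholder user
        'dbpass',                                                // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // a failing query throws instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // bind on the server, not by client-side escaping
        ]
    );
}

// Return the non-deleted messages posted under $username, newest first.
function messagesForUser(PDO $pdo, string $username): array
{
    $sql = 'SELECT message, `date`, ip, name, website, id
            FROM `guestbook_message`
            WHERE name = :name AND deleted = 0
            ORDER BY `date` DESC';

    $stmt = $pdo->prepare($sql);
    // :name is sent as a string value: a username like "tom" is matched as the
    // text "tom", whereas intval("tom") in the question evaluates to 0.
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// userinfo.php?user=tom
$username = isset($_GET['user']) ? (string) $_GET['user'] : '';
if ($username === '') { exit('missing user'); }

try {
    $rows  = messagesForUser(connectGuestbook(), $username);
    $total = count($rows);          // what the question computed with mysql_num_rows()
} catch (PDOException $e) {
    // Log the real error server-side; do not echo SQL errors to the visitor.
    error_log($e->getMessage());
    http_response_code(500);
    exit('database error');
}
```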
