A friend of mine needs help with a PHP script. Maybe someone could help me fix this for him.

Here's the problem:
Trying to have some control over who signs on

Typical Signon MEMBER (form), then list members name/address etc.
The second PHP does not work...
<?include("DB_Connect.php");
$result = mysql_query("Select * FROM members where Lastname = 'HLName' and Firstname = 'HFName' ");
print ('Personal Information'); ... blah blah

He then says:
Seems no matter what I put in HLNAME line it ends up with a not found condition or PHP syntax error.
So looking for a way to pass the variable LastName to the next PHP document or SQL
I've turned on register_global but it only seems to be for the one screen and does not get set on the next screen.

Anyone?

Thanks

My progammer said there's not enough information and he's doesn't understand the issue :(

Not sure exactly what you're running into.

Is it possible that you don't have short tags turned on and need to use <?php

to pass information, there are a number of ways. If it is a form submission, i.e. <form action="2ndpage.php" method="post">

You can do something like:

$result = mysql_query("Select * FROM members where Lastname = '".$_REQUEST['HLName']."' and Firstname = 'HFName' ");

or, if the quotes give you a headache:
$HLName = $_REQUEST['HLName'];
$result = mysql_query("Select * FROM members where Lastname = '$HLName' and Firstname = 'HFName' ");

if it is a mysql error that you are getting, after the result line, try:

print mysql_error(); // this will tell you what the interpreter is returning.

If you are using a header("Location: /2ndpage.php");

You can use sessions and pass the data. If you use sessions, you probably want to turn transsid on. This creates a wacky url with the hash just in case the cookie is not accepted by the surfer. The very first line of each page do:

session_start();

Then, you can set values like:
$_SESSION['HLName'] = 'birdicus';
$_SESSION['FLName'] = 'fasticus';

and read those values on the next page as:
$_SESSION['HLName'];

You can also use $_COOKIE['HLName'] if you set the cookie on the prior page with setcookie.

However, not really enough information to see what is going on based on what you posted. Maybe if you can post the error you are getting or a little more of the script.

try this:

assumes:
<form method=POST action=info.php>

EDIT: Shit, I read your question wrong. The below script was changed to get the info you want.

<?
session_start();
$con=mysql_pconnect("localhost", "db_username", "db_password");
if($_POST[firstname] and $_POST[lastname])
{
foreach($HTTP_POST_VARS as $key=>$value)
{
$_POST[$key]=trim($value);
}
$info=mysql_query("SELECT * FROM `members` WHERE `firstname`='$_POST[firstname]' AND `lastname`='$_POST[lastname]' LIMIT 1", $con) or die(mysql_error());
$info_numrows=mysql_num_rows($info);
if($info_numrows > 0)
{
// found info
$info_array=mysql_fetch_array($info);
$_SESSION[firstname]=$_POST[firstname];
$_SESSION[lastname]=$_POST[lastname];
echo "First name: $info_array[firstname]<br>\n";
echo "Last Name: $info_array[lastname]<br>\n";
echo "Address: $info_array[address]<br>\n";
}
else
{
// info not found
echo "you are not in our database<br>\n";
include('get_info.php');
}
}
else
{
// No first or last name provided
include(get_info.php);
}
?>

However, note that in both of our cases, you could enter a username of

johnny'/* and any password and get in

Barron's code looks like it should work.

When php/mysql code craps out, I usually:

1) print out the query using an echo statement, preferrably using mysql_error(); Sometimes what you think you're sending to MYSQL is not what's actually getting sent.

2) If I'm really stuck, I use phpadmin or some other mysql interface and play around with different queries to come up with a query that actually returns what I want. Then its just a matter of putting that query into the php script.

He wasnt trying to log anyone in. I changed the code to fetch the info for the user.

Ramster, there isnt any error checking, you must put that in. Malformed input from a webpage can really screw things up : )

Sorry for the delay in replying. I had to go for a couple of hours.

First off, thanks for the replys!!

As I mentioned it is not my code so I'm going to pass this info along to my friend and see if it helps. He has a regular job so I most likely won't hear back from him until tonight or tomorrow. If it does not work then I'll get more of the code from him. :)

Yup anytime you have a database query that can be changed by the user - when using $_GET $_POST $_REQUEST $_COOKIE etc always check the input..

Use the mysql_real_escape_string function in php to clean the input before you put it into the database. This will help to prevent SQL injection attacks by quoting out special characters.

so when inserting selecting etc always do this..

$query = "SELECT * FROM table WHERE user='". mysql_real_escape_string($user) ."'";

i got fed up of typing that so i made a little function to make less typing - what can i say i'm a lazy coder :)

//Escape the string for the database and add single quotes

function quote($value){
$value = "'" .mysql_real_escape_string($value) ."'";
return $value
}

So your code is now...

$query = "SELECT * FROM table WHERE user=". quote($user);

Hope this helps someone out :)

I've got this really thick book on Web Database Applications and nowhere does it mention "mysql_real_escape_string"!

This will help me, thanks :)

remember that using that actually breaks certain things if you are expecting graphics data.

Ideally, you'll turn off magic_quotes so that the behavior is completely predictable, and you can properly escape data when working with mysql.

However, most hosting companies randomly choose whether to leave magic_quotes on or off.

Yeah, I assumed it would only be used on text.

What I have never figured out is how to check for white space:

<?
function alphaNumeric($entered)
{
if(ereg("^[a-zA-Z0-9]*$", $entered))
{
return true;
}
}
$firstname="Jose";
$lastname="de la Cruz";
if($output=alphaNumeric($firstname) or $output=alphaNumeric($lastname)
{
echo "true";
}
?>

as a work around:

$lastname="de la Cruz";
$explode_lastname=explode(" ", $lastname);
$new_lastname=implode("", $explode_lastname);
if($output=alphaNumeric($new_lastname))
{
echo "true";
}

for regexp, if you wanted the first character to be alphanumeric, non-space

^[a-zA-Z0-9][a-zA-Z0-9 ]+$

of course, that will allow an ending space character, which could eliminate with something like:

^[a-zA-Z0-9][a-zA-Z0-9 ]+[a-zA-Z0-9]$

however, that still allows multi-space runs in the middle.

One thing I always tell my guys -- validate input, don't try and fix it. Running search and replace to destroy invalid string or url encoding, etc can be avoided with a decent regexp.