Hi there,

I've got a little script that gets the userid from the url then displays scores for that user. I'm not sure if the script is being run, but I basically get everything apart from the echo of php script (hope that makes sense).

I've took a screenshot of what I seen.
http://www.hamesy.com/images/php_problem.JPG

This is the code:

PHP Code:

<?php
 //connect to database
 $conn = mysql_connect("localhost", "something", "something")
     or die(mysql_error());
 mysql_select_db("something",$conn) or die(mysql_error());
  //create the sql statement
//validate item
 $sql = "select * from highscores where userid = $_GET[userid]";
 
  //execute the sql statement
 $result = mysql_query($sql, $conn) or die(mysql_error());
  //go through each row in result set and display data


    //echo the results on screen
     while ($newArray = mysql_fetch_array($result)) {
      //give a name to the fields
    $userid = $newArray['userid'];
    
 $result = mysql_query($sql, $conn) or die(mysql_error());
  //go through each row in result set and display data
//echo the results on screen
    echo "  Your scores are as follows:<br><table width=200 border=1>
    <tr>
      <td>Score</td>
    </tr> ";
     while ($newArray = mysql_fetch_array($result)) {
      //give a name to the fields
    $score = $newArray['score'];
    echo "
    <tr>
      <td>$score</td>
    </tr>"; }
    echo "  </table>";
}
    ?>

Anyone have any ideas?

Hmmm, just wondering, why are you running your query twice ?

You run it once, and extract the username from every rows in it. But in the while() loop, you run it again.
It's useless, remove the second mysql_query().

Appart from that, you totally mixed thing inside and outside the loop, and you where closing a block that was never opened (the last } )

Try this code:

PHP Code:

<?php
  //connect to database
  $conn = mysql_connect("localhost", "something", "something") or die(mysql_error());
  mysql_select_db("something",$conn) or die(mysql_error());
  
  //create the sql statement
  $sql = "select * from highscores where userid = $_GET[userid]";
 
  //execute the sql statement
  $result = mysql_query($sql, $conn) or die(mysql_error());
  
  //go through each row in result set and display data
  
  /*
  tripy
  First, output your header
  */
  echo "  Your scores are as follows:<br><table width=200 border=1>
    <tr>
      <td>Score</td>
    </tr> ";
  
  /*
  tripy
  now parse the results...
  */
  while ($newArray = mysql_fetch_array($result)) {
    $userid = $newArray['userid'];
    $score = $newArray['score'];
    echo "
    <tr>
      <td>$score</td>
    </tr>"; 
  }
  
  /*
  tripy
  And finally, close your table.
  */
  echo "</table>";
?>

Also, do not forget to protect against SQL injections.

show_scores.php?userid=;

Would procedure a MySQL error telling us that you are using a field named 'userid', then we can add it to our GET superglobal like:

show_scores.php?userid=userid

To get all results. Basically we can do a lot more worse than that.

To learn more about SQL injections, see my article.

Protecting Against SQL Injections

True, I totally bypassed that issue, but you (hamesy) should protect your pages against such attacks.

Quote:

Originally Posted by tripy

True, I totally bypassed that issue, but you (hamesy) should protect your pages against such attacks.

No, you just answerred to his question as he wanted. You never needed to tell anything about SQL injections. I just mentioned about these kind of attacks on a side note.

Quote:

Originally Posted by kaisellgren

Also, do not forget to protect against SQL injections.

show_scores.php?userid=;

Would procedure a MySQL error telling us that you are using a field named 'userid', then we can add it to our GET superglobal like:

show_scores.php?userid=userid

To get all results. Basically we can do a lot more worse than that.

To learn more about SQL injections, see my article.

Protecting Against SQL Injections

I personally also use type casting a lot myself, mainly when comparing integer id's