-1

I'm back once again, trying to create a "custom" blog system. Or a CMS, as people call it. This is my current code:

<?php
//include stuff here
$pid = $_GET['pageid'];
$data = mysql_query("SELECT * FROM entries WHERE id='$pid'") or die("MySQL died.");
mysql_real_escape_string($pid);
while($info = mysql_fetch_array( $data )) 
{
if (!empty($info)) {
echo $info['data'];
}
else {
echo 'This page no existo.';
}
}
?>

What's happening is that it's not showing "This page no existo." as the '404' text. Lets say someone is trying to go to my site directly typing it but make a mistake: localhost/blog/?pageid=10 It doesn't show the 404 text!

I have a row named "data" in MySQL. It consists of the-- um... data of the blog post. I also have a row called ID which is an auto increment ID system. The "real", working page ID is 1.

Thanks, RBLXDev.

EDIT: Vardump of $info: The vardump:

array (size=10)
0 => string '1' (length=1)
'id' => string '1' (length=1)
1 => string 'Testing potatoCMS... and the title.' (length=35)
'title' => string 'Testing potatoCMS... and the title.' (length=35)
2 => string 'This is a test.
This is a new line.
This is a cookie.
You are getting fat.
FAT.<br />lol' (length=88)
'data' => string 'This is a test.
This is a new line.
This is a cookie.
You are getting fat.
FAT.<br />lol' (length=88)
3 => string '2013-02-02' (length=10)
'date' => string '2013-02-02' (length=10)
4 => string 'Unspecified' (length=11)
'author' => string 'Unspecified' (length=11)

Yeah, um... I have weird placeholders.

Raymonf
  • 114
  • 1
  • 16

3 Answers3

1

Id try something like this....

<?php

        $pid = $_GET['pageid'];
        mysql_real_escape_string($pid);

        $data = mysql_query("SELECT * FROM entries WHERE id='$pid'") or die("MySQL died.");

        $num_rows = mysql_num_rows($data);

        if ($num_rows == NULL) {

              echo 'This page no existo.';

        } else {

                  $info = mysql_fetch_array( $data );
                  echo $info['data'];
        }
?>

NOT tested

UPDATED!!

afro360
  • 620
  • 3
  • 9
  • 22
1

First, let's start with what you came here for:

If the record doesn't exist, mysql_fetch_array( $data ) will return false, and so, it won't even enter the while block anymore. So, your logic is wrong.

Secondly, you are using mysql_real_escape_string() wrong. You need to call it before executing the SQL query, and you need to capture its output in the variable you are going to inject into the SQL query:

$pid = mysql_real_escape_string($pid);
$data = mysql_query("SELECT * FROM entries WHERE id='$pid'") or die("MySQL died.");

Thirdly, you may want to consider ditching mysql_* functions altogether, as that library is in the process of being deprecated, because it offers poor abilities to mitigate SQL injection. Consider using the improved mysqli_* library functions, or PDO.

Decent Dabbler
  • 22,532
  • 8
  • 74
  • 106
0

  1. Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

  2. You have to escape your data before you use it in your query.

  3. mysql_num_rows() is the best way to tell if there are any results from your query.

  4. If you're expecting only row from your query you don't need to loop through all of the results.

  5. If $_GET['pageid'] will always be a number you should cast it to an integer to reduce opportunities for SQL injections

.

<?php
//include stuff here
$pid = $_GET['pageid'];
mysql_real_escape_string($pid);
$data = mysql_query("SELECT * FROM entries WHERE id='$pid'") or die("MySQL died.");
if (mysql_num_rows() > 0) {

    $info = mysql_fetch_array( $data );
    echo $info['data'];
}
else {
    echo 'This page no existo.';
}
?>
Zoe
  • 27,060
  • 21
  • 118
  • 148
John Conde
  • 217,595
  • 99
  • 455
  • 496