Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 06-20-2008, 08:00 PM
MessiAz MessiAz is offline
 
Join Date: Jun 2008
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default read custom profile field.

i coded a php file to read a member's custom profile field.
do you see something bad in my code? is it safe to upload this file to my forum ?

PHP Code:
request
http
://xxxxxxxxxxx.com/forum/test.php?user=Tester


$username $_GET['user'];

$query  "SELECT userid FROM vb_user WHERE username='" $username "'";
$result mysql_query($query);
if(
mysql_num_rows($result) > 0)
{
    
$row mysql_fetch_row($result);
    
$userid $row[0];

    
$query "SELECT usergroupid FROM vb_user WHERE userid='" $userid "'";
    
$result mysql_query($query);

    if(
mysql_num_rows($result) > 0)
    {
        
$row mysql_fetch_row($result);
        
$group $row[0];

        
$query "SELECT field6 FROM vb_userfield WHERE userid='" $userid "'";
        
$result mysql_query($query);

        if(
mysql_num_rows($result) > 0)
        {
            
$row mysql_fetch_row($result);
            
$serial $row[0];

            echo 
"Username: " $username "<br>";
            echo 
"Userid: " $userid "<br>";
            echo 
"group: " $group "<br>";
            echo 
"programid: " $serial "<br>";
        }

    }

}

else {

echo 
"Username: Invalid";

Reply With Quote
  #2  
Old 06-20-2008, 08:50 PM
MoT3rror MoT3rror is offline
 
Join Date: Mar 2007
Posts: 423
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

PHP Code:
$username $_GET['user'];

/*
I suggest changing this query to, then you will only need 1 query then 3

SELECT user.userid, user.usergroupid, userfield.field6
FROM vb_user AS user
LEFT JOIN vb_userfield AS userfield ON (userfield.userid = user.userid)
WHERE user.username = '" . mysql_escape_string($username) . "'"
*/

//added mysql_escape_string to protect against sql injection
$query  "SELECT userid FROM vb_user WHERE username='" mysql_escape_string($username) . "'";
$result mysql_query($query);
if(
mysql_num_rows($result) > 0)
{
    
$row mysql_fetch_row($result);
    
//this should be userid not 0, you can var_dump for debug if you aren't getting the value you want
    
$userid $row['userid'];

    
//why not just select usergroupid from your first query?
    
$query "SELECT usergroupid FROM vb_user WHERE userid='" $userid "'";
    
$result mysql_query($query);

    if(
mysql_num_rows($result) > 0)
    {
        
$row mysql_fetch_row($result);
        
$group $row[0];

        
//you can use a left join with your first query to get this value also
        
$query "SELECT field6 FROM vb_userfield WHERE userid='" $userid "'";
        
$result mysql_query($query);

        if(
mysql_num_rows($result) > 0)
        {
            
$row mysql_fetch_row($result);
            
$serial $row[0];

            echo 
"Username: " $username "<br>";
            echo 
"Userid: " $userid "<br>";
            echo 
"group: " $group "<br>";
            echo 
"programid: " $serial "<br>";
        }

    }

}

else {

echo 
"Username: Invalid";

Reply With Quote
  #3  
Old 06-20-2008, 09:22 PM
Opserty Opserty is offline
 
Join Date: Apr 2007
Posts: 4,103
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

As MoT3rror suggested, you can cover everything in the single query so you have:
PHP Code:
$username $_GET['user'];

$sql "SELECT user.userid, user.usergroupid, userfield.field6
FROM vb_user AS user
LEFT JOIN vb_userfield AS userfield ON (userfield.userid = user.userid)
WHERE user.username = '" 
mysql_escape_string($username) . "' LIMIT 1";

$query mysql_query($sql);
// Do our error checking first...
if(!$query)
{
    echo 
'Username: Invalid';
}
else
{
    
// Use mysql_fetch_assoc to return [field] => [value] array result
    
$data mysql_fetch_assoc($query);
    
    
// Use single quotes if there are no variables in strings
    
echo 'Username: ' $username .'<br>';
    echo 
'Userid: ' $data['userid'] . '<br>';
    echo 
'Group: ' $data['usergroupid'] . '<br>';
    echo 
'programid: ' $data['field6'] . '<br>';

(Credit to MoT3rror for SQL)
Reply With Quote
  #4  
Old 06-21-2008, 03:35 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Using mysql_real_escape_string() is preferable to mysql_escape_string().
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:00 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03966 seconds
  • Memory Usage 2,224KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (4)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete