I've set up a simple database for learning and inserted some data. Now I'm trying to display only the data that fulfills the criteria. For example, if I select age 33 and male in the form, then only males aged 33 are shown. I managed to get a working script, but it works with only one criterion.

```php
<?php
// Form values, used as submitted
$rass = $_POST["rass"];
$rinnad = $_POST["rinnad"];

$connect = @mysql_connect("localhost", "root", "") or die("Fail!!!! :D:D:D");
mysql_select_db("tibid") or die("selline andmebaas puudub"); // "no such database"

// Filters on one criterion only; $rass is placed in the SQL string unescaped
$query = mysql_query("SELECT * from test where rass = '{$rass}'");
$num_rows = mysql_num_rows($query);

if ($num_rows > 0) {
    while ($row = mysql_fetch_assoc($query)) {
        echo $row['rinnad'] . "<br>"
            . $row['juuksed'] . "<br>"
            . $row['silmad'] . "<br>"
            . $row['rass'] . "<br>"
            . $row['kood'] . "<br>
        <hr>
        ";
    }
} else {
    echo "Andmebaas on tühi"; // "the database is empty"
}
?>
```

Thank you.

hammar
rookie
  • The code you are using is vulnerable to [SQL injection](http://stackoverflow.com/questions/601300/what-is-sql-injection). In general, I think you should work through a fundamental PHP/database tutorial first. Most of the questions you ask are covered by the basic learning materials. This question links to some that look good: http://stackoverflow.com/questions/3166644 – Pekka May 01 '11 at 08:07
  • also [Material to learn PHP](http://stackoverflow.com/questions/4179141/material-to-learn-php) – Pekka May 01 '11 at 08:08

1 Answer

Take a look at the top two examples here:

http://php.net/manual/en/function.mysql-real-escape-string.php

The first example shows you how to use two conditions separated by 'AND' in an SQL statement.

Importantly, the second example will show you the perils of using unsanitised/unsafe strings in your database queries and how to avoid SQL injection attacks.

Thirdly, have a laugh:

http://xkcd.com/327/

:D

jsw
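The two-condition query from the answer above, written with PDO prepared statements rather than the `mysql_real_escape_string` approach the answer links to. This is an added example, not code from the question or the answer: the `find_rows` helper, the in-memory SQLite database (a stand-in for the asker's MySQL database) and the sample rows are constructed, and only the table `test` and the column names `rass`, `rinnad` and `juuksed` come from the post.

```php
<?php
// Added example: constructed in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE test (rass TEXT, rinnad TEXT, juuksed TEXT)");
$db->exec("INSERT INTO test VALUES ('a', 'x', 'blond'), ('a', 'y', 'brown'), ('b', 'x', 'black')");

/**
 * Return the rows that match every criterion present in $input.
 * Column names come from a fixed allow-list; values are bound as parameters,
 * so they never become part of the SQL text.
 */
function find_rows(PDO $db, array $input): array
{
    $allowed = ['rass', 'rinnad', 'juuksed'];   // columns a form may filter on
    $where = [];
    $params = [];
    foreach ($allowed as $col) {
        if (isset($input[$col]) && is_string($input[$col]) && $input[$col] !== '') {
            $where[] = "$col = :$col";          // placeholder, not the value
            $params[":$col"] = $input[$col];
        }
    }
    $sql = 'SELECT rass, rinnad, juuksed FROM test';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_POST
$cases = [
    'two criteria'       => ['rass' => 'a', 'rinnad' => 'x'],
    'one criterion'      => ['rass' => 'a'],
    'value with a quote' => ['rass' => "a'b", 'rinnad' => 'x'],
    'unknown field'      => ['rass' => 'b', 'kood' => '1'],
];
foreach ($cases as $label => $post) {
    $rows = find_rows($db, $post);
    echo $label, ': ', count($rows), " row(s)\n";
    foreach ($rows as $row) {
        // Escape on output too, since these values end up in HTML
        echo '  ', htmlspecialchars(implode(' / ', $row), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Against MySQL, only the DSN passed to `new PDO(...)` changes; the query-building code stays the same.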