MyBB

sunjava1 · 06-04-2012, 09:33 AM

I made an online form, which i planned to send to some people with email as a link to the form,

now can bots crawl that form ? how do i prevent that form from spam ?
I used id to display output from database, I used mysql real escape string and it is also displaying error page with the when i use (id='9
) to fetch data from database

how to fix it ?

Yaldaram · (This post was last modified: 06-04-2012 09:53 AM by Yaldaram.)

To deny bots access, you can use no robots , no follow meta tags in that page.

sunjava1 · 06-04-2012, 10:28 AM

and what about id='9 ?

Yaldaram · 06-04-2012, 11:07 AM

Please write the complete query you used and where the issue its showing.

**Euan T** · 06-04-2012, 01:15 PM

As Yaldaram said, it would be nice to see the full code as it would make it easier to debug.

Nathan Malcolm · 06-04-2012, 03:26 PM

(06-04-2012 09:41 AM)Yaldaram Wrote: To deny bots access, you can use no robots , no follow meta tags in that page.

I assume he means spam bots.

OP, use a system such as recaptcha. http://recaptcha.net

sunjava1 · 06-04-2012, 04:49 PM

this is test.php

PHP Code:

//$Idata=mysql_real_escape_string($_GET["id"]);
$Idata=$_GET['id'];
$temp_query="SELECT *
FROM `mytable`
WHERE `ID` =".$Idata."
LIMIT 0 , 1";

$query2 = mysql_query($temp_query) or die(mysql_error());

while($result=mysql_fetch_array($query2))
{

echo '
hi id is $result[id] and value is $result[name]
'; 

now when i enter, test.php?id=6
it works fine, when I enter test.php?id='6
I get error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 LIMIT 0 , 1' at line 3

when i use real escape string it simple converts single quote to a slash, and again gives the error,

pavemen · 06-04-2012, 04:53 PM

(06-04-2012 04:49 PM)sunjava1 Wrote: this is test.php

PHP Code:

//$Idata=mysql_real_escape_string($_GET["id"]); $Idata=$_GET['id']; $temp_query="SELECT * FROM `mytable` WHERE `ID` =".$Idata." LIMIT 0 , 1"; $query2 = mysql_query($temp_query) or die(mysql_error()); while($result=mysql_fetch_array($query2)) { echo ' hi id is $result[id] and value is $result[name] ';
now when i enter, test.php?id=6
it works fine, when I enter test.php?id='6
I get error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 LIMIT 0 , 1' at line 3

when i use real escape string it simple converts single quote to a slash, and again gives the error,

which is good, you don't want any extra code being added to your query

sunjava1 · (This post was last modified: 06-04-2012 05:03 PM by sunjava1.)

not good, i didn't see the output with real escpae string, it also gives me error

using mysql real escape string

PHP Code:

$Idata=mysql_real_escape_string($_GET["id"]);

$temp_query="SELECT *
FROM `mytable`
WHERE `ID` =".$Idata."
LIMIT 0 , 1";

$query2 = mysql_query($temp_query) or die(mysql_error());

while($result=mysql_fetch_array($query2))
{

echo '
hi id is $result[id] and value is $result[name]
'; 

this one gives me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'1 LIMIT 0 , 1' at line 3

Nathan Malcolm · 06-04-2012, 05:04 PM

The query should be:

PHP Code:

SELECT * FROM `mytable` WHERE `ID` ='".$Idata."' LIMIT 0 , 1 