unable to get correct output after compare and replace

Question

blueguy777 0 Newbie Poster

11 Years Ago

my actual code is:

$agent_id=mysql_real_escape_string($_GET['memberid']);

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");
$row = mysql_fetch_array($result);
$ac_number=$row['ac_no'];
$agent_name=$row['agent_name'];
?>
<?php 
$b = array(000350,000400,000450); //pre-defined installment amount values
$replacement = "000000";
$cust_mast = '$C21';
$bank_name = 'KISAN SWARAJ';
$dfile = "READ ME CUSTOMERS.txt";
$fo = fopen($dfile, 'w') or die("can't open file");
$stringData1 =str_pad($cust_mast, 0, STR_PAD_LEFT).",".str_pad($bank_name, 20, ' ',STR_PAD_RIGHT).",".str_pad($agent_id, 2, STR_PAD_LEFT).",".str_pad($agent_name, 24, ' ',STR_PAD_RIGHT).","."123456".",".str_pad('123456', 69, ' ', STR_PAD_RIGHT)."@"."\r\n";
fwrite($fo, $stringData1);

$select = mysql_query("SELECT ac_no, cust_name, GROUP_CONCAT(install_amt SEPARATOR ',') as installamt FROM ankali_slabpay  WHERE agent_id=$agent_id GROUP BY ac_no");
$e=array();
$inst_result=array();
while($row1 = mysql_fetch_assoc($select)){
$e[] = $row1['installamt'];
$a=implode(",",$e);

$i=0;
foreach($b as $k=>$v)
{
    if($v==$a[$i])
    {
        $b[$k]='000000'; //replace with 000000 if both values are same i.e. $b == $a
    }
    $i++;
}
$arr2=implode(",",$b);

$stringData2=str_pad($row1['ac_no'], 4, '0', STR_PAD_LEFT).",".str_pad($row1['cust_name'],20, ' ', STR_PAD_RIGHT). ",".$arr2."@"."\r\n";
fwrite($fo, $stringData2);
}
$stringData3="";
fwrite($fo, $stringData3);
fclose($fo);
header("Content-Disposition: attachment; filename=$dfile");
header("Content-Type: application/octet-stream; "); 
readfile($dfile);

the output should be:

$C21,KISAN SWARAJ        ,10,ROBERT                  ,123456,123456                      @
0001,MICHAEL             ,000000,000400,000450@
0005,KIM                 ,000350,000400,000450@

php

Edited 11 Years Ago by blueguy777 because: mistaken in title

2 Contributors
2 Replies
126 Views
55 Minutes Discussion Span
Latest Post 11 Years Ago Latest Post by blueguy777

tpunt 0 Newbie Poster

11 Years Ago

Could you also post what the output actually is at the moment? That should help myself and others to find out where you're going wrong easier.

What I will comment on within your code though is that your use of mysql_real_escape_string() (MRES) is nugatory. The MRES function was designed to escape quotes (both single and double) and backslashes. Because you aren't encasing the $agent_id variable within either of these quotes within your query, SQL code can be directly entered into the query and it will not be treated as a harmless string - it will be executed against your database. To avoid this problem, you can validate the $agent_id variable prior to using it within your query, perhaps through type-casting it to an integer:

<?php
$clean['id'] = (int) $_GET['memberid'];

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");

You should also eschew using the original mysql extension since it has been deprecated as of PHP 5.5.0.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

blueguy777 0 Newbie Poster · Answer 1 · 2013-09-13T11:07:10+00:00

the output is:

$C21,KISAN SWARAJ        ,10,ROBERT               ,123456,123456       @
0001,MICHAEL             ,232,256,296@
0005,KIM                 ,232,256,296@