Ian Barnes wrote:
> Hi,
>
> $sql1 = "UPDATE members SET $pass WHERE id = '$editid'";

you might consider that $editid is not what you think.
use var_dump() et al to discover what is really in each var.

>
> That's what's on 199. On line 198 I have: $pass = $_POST['pass'];

which means I can inject just about any SQL I want into your server.
(you need to plug that hole)

>
> Thanks,
> Ian
>
> On 11/29/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>>
>> Ian Barnes wrote:
>> > Hi,
>> >
>> > We recently upgraded our primary webserver to php 5 from php4 and we are
>> > now getting the following errors on the site:
>> >
>> > *Catchable fatal error*: Object of class stdClass could not be converted
>> > to string in /home/www/somesite/somfile.php on line *199*
>> >
>> > Around that area in the code is some code something like:
>>
>> so what is line 199?
>>
>> >
>> > if(!$db->query("SQL $HaveYouGoTAVarInHere HERE"))
>>
>>                      ^^^^---- ??
>>
>> > {
>> > echo 'Fail';
>> > }
>> >
>> > Any ideas what it means or how I can fix it ?
>> >
>> > Thanks
>> > Ian
>> >
>> > P.S. Please copy me, I don't know if my list membership is working.
>> >

--
PHP General Mailing List (http://www.php.net/)
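
Added example, not part of the thread and not the poster's code: the interpolated UPDATE that the reply flags, shown in PHP with PDO beside a parameterized form that also rejects the non-scalar value behind the "could not be converted to string" error. The in-memory SQLite table, the column names `id` and `pass`, the function names and the sample values are constructed assumptions.

```php
<?php
// Constructed in-memory table standing in for the thread's `members` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, pass TEXT)');
$db->exec("INSERT INTO members (id, pass) VALUES (1, 'old1'), (2, 'old2')");

// Pattern from the thread: request data becomes part of the SQL text.
// This function only builds the string so the result can be inspected.
function build_unsafe_sql($pass, $editid): string
{
    return "UPDATE members SET $pass WHERE id = '$editid'";
}

// Hardened form: the SQL text is fixed and values travel as bound parameters.
function update_password(PDO $db, $editid, $pass): int
{
    // An object here (for example a row fetched as stdClass) is what PHP 5
    // reports as "Object of class stdClass could not be converted to string".
    if (!is_scalar($editid) || !is_string($pass)) {
        throw new InvalidArgumentException('id and password must be scalar');
    }
    $id = filter_var($editid, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('UPDATE members SET pass = :pass WHERE id = :id');
    // Assumption: the column holds a password, so store a hash, not the raw value.
    $stmt->bindValue(':pass', password_hash($pass, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed hostile id: in the unsafe form the WHERE clause matches every row.
$hostileId = "1' OR '1'='1";
echo build_unsafe_sql("pass = 'x'", $hostileId), "\n";

// The same value, and an object in place of the id, are both refused.
foreach ([$hostileId, new stdClass()] as $badId) {
    try {
        update_password($db, $badId, 'x');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

echo update_password($db, '2', 'new secret'), " row(s) updated\n";
```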