On Wed, 2007-04-11 at 16:57, Fredrik Thunberg wrote:
> marcelo Wolfgang wrote:
> > Hi all,
> >
> > I'm new to this list and new to php programming so sorry if I do
> > something wrong here :)
> >
> > Ok, now to my problem.
> >
> > I've created a query to update a mysql db, and it isn't working, and
> > it's not throwing me any errors, so I need some help to figure out
> > what's wrong here. My code follows :
> >
> > <?
> > if($_GET['act'] = 'a'){
> > $action = 1;
> > } else if ($_GET['act'] = 'd'){
> > $action = 0;
> > }
>
>
> Don't use "=", use "==" (or in some cases "===").
> "=" is for assignment.
>
> Also, what if $_GET['act'] is neither 'a' or 'd'?
>
>
> > $id = $_GET['id'];
> >
>
> Again, what if $_GET['id'] is null?
and what if $_GET['id'] is something like
"1; DROP TABLE tb_emails;"
??
SQL injection is just waiting to happen.
greets
Zoltán Németh
>
> > mysql_connect("localhost","XXXX","XXXX") or die (mysql_error());
> > mysql_select_db ("taiomara_emailList");
>
> > $email_Query = mysql_query("UPDATE 'tb_emails' SET 'bol_active' =
> > $action WHERE `auto_id` = $id");
>
> Use backticks if you think you need them
> In this case you don't
>
> $sql = "UPDATE `tb_emails` SET `bol_active` = $action WHERE `auto_id` =
> $id";
>
> echo "DEBUG: $sql";
>
> $email_Query = mysql_query( $sql );
>
> This is how to get the error:
>
> if ( !$email_Query )
> echo mysql_error();
>
>
> > mysql_close();
> > ?>
> >
> > The page is executed, but it doesn't update the table ... I've tried with
> > the '' and without it (the phpmyadmin page is where I got the idea of
> > using the ''). Any clues?
> >
> > Also, how can I make a redirect after the query has run ?
> >
>
> header("Location: http://www.foooooobar.com");
>
> Will work as long as you don't print out any output whatsoever to the
> browser before this line of code.
>
>
> > TIA
> > Marcelo Wolfgang
> >
>
> /T
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
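The points raised in the thread (== instead of =, rejecting an act value that is neither 'a' nor 'd', not letting $_GET['id'] reach the SQL text, checking the query result, and redirecting only after the query has run) put together in one script. This is an added example, not Marcelo's code or a reply from the list. It assumes PHP 7 or later with the mysqli extension, a table `tb_emails` with an integer `auto_id` and a `bol_active` column, and the same placeholder credentials as the original post; the redirect URL and the `updated=` parameter are made up for the example.

```php
<?php
// Added example (not from the original thread): the same UPDATE, written so
// that neither $_GET['act'] nor $_GET['id'] is ever concatenated into SQL.
// Assumptions: PHP 7+ with mysqli, table `tb_emails` (auto_id INT, bol_active
// TINYINT); hostname, user, password and redirect URL are placeholders.

// 1. Map the action with a lookup instead of "if ($_GET['act'] = 'a')".
//    The original assigns, so the condition is always true and $action is
//    always 1. Anything other than 'a' or 'd' is rejected outright.
$actions = ['a' => 1, 'd' => 0];
$act = $_GET['act'] ?? '';
if (!array_key_exists($act, $actions)) {
    http_response_code(400);
    exit('invalid act');
}
$action = $actions[$act];

// 2. Accept only a positive integer id. A value such as
//    "1; DROP TABLE tb_emails;" or "1 OR 1=1" fails validation here.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT,
                 ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// 3. Prepared statement: the two values are bound as integers and travel
//    separately from the query text, so they cannot change its structure.
$db = new mysqli('localhost', 'XXXX', 'XXXX', 'taiomara_emailList');
if ($db->connect_error) {
    exit('connect failed: ' . $db->connect_error);
}
$stmt = $db->prepare('UPDATE `tb_emails` SET `bol_active` = ? WHERE `auto_id` = ?');
if ($stmt === false) {
    // A typo in the SQL (e.g. 'tb_emails' in single quotes) surfaces here
    // instead of silently doing nothing.
    exit('prepare failed: ' . $db->error);
}
$stmt->bind_param('ii', $action, $id);
if (!$stmt->execute()) {
    exit('execute failed: ' . $stmt->error);
}
// 0 when no row has that auto_id, or when bol_active already had that value.
$affected = $stmt->affected_rows;
$stmt->close();
$db->close();

// 4. Redirect only after the query ran, and exit so nothing else is output.
//    No echo/HTML may precede this line or the header cannot be sent.
header('Location: http://www.example.com/list.php?updated=' . $affected);
exit;
```

Two caveats worth knowing when reading the thread today: the old mysql_query() refuses to run more than one statement per call, so the literal "1; DROP TABLE" string would not have executed as written, but an unquoted `1 OR 1=1` in the WHERE clause would have updated every row, which is why validating the id and binding it as an integer both matter. The ext/mysql functions used in the original post were removed in PHP 7; mysqli or PDO with prepared statements is the replacement.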