At 4:20 PM +0430 3/31/10, Parham Doustdar wrote:
Hi there,
Here is a snippet of code... that doesn't work for some reason. Please note
that I have put some

@mysql_query($query) or die(mysql_error());

statements, to see if MySQL gives an error. I receive nothing other than the
file starting to download. This is supposed to be a file download counter:

//connect to the DB
mysql_connect() //There is no problem with the connection so I didn't
include the complete code.

//The table where the hits are stored.
$table = "files";

$query = "select * from " . $table . " where filename = '" . $_GET['file'] .
$result = mysql_query($query);

if ($result) //Has the file previously been added?
$query = "update " . $table . " set hits = hits + 1 where filename = '" .
$_GET['file'] . "'";
@mysql_query($query) or die(mysql_error());
header('location:' . $_GET['file']);
else //it's the first time we're adding this file to the DB.
$query = "insert into " . $table . " (filename, hits) values ('" .
$_GET['file'] . "', 1)";
@mysql_query($query) or die(mysql_error());
header('location:' . $_GET['file']);

Hi Parham:

Considering that no one made comment, let me say that using $_GET in such a fashion is dangerous. One should always clean/scrub all variables that makeup a db query.

Doing what you did above is opening your database to possible SQL injection. This is not a secure thing to do.

For example, let's say I provide the following string to your form (first GET):

"anything OR '1' = '1'; DROP TABLE customers"

If your database configuration allows for multiple statements, then any table named "customers" would be immediately dropped from your database. I'm sure you can see how you would not want to allow someone to drop tables from your database. In short, never trust anything coming from client-side.

Here's a reference on the subject:

There are many others.




PHP General Mailing List (
To unsubscribe, visit:

Reply via email to