Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Vitalii Demianets
On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
> my code is this: $query1="select * from patient where id=".$_POST['txt']; it works but

Holy Jesus! Can't wait to send to your server POST request with txt=1;DROP DATABASE; -- Of course, if you'll switch to prepare statement instead of

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Bálint Horváth
Of course have to use filters and etc...

Bálint Horváth

On 25 May 2011 09:53, Vitalii Demianets vi...@nppfactor.kiev.ua wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this: $query1="select * from patient where id=".$_POST['txt']; it works but
>
> Holy Jesus! Can't

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Ashley Sheridan
Vitalii Demianets vi...@nppfactor.kiev.ua wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this: $query1="select * from patient where id=".$_POST['txt']; it works but
>
> Holy Jesus! Can't wait to send to your server POST request with txt=1;DROP DATABASE; -- Of course, if

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Andre Polykanine
(mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Negin Nickparsa nickpa...@gmail.com To: php-general@lists.php.net Date created: , 7:05:18 AM Subject: [PHP] simple question abt convert to integer

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Negin Nickparsa
Tnx to all:D Paul you are absolutely right:D it was a bad mistake from me there was no need 2 convert it Balint helped me n with mysql_error i found that my code hasn't any mistake i just forgot the BIG thing! selecting db:D i totally forgot it because i had array keys with if statement n in there

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Bálint Horváth
The problem is that if you set the post directly to the query it's available to be an attack code in the field... (eg. DROP DATABASE;) it's called SQL injection... what I mean on filtering: always check the values in query eg.: $id = $_POST['id']; if(is_numeric($id)){...}else{bad post} and at
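
The filtering and prepared-statement advice from the replies above, as an added example that is not part of any poster's message. It assumes PDO with the SQLite driver standing in for MySQL so that it runs offline; the table layout, sample rows, input values and the function name findPatient are constructed for illustration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// stands in for the MySQL server; the table layout and rows are constructed.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of returning false, so a failed query is
// reported where it happens rather than at a later row-count call.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO patient (id, name) VALUES (1, 'Sample A'), (2, 'Sample B')");

/**
 * Look up one patient by the id taken from a form field (hypothetical helper).
 * Returns the row, null when no such id exists, or false when the input is rejected.
 */
function findPatient(PDO $db, $rawId)
{
    // Filtering: accept only a plain positive integer. Unlike is_numeric(),
    // FILTER_VALIDATE_INT also rejects "1.5" and "1e3".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Prepared statement: the value travels separately from the SQL text,
    // so it is never parsed as part of the statement.
    $stmt = $db->prepare('SELECT id, name FROM patient WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-ins for $_POST['txt'], including the value quoted in the thread.
$samples = ['1', '2', '99', '1;DROP DATABASE; --', '1e3', 'abc'];
foreach ($samples as $txt) {
    $result = findPatient($db, $txt);
    if ($result === false) {
        echo "rejected:  ", var_export($txt, true), "\n";
    } elseif ($result === null) {
        echo "not found: ", var_export($txt, true), "\n";
    } else {
        echo "found:     ", $result['name'], "\n";
    }
}
```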

Re: [PHP] simple question abt convert to integer

2011-05-25 Thread Negin Nickparsa
i got it tnx Balint

[PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
my code is this: $query1="select * from patient where id=".$_POST['txt']; it works but i think because i have error in next line: *Warning*: mysql_num_rows() expects parameter 1 to be resource, boolean given $num2=Mysql_num_rows($result1); i echoed $query1 and the result was this=select * from

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
Hi, I've a simple idea... If you have integer in your mysql, don't use at that field in the query... Try this: $query="select * from patient where id=".$id.""; There isn't apostrophe in the mysql query...

Bálint Horváth

On 25 May 2011 06:06, Negin Nickparsa nickpa...@gmail.com wrote:
> my code is

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
$id=(int)$_POST['txt']; $query1="select * from patient where id=".$id.""; echo $query1; $result1=mysql_query($query1); echo $result1; $num2=Mysql_num_rows($result1); $num3=Mysql_num_fields($result1); still it has previous error Here is my output:select * from patient where id=1 *Warning*:

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
Bálint Horváth, the second post of me is using your idea your idea is working but why i have error still?

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
$result1=mysql_query($query1); echo $result1; it can't echo $result1 i don't know why?

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
If the query is incorrect u get boolean: false, if it's correct u get a resource id...

Bálint Horváth

On 25 May 2011 06:28, Negin Nickparsa nickpa...@gmail.com wrote:

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Negin Nickparsa
i receive nothing not a resource id and nor false

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Paul M Foster
On Wed, May 25, 2011 at 08:57:18AM +0430, Negin Nickparsa wrote:
> $id=(int)$_POST['txt']; $query1="select * from patient where id=".$id."";

You're not *thinking* about what you're doing. The above is silly. Think about it: you're sending a string to MySQL. If $_POST['txt'] returns a string which

Re: [PHP] simple question abt convert to integer

2011-05-24 Thread Bálint Horváth
Problem solved successfully after changed the query integer apostrophe-less.. and printed the mysql_errno() and mysql_error()... Remember: -In the script languages as php the apostrophe ' or " or sg. like these means the string marker... -While ure developing show all error codes and messages... -If