
The script won't work and I can't find anything wrong, please help

All right, so the script is pretty simple: it retrieves what the id of the
post is and lets you edit it. Well, no, it doesn't.

Now if you go to www.kirewire.com/pp2/index/php you will see a number 1;
that is the value of column home_id, which is set to auto increment etc.
etc.

But this script, which gets the id of home_id of a row and lets you edit
it, does not work for some reason...
if (isset ($_POST['submit'])) { // Handle the form.

    // Define the query.
    $query = "UPDATE home SET header='{$_POST['header']}',
    body='{$_POST['body']}' WHERE home_id={$_POST['id']}";
    $r = mysql_query ($query); // Execute the query.

    // Report on the result.
    if (mysql_affected_rows() == 1) {
        print '<p>The blog entry has been updated.</p>';
    } else {
        print "<p>Could not update the entry because: <b>" . mysql_error() .
        "</b>. The query was $query.</p>";
    }

} else { // Display the entry in a form.

    // Check for a valid entry ID in the URL.
    if (is_numeric ($_GET['id']) ) {

        // Define the query.
        $query = "SELECT * FROM home_id WHERE home_id={$_GET['id']}";
        if ($r = mysql_query ($query)) { // Run the query.

            $row = mysql_fetch_array ($r); // Retrieve the information.

            // Make the form.
            print '<form action="update_site.php" method="post">
            <p>Header: <input type="text" name="header" size="40" maxlength="100"
            value="' . $row['header'] . '" /></p>
            <p>Body: <textarea name="body" cols="40" rows="5">' . $row['body']
            . '</textarea></p>
            <input type="hidden" name="id" value="' . $_GET['id'] . '" />
            <input type="submit" name="submit" value="Update your Website!" />
            </form>';

        } else { // Couldn't get the information.
            print "<p>Could not retrieve the entry because: <b>" . mysql_error() .
            "</b>. The query was $query.</p>";
        }

    } else { // No ID set.
        print '<p><b>You must have made a mistake in using this
        page.</b></p>';
    }

} // End of main IF.

mysql_close(); // Close the database connection.

?>

To see what you get, go to www.kirewire.com/pp2/update_site.php

Could you please help? Thanks, and have a happy Thanksgiving.

Nov 24 '06 #1
17 Replies


Try "select * from home" instead of "from home_id"...?
$query = "SELECT * FROM home_id WHERE home_id={$_GET['id']}";
Nov 24 '06 #2

Nope, not working.
Nov 24 '06 #3

To me petersprc was on the right track. This may not be your main problem,
but you still need to fix this part.
"SELECT * FROM home_id WHERE home_id" -> "SELECT * FROM home WHERE home_id"
You should be selecting from a table.

Regards,

Brent Palmer.
Nov 24 '06 #4

Alright, so I'm trying that and still no luck. The string defines home_id
as home_id={$_GET['id']}, so, because the column I want to select
from is home_id, can I say
$query = "SELECT home_id FROM home WHERE home_id={$_GET['id']}";
or does it need to stay wildcard?
Nov 24 '06 #5

so many sites so little time wrote:

<snip>
if (isset ($_POST['submit'])) { // Handle the form.

// Define the query.
$query = "UPDATE home SET header='{$_POST['header']}',
body='{$_POST['body']}' WHERE home_id={$_POST['id']}";
$r = mysql_query ($query); // Execute the query.
<snip>
could you please help, thanks, and have a happy thanksgiving
Check the return value of mysql_* calls.

Where I snipped add

if (!$r) {
// There was an error
// for simplicity's sake, I'll just print it and exit
exit('Error in query (' . $query . '): ' . mysql_error());
}

Add similar code after *all* relevant mysql_* calls.
When you run the script and there is an error, the script itself will
tell you why it failed. After that you just need to (understand the
reason for failure and) correct the error and try again.

--
I (almost) never check the dodgeit address.
If you *really* need to mail me, use the address in the Reply-To
header with a message in *plain* *text* *without* *attachments*.
Nov 24 '06 #6

so many sites so little time wrote:

<snip>
$query = "UPDATE home SET header='{$_POST['header']}',
This approach is possibly vulnerable to SQL injection.
That is bad.
NEVER trust data coming from GET, POST or COOKIE.

Possibly you have magic quotes enabled in php.ini, but you should at least
check for that.

It is much better to set up your application right from the start than fixing
it afterward (after some funny guy gave the command to delete the database
by inserting that command in your 'header' variable).

Anybody who knows how SQL is formulated can come up with an SQL injection
command. It is easy.

If you don't know what I am talking about (e.g. you don't know what magic
quotes are and how they change your data and WHY) then you had better take a
break from developing your app and learn about that part first.

Regards,
Erwin Moller
Nov 24 '06 #7

Alright, so I deleted the part about "you must have made a mistake in
using this page"
and added
if (!$r) {
// There was an error
// for simplicity's sake, I'll just print it and exit
exit('Error in query (' . $query . '): ' . mysql_error());
}
and as you can see at kirewire.com/pp2/update_site.php
all it says now is "you must have made a mistake in your query".

Again, the queries are:

<snip>
// Define the query.
$query = "UPDATE home SET header='{$_POST['header']}',
body='{$_POST['body']}' WHERE home_id={$_POST['id']}";
$r = mysql_query ($query); // Execute the query.
</snip>
and
<snip>
// Define the query.
$query = "SELECT * FROM home WHERE home_id={$_GET['id']}";
if ($r = mysql_query ($query)) { // Run the query.

$row = mysql_fetch_array ($r); // Retrieve the information.
</snip>
Nov 25 '06 #8

Forgive me, but I didn't see in your original code where you connected to
the database at all.

You might try running mysql from the command line and copying and pasting
that exact query in. Then play with it until you figure out what's
wrong with the query...

--

Andrew DeFaria <http://defaria.com>
Ever stop to think, and forget to start again?

Nov 26 '06 #9


No, no, it's there; it's just not important and not connected to the issue.
That's why I left it out: less code you need to rummage through. If that
wasn't working I would get a "could not connect to database" error, but here
it is anyway:

<?php // Update_site.php
// This script edits a blog entry using an UPDATE query.

// Address error handling.
ini_set ('display_errors', 1);
error_reporting (E_ALL & ~E_NOTICE);

// Connect and select.
if ($dbc = @mysql_connect ('localhost', 'user', 'pass')) {

    if (!@mysql_select_db ('kirewire_tpp')) {
        die ('<p>Could not select the database because: <b>' . mysql_error() .
        '</b></p>');
    }

} else {
    die ('<p>Could not connect to MySQL because: <b>' . mysql_error() .
    '</b></p>');
}

Nov 26 '06 #11

P.S. It's me, "so many sites so little time"; I just thought I would use my
real name, well, part of it.
Nov 26 '06 #12

so many sites so little time wrote:
alright so i deleted the part about you must have made a mistake in
using this page
and added
if (!$r) {
// There was an error
// for simplicity sake, I'll just print it and exit
exit('Error in query (' . $query . '): ' . mysql_error());
}
and as you can see at kirewire.com/pp2/update_site.php
all it says now is you must have made a mistake in your query

agian the queries are:

<snip>
// Define the query.
$query = "UPDATE home SET header='{$_POST['header']}',
Did you fix the SQL injection vulnerability I was warning you about?
No.
Reread my post.
Do yourself a favor and fix it.

Regards,
Erwin Moller
Nov 28 '06 #13

I don't understand what you mean. If I don't get the info from POST,
where am I going to get it?
Nov 28 '06 #14

And the server I'm on is locked down like Saddam, so they're not getting
in to do that, and my FTP, yeah sure, they can try to crack it, heh.
Nov 28 '06 #15

plemon wrote:
and there server im on is locked down like sadam so there not getting
in to do that and my ftp yeah sure they can try to crack it heh
It is a common mistake to think you are safe if the server is all right.
If the programmers on the secure server make mistakes, the server cannot do
a thing about it.
If your server is military strength, and runs a webserver running PHP
without magic_quotes_gpc, it is very easy to use SQL injection, no matter
how 'safe' the server is.
Security is no magic. And it starts with programmers taking it seriously.

If you do not know what SQL injection is, chances are you didn't write safe
code.

Really, I warned you 3 times in this thread, and you still don't listen.
So my advice is once again: do yourself a favor, and make sure you
understand what SQL injection is and how to protect yourself.
Google for it, understand it, then program the rest of your site.

Regards,
Erwin Moller
Dec 1 '06 #16

So you are saying I should have magic quotes turned on? I'm reading up
more on SQL injection at the moment; still don't understand it at all.

Jan 16 '07 #17

..oO(plemon)
>so you are saying i should have magic quotes turned on?
No, magic quotes are dead. Turn them off and forget about them.
Thankfully they'll be completely removed in PHP 6.
>im reading up
more on sql injection at the moment still don't understand it at all.
Never(!) trust any data sent in from a client. URL parameters, POST
data, cookies - everything can easily be faked. This not only applies to
databases, but to everything on a server that deals with user-submitted
data. Validate everything and escape it if necessary!

In the case of DBs you have to make sure that _all_ data that goes into
a DB is properly escaped, so that it's not possible for an attacker to
inject his own SQL commands to wreak havoc on your DB.

In PHP there are more or less two ways to do that:

1) Use DB-specific escaping functions, like mysql_real_escape_string()
for example.

2) Use prepared statements as provided by the PDO extension.

Micha
Jan 16 '07 #18
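Added here as an example, not code from the original poster or from any reply: the two queries of update_site.php rewritten with PDO prepared statements (Micha's option 2), which is also the fix Erwin Moller asked for in #7. It assumes PHP 8 with the PDO SQLite driver and uses an in-memory database so it runs offline; the table, the sample row and the function names (openDatabase, parseId, fetchEntry, updateEntry, renderForm, updateByConcatenation) are constructed for this example and mirror the thread's home / home_id / header / body layout.

```php
<?php
declare(strict_types=1);

// Example code, not the poster's: update_site.php's queries done with PDO
// prepared statements. Assumes PHP 8 and the PDO SQLite driver; the table
// and sample row below are constructed to match the thread's column names.

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE home (
        home_id INTEGER PRIMARY KEY AUTOINCREMENT,
        header  TEXT NOT NULL,
        body    TEXT NOT NULL)');
    // Constructed row, standing in for the entry the poster sees as "1".
    $db->exec("INSERT INTO home (header, body) VALUES ('Welcome', 'First post')");
    return $db;
}

// Reduce the id to a positive integer before it is used anywhere. This is
// stricter than is_numeric(), which also accepts floats and exponent forms.
function parseId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchEntry(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT home_id, header, body FROM home WHERE home_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the number of rows changed. header and body travel as bound
// parameters, so quotes or SQL keywords inside them are stored as plain data.
function updateEntry(PDO $db, int $id, string $header, string $body): int
{
    $stmt = $db->prepare(
        'UPDATE home SET header = :header, body = :body WHERE home_id = :id');
    $stmt->execute([':header' => $header, ':body' => $body, ':id' => $id]);
    return $stmt->rowCount();
}

// Everything echoed back into the page is HTML-escaped, per Micha's
// "validate everything and escape it if necessary".
function renderForm(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form action="update_site.php" method="post">' . PHP_EOL
        . '<p>Header: <input type="text" name="header" size="40" maxlength="100" value="'
        . $h($row['header']) . '" /></p>' . PHP_EOL
        . '<p>Body: <textarea name="body" cols="40" rows="5">'
        . $h($row['body']) . '</textarea></p>' . PHP_EOL
        . '<input type="hidden" name="id" value="' . (int) $row['home_id'] . '" />' . PHP_EOL
        . '<input type="submit" name="submit" value="Update your Website!" />' . PHP_EOL
        . '</form>';
}

// The original approach, kept for comparison: values interpolated into the
// SQL text. An ordinary apostrophe in the data ends the string literal early
// and the statement fails; that same property is what SQL injection exploits.
function updateByConcatenation(PDO $db, int $id, string $header, string $body): bool
{
    $query = "UPDATE home SET header='{$header}', body='{$body}' WHERE home_id={$id}";
    try {
        $db->exec($query);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

$db = openDatabase();
$id = parseId('1');
if ($id === null) {
    exit('invalid id' . PHP_EOL);
}
$header = "O'Brien's homepage";   // legitimate input that contains apostrophes

echo 'concatenated query succeeded: ',
    var_export(updateByConcatenation($db, $id, $header, 'text'), true), PHP_EOL;
echo 'prepared statement rows updated: ', updateEntry($db, $id, $header, 'text'), PHP_EOL;
echo 'stored header matches input: ',
    var_export(fetchEntry($db, $id)['header'] === $header, true), PHP_EOL;
echo renderForm(fetchEntry($db, $id)), PHP_EOL;
```

Against a MySQL server the same code works with a `mysql:` DSN and the connection credentials from the poster's connect block; only openDatabase() changes.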
