I just feel I do need to add this. Look at these two lines of code:
[php]// the request parameter is copied into the SQL string with no validation at all
$blid=$_GET['blid'];
$query=mysql_query("select * from pms_block,pms_rental where pms_block.block_id=pms_rental.block_id and pms_rental.block_id=$blid");[/php]
Now imagine what would happen if a malicious user modified the URL that would normally be created when submitting your form:
http://www.yoursite.com/yourphpfunct...?blid=1;delete from pms_block;delete from pms_rental
Obviously the hacker in this case would need to know the names of your database tables for this example to work, but I am sure one can come up with many other more generalized sql statements that could be just as dangerous. In the above case, this URL combined with your script will cause the two tables pms_block and pms_rental to be emptied completely.
The moral of the story: never use $_GET or $_POST variables directly in SQL or other executable statements without validation and appropriate filtering of anything malicious.
Steve, Denmark
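Hardened version of the query from the post above, added here as an illustration and not code from the original poster. It uses PDO prepared statements (the mysql_* extension the post uses was removed in PHP 7), validates `blid` as a positive integer before it is used, and assumes the same two tables; the function name `fetchBlockRentals`, the helper `isValidBlockId`, the `$pdo` connection and the DSN/credential values are placeholders chosen for the example.

```php
<?php
// Added example (not from the original post): validation plus a
// parameterised query for the pms_block / pms_rental lookup.

/**
 * Return the block id as an int if the raw request value is a positive
 * integer, or null for anything else (strings with ';', spaces, arrays, ...).
 */
function isValidBlockId($raw): ?int
{
    // filter_var rejects non-scalars, non-numeric strings and values below 1
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the block/rental rows for a request, or null when the id is invalid.
 * The value is bound as a parameter, so it can never alter the SQL text.
 */
function fetchBlockRentals(PDO $pdo, array $get): ?array
{
    $blid = isValidBlockId($get['blid'] ?? null);
    if ($blid === null) {
        return null; // caller decides: 400 response, log entry, etc.
    }

    $sql = 'SELECT * FROM pms_block
            JOIN pms_rental ON pms_block.block_id = pms_rental.block_id
            WHERE pms_rental.block_id = :blid';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':blid', $blid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check with constructed inputs: the payload shape from the post is
// rejected before any SQL is built, while a plain id passes.
assert(isValidBlockId('1;delete from pms_block;delete from pms_rental') === null);
assert(isValidBlockId('1 or 1=1') === null);
assert(isValidBlockId(['1']) === null);
assert(isValidBlockId('42') === 42);

// Usage (DSN and credentials are placeholders, not real values):
$pdo = new PDO(
    'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);
$rows = fetchBlockRentals($pdo, $_GET);
if ($rows === null) {
    http_response_code(400);
    exit('invalid blid');
}
```

The two layers are deliberately independent: the integer check stops bad input at the edge and gives you something to log, and the bound parameter means that even if validation is later loosened (say, to accept a list of ids) the database still receives the value as data rather than as part of the statement.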
Please enclose your posted code in [code] tags (See How to Ask a Question). - moderator