Tutorial system problem


3 replies to this topic

#1 Rosst

Rosst
  • Members
  • Member
  • 29 posts

Posted 06 July 2006 - 10:25 PM

OK, I will get straight to the point: I made a tutorial system, and when I went to my second tutorial I saw the first one. See the link: http://vexxon.net/in...cat=PHP&tutid=2. Anyway, here is my code:

<?php
include('config.php'); // connect to database
include('includes/bbcode.php');

if (!empty($_GET['cat'])) {
    if (!empty($_GET['tutid'])) {
        // single tutorial view
        $tutid = $_GET['tutid'];
        $cat = $_GET['cat'];
        $query = mysql_query("SELECT * FROM tutorial where id = '$tutid' & tut_type = '$cat'");
        $r = mysql_fetch_array($query);
        echo "
        <table border=\"0\">
        <tr>
        <td>".$r['tut_name']."</td><td>By ".$r['user']."</td>
        </tr>
        <tr>
        <td>".$r['tut_desc']."</td>
        </tr>
        <tr>
        <td>".bbcode($r['tut'])."</td>
        </tr>
        </table>
        ";
    }
    else {
        // list of tutorials in one category
        $acat = $_GET['cat'];
        $query1 = mysql_query("SELECT * FROM tutorial where tut_type = '$acat'");
        if (mysql_num_rows($query1) == 0) {
            echo "No tutorials in this category";
        }
        else {
            echo "<table border=\"0\">";
            while ($s = mysql_fetch_array($query1)) {
                echo "
                <tr>
                <td><a href=\"index.php?id=tuts&cat=".$s['tut_type']."&tutid=".$s['id']."\">".$s['tut_name']."</a></td><td>By <a href=\"index.php?id=memb&user=".$s['user']."\">".$s['user']."</a></td>
                </tr>
                ";
            }
            echo "</table>";
        }
    }
}
else {
    // list of categories
    $query2 = mysql_query("SELECT * FROM tutorialcats");
    echo "<table border=\"0\">";
    while ($t = mysql_fetch_array($query2)) {
        echo "
        <tr>
        <td>- <a href=\"index.php?id=tuts&cat=".$t['name']."\">".$t['name']."</a></td>
        </tr>
        ";
    }
    echo "</table>";
}
?>


#2 underparnv

underparnv
  • Members
  • Advanced Member
  • 30 posts
  • Location: Reno, Nevada

Posted 06 July 2006 - 10:55 PM

Change your query to this:

<?php
$query = mysql_query("SELECT * FROM tutorial WHERE id = $tutid AND tut_type = '$cat'");
?>

Enjoy!
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."

The Sporting Edge - Free NFL Football Pool


#3 Rosst

Rosst
  • Members
  • Member
  • 29 posts

Posted 07 July 2006 - 01:10 AM

Thanks, it worked!

#4 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 07 July 2006 - 10:39 AM

You would have to use intval or mysql_real_escape_string on the variable $tutid if you choose not to enclose the value in quotes in the query, to ensure that people do not exploit your code by injecting another query into the initial query.
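Added example, not code from any of the posters: the single-tutorial lookup from post #1 with the bitwise `&` replaced by a logical `AND` (in MySQL `&` is the bitwise operator and binds tighter than `=`, so the original condition matched every row and the first one came back), and with both request values bound as parameters instead of being concatenated into the SQL string. It uses intval() on the id as suggested above and a mysqli prepared statement (the mysql_* functions were removed in PHP 7); the connection credentials, the `find_tutorial` name and the column list are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection and the
// thread's `tutorial` table with columns id, tut_type, tut_name, user, tut_desc, tut.

function find_tutorial(mysqli $db, string $cat, string $tutid): ?array
{
    // intval() guarantees an integer id; a non-numeric or zero id is rejected early.
    $id = intval($tutid);
    if ($id <= 0) {
        return null;
    }

    // Logical AND, not bitwise &; both values travel as bound parameters,
    // so the category text never becomes part of the SQL statement.
    $stmt = $db->prepare(
        'SELECT id, tut_type, tut_name, user, tut_desc, tut FROM tutorial WHERE id = ? AND tut_type = ?'
    );
    $stmt->bind_param('is', $id, $cat);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();

    return $row ?: null;
}

// Usage with the thread's request parameters; output is escaped before echoing.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholder credentials
$row = find_tutorial($db, $_GET['cat'] ?? '', $_GET['tutid'] ?? '');

if ($row === null) {
    echo 'Tutorial not found';
} else {
    echo '<h2>' . htmlspecialchars($row['tut_name'], ENT_QUOTES, 'UTF-8') . '</h2>';
    echo '<p>By ' . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '</p>';
    echo '<p>' . htmlspecialchars($row['tut_desc'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```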



