ludjer Posted September 9, 2006

OK here is my problem
I type in "file.php"
and it does the loop of the SQL database
but now when I use this "file.php?newsid=11"
a blank screen comes up
I want it to echo $newsid but it won't
it will echo amount but no id
if anyone can help me I would really be happy
here's my code
[code]
<?php
require_once('config/database.php');
$amount = '5';
if (isset ($_GET['newsid'])){
    $_GET['newsid']= $newsid;
    $newsid= $_GET['newsid'];
    echo $newsid;
    echo $amount;
}
else {
    $amount = '5';
    $result = mysql_query("SELECT * FROM news LIMIT $amount");
    while ( $row = mysql_fetch_array($result) ) {
?>
 <div style="width:450px;">
 <h3><u><?php echo @$row['title']; ?></a></u></h3>
 <p><?php echo nl2br(@$row['content']); ?></p>
 <p><b>Posted On:</b><i><?php echo @$row['date']; ?> by <?php echo @$row['user']; ?></i></p><br /><hr />
 </div>
<?php
    }
}
?>
[/code]
thx ludger

onlyican Posted September 9, 2006

You can't rename a GET method
$_GET["newsid"] = $newside??????

tomfmason Posted September 9, 2006

lol ^ you beat me to it.
Also, you should validate the newsid or at least use something like this.
[code=php:0]
$newsid = mysql_real_escape_string(trim($_GET['newsid']));
[/code]
And maybe use a preg_match to make sure that it has nothing but numbers in it. Otherwise you may find your site getting cracked.
Good Luck,
Tom

ludjer Posted September 9, 2006

I don't get it, here is my new code
and it's still not getting newsid
still the same problem
[code]
<?php
require_once('config/database.php');
$amount = '5';
if (isset ($_GET['newsid'])){
    $_GET['newsid']= $newsid;
    $newsid = mysql_real_escape_string(trim($_GET['newsid']));
    echo $newsid;
    echo $amount;
}
else {
    $amount = '5';
    $result = mysql_query("SELECT * FROM news LIMIT $amount");
    while ( $row = mysql_fetch_array($result) ) {
?>
 <div style="width:450px;">
 <h3><u><?php echo @$row['title']; ?></a></u></h3>
 <p><?php echo nl2br(@$row['content']); ?></p>
 <p><b>Posted On:</b><i><?php echo @$row['date']; ?> by <?php echo @$row['user']; ?></i></p><br /><hr />
 </div>
<?php
    }
}
?>
[/code]

tleisher Posted September 9, 2006

You still have: $_GET['newsid']= $newsid;
Delete that part and just leave this line:
$newsid = mysql_real_escape_string(trim($_GET['newsid']));

onlyican Posted September 9, 2006

What about
is_numeric()
Or is that not good?

tomfmason Posted September 9, 2006

I guess that would work fine. Maybe do something like this
[code=php:0]
if (is_numeric($newsid) == false) {
    die("Hacking attempt");
}
[/code]
Good Luck,
Tom

ludjer Posted September 10, 2006

thx guys it works now
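
Added example, not part of the thread: the validation suggested above (digits only, rather than is_numeric() alone) combined with a bound query parameter, using PDO because the mysql_* functions in the thread were removed in PHP 7.0. It assumes the `news` table has an integer `id` column and uses an in-memory SQLite database so it runs offline; `parse_news_id` and `fetch_news` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumption: the news table has an
// integer "id" column. SQLite in memory stands in for the thread's MySQL database.

// Return the id as an int, or null when the raw value is not a positive
// decimal integer. is_numeric() also accepts floats and exponent forms such
// as "1.5" and "1e3"; FILTER_VALIDATE_INT with a range does not.
function parse_news_id($raw): ?int
{
    if (!is_string($raw)) {          // ?newsid[]=11 arrives as an array
        return null;
    }
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 2147483647]]);
    return $id === false ? null : $id;
}

function fetch_news(PDO $db, int $id): ?array
{
    // The id is bound as a typed parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT title, content FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO news (id, title, content) VALUES (11, 'Hello', 'First post')");

// Constructed inputs standing in for $_GET['newsid'].
foreach (['11', ' 11 ', '1e3', '1.5', '11abc', '-5', ['11']] as $raw) {
    $id  = parse_news_id($raw);
    $row = $id === null ? null : fetch_news($db, $id);
    printf("%-10s is_numeric=%-5s parsed=%-4s row=%s\n",
        json_encode($raw),
        var_export(is_numeric($raw), true),
        var_export($id, true),
        $row === null ? 'none' : $row['title']);
}
```

The printed table shows, for each constructed input, what is_numeric() reports next to what the stricter parser returns, so the inputs that only the looser check lets through are visible side by side.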