MrVaux Posted September 28, 2010

I just decided to turn register globals from on to off. This change made a lot of trouble for me. I simply can't update a record in the DB anymore. I get the following error message:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /customers/websides.dk/websides.dk/httpd.www/luffe/liga/admin/form_edit_news.php on line 18

I believe the problem is that the variable is empty, but I'm not sure. How do I rewrite the code below to work with register globals = off?

<?
include "admin_menu.php";
$id = $_GET['id'];
$news = $_GET['news'];
include "config.php";
$link = mysql_connect($dbhost, $dbuser, $dbpasswd) or die("Couldn't establish connection");
mysql_select_db($dbname);
$query = "SELECT * FROM league_news WHERE id = id";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
echo "<H3>Info text</H3>\n";
echo "<table style='border-width:1px; border-style:dashed; border-color:#000000;' width='600px' cellpadding='4' cellspacing='0' bgcolor='#cee5cb'>\n";
echo "<tr>\n";
echo "<td width='100%'>$row[news]</td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
echo "<td width='100%'></td>\n";
echo "</tr>\n";
echo "</table>\n";
echo "<br>\n";
echo "</form>\n";
echo "<a href='form_edit_news.php?id=$row[id]'><b>Edit info</b></a>";
?>

mds1256 Posted September 28, 2010

Shouldn't the line:

$query = "SELECT * FROM league_news WHERE id = id";

look more like:

$query = "SELECT * FROM league_news WHERE id = $id";

Pikachu2000 Posted September 28, 2010

I don't see an opening <form> tag in that code.

BlueSkyIS Posted September 28, 2010

^yes. also: your SQL is failing but you don't know it. so $result is not a valid resource. check it this way:

$result = mysql_query($query) or die(mysql_error() . " IN: $query");

MrVaux Posted September 29, 2010 Author

> I don't see an opening <form> tag in that code.

Actually the </form> tag is to be cleaned up since there is no form on that page. Thanks for noticing.

> $result = mysql_query($query) or die(mysql_error() . " IN: $query");

What does this do? Does it write out the errors in the query?

So it actually works at the moment, I think.... I changed the

$news = $_GET['news'];

to

$news = $_REQUEST['news'];

Thanks for all your input so far...

yaMz Posted September 29, 2010

This is very unsafe code practice:

<?php
$id = $_GET['id']; //allows injection
$news = $_GET['news']; //allows injection
//consider mysql_real_escape_string() and strip_tags()
?>

MrVaux Posted September 29, 2010 Author

> This is very unsafe code practice:
>
> <?php
> $id = $_GET['id']; //allows injection
> $news = $_GET['news']; //allows injection
> //consider mysql_real_escape_string() and strip_tags()
> ?>

I am pretty n00B at php, so how were you to code what you suggest?

yaMz Posted September 29, 2010

Since you are using $_GET, the information can be altered by input.

Small example: someone sends a query directly from their browser:

http://yoursite.com/script.php?id=1<?phpinfo();?>

<?php
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
?>

will now output:

<input type='hidden' name='id' value='{<?phpinfo();?>}'>

This would allow them to view your php.ini settings. This would only be the beginning.

<?php
include ("admin_menu.php");
// if ID is to only return numbers, it'd be simpler to:
$id = preg_replace("/[^0-9]/", "", $_GET['id']);
//and
$news = mysql_real_escape_string(strip_tags($_GET['news']));

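A hardened version of the page's lookup, as an added example that is not code from any poster in this thread: the id is validated as an integer, the query uses a bound parameter, and values are HTML-escaped on output. It uses PDO because the mysql_* functions shown in the thread were removed in PHP 7.0; the in-memory SQLite database, the sample row, and the helper names parse_id, fetch_news, h and render_news are assumptions made so the script runs stand-alone, and it assumes the news text is meant to be displayed as plain text.

```php
<?php
// Added example, not code from the thread. SQLite in memory and the sample row
// are constructed stand-ins for the poster's MySQL table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE league_news (id INTEGER PRIMARY KEY, news TEXT)');
$db->exec("INSERT INTO league_news VALUES (1, 'Season starts <b>Monday</b>')");

// Accept only a plain positive decimal integer; anything else is rejected, not "cleaned".
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameter: the value is sent separately and never becomes part of the SQL text.
function fetch_news(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, news FROM league_news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape at output time, for element content and quoted attributes alike.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_news(PDO $db, array $get): string
{
    $id = parse_id($get['id'] ?? null);
    if ($id === null) {
        return "Invalid id\n";
    }
    $row = fetch_news($db, $id);
    if ($row === null) {
        return "No such news item\n";
    }
    return "<td width='100%'>" . h($row['news']) . "</td>\n"
         . "<a href='form_edit_news.php?id=" . h($row['id']) . "'><b>Edit info</b></a>\n";
}

// Constructed requests: a valid id, the tampered value from the post above, a missing row.
foreach (['1', '1<?phpinfo();?>', '2'] as $raw) {
    echo render_news($db, ['id' => $raw]);
}
```

With a MySQL database only the PDO connection string changes; the prepared statement and the escaping stay the same.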
MrVaux Posted September 29, 2010 Author

Thanks a lot for taking your time to show me all this. I will try to recode it when I get off work.

This topic is now archived and is closed to further replies.