MrVaux Posted September 28, 2010

I just decided to turn register globals from on to off. This change made a lot of trouble for me. I simply can't update a record in the DB anymore. I get the following error message:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /customers/websides.dk/websides.dk/httpd.www/luffe/liga/admin/form_edit_news.php on line 18

I believe the problem is that the variable is empty, but I'm not sure. How do I rewrite the code below to work with register globals = off?

```php
<?
include "admin_menu.php";
$id = $_GET['id'];
$news = $_GET['news'];
include "config.php";
$link = mysql_connect($dbhost, $dbuser, $dbpasswd) or die("Couldn't establish connection");
mysql_select_db($dbname);
$query = "SELECT * FROM league_news WHERE id = id";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
echo "<H3>Info text</H3>\n";
echo "<table style='border-width:1px; border-style:dashed; border-color:#000000;' width='600px' cellpadding='4' cellspacing='0' bgcolor='#cee5cb'>\n";
echo "<tr>\n";
echo "<td width='100%'>$row[news]</td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
echo "<td width='100%'></td>\n";
echo "</tr>\n";
echo "</table>\n";
echo "<br>\n";
echo "</form>\n";
echo "<a href='form_edit_news.php?id=$row[id]'><b>Edit info</b></a>";
?>
```

mds1256 Posted September 28, 2010

Shouldn't the line:

```php
$query = "SELECT * FROM league_news WHERE id = id";
```

look more like:

```php
$query = "SELECT * FROM league_news WHERE id = $id";
```

Pikachu2000 Posted September 28, 2010

I don't see an opening <form> tag in that code.

BlueSkyIS Posted September 28, 2010

^yes. also: your SQL is failing but you don't know it. so $result is not a valid resource. check it this way:

```php
$result = mysql_query($query) or die(mysql_error() . " IN: $query");
```

MrVaux (Author) Posted September 29, 2010

> I don't see an opening <form> tag in that code.

Actually the </form> tag is to be cleaned up since there is no form on that page. Thanks for noticing.

> $result = mysql_query($query) or die(mysql_error() . " IN: $query");

What does this do? Does it write out the errors in the query?

So it actually works at the moment, I think.... I changed the $news = $_GET['news']; to $news = $_REQUEST['news'];

Thanks for all your input so far...

yaMz Posted September 29, 2010

This is very unsafe code practice:

```php
<?php
$id = $_GET['id']; //allows injection
$news = $_GET['news']; //allows injection
//consider mysql_real_escape_string() and strip_tags()
?>
```

MrVaux (Author) Posted September 29, 2010

> This is very unsafe code practice:
>
> <?php
> $id = $_GET['id']; //allows injection
> $news = $_GET['news']; //allows injection
> //consider mysql_real_escape_string() and strip_tags()
> ?>

I am pretty n00B at php, so how were you to code what you suggest?

yaMz Posted September 29, 2010

Since you are using $_GET, the information can be altered by input.

Small Example: Someone sends query directly from their browser:

http://yoursite.com/script.php?id=1<?phpinfo();?>

```php
<?php
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
?>
```

will now output:

```html
<input type='hidden' name='id' value='{<?phpinfo();?>}'>
```

This would allow them to view your php.ini settings. This would only be the beginning.

```php
<?php
include ("admin_menu.php");
// if ID is to only return numbers, it'd be simpler to:
// (the pattern needs delimiters; "[^0-9]" alone treats [ ] as the delimiters)
$id = preg_replace("/[^0-9]/", "", $_GET['id']);
//and
$news = mysql_real_escape_string(strip_tags($_GET['news']));
```
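
Added example, not code from any poster in this thread: the same page logic with the `id` validated as an integer, the query parameterized, and the output encoded for HTML. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL one; `render_news()` and the sample rows are constructed for illustration.

```php
<?php
// SQLite in memory stands in for the thread's MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE league_news (id INTEGER PRIMARY KEY, news TEXT)');
// Constructed rows; the second holds markup to show output encoding.
$pdo->exec("INSERT INTO league_news (id, news) VALUES
    (1, 'Season starts Friday'), (2, '<b>Cup draw</b> & fixtures')");

/** Render the info box for one news row, or null if the id is unusable. */
function render_news(PDO $pdo, $rawId)
{
    // Reject anything that is not a positive integer instead of "cleaning" it.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, news FROM league_news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Encode for the HTML context at output time, quotes included.
    $news = htmlspecialchars($row['news'], ENT_QUOTES, 'UTF-8');
    $href = 'form_edit_news.php?id=' . rawurlencode((string) $row['id']);
    return "<td width='100%'>$news</td>\n"
         . "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
         . "'><b>Edit info</b></a>\n";
}

// Constructed request values, including the one quoted in the thread.
$samples = ['2', '1 OR 1=1', '1<?phpinfo();?>', '', '999'];
foreach ($samples as $raw) {
    $html = render_news($pdo, $raw);
    echo str_pad(var_export($raw, true), 22), ' => ',
         $html === null ? "rejected / not found\n" : $html;
}
```

Only `'2'` produces markup, with the stored `<b>` and `&` emitted as entities; every other sample is rejected before it reaches the query or the page.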

MrVaux (Author) Posted September 29, 2010

Thanks a lot for taking your time to show me all this. I will try to recode it when I get off at work