Jump to content

post mysql query


gmaster_PT

Recommended Posts

hi all 

<?php
if (substr($_POST['tag'], 0, 15) == 'chave|commando|'){
include 'db_con.php';
session_start();
$sql = substr($_POST['tag'], 15, 2000);						
$result = mysql_query($sql);
mysql_close($con);
echo $results;
} else { 
"<script>window.location = 'http://www.google.com'</script>";
}
?>

the tag recive "Update config_hal SET pgtobtn = 5 " if i send the tag like that this works fine ...

if i try to send like that  "Update config_hal SET pgtobtn = N " this dont work...

i know that i should write something like this "Update config_hal SET pgtobtn = 'N' " but also dont work 

can anybody tellme whats wrong with my code????

Link to comment
Share on other sites

i hope you are not going to use this method, of getting the whole sql query statement via user submitted data, on an actual live web site?

 

your current code will allow anyone who finds the site it run any query they want. they will either delete your data or set any of your data to anything they want.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.