Perad Posted February 19, 2007

I am starting to get one of those headaches that come as a result of frustration and boredom. In short I am converting my site to use Smarty and have become a bit undone on this.

In my template:

<div class="commentbox">
{if $isloggedin == TRUE}
<form action="{$currentpage}?action=addcomment&p={$commentpage}&id={$id}" method="post">
You are posting as {$username}<br />
<textarea cols="60" rows="8" name="comment"></textarea><br />
<input type="submit" name="submit" value="Add Comment">
</form>
{elseif $isloggedin == FALSE}
Please Log In to post a comment.
{/if}
</div>

Translations:

{$currentpage} = $_SERVER['PHP_SELF']
{$commentpage} = 1
{$id} = article id.

When you add a comment the article id and page information are transferred in the HTTP request. I am using a switch statement to get the actions and process the code.

case 'addcomment':
    function addComment() {
        global $dbc;
        $p = $_GET['p'];
        $id = $_GET['id'];
        $c = $_POST['comment'];
        $username = $userdata['username'];
        $userid = $userdata['user_id'];

        /* insert the comment */
        $query = "INSERT INTO comments (id, name, comment, user_id, page) VALUES ('$id', '$username','$c', '$user_id', '$p')" OR die ('Could not connect to MySQL: ' . mysql_error() );
        $result = mysql_query ($query);

        echo $p . ' ' . $id . ' ' . $c;

        if ($result) {
            echo "Your comment has been posted. <a href={$_SERVER['PHP_SELF']}?action=show&id=$id".">Return to article</a>";
        } else {
            echo 'Entering the comment has failed, if the problem persists please contact the administrator';
        }
    }
    addComment();
    break;

The problem is that the $query is just ignored.

echo $p . ' ' . $id . ' ' . $c;

writes out all the information I need, so I know my variables are working.

Please can someone help; it may be something small and silly, but in all honesty it has kept me baffled for the last 40 minutes.

https://forums.phpfreaks.com/topic/39172-database-query-isnt-erm-querying/
printf Posted February 19, 2007

You can't use OR die(...) on a variable assignment, only on a function... So this...

$query = "INSERT INTO comments (id, name, comment, user_id, page) VALUES ('$id', '$username','$c', '$user_id', '$p')" OR die ('Could not connect to MySQL: ' . mysql_error() );
$result = mysql_query ($query);

should be changed to this...

$query = "INSERT INTO comments (id, name, comment, user_id, page) VALUES ('$id', '$username','$c', '$user_id', '$p')";
$result = mysql_query ($query) or die ('Could not connect to MySQL: ' . mysql_error() );
monk.e.boy Posted February 19, 2007

Have you tried SQL injections into this code? Do you have magic quotes on? Google 'PHP SQL injection', because it looks like you may have holes.

monk.e.boy
tom100 Posted February 19, 2007

Printf got the problem, but monkey nailed another one. Make sure you are validating all of your input. Especially those GET variables. I usually run scripts like these at the top of my pages as a quick way to secure all code, then do further validation down the road.

<?php
if (isset($_POST)) {
    foreach ($_POST as $key=>$post) {
        $_POST[$key]=htmlspecialchars($post, ENT_QUOTES);
    }
}
?>
monk.e.boy Posted February 20, 2007

Quoting tom100:

<?php
if (isset($_POST)) {
    foreach ($_POST as $key=>$post) {
        $_POST[$key]=htmlspecialchars($post, ENT_QUOTES);
    }
}
?>

That's quite nice. Don't forget to do the $_GET and $_REQUEST and cookie stuff.

monk.e.boy
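The replies above cover two separate issues: printf's fix for the misplaced "OR die" and monk.e.boy's and tom100's warning that the GET and POST values go straight into the SQL string. The following is an added example, not code from anyone in this thread, that rebuilds addComment() with PDO prepared statements so the database never sees user input as part of the query text, validates the id and p parameters as positive integers, and applies htmlspecialchars only when rendering HTML (the htmlspecialchars loop in the two posts above encodes for HTML output; it does not make a value safe inside an SQL statement, which is why the two concerns are kept apart here). It runs stand-alone against an in-memory SQLite database whose table layout copies the columns from the original INSERT; the $userdata fields, the function names and the sample request values are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread): addComment() rebuilt on PDO prepared
// statements. Uses in-memory SQLite so it runs stand-alone; the "comments"
// table copies the columns named in the original INSERT.
// Assumption: $userdata carries 'username' and 'user_id' for the logged-in user.

function validateId(array $src, string $key): ?int
{
    // Accept only a positive integer. Anything else (missing, text, "42 OR 1=1") is rejected.
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

function addComment(PDO $dbc, array $get, array $post, array $userdata): string
{
    $id = validateId($get, 'id');
    $p  = validateId($get, 'p');
    $c  = trim((string) ($post['comment'] ?? ''));

    if ($id === null || $p === null || $c === '') {
        return 'Invalid request.';
    }

    // Placeholders keep user data out of the SQL text; the driver sends values separately,
    // so quotes or SQL keywords inside a comment are stored as plain characters.
    $stmt = $dbc->prepare(
        'INSERT INTO comments (id, name, comment, user_id, page) VALUES (?, ?, ?, ?, ?)'
    );
    $ok = $stmt->execute([$id, $userdata['username'], $c, $userdata['user_id'], $p]);

    if (!$ok) {
        return 'Entering the comment has failed, if the problem persists please contact the administrator';
    }
    // Escape at output time, where the context (an HTML attribute) is known.
    $self = htmlspecialchars($_SERVER['PHP_SELF'] ?? 'article.php', ENT_QUOTES, 'UTF-8');
    return "Your comment has been posted. <a href=\"{$self}?action=show&amp;id={$id}\">Return to article</a>";
}

// --- stand-alone demo with constructed input ---
$dbc = new PDO('sqlite::memory:');
$dbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbc->exec('CREATE TABLE comments (id INTEGER, name TEXT, comment TEXT, user_id INTEGER, page INTEGER)');

$userdata = ['username' => 'perad', 'user_id' => 7];   // constructed session data

// A comment containing quotes and a SQL comment marker is stored intact.
echo addComment($dbc, ['id' => '42', 'p' => '1'], ['comment' => "O'Reilly's view -- <b>not bold</b>"], $userdata), "\n";
// A tampered id never reaches the database.
echo addComment($dbc, ['id' => '42 OR 1=1', 'p' => '1'], ['comment' => 'hi'], $userdata), "\n";

foreach ($dbc->query('SELECT id, name, comment, page FROM comments') as $row) {
    // Encode when rendering the stored comment into HTML, not when storing it.
    printf("%d %s %s %d\n", $row['id'], $row['name'],
        htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), $row['page']);
}
```

Swapping the PDO DSN for a MySQL one ("mysql:host=...;dbname=...") keeps the rest unchanged, since prepare()/execute() behave the same across drivers; with ERRMODE_EXCEPTION set, a failed query throws instead of being silently ignored, which is the symptom the original post describes.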
Archived: This topic is now archived and is closed to further replies.