R1der Posted June 5, 2007

OK, I have made a classifieds page, but when you click "Post" it inserts the 'id' and 'username', but when it comes to adding the 'text' part it INSERTS '0' and I can't understand why :S Can anyone help with this?

    <?php
    session_start();
    include("gameconfig.php");
    $title = "Classifieds";
    if(!$email || !$password){
        error("field");
        exit;
    }
    if($playerinfo['password'] != $password){
        error("password");
    }else{
        include("top.php");
        $cost=1000*$playerinfo['level'];
        echo "<center>Tribal Classifieds<br><br></center>";
        echo "<center>It will cost you $cost gold to post a advertisement<br><br></center>";
        echo "<center><form method=post action=classifieds.php?action=post>Advertise: <input name=post size=12> <INPUT TYPE=SUBMIT VALUE=Post></FORM></center>";
        // List the 20 newest advertisements
        $select = mysql_query("select * from classifieds order by id DESC LIMIT 20");
        while($lis = mysql_fetch_array($select)) {
            if($playerinfo['status'] !="Member"){
                echo "<center>[<a href=classifieds.php?step=delete&id=$lis[id]>D</a>] ";
                echo "$lis[username]: $lis[text]</center><br>";
            }else{
                echo "$lis[username]: $lis[text]</center><br>";
            }
        }
        // Post a new advertisement
        if($action == "post") {
            $post = abs($post);
            $post = str_replace("-","",$post);
            $cost=1000*$playerinfo['level'];
            if($playerinfo['gold'] > $cost){
                mysql_query("UPDATE userdb set gold=gold-$cost WHERE id='$playerinfo[id]'");
                mysql_query("INSERT INTO classifieds (id, username, text) VALUES ('', '$playerinfo[username]', '$post')") or die(mysql_error());
                echo "<center>You successfully added your advertisement.</center>";
            }else{
                echo "<center>You do not have enough gold to proceed</center>";
            }
        }
        // Delete an advertisement
        if ($step == "delete") {
            echo "News deleted. <a href=classifieds.php>Back</a>";
            $remove = mysql_query("delete from classifieds where id='$id'");
        }
        include("bottom.php");
    }
    ?>

Thanks.

Oh, and also can you tell me if my code (text box) is secure enough from SQL injections?

Thanks for your time

Link to comment https://forums.phpfreaks.com/topic/54240-solved-insert-problem/

only one Posted June 5, 2007

    mysql_query("UPDATE userdb set gold={$playerinfo['gold']}-$cost WHERE id='$playerinfo[id]'");

R1der (Author) Posted June 5, 2007

Erm, the update query works fine how it is. Why would that have anything to do with the INSERT query?

only one Posted June 5, 2007

    (`id`, `username`, `text`)

Try that? I don't see anything wrong.

R1der (Author) Posted June 5, 2007

Nope, that didn't work either. I know, I looked at it for a good 2 hours yesterday and couldn't spot anything. I even tried rewriting it and still got the same thing.

only one Posted June 5, 2007

Is it showing up an error?

R1der (Author) Posted June 5, 2007

No, it posts, but instead of it showing what they typed in it puts a '0'. The database type is varchar(255).

only one Posted June 5, 2007

If it's only a number you should use int, then it will insert 0.

R1der (Author) Posted June 5, 2007

But I don't want it to insert '0' lol. It's an advertisement thing, so they type something and it shows, i.e. they type 'I am selling crystals' and it should insert "I am selling crystals", but it's not, it's inserting '0'. Get what I mean?

only one Posted June 5, 2007

Yeah, I understand. I don't think you want to use the abs function:

    $post = abs($post);

That's only going to define whether it's varchar or integer.

R1der (Author) Posted June 5, 2007

Oh, I got told that would protect the textbox from SQL injections.

R1der (Author) Posted June 5, 2007

OK, it worked once I removed that. So how can I protect the text box now from SQL injections?

R1der (Author) Posted June 5, 2007

How about something like this.. would this work?

    $post['post']=str_replace(array("<", ">","\'"), array("<", ">", "'"), $post['post']);

Would that work to protect it?

only one Posted June 5, 2007

Yeah:

    $post = str_replace(array("<", ">","\'"), array("<", ">", "'"), $post['post']);

R1der (Author) Posted June 5, 2007

kk, thanks for all your help.

mmarif4u Posted June 5, 2007

The best way to protect from SQL injection is:

    $post=mysql_real_escape_string($_POST['post']);

It will protect more than the code you mention. Hope this will help.

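Added example, not part of the original thread or any poster's code: the post, delete and display steps discussed above, with the free-text advertisement bound as a query parameter instead of being passed through abs() or str_replace(), the numeric id validated as an integer, and HTML escaping applied on output. PDO with an in-memory SQLite database, the function names, the 'Admin' status and the sample rows are assumptions made so the script runs on its own.

```php
<?php
// Added example with constructed data. PDO + in-memory SQLite is an assumption
// so it runs offline; the thread's code used the old mysql_* functions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE classifieds (id INTEGER PRIMARY KEY, username TEXT, text TEXT)');

// Store the advertisement as typed. Bound parameters keep the value out of the
// SQL text, so an apostrophe in it cannot change the statement.
function post_ad(PDO $db, string $username, string $text): int
{
    $text = trim($text);
    if ($text === '' || strlen($text) > 255) { // column in the thread is varchar(255)
        throw new InvalidArgumentException('advertisement must be 1 to 255 bytes');
    }
    $stmt = $db->prepare('INSERT INTO classifieds (username, text) VALUES (?, ?)');
    $stmt->execute([$username, $text]);
    return (int) $db->lastInsertId();
}

// The id is the one value that really is numeric: validate it as an integer,
// and check the caller's status here, not only when rendering the [D] link.
function delete_ad(PDO $db, string $status, $id): bool
{
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($status === 'Member' || $id === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM classifieds WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// Escape on output: this is where < > " ' matter, not in the query.
function render_ad(array $row): string
{
    return htmlspecialchars($row['username'] . ': ' . $row['text'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: an apostrophe and some markup in the text field.
$id = post_ad($db, 'alice', "Don't miss out: I am selling crystals");
post_ad($db, 'bob', '<b>cheap gold</b>');
foreach ($db->query('SELECT * FROM classifieds ORDER BY id DESC LIMIT 20') as $row) {
    echo render_ad($row), "\n";
}
// Hypothetical callers: a Member, a malformed id, then a permitted delete.
var_dump(delete_ad($db, 'Member', $id));
var_dump(delete_ad($db, 'Admin', '7x'));
var_dump(delete_ad($db, 'Admin', $id));
```
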
Archived
This topic is now archived and is closed to further replies.