jbrill Posted July 6, 2007

If I have this:

    $update = "UPDATE guestbook SET actual_time='".$_POST['actual_time']."', cat='".$_POST['cat']."', subcat='".$_POST['subcat']."', machine_time='".$_POST['machine_time']."', setup='".$_POST['setup']."', notes='".$_POST['notes']."' WHERE id='".$_GET['idr']."'";
    echo $update."<br>";
    mysql_query($update);
    echo "<table align=\"center\" border=\"0\" cellpadding=\"5\" cellspacing=\"0\" class=\"tableoutline\"> <tr> <td class=\"success\">";
    echo "Step Was Updated Successfully!</td></tr></table>";

I would like, upon success, to forward to modjob.php where idr = id and table = jobs. Could someone please write this for me?
roopurt18 Posted July 6, 2007

I refuse to help you with your actual question until you remove the unsanitized data from your MySQL query.

http://www.php.net/mysql_real_escape_string
jbrill Posted July 6, 2007 (Author)

I'm completely new to PHP, please have mercy! haha. Could you please explain what you mean? The link is great, but I need clarification/an example.
teng84 Posted July 6, 2007

    modjob.php?idr = id &table = jobs

You could have your link like this. Am I correct with this?
roopurt18 Posted July 6, 2007

You are taking raw data directly from $_POST and $_GET and inserting it into your database.

    $update = "UPDATE guestbook SET actual_time='".$_POST['actual_time'] . "...";

What happens if I enter the following in your actual_time field:

    NULL; DELETE * FROM guestbook WHERE 1;

Your SQL query then becomes:

    UPDATE guestbook SET actual_time=NULL; DELETE * FROM guestbook WHERE 1;

It would take some experimenting and knowledge about your site to get that far, but careless programming makes that kind of information easy to retrieve.
jbrill Posted July 6, 2007 (Author)

So what is the proper way to do it?
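What the last question asks for, as an added example that is not code from any poster in this thread: the same UPDATE written with bound parameters, so the posted values never become part of the SQL text, followed by the redirect to modjob.php on success. It uses PDO prepared statements instead of mysql_real_escape_string (the mysql_* functions were removed in PHP 7); the database name and credentials are placeholders, and treating id as an integer column is an assumption.

```php
<?php
// Added example, not from the thread. The DSN, user and password are
// placeholders; replace them with the real connection details.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

// Assumption: id is an integer column. Validate $_GET['idr'] before it
// goes anywhere near the query instead of pasting it in as text.
$id = filter_input(INPUT_GET, 'idr', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Every user-supplied value is bound as a parameter. The SQL text never
// contains the posted strings, so the "NULL; DELETE ..." input from
// roopurt18's post is stored as the literal contents of actual_time
// rather than executed as a second statement.
$sql = 'UPDATE guestbook
        SET actual_time = :actual_time, cat = :cat, subcat = :subcat,
            machine_time = :machine_time, setup = :setup, notes = :notes
        WHERE id = :id';
$stmt = $pdo->prepare($sql);

$fields = ['actual_time', 'cat', 'subcat', 'machine_time', 'setup', 'notes'];
foreach ($fields as $f) {
    // A missing POST field becomes an empty string instead of a PHP notice.
    $stmt->bindValue(':' . $f, $_POST[$f] ?? '', PDO::PARAM_STR);
}
$stmt->bindValue(':id', $id, PDO::PARAM_INT);

// With ERRMODE_EXCEPTION a failed UPDATE throws, so reaching the redirect
// below means the statement succeeded.
$stmt->execute();

// Forward to modjob.php with idr=<id> and table=jobs. http_build_query()
// URL-encodes the values; exit stops any further output after the header.
$query = http_build_query(['idr' => $id, 'table' => 'jobs']);
header('Location: modjob.php?' . $query, true, 303);
exit;
```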