Posted by shimmyshack on 02/14/07 23:42
On 14 Feb, 23:11, "edward_sanders" <edward_sand...@bellsouth.net>
wrote:
> I meant to add that I am using PHP 5.2.x and
> mysql 5
> Thanks,
> Bruce
>
> "edward_sanders" <edward_sand...@bellsouth.net> wrote in message news:...
> > Hi,
> > This is a newbie question. I am using a text for learning php/mysql.
> > The example is that of a mysql
> > database of jokes. Before we get to joins there is a
> > simple table with 3 fields, ID field (primary key, integer),
> > JokeText, and JokeDate. In the program for some
> > reason the code is not retrieving the ID for each
> > row from the db. It gets the JokeText field just fine.
> > Let me include the snippets below.
>
> > This is where each row (each joke) is to be displayed.
> > Note that the ID is used to give the option of deleting a
> > joke from the db. The link tag is supposed to get that
> > ID passed to the link but that isn't happening. Please help.
>
> > // Display the text of each joke in the paragraph
> > while ( $row = mysql_fetch_array($result)) {
> > $jokeid = $row["ID"];
> > echo ($row["ID"]);
> > $deletejoke=$jokeid;
> > $joketext = $row["JokeText"];
> > $thispage = $_SERVER["PHP_SELF"];
> > echo("<p>$joketext " .
> > "<A HREF='$thispage?deletejoke=$jokeid'>" .
> > "Delete this Joke</a></p>");
> > }
>
> > Then the code to delete the joke ( the row from the
> > db) is as follows:
> > // If a joke has been deleted,
> > // remove it from the database
> > if (isset($_GET['deletejoke'])) {
> > $deletejoke=$_GET['deletejoke'];
> > echo("<p>The joke to delete is number $deletejoke");
> > $sql = "DELETE FROM jokes " .
> > "WHERE ID=$deletejoke";
> > if (mysql_query($sql)) {
> > echo("<p>The joke has been deleted.</p>");
> > } else {
> > echo("<p>Error deleting joke: " .
> > mysql_error() . "</p>");
> > }
> > }
>
> > Thanks in advance for any help,
> > Bruce
PS.
The same goes for any GET string you are including in your webpage:
without attention to cleaning them, your users can place any code they
wish into your page, which renders any login you might have
ineffective. For instance, someone could make a form which auto-submits
to your login page, which injects JavaScript inside which reads the
password and sends it off prior to logging in your user. Easy to do,
just because GET or POST vars are being included into the webpage
without proper cleaning, using htmlentities and validation.
I'm thinking here of this line:
"<A HREF='$thispage?deletejoke=$jokeid'>"
which can be used to deface your website etc...
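Added example (not code from either poster): a hardened version of the listing and delete handler quoted above, applying the validation and output-encoding the reply recommends, plus a prepared statement so the id is bound as a parameter instead of being concatenated into the DELETE. It assumes a PDO connection to a database with the table jokes(ID, JokeText, JokeDate) from the question; the connection parameters are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL database with
// table jokes(ID INT PRIMARY KEY, JokeText TEXT, JokeDate DATE); the host,
// database name and credentials below are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

// 1. Validation: accept only a positive integer for the joke id. Anything
//    else is rejected before it reaches SQL or HTML. Returns int or null.
function validJokeId($value)
{
    if (!is_string($value)) {
        return null;
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Deletion through a prepared statement: the id travels as a bound
//    parameter, so its content can never change the structure of the query.
if (isset($_GET['deletejoke'])) {
    $jokeid = validJokeId($_GET['deletejoke']);
    if ($jokeid === null) {
        http_response_code(400);
        echo '<p>Invalid joke id.</p>';
    } else {
        $stmt = $db->prepare('DELETE FROM jokes WHERE ID = :id');
        $stmt->execute([':id' => $jokeid]);
        // rowCount() distinguishes "deleted" from "no such row".
        echo $stmt->rowCount() === 1
            ? '<p>The joke has been deleted.</p>'
            : '<p>No joke with that id exists.</p>';
    }
}

// 3. Output encoding: everything written into the page, including the joke
//    text and the script path used in the link, is HTML-escaped so that
//    data cannot break out of the markup (the "cleaning" the reply describes).
$thispage = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

// The SELECT list names the columns explicitly; the keys of each $row are the
// column names exactly as the server returns them.
$rows = $db->query('SELECT ID, JokeText FROM jokes ORDER BY ID');
foreach ($rows as $row) {
    $jokeid   = (int) $row['ID'];
    $joketext = htmlspecialchars($row['JokeText'], ENT_QUOTES, 'UTF-8');
    echo "<p>$joketext <a href=\"$thispage?deletejoke=$jokeid\">Delete this Joke</a></p>";
}
```

The delete stays reachable through a GET link so the example maps onto the original code; since the reply's auto-submitting-form scenario applies to any link or form a browser will follow, a destructive action like this one is better placed behind a POST request carrying a per-session token.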