I got it, thanks Balint
The problem is that if you put the POST value directly into the query, it becomes
a place for attack code in the field... (e.g. DROP DATABASE;) This is called
"SQL injection"...
What I mean by filtering:
always check the values before using them in a query, e.g.:
$id = $_POST['id'];
if (is_numeric($id)) { /* ... run the query ... */ } else { /* bad post */ }
and at
Thanks to all :D
Paul, you are absolutely right :D
It was a bad mistake on my part;
there was no need to convert it.
Balint helped me, and with mysql_error I found that
my code didn't have any mistake;
I just forgot the BIG thing!
Selecting the db :D
I totally forgot it because I had array keys with an if statement, and in there I
Hello Negin,
$query1="select * from patient where id=".$_POST['txt'];
$result1=mysql_query($query1);
$rows=mysql_num_rows($result1);
Note: you *didn't* execute the query by calling mysql_query on it.
--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mo
"Vitalii Demianets" wrote:
>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
>Holy Jesus!
>Can't wait to send to your server POST request with txt="1;DROP
>DATABASE; --"
>
>Of course, if you'
Of course you have to use filters, etc...
Bálint Horváth
On 25 May 2011 09:53, "Vitalii Demianets" wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send
On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
> my code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> it works but
Holy Jesus!
Can't wait to send to your server POST request with txt="1;DROP DATABASE; --"
Of course, if you'll switch to prepared statements instead
Problem solved successfully after changing the query to use the integer without apostrophes..
and printing mysql_errno() and mysql_error()...
Remember:
-In scripting languages such as PHP, the apostrophe ' or " or something like these is
the string marker...
-While you're developing, show all error codes and messages...
-If you
On Wed, May 25, 2011 at 08:57:18AM +0430, Negin Nickparsa wrote:
> $id=(int)$_POST['txt'];
> $query1="select * from patient where id=".$id."";
You're not *thinking* about what you're doing. The above is silly. Think
about it: you're sending a string to MySQL. If $_POST['txt'] returns a
string whi
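Pulling together the three points made in this thread (Bálint's advice to validate the value before it reaches the query, Vitalii's suggestion to switch to prepared statements, and Paul's objection to the bare (int) cast), here is an added example that is not code from any of the posters. It assumes a MySQL table `patient` with an integer `id` column and uses hypothetical connection constants; it is written against mysqli, which replaced the mysql_* extension the thread uses.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `patient` with an
// integer column `id`; the connection constants below are hypothetical.
const DB_HOST = 'localhost';
const DB_USER = 'app';
const DB_PASS = 'secret';
const DB_NAME = 'clinic';

// 1. The vulnerable pattern from the thread: untrusted POST data concatenated
//    into SQL. The attacker controls the text of the statement. Note that
//    mysql_query() does not execute stacked statements, so "1;DROP DATABASE"
//    would fail there, but "1 OR 1=1" silently returns every patient row.
function vulnerableQuery(string $txt): string
{
    return "select * from patient where id=" . $txt;
}

// 2. Input validation in the spirit of Bálint's is_numeric() check, but
//    stricter: ctype_digit() accepts only [0-9]+, whereas is_numeric() also
//    accepts "1e3", " 1" and "1.5". Rejecting bad input is preferable to
//    silently casting (int)"1;DROP" to 1, which hides the attack attempt.
function validatedId(string $txt): ?int
{
    if ($txt === '' || !ctype_digit($txt)) {
        return null;
    }
    return (int)$txt;
}

// 3. Prepared statement: the SQL text and the parameter travel to the server
//    separately, so no value can change the structure of the query, and the
//    integer parameter is never quoted inside the SQL text at all.
function findPatient(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM patient WHERE id = ?");
    if ($stmt === false) {
        // Surface the error while developing (the thread's mysql_error()
        // advice); in production log it rather than echoing it to the client.
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param('i', $id);   // 'i' binds an integer parameter
    $stmt->execute();
    $result = $stmt->get_result(); // requires the mysqlnd driver
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Parts 1 and 2 can be demonstrated without a database.
$attack = "1 OR 1=1";
echo vulnerableQuery($attack), "\n";   // select * from patient where id=1 OR 1=1
var_dump(validatedId($attack));        // NULL: rejected before any SQL is built
var_dump(validatedId("42"));           // int(42)

// Part 3 only runs if the hypothetical connection succeeds.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $id = validatedId($_POST['txt'] ?? '');
    if ($id === null) {
        http_response_code(400);
        exit("bad id");
    }
    var_dump(findPatient($db, $id));
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());
}
```

Validation and the prepared statement are not alternatives: the prepared statement is what actually prevents injection, while the validation step gives the application a clear place to reject and log malformed input instead of quietly coercing it.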
I receive nothing, neither a resource id nor false
If the query is incorrect you get boolean false; if it's correct you get a
resource id...
Bálint Horváth
On 25 May 2011 06:28, "Negin Nickparsa" wrote:
$result1=mysql_query($query1);
echo $result1;
It can't echo $result1.
I don't know why?
Bálint Horváth,
my second post uses your idea.
Your idea is working, but why do I still have an error?
$id=(int)$_POST['txt'];
$query1="select * from patient where id=".$id."";
echo $query1;
$result1=mysql_query($query1);
echo $result1;
$num2=mysql_num_rows($result1);
$num3=mysql_num_fields($result1);
It still has the previous error.
Here is my output: select * from patient where id=1
*Warning*: mysql_
Hi,
I've a simple idea...
If you have an integer in your MySQL column, don't use " around that field in the query...
Try this:
$query="select * from patient where id=".$id."";
There isn't an apostrophe in the MySQL query...
Bálint Horváth
On 25 May 2011 06:06, "Negin Nickparsa" wrote:
> my code is this:
> $query1=