skizzy Posted May 17, 2012

```php
function sig_change()
{
    global $ir, $c, $userid, $h;
    // Form that posts the new signature to preferences.php?action=sigchange2
    print "<h3>Profile Sig Change</h3>
<form action='preferences.php?action=sigchange2' method='post'>
signature (you may use BBcode): <textarea rows=10 cols=50 name='signature'>{$ir['signature']}</textarea><br />
<input type='submit' value='Change Info' /></form>";
}

function do_sig_change()
{
    global $db, $ir, $c, $userid, $h;
    // The posted value is placed into the query string as-is
    $db->query("UPDATE users SET signature='{$_POST['signature']}' WHERE userid=$userid");
    print "signature changed!";
}
```

What it won't do is post to the db. I double-checked the field and it is correct. It will work if I manually post the update in the db, and it shows correctly on the profile page.
Paul Evans Posted May 18, 2012 (edited)

Although would this work ;)

testicle', user_level ='2

The query would be

UPDATE `users` SET `signature` = 'testicle', user_level = '2' WHERE `userid` = {$ir['userid']}

LOL, would be a little more fun IMO. The moral of the story is learn how to sanitise your script or you'll end up like SRB, bitter he got hacked (joke).
lucky3809 Posted May 18, 2012

The database queries should always be secured; the output will not secure the database, even if you have secured the output only... Once a user submits something, it goes to the database first, then to the output. Your game will be hacked fast if you don't have your database secured... Unless you're meaning you have somebody's cheap way of coding and they secured all the vars in another page you included??
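
The point both replies make, as an added example that is not part of the thread: the same signature update written with the value interpolated into the SQL text and with bound parameters, run against the input quoted above. PDO with an in-memory SQLite table stands in for the game's `$db` wrapper, and the function names are hypothetical.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the game's $db wrapper (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, signature TEXT, user_level INTEGER)");
$pdo->exec("INSERT INTO users VALUES (1, '', 1)");

// Constructed request data: the signature value quoted in the reply above.
$userid = 1;
$posted = "testicle', user_level ='2";

// Pattern from the original post: the value is pasted into the SQL text,
// so its quote ends the string and the rest is parsed as another column assignment.
function change_sig_interpolated(PDO $pdo, int $userid, string $sig): void
{
    $pdo->exec("UPDATE users SET signature='{$sig}' WHERE userid=$userid");
}

// Hardened: the SQL text is fixed; values travel separately as bound parameters.
function change_sig_prepared(PDO $pdo, int $userid, string $sig): void
{
    $stmt = $pdo->prepare('UPDATE users SET signature = :sig WHERE userid = :id');
    $stmt->execute([':sig' => $sig, ':id' => $userid]);
}

function fetch_user(PDO $pdo, int $userid): array
{
    $stmt = $pdo->prepare('SELECT signature, user_level FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

change_sig_interpolated($pdo, $userid, $posted);
$row = fetch_user($pdo, $userid);
printf("interpolated: level=%s sig=%s\n", $row['user_level'], $row['signature']);

$pdo->exec("UPDATE users SET signature='', user_level=1 WHERE userid=1"); // reset the row
change_sig_prepared($pdo, $userid, $posted);
$row = fetch_user($pdo, $userid);
// Escape on output too: the stored text is still untrusted when rendered in HTML.
printf("prepared: level=%s sig=%s\n", $row['user_level'],
    htmlspecialchars($row['signature'], ENT_QUOTES, 'UTF-8'));
```

With the prepared statement the whole submitted string is stored as the signature and `user_level` is left alone; escaping at render time covers the separate output concern raised in the last reply.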