Legaci
Posted June 18, 2013

    if(!$_POST['add'])
    {
        $query = array();
        $db->query("SELECT * FROM `inventory` mi LEFT JOIN `items` i ON mi.inv_itemid = i.itmid WHERE mi.inv_userid = '".mysql_real_escape_string($ir['userid'])."'");
        $le = array();
        echo "<table width = '750px' class = 'rounded'><tr><td align = 'center'>
        <table width = '100%'><tr bgcolor = #999999 style = 'font-weight:800;'><td>Item</td><td>Qty</td><td>Add</td> </tr>";
        $num=0;
        while($le = $db->fetch_row($listem))
        {
            echo "<form action = 'display.php?action=add' method = 'post'>
            <tr bgcolor = $color>
            <td align = 'left'>".htmlentities($le['itmname'])."</td>
            <td align = 'left'>".number_format($le['inv_qty'])."</td>
            <td align = 'right'><input type = 'text' name = 'qty' value = ''>
            <input type = 'hidden' name = 'item' value = '".$le['inv_id']."'>
            <input type = 'submit' name = 'add' value = 'Add'></td></tr></form>";
        }
        echo "</table></td></tr></table>";
    }
    else
    {
        $_POST['inv_id'] = abs(intval($_POST['inv_id']));
        $_POST['inv_qty'] = abs(intval($_POST['inv_qty']));
        if(!$_POST['inv_id'] || !$_POST['inv_qty'])
        {
            echo "Error, Please go back and fill the form in correctly!<br/>
            <hr width='750px'>><a href='display.php?action=add'>Back</a><hr width='750px'>";
            $h->endpage();
            exit();

It tells me "Error, Please go back and fill the form in correctly!" I'm trying to make it secure, this is why I am having problems with it. Help would be awesome, thank you.

Dominion
Posted June 18, 2013 (edited)

Read the if()

    if(!$_POST['inv_id'] || !$_POST['inv_qty'])
    {
        echo "Error, Please go back and fill the form in correctly!

Not a security issue... although there are a few here, e.g. mysql_real_escape_string on an ID, why?

Edited June 18, 2013 by Dominion
edited to avoid confusion

Guest
Posted June 18, 2013

I think you need to learn some basic PHP, your past errors could have been prevented if you had learnt the basics.

Legaci (Author)
Posted June 18, 2013

I've almost finished my mod. I haven't coded this myself, I have been converting it to V2, so all the codes I am not familiar with. I am almost successful. I have taken out the mres.

Alan
Posted June 18, 2013

Marginally OT but nevertheless...

"it's a select query. you don't mres coming out of the DB."

Say what now? While I agree, I'd not bother to mres the id, I'd at least have an assertion that it was either an int or a string of digits. Just because it's a SELECT does not mean every effort should be taken to ensure that *any* variable that is passed to is fully sanitized.

As I've said before, and I'll no doubt say again ...

[user Input] -> mysql_real_escape_string() -> [Database] -> htmlentities() -> [browser Output]

where [user Input] means anything from the superglobals (GET/POST/COOKIE/ENV/SESSION/SERVER/FILES), and/or anything read from a file or stream. mres() / he() can of course be replaced with your tool of choice depending on your database and of course scripting language.

I'd also point out "encoding", but I'm sure everybody will do what they normally do and ignore it altogether - with latin_swedish_ci data tables, iso-8859-1 code, cp-1251/2 or utf-8 html... Fun for all the family.
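
The input -> database -> output chain from the post above, as an added example that is not code from this thread or from mccodes. It assumes PDO with an in-memory SQLite database in place of `mysql_*` and the game's `$db` wrapper; `positive_int` and `handle_add` are hypothetical names and the rows are constructed. It reads the `item` and `qty` fields that the posted form sends, which are not the `inv_id` and `inv_qty` keys the posted handler checks.

```php
<?php
declare(strict_types=1);
// Added example. Assumptions: PDO/SQLite stands in for $db; sample rows and POST arrays are constructed.

/** Accept an int or a short string of digits; return it as a positive int, else null. */
function positive_int($value): ?int
{
    if (is_int($value)) {
        return $value > 0 ? $value : null;
    }
    // ctype_digit() rejects '', signs, spaces and decimals; the length cap avoids int overflow.
    if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9) {
        return null;
    }
    return (int) $value > 0 ? (int) $value : null;
}

function handle_add(PDO $pdo, int $userId, array $post): string
{
    // The form's inputs are named "item" and "qty", so read exactly those keys.
    $invId = positive_int($post['item'] ?? null);
    $qty   = positive_int($post['qty'] ?? null);
    if ($invId === null || $qty === null) {
        return 'Error, please go back and fill the form in correctly!';
    }
    // Bound parameters keep values out of the SQL text; the userid filter ties the row to the caller.
    $stmt = $pdo->prepare(
        'SELECT i.itmname, mi.inv_qty FROM inventory mi
         LEFT JOIN items i ON mi.inv_itemid = i.itmid
         WHERE mi.inv_id = :inv AND mi.inv_userid = :uid'
    );
    $stmt->execute([':inv' => $invId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $qty > (int) $row['inv_qty']) {
        return 'Error, you do not have that many of this item.';
    }
    // Encode on the way out to the browser, whatever is stored in the database.
    return 'Adding ' . $qty . ' x ' . htmlentities((string) $row['itmname'], ENT_QUOTES, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (itmid INTEGER PRIMARY KEY, itmname TEXT)');
$pdo->exec('CREATE TABLE inventory (inv_id INTEGER PRIMARY KEY, inv_itemid INT, inv_userid INT, inv_qty INT)');
$pdo->exec("INSERT INTO items VALUES (1, '<b>Sword</b>')");
$pdo->exec('INSERT INTO inventory VALUES (7, 1, 1, 3)');

echo handle_add($pdo, 1, ['item' => '7', 'qty' => '2', 'add' => 'Add']), "\n"; // keys the form sends
echo handle_add($pdo, 1, ['inv_id' => '7', 'inv_qty' => '2']), "\n";           // keys the posted handler reads
echo handle_add($pdo, 1, ['item' => '7abc', 'qty' => '2']), "\n";              // not a string of digits
```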

Dominion
Posted June 18, 2013 (edited)

Bad wording on my part. By "coming out of the database" I mean the ID is an AUTO INCREMENT (generated by the database), and (correct me if I'm wrong) even with mccodes it's not something a user can edit. mres is the wrong thing to check it with even if you felt it necessary. It should be checked beforehand if stored somewhere the user can edit.

Edited June 18, 2013 by Dominion

Legaci (Author)
Posted June 18, 2013 (edited)

The mres was already there and that passed my mind; mainly getting it to work with V2 and was somewhat secure was the priority, but thanks, you helped.

    QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    Query was SELECT * FROM inventory WHERE inv_userid=1 AND inv_itemid=

This is all it tells me. Is this because of

    item_remove($ir['userid'], $r['inv_itemid'], $qty);

or this

    if(!$_POST['add'])
    {
        $query = array();
        $db->query("SELECT * FROM `inventory` mi LEFT JOIN `items` i ON mi.inv_itemid = i.itmid WHERE mi.inv_userid = '".$ir['userid']."'");
        $le = array();
        echo "<table width = '750px' class = 'rounded'><tr><td align = 'center'>
        <table width = '100%'><tr bgcolor = #999999 style = 'font-weight:800;'><td>Item</td><td>Qty</td><td>Add</td> </tr>";
        $num=0;

or could it be global_func.php?

Edited June 18, 2013 by Legaci