MakeWebGames

Forum error


juelpatwary


Well, I just went to post in my forum on my game (first-time post) and an error comes up:

 

Topic Posted!

QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Query was SELECT * FROM forum_forums WHERE ff_id=

It says it posts it (which it does).

Then when I go to see my post, this comes up:

 

QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 20' at line 1

Query was SELECT * FROM forum_posts WHERE fp_topic_id=3 ORDER BY fp_time ASC LIMIT -20, 20

I've just recently installed this mod,

but I don't think that caused it...

That was my first post and it came up with that error...

 

Any help please?

Regards


Re: Forum error

Yeah, I can post properly now, but I can't see the post I first did. It just came up with that error again, but it's fine now if I make a new topic... Anyway, when I try to delete the post (my first one), it comes up with this:

Fatal error: Call to a member function query() on a non-object in /home/bfp111/public_html/forums.php on line 703

On line 703 is this:

 

// $_GET['topic'] is dropped straight into the SQL string with no validation or escaping;
// the fatal error above means $db is not an object in this scope when the line runs.
$q=$db->query("SELECT * FROM forum_topics WHERE ft_id={$_GET['topic']}");

Guest Anonymous

Re: Forum error

Yes I did manage to read what you posted ...

A better (and safer) method is:

 

<?php
// Accept only an all-digit topic id; anything missing or malformed becomes 0.
// \A and \z anchor the whole string (the original used ^...$ with the /m flag,
// which would also accept "12\nfoo" because $ can match before a newline).
$topic = isset($_GET['topic']) && is_string($_GET['topic']) && preg_match('`\A\d+\z`', $_GET['topic'])
    ? intval($_GET['topic'])
    : 0;

// Build the statement from the validated integer only; %u prints it as an unsigned number.
$sql = sprintf("SELECT * FROM `forum_topics` WHERE (`ft_id` = %u)", $topic);

// $db is the game's already-connected mysqli instance (the mysql_* functions used in
// the original were removed in PHP 7). mysqli::query() returns a mysqli_result for a
// SELECT and false on failure.
$rs = $db->query($sql);
if (!($rs instanceof mysqli_result))
{
    // Deliberately generic: do not echo $db->error or the SQL to the user.
    die("<tt>Database Error</tt>");
}
?>

 

There are several important things here ...

 

  • Safely retrieve the topic id#
  • Define the SQL query
  • Check the result

 

You will notice I am not checking for topic id #0 - I will leave that up to the skilled "coders" to figure out.

You will also notice I am not displaying the actual SQL error (if any) - why? Once you learn that, you will then understand more about how security is defined. Quite simply - never give ANY clues as to how the system is running.

Security is not something that can ever be added easily to a system. Yes, I'm far more strict than most on it, but with good reason. Commercially I have to maintain a lot of rather sensitive databases, and whilst I'm self-employed with no true written agreement between myself and my clients, at the end of the day it's my ass that will get chewed if anyone subverts any of the security layers.

So think *very* carefully about what you do - if you only add "some" security, you are really not helping. The more experienced developers understand that it takes a while to learn these tricks, but learn them you must in order to retain a stable product.

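Added example, not code from the thread or from the game's own forums.php: a Python/sqlite3 sketch that reproduces the two failure modes in the first post (an empty value pasted after `ff_id=`, and a pagination offset that goes negative into `LIMIT -20, 20`) beside the validate-then-check pattern of the reply above. It goes one step further than that reply by binding the validated id as a query parameter instead of formatting it into the string with sprintf. The table names are the thread's; the columns, sample rows, `PER_PAGE` and every function name are assumptions made for the example.

```python
"""Unsafe string-built SQL vs. validated, parameterised SQL (Python/sqlite3 stand-in
for the thread's PHP/MySQL forum code; schema and rows are constructed here)."""
import re
import sqlite3
from typing import Optional

PER_PAGE = 20  # assumed page size, matching the "LIMIT ..., 20" in the thread


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the game's forum tables (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forum_forums (ff_id INTEGER PRIMARY KEY, ff_name TEXT);
        CREATE TABLE forum_topics (ft_id INTEGER PRIMARY KEY, ft_forum_id INTEGER, ft_title TEXT);
        CREATE TABLE forum_posts (fp_id INTEGER PRIMARY KEY, fp_topic_id INTEGER,
                                  fp_time INTEGER, fp_text TEXT);
        INSERT INTO forum_forums VALUES (1, 'General');
        INSERT INTO forum_topics VALUES (3, 1, 'First post'), (4, 1, 'Second topic');
        INSERT INTO forum_posts VALUES (1, 3, 100, 'hello'), (2, 3, 200, 'world');
    """)
    return db


# --- The pattern from forums.php: the raw GET value is pasted into the SQL string.
def unsafe_topic_lookup(db: sqlite3.Connection, raw_topic: str) -> list:
    # An empty value yields "WHERE ft_id=" (the syntax error in the thread);
    # a crafted value such as "3 OR 1=1" changes the query's meaning.
    return db.execute(f"SELECT * FROM forum_topics WHERE ft_id={raw_topic}").fetchall()


def naive_offset(page: int, per_page: int = PER_PAGE) -> int:
    # (page - 1) * per_page with page=0 is how "LIMIT -20, 20" comes about.
    return (page - 1) * per_page


# --- Hardened: validate the id, bind it, clamp the page, and never leak the DB error.
_ID_RE = re.compile(r"\A\d+\Z")  # whole string must be digits; \A/\Z, not ^/$


def parse_id(raw: Optional[str]) -> int:
    """Return the id as an int, or 0 for anything missing or not all digits."""
    if not isinstance(raw, str) or not _ID_RE.match(raw):
        return 0
    return int(raw)


def safe_topic_lookup(db: sqlite3.Connection, raw_topic: Optional[str]) -> Optional[tuple]:
    topic = parse_id(raw_topic)
    if topic == 0:          # the "topic id #0" case the reply leaves to the reader
        return None
    # The value is bound by the driver, so it can only ever be compared as a number.
    return db.execute("SELECT * FROM forum_topics WHERE ft_id = ?", (topic,)).fetchone()


def page_offset(raw_page: Optional[str], per_page: int = PER_PAGE) -> int:
    """Pages start at 1; 0, negative or junk input is clamped to page 1, so the
    OFFSET handed to the database can never be negative."""
    page = parse_id(raw_page)
    if page < 1:
        page = 1
    return (page - 1) * per_page


def safe_posts_for_topic(db: sqlite3.Connection, raw_topic: Optional[str],
                         raw_page: Optional[str]) -> list:
    topic = parse_id(raw_topic)
    if topic == 0:
        return []
    return db.execute(
        "SELECT * FROM forum_posts WHERE fp_topic_id = ? ORDER BY fp_time ASC LIMIT ? OFFSET ?",
        (topic, PER_PAGE, page_offset(raw_page)),
    ).fetchall()


def run_request(db: sqlite3.Connection, handler, *args) -> tuple:
    """Mimic the reply's error handling: the user gets a generic message, the real
    driver error is returned separately so it can go to a server-side log."""
    try:
        return handler(db, *args), None
    except sqlite3.Error as exc:
        return "Database Error", str(exc)


if __name__ == "__main__":
    db = make_db()
    print(run_request(db, unsafe_topic_lookup, ""))          # generic message + real error
    print(unsafe_topic_lookup(db, "3 OR 1=1"))               # every topic, not just #3
    print(safe_topic_lookup(db, "3 OR 1=1"))                 # None: rejected before the DB
    print(naive_offset(0), page_offset("0"))                 # -20 vs 0
    print(safe_posts_for_topic(db, "3", "0"))                # page 0 clamped to page 1
```

The regex anchors matter: Python's `\Z` (like PCRE's `\z`) matches only at the very end of the string, so `"12\nfoo"` is rejected, whereas `^\d+$` under a multi-line flag would accept it. Once the id is a validated integer the binding is belt-and-braces, but binding is what keeps the query safe when a later edit forgets the validation.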
