ansaurus

Question

Answer 1

A:

please change :

<?php if(isset($_POST['c2'])){    
mysql_query("UPDATE `grass` SET `".addslashes(striptags($num))."`='".addslashes(strip_tags($_POST['c2']))."'"); }
     if(isset($_POST['kill2'])){
     mysql_query("UPDATE `grass` SET `".addslashes(strip_tags($num))."`='0'"); } ?>

john misoskian 2010-09-30 09:25:18

Hmmm, its not updating data :( Why?

Nation 2010-09-30 09:29:06

Sql ingection is a thing to be avoided.

Col. Shrapnel 2010-09-30 09:32:28

Doesn't work and security issue.

Chouchenos 2010-09-30 09:57:25

Even worst now.

Col. Shrapnel 2010-09-30 10:04:44

:) if code writer know security add addslashes and striptags function. Sorry commenters , i can't think this guy newbie. :)... or using htmllawed xss framework and and and etc.

john misoskian 2010-09-30 10:05:35

At this moment Im not thinking about security. At first I need to make script work for me. And I cant insert That fu.... $num into db

Nation 2010-09-30 10:09:04

I can't say for this guy, but you know nothing of security

Col. Shrapnel 2010-09-30 10:09:50

@Nation please paste your database structure.

john misoskian 2010-09-30 10:12:50

Okey, I dont. And striptags is a function or something like that? What is under striptags?

Nation 2010-09-30 10:13:52

http://tr.php.net/manual/en/function.strip-tags.php

john misoskian 2010-09-30 10:17:57

oh yeah. it's a function. **and it has absolutely nothing to do here**. Because your advisor has absolutely no clue

Col. Shrapnel 2010-09-30 10:18:23

Please try to See. However, this function is not using the exploit, the more you give some exploitable vulnerability. I am a having daily visitor 22,000,000 to the portal developer . and believe that we need to use it here.

john misoskian 2010-09-30 10:22:03

@john: it's not an answer to his question...

iKid 2010-09-30 10:25:23

Answer 2

A:

I take it that $num is a column. Once the value is actually a column in grass then the query syntax looks fine in terms of inserting the value. However you really should have a where clause in your statement or every row will be changed. Maybe that is what you want but I doubt it.

Belinda 2010-09-30 09:28:10

Nation 2010-09-30 09:38:29

What output are you getting? Is it an error or is the table not being updated. What do you expect $_POST['c2'] to be?

Belinda 2010-09-30 09:47:37

$_POST['c2'] = <input type="radio" value="1" name="c2" />

Nation 2010-09-30 09:50:14

@Nation as a matter of fact your database design is terrible. You have to change it as soon as possible

Col. Shrapnel 2010-09-30 09:51:59

Col. Shrapnel :D Okey, maybe you can show better way. :)

Nation 2010-09-30 09:53:17

@Nation I did it already. Post your question here, not on the site that asks me to register.

Col. Shrapnel 2010-09-30 09:55:25

Where it is?...

Nation 2010-09-30 10:05:18

@Nation **the link you posted in your question asks me to register to see the contents**. Am I clear enough?

Col. Shrapnel 2010-09-30 10:11:21

Okey, I changed it. Now you can work with it.

Nation 2010-09-30 10:16:31

Answer 3

A:

Tnx for all :) Problem was in: form action="" method="post">

Nation 2010-09-30 10:46:50

ansaurus

tags:

views:

answers:

Insert php value into mysql table

related questions