$sql='UPDATE Reg_Stud SET Result=$perc WHERE RegID="$_SESSION['id']"';

What's wrong with this syntax?

+2  A: 

Two problems:

  • Variable interpolation does not happen in single quotes.
  • An un-escaped quote in a string prematurely terminates the string.

You can do:

$sql='UPDATE Reg_Stud SET Result='.$perc.' WHERE RegID='.$_SESSION['id'];
codaddict
You can do this, if you want Bobby Tables to screw your database.
delnan
@delnan: How do you know the variables are not sanitized?
codaddict
@delnan: I do not get it. If you consider `$perc` (maybe it was `ctype_digit` checked?) and `$_SESSION['id']` (you set it yourself to an int) to be valid, then there is no chance Bobby Tables might attack. But obviously escaping them won't hurt you either ;)
nikic
I don't *know* the variables aren't sanitized, but come on, the odds are pretty good ;)
delnan
I had no idea who Bobby Tables was, I'm glad I know him now!
Drewdin
Your code does not yield the same result.
Gumbo
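As an added example (not code from the question or from anyone in the thread), here is the same UPDATE written the two ways the comments point to: concatenation guarded by the numeric check nikic mentions, next to a prepared statement that makes the quoting problem and the Bobby Tables risk disappear together. It runs against an in-memory SQLite table constructed for the demo; the function names and sample values are my own.

```php
<?php
// Added example, not code from the question or the answer above. Builds an
// in-memory SQLite table (constructed here) and runs the UPDATE two ways.

function newDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Reg_Stud (RegID INTEGER PRIMARY KEY, Result REAL)');
    $pdo->exec('INSERT INTO Reg_Stud (RegID, Result) VALUES (7, 0), (8, 0)');
    return $pdo;
}

// Concatenation as in the answer: only acceptable when both values are proven
// numeric before they are glued into the SQL text, so check them first.
function updateByConcat(PDO $pdo, $perc, $id): int {
    if (!is_numeric($perc) || !ctype_digit((string) $id)) {
        throw new InvalidArgumentException('Result and RegID must be numeric');
    }
    $sql = 'UPDATE Reg_Stud SET Result=' . $perc . ' WHERE RegID=' . $id;
    return $pdo->exec($sql);            // number of rows updated
}

// Prepared statement: the SQL text is fixed and the values travel separately,
// so the driver handles quoting and the WHERE clause cannot be altered.
function updateByPrepared(PDO $pdo, $perc, $id): int {
    $stmt = $pdo->prepare('UPDATE Reg_Stud SET Result = :perc WHERE RegID = :id');
    $stmt->execute([':perc' => $perc, ':id' => $id]);
    return $stmt->rowCount();
}

$pdo = newDb();
$sessionId = 7;                          // stands in for $_SESSION['id']

echo updateByConcat($pdo, 87.5, $sessionId), " row(s) by concatenation\n";
echo updateByPrepared($pdo, 91.0, $sessionId), " row(s) by prepared statement\n";

// A value that is not a plain integer: the guard refuses to concatenate it,
// and the prepared statement binds it as a string that matches no RegID.
$odd = '7 OR RegID=8';
try {
    updateByConcat($pdo, 50, $odd);
} catch (InvalidArgumentException $e) {
    echo "concatenation refused: ", $e->getMessage(), "\n";
}
echo updateByPrepared($pdo, 50, $odd), " row(s) affected with a bound non-numeric RegID\n";
```

Without the `ctype_digit` guard, the concatenated form would place `$odd` verbatim in the statement and the second row would be updated as well.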