  1. #1
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question Correct coding syntax

    I have used the code below with success. However, it has been some time since I did any coding and now this piece of code does not work. I believe it is because Register Globals are now by default set to off???

    Can anyone show me the correct way to write this now?

    Many thanks for the help


    <?
    include ('config.php');
    $sql = "SELECT * FROM pages WHERE page_href = '$page_name' order by page_id";
    $class = mysql_query($sql, $conn);
    while($row = mysql_fetch_object($class))
    {
    $page_id=$row->page_id;
    $page_name=$row->page_name;
    $page_type=$row->page_type;
    $page_image=$row->page_image;
    $page_details=$row->page_details;
    $page_image2=$row->page_image2;
    $page_details2=$row->page_details2;
    $page_href=$row->page_href;
    $temptype=$row->temptype;

    $sql8 = "SELECT * FROM templates where tmp_code='$temptype'";
    $class8 = mysql_query($sql8, $conn);
    list($tmplt_id,$template,$tmp_code)=mysql_fetch_row($class8);

    include ("$template");


    }

    ?>

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Change this
    PHP Code:
    <?
    to this
    PHP Code:
    <?php
    and where is $page_name coming from? Is it something like index.php?page_name=blah

    If that is the case you have a major security hole in your code. It is open to sql injection.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    $page_name is a field name from the database table. So yes, it is like index.php?page_name=

  • #4
    New Coder
    Join Date
    Jun 2009
    Location
    Manipal
    Posts
    45
    Thanks
    2
    Thanked 3 Times in 3 Posts
    You should never do that because then you are open to MySQL Injection. Google it for more info.

    It is basically a method where hackers could take control of your site.

    Instead, you should use
    mysql_real_escape_string();

  • #5
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    I wouldn't recommend it, but you could just use the extract function with $_REQUEST to extract all the data the way register globals did. I would seriously recommend that you do some research into SQL injection and prevention methods. Take a look at the Added Bytes website for information on PHP security:
    http://www.addedbytes.com/
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a user's help, show your appreciation with the rep and thanks buttons :)
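
An added example, not code from any poster in this thread: the page lookup from post #1 rewritten to read `page_name` from `$_GET` explicitly (register_globals was removed in PHP 5.4) and to bind it through a PDO prepared statement, used here in place of `mysql_real_escape_string()` because the `mysql_*` functions were removed in PHP 7.0. The in-memory SQLite tables, the sample rows, the two helper functions and the template allowlist are assumptions made so the script runs offline.

```php
<?php
// Added example. Constructed in-memory SQLite data stands in for the
// poster's MySQL tables; only the columns the lookup needs are created.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (page_id INTEGER, page_name TEXT, page_href TEXT, temptype TEXT)");
$db->exec("CREATE TABLE templates (tmplt_id INTEGER, template TEXT, tmp_code TEXT)");
$db->exec("INSERT INTO pages VALUES (1, 'Home', 'home', 'std'), (2, 'Admin', 'admin', 'std')");
$db->exec("INSERT INTO templates VALUES (1, 'standard.php', 'std')");

// Hypothetical helper: the request value is bound as a parameter, so a quote
// in the input stays data and never becomes part of the SQL text.
function find_pages(PDO $db, $page_name)
{
    $stmt = $db->prepare(
        "SELECT p.page_id, p.page_name, p.page_href, t.template
           FROM pages p JOIN templates t ON t.tmp_code = p.temptype
          WHERE p.page_href = :href ORDER BY p.page_id"
    );
    $stmt->execute([':href' => $page_name]);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Hypothetical helper: a template name read from the database is only
// included if it appears on a fixed list of known files.
function safe_template($template, array $allowed)
{
    return in_array($template, $allowed, true) ? $template : null;
}

// With register_globals off, the value has to be read from $_GET explicitly.
// On the command line there is no query string, so constructed inputs are used.
$from_request = isset($_GET['page_name']) && is_string($_GET['page_name']);
$inputs = $from_request
    ? [$_GET['page_name']]
    : ['home', "home' OR '1'='1"];   // constructed: a normal value, then a quoted one

foreach ($inputs as $page_name) {
    $rows = find_pages($db, $page_name);
    printf("%-18s -> %d row(s)\n", $page_name, count($rows));
    foreach ($rows as $row) {
        $file = safe_template($row->template, ['standard.php']);
        // A real page would now do: include __DIR__ . '/templates/' . $file;
        echo "  page {$row->page_id} uses template " . ($file ?: '(rejected)') . "\n";
    }
}
```

Run with `php` on the command line, the first input matches one page and the second matches none, because the bound value is compared as a literal string against `page_href`.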

