Problem when turning register globals = off

[MrVaux]

I just decided to turn register globals from on to off.

 

This change made a lot of trouble for me.

I simply can´t update a record in the DB anymore. I get the following errormsg.

 

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /customers/websides.dk/websides.dk/httpd.www/luffe/liga/admin/form_edit_news.php on line 18

 

I believe the problem is that the variable is empty, but Im not sure.

 

How do I rewrite below to work with register globals = off

 

<?
include "admin_menu.php";
$id = $_GET['id'];
$news = $_GET['news'];

include "config.php";
$link = mysql_connect($dbhost, $dbuser, $dbpasswd) or die("Couldn't establish connection");
mysql_select_db($dbname);
$query = "SELECT * FROM league_news WHERE id = id";
$result = mysql_query($query);
$row = mysql_fetch_array($result);

echo "<H3>Info text</H3>\n";
echo "<table style='border-width:1px; border-style:dashed; border-color:#000000;' width='600px' cellpadding='4' cellspacing='0' bgcolor='#cee5cb'>\n";
echo "<tr>\n";
echo "<td width='100%'>$row[news]</td>\n";
echo "</tr>\n";

echo "<tr>\n";
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
echo "<td width='100%'></td>\n";
echo "</tr>\n";

echo "</table>\n";
echo "<br>\n";
echo "</form>\n";
echo "<a href='form_edit_news.php?id=$row[id]'><b>Edit info</b></a>";
?>

[mds1256]

shouldnt the line:

 

$query = "SELECT * FROM league_news WHERE id = id";

 

look more like:

 

$query = "SELECT * FROM league_news WHERE id = $id";

[Pikachu2000]

I don't see an opening <form> tag in that code.

[BlueSkyIS]

^yes.

 

also: your SQL is failing but you don't know it. so $result is not a valid resource. check it this way:

 

 

$result = mysql_query($query) or die(mysql_error() . " IN: $query");

 

[MrVaux]

I don't see an opening <form> tag in that code.

 

Actually the </form> tag is to be cleaned up since there is no form on that page. Thanks for notice.

 

$result = mysql_query($query) or die(mysql_error() . " IN: $query");

 

What does this do? Does it write out the errors in the query?

 

 

So it actually works at the moment, I think....

I changed the

 

$news = $_GET['news']; to $news = $_REQUEST['news'];

 

Thanks for all your input so far...

[yaMz]

This is very unsafe code practice:

 

<?php
$id = $_GET['id']; //allows injection
$news = $_GET['news']; //allows injection

//consider mysql_real_escape_string() and strip_tags()
?>

[MrVaux]

This is very unsafe code practice:

 

<?php
$id = $_GET['id']; //allows injection
$news = $_GET['news']; //allows injection

//consider mysql_real_escape_string() and strip_tags()
?>

 

 

I am pretty n00B at php, so how where you to code what you suggest?

[yaMz]

Since you  are using $_GET, the information can be altered by input. Small Example:

 

Someone sends query directly from their browser:

http://yoursite.com/script.php?id=1<?phpinfo();?>

 

<?php
echo "<input type='hidden' name='id' value='{$_GET[id]}'>";
?>

 

will now output:

 

<input type='hidden' name='id' value='{<?phpinfo();?>}'>

This would allow them to view your php.ini settings. This would only be the beginning.

 

 

<?php
include ("admin_menu.php");

// if ID is to only return numbers, it'd be simpler to:
$id = preg_replace("[^0-9]", "", $_GET['id']);

//and 
$news = mysql_real_escape_string(strip_tags($_GET['news']));

[MrVaux]

Thanks a lot for taking your time to show me all this.

 

I will try to recode it when i get off at work