Member Avatar for urbanthistleuk

Morning All,

I am having a few problems with this code below, been trying to figure out where i'm going wrong, can any one shead some light to where I may be going wrong? I keep getting a 500 Server Error, when trying to process the form

Thanks

<?php

include('config.inc');

$1st_body = mysql_real_escape_string( stripslashes( $_POST[ '_1st_body' ] ) );

$id=$_GET['1st_rem_id'];

mysql_select_db($dbname);
$sql="UPDATE db SET 1st_body='$1st_body' WHERE 1st_rem_id='$id'";
$result=mysql_query($sql);

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
header("Location: 1st_not.php");

mysql_close()
}

?>
  • 2 Contributors
  • 4 Replies
  • 136 Views
  • 10 Hours Discussion Span
  • Latest Post Latest Post by urbanthistleuk
Member Avatar for diafol

comment out the header() and see if it still happens.

BTW header() should have an exit after it.

Also, prob. unrelated...

Check for the exitence of a variable before you assign it to another...

$id=$_GET['1st_rem_id'];

What happens if it doesn't exist? ERROR

Is there a reason why you're passing GET and POST params? Never pass GET params for modification of DB data. Also you don't clean your GET input, so you are open to SQL injection.
Also, not a rule BTW, fields and various array items starting with numbers tend to be avoided. Some used to cause problems in the past, but I think systems are more forgiving these days, but the convention has sort of stuck. I'm open to disagreement on this.

Member Avatar for urbanthistleuk

Thanks for the update,

Tried commenting it out but still getting the same, will have a play arround with it later,

Whats the best way to pass params for modification to a db this is the way I was shown a while ago, never really understood why though, what the best way to not clean your GET input

Cheers
Martin

Member Avatar for diafol

You can insert a hidden form field to hold any id values you want posted with the form.

If you expect an integer - e.g. $_POST['id'] - check with is_int(), or force typing (or 'cast') with intval() or by prefixing the variable with (int).

You should aim to validate all numerics, dates, patterned text (e.g. e-mail) fields before processing with DB.

You can clean input by a number of methods. I noticed that you were using old-soon-to-die-style mysql - so for that it's vitally important that you use functions like mysql_real_escape_string or intval. If you use mysqli or PDO, then you're pretty safe with binding parameters, so no need for a mysqli_real_escape_string type thingy.

Have a look at SANITIZE/VALIDATE FITLERS: http://www.php.net/manual/en/filter.filters.php

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.