Reputation: 3253
I have a small problem. I access the site thru foro.php?id=74&mode=add or foro.php?id=74&mode=edit it works fine.. But when I add a colon, semicolon (; or :) to foro.php?id=74&mode=add it goes to the edit option
foro.php?id=74&mode=add;
foro.php?id=74&mode=add:
foro.php?id=74&mode=add’
Below is my code
<?php
$numb=mysql_real_escape_string($_GET['id']);
if ($_GET['mode']=='add') {
$sql1="select * from cello where number='".mysql_real_escape_string($numb)."' LIMIT 1";
$result1=mysql_query($sql1) or die(mysql_error());
while ($row=mysql_fetch_array($result1)) {
$name=$row['name'];
echo $name;
}
}
elseif ($_GET['mode']='edit') {
$sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
$result=mysql_query($sql) or die(mysql_error());
while ($row=mysql_fetch_array($result)) {
$acnumb=$row['number'];
$name=$row['name'];
$address=$row['address'];
echo $acnumb;
echo $name;
echo $address;
}
}
else {echo "error!!";}
?>
Any way how to prevent it?
Upvotes: 5
Views: 892
Reputation: 30651
Solution:
The problem definitely lies with the elseif ($_GET['mode']='edit') {
line; the =
operator there sets $_GET['mode']
to 'edit'
(which always evaluates to true
). A good but lexically-confusing practice to get into is writing conditionals like so:
if (5 == $some_var)
Which will immediately give an error if the second =
was not included.
Suggestion:
You may want to implement a switch
control to organize your code:
<?php
switch ($_GET['mode']) {
case 'add':
$sql1="select * from cello where number='".mysql_real_escape_string($numb)."' LIMIT 1";
$result1=mysql_query($sql1) or die(mysql_error());
while ($row=mysql_fetch_array($result1)) {
$name=$row['name'];
echo $name;
}
break;
case 'edit':
$sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
$result=mysql_query($sql) or die(mysql_error());
while ($row=mysql_fetch_array($result)) {
$acnumb=$row['number'];
$name=$row['name'];
$address=$row['address'];
echo $acnumb;
echo $name;
echo $address;
}
break;
default:
echo "error!!";
}
Upvotes: 5
Reputation: 10011
The problem is that in the following lines, in the if statement, you are not comparing, but assigning a value to the mode element in the GET array:
...
elseif ($_GET['mode']='edit') {
$sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
$result=mysql_query($sql) or die(mysql_error());
...
That operation returns true, the first comparison is false, and that is why it goes in the edit section.
Upvotes: 5
Reputation: 21659
You have used the assignment operator =
instead of the equality operator ==
.
Try changing this:
elseif ($_GET['mode']='edit') {
to this:
elseif ($_GET['mode']=='edit') {
Upvotes: 8