5

I have a small problem. I access the site thru foro.php?id=74&mode=add or foro.php?id=74&mode=edit it works fine.. But when I add a colon, semicolon (; or :) to foro.php?id=74&mode=add it goes to the edit option

foro.php?id=74&mode=add;
foro.php?id=74&mode=add:
foro.php?id=74&mode=add’

Below is my code

<?php 
$numb=mysql_real_escape_string($_GET['id']);

  if ($_GET['mode']=='add') {

    $sql1="select * from cello where number='".mysql_real_escape_string($numb)."' LIMIT 1";
    $result1=mysql_query($sql1) or die(mysql_error());
    while ($row=mysql_fetch_array($result1)) {

        $name=$row['name'];
        echo $name;
    }
  }


elseif ($_GET['mode']='edit') {

$sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
$result=mysql_query($sql) or die(mysql_error());

    while ($row=mysql_fetch_array($result)) {

 $acnumb=$row['number'];
$name=$row['name'];
$address=$row['address'];

echo $acnumb;
echo $name;
echo $address;

     }
     }
 else {echo "error!!";}
     ?>

Any way how to prevent it?

Improve this question

3 Answers 3

Reset to default
8

You have used the assignment operator = instead of the equality operator ==.

Try changing this:

elseif ($_GET['mode']='edit') {

to this:

elseif ($_GET['mode']=='edit') {
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

5

The problem is that in the following lines, in the if statement, you are not comparing, but assigning a value to the mode element in the GET array:

...
elseif ($_GET['mode']='edit') {

$sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
$result=mysql_query($sql) or die(mysql_error());
...

That operation returns true, the first comparison is false, and that is why it goes in the edit section.

Improve this answer

Comments

5

Solution:

The problem definitely lies with the elseif ($_GET['mode']='edit') { line; the = operator there sets $_GET['mode'] to 'edit' (which always evaluates to true). A good but lexically-confusing practice to get into is writing conditionals like so:

if (5 == $some_var)

Which will immediately give an error if the second = was not included.

Suggestion:

You may want to implement a switch control to organize your code:

<?php
switch ($_GET['mode']) {
    case 'add':

        $sql1="select * from cello where number='".mysql_real_escape_string($numb)."' LIMIT 1";
        $result1=mysql_query($sql1) or die(mysql_error());
        while ($row=mysql_fetch_array($result1)) {

            $name=$row['name'];
            echo $name;
        }

        break;

    case 'edit':
        $sql="select * from cello account_number='".mysql_real_escape_string($numb)."' limit 1";
        $result=mysql_query($sql) or die(mysql_error());

        while ($row=mysql_fetch_array($result)) {

            $acnumb=$row['number'];
            $name=$row['name'];
            $address=$row['address'];

            echo $acnumb;
            echo $name;
            echo $address;

        }

        break;

    default:
        echo "error!!";
}
Improve this answer

1 Comment

Thanks for the suggestion.. i didn't think of it earlier

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.