rocknbil - 3:19 am on Jan 26, 2010 (gmt 0)
I've never seen what you're doing on line 18, and it shouldn't be necessary. The final solution, really, is in proper input filtering. PHP coders like to turn to a predefined function such as is_numeric(), like you have there with empty(), fair enough. But ZERO is also numeric, and you'd never (err . . . should never) have a unique record id of zero. So the fix: I'd like to add, since you are querying a numeric field, you are correct to not quote $record. The reason for this is if it is quoted, like $query = "SELECT * FROM smitty WHERE field_1='$record'"; if it's an invalid input (text or something) you'll get no results, or won't do an update, and you'll wonder why. This is prevented by the >0 check in my test, but it's something that's handy to know.
You've built quite an interesting case here that's a combination of issues and conditions. :-)
if (isset($_POST['record']) && ($_POST['record'] > 0)) {
    $record = (int) $_POST['record']; // cast so only an integer reaches the query
    // note no need for empty check.
    // Retrieve details for editing
    $query = "SELECT * FROM smitty WHERE field_1=$record";
    // line 18 . . poof
    if (!($result = @mysql_query($query))) { die("Something is wrong."); }
    // do mysql_fetch_array, but since it's a SINGLE RECORD
    // don't do while, do IF
    if ($row = mysql_fetch_array($result)) {
        echo "found " . $row['name'];
    }
    else { echo "no record found"; }
}
else { echo "Request record_id is invalid, use a number"; }
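An added example, not rocknbil's code, of the same "must be a positive record id" filtering done with filter_var() and a bound parameter instead of string interpolation. It assumes the table smitty and integer column field_1 from the post; record_id_from_input, fetch_record and handle_request are names chosen here, and no database connection is opened when the file is run on its own.

```php
<?php
// Added example: strict numeric-id validation plus a parameterised query.
// Table/column names (smitty, field_1) come from the post above; the PDO
// connection is left to the caller, so this file runs without a database.

/**
 * Return the record id as a positive integer, or null if the input is
 * anything other than a plain decimal integer >= 1.  Unlike a bare
 * `$value > 0` comparison, FILTER_VALIDATE_INT rejects strings such as
 * "5 OR 1=1", "1e3", "0x1A" and "007" outright instead of coercing them.
 */
function record_id_from_input($value): ?int
{
    if (!is_string($value) && !is_int($value)) {   // arrays, null, objects
        return null;
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch the row for $id; the id is bound, so it never becomes SQL text. */
function fetch_record(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM smitty WHERE field_1 = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** The same three outcomes as the post's snippet, as a string for the caller. */
function handle_request(PDO $db, array $post): string
{
    $id = record_id_from_input($post['record'] ?? null);
    if ($id === null) {
        return 'Request record_id is invalid, use a number';
    }
    $row = fetch_record($db, $id);
    return $row === null ? 'no record found' : 'found ' . $row['name'];
}

// Constructed sample inputs showing what the validator keeps and drops.
foreach (['42', '0', '-3', 'abc', '5 OR 1=1', '1e3', '007', ['42']] as $input) {
    $id = record_id_from_input($input);
    printf("%-12s => %s\n", var_export($input, true), $id === null ? 'rejected' : "id $id");
}
```

In a page handler the call is `handle_request(new PDO($dsn, $user, $pass), $_POST)`, with the DSN and credentials supplied by the application.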