- You need to SANITIZE your inputs.
Something like this:
// Strip everything except digits and sign characters from the id parameter
$id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
// Fetch the data from the database
$sql_query_string = sprintf("SELECT * FROM %s WHERE id='%s';--", $tbl_name, $id);
- Connection Handler
Notice the $dbh: this is the variable that should be set by your
include("database_connect.php"); script, in which you would have
// Connect to the database; on failure, stop and print the connection error
$dbh = mysqli_connect("server_location", "username", "password", "database") or die("Error " . mysqli_connect_error());
This will connect to a database; if your server encounters a problem, the script will die and output the server error. Useful.
- I prefer to use the string print format function: it's tidy, it allows you to read the query string, and it's much clearer. You should add the ;-- to the end of the query string so that it is terminated; in the case of an injection attack the hacker could inject code to try and gain access. See an example at http://www.rackspace.com/.../sql-injection-in-mysql. A similar process is used to inject code into a PHP script that breaks the PHP script to insert code that then allows or exposes the code to the person who injected it.
If memory serves me, several months ago this site was cracked and some program was placed on the server to allow the visitor to view the server contents and the other web domains of developer.com. What it did was expose the underlying system, what server was being used, etc. I am not going to go into specifics, but even with the best-kept web server and forum it is possible to be hacked because of an underlying weakness in the supporting systems. What you have to do is limit the threat as best you can.
In your update script, remember to "close" it...
Familiarize yourself with the mysqli methods, as the mysql functions, as indicated, are deprecated, and at some point in the near future PHP will stop supporting these functions altogether.
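As an added example (editor's code, not the poster's), here is the same lookup written with a mysqli prepared statement, which is the form the mysqli documentation recommends: the id is validated as an integer and bound as a parameter, so it is never part of the SQL text. The connection details, the `members`/`posts` table names in the allow-list and the `read_id`/`fetch_row` helper names are placeholders assumed for the example.

```php
<?php
// Added example (not from the original post): prepared-statement version of the
// lookup. Credentials and table names below are placeholders.
declare(strict_types=1);

// Make every mysqli error throw an exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_db(): mysqli
{
    // Placeholder credentials; in practice load them from a config file outside the web root.
    return new mysqli('server_location', 'username', 'password', 'database');
}

// Validate rather than sanitise: FILTER_VALIDATE_INT refuses anything that is not
// a whole integer, so input like "1 OR 1=1" or "1-2" is rejected outright.
function read_id(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// A table name cannot be a bound parameter, so it is checked against an
// allow-list (assumed names) instead of being interpolated from user input.
const ALLOWED_TABLES = ['members', 'posts'];

function fetch_row(mysqli $dbh, string $tbl_name, int $id): ?array
{
    if (!in_array($tbl_name, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $tbl_name");
    }
    // The id travels separately from the SQL text as a bound parameter ('i' = integer),
    // so there is no query string for an attacker to break out of.
    $stmt = $dbh->prepare("SELECT * FROM `$tbl_name` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = read_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

$dbh = connect_db();
try {
    $row = fetch_row($dbh, 'members', $id);
    // Escape before echoing so a stored value cannot inject HTML into the page.
    echo $row === null ? 'not found' : htmlspecialchars(json_encode($row), ENT_QUOTES, 'UTF-8');
} finally {
    // Close the connection when done, as the post advises.
    $dbh->close();
}
```

`get_result()` requires the mysqlnd driver, which is the default in current PHP builds; on older builds without it, use `bind_result()` and `fetch()` instead. With `MYSQLI_REPORT_STRICT` set, a failed connection throws a `mysqli_sql_exception`, so you get the server error without `or die(...)`.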