• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 214
  • Last Modified:

checkbox in php

umm i cant figure out where im off wrong..


always records 0 in my db even when the checkbox is selected
<input type="checkbox" name="email" />
 
Code: [Select]
elseif (isset($_POST['submit']))
{
            $thePost = $_POST['yourpost'];
            $theSubject = $_POST['subject'];
            if ($thePost == "" || $thePost == null)
            {
                        $errMsgPost = "Error: You did not type in a post."; //no post entered
            } elseif ($theSubject == "" || $theSubject == null)
            {
                        $errMsgSubject = "Error: You did not enter a subject."; //no subject entered
            }
            else
            {
            if (isset($_POST['email'])) {
            $insertpost = "INSERT INTO forumtutorial_posts(emailreply) values('1')";
 
}
 
                        //we now strip HTML injections
                        $theSubject = strip_tags($theSubject);
                        $thePost = strip_tags($thePost);
                        $insertpost = "INSERT INTO forumtutorial_posts(forum,author,title,post,showtime,realtime,lastrepliedto,lastposter) values('$forum','$username','$theSubject','$thePost','$thedate','$thedate','$thedate','$username')";
                        mysql_query($insertpost) or die("Could not insert post"); //insert post
                        $updatepost = "UPDATE `users` SET `post_count`=`post_count`+'1' WHERE `Username`='$username'";
                        mysql_query($updatepost) or die("Could not update post");
                        header("Location: http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum");
                        exit;
            }
}
?>

Open in new window

0
runnerjp
Asked:
runnerjp
  • 2
1 Solution
 
jausionsCommented:
You're not running the query after the isset($_POST['email'])), you're just write the SQL query to the variable, but nothing is done with it, no mysql_query($insertpost).

On a side noe you should ALWAYS add addslashes() to your user-supplied data when you do INSERT SQL statements because your code is at a extremely high risk to be hacked and destroy your database.
0
 
runnerjpAuthor Commented:
thnaks... wont $theSubject = strip_tags($theSubject);
                        $thePost = strip_tags($thePost);

do the job?
0
 
und3athCommented:
if (isset($_POST['email'])) {
            $insertpost = "INSERT INTO forumtutorial_posts(emailreply) values('1')";
 !!!!!!!!HERE !!!!!!!!!!!!!!! mysql_query($insertpost);
}
 
                        //we now strip HTML injections
                        $theSubject = strip_tags($theSubject);
                        $thePost = strip_tags($thePost);
0
 
jausionsCommented:
runnerip:

strip_tags only takes care of HTML tags, which don't really matter from a SQL stand point. This is good for protection against cross-site attacks though.

What you need to be wary about for SQL injections are the quotes, which need to be escaped.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now