I have used “echo $query” to see whether it is getting a value or not, but it is not showing anything on the page. What is another way to see what value it is getting?
I use Aptana Studio 2.0 PDT, but I am not able to set breakpoints. I am quite new to it.
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Both values come straight from the query string, unvalidated
$ulName = $_GET['ControlName'];
$query = $_GET['SqlQuery'];
echo $query;
mysql_connect('localhost:3306','pffsddsf','dfsdfsd');
mysql_select_db('publicdb');
$result=mysql_query("select * from electioncategorymaster");
?>
<!-- $ulName is written into the markup without escaping -->
<ul id="<?php echo $ulName; ?>" name="<?php echo $ulName; ?>">
<?php while($row=mysql_fetch_array($result))
{ ?>
<li><?php echo $row[1]; ?></li>
<?php } ?>
</ul>
You may not be getting the parameters you expect, so start your script with
to see what your page is actually getting.
While I appreciate you are just learning, accepting parameters which are passed verbatim to the database server and to the client browser is a security no-no.
Take the $ulName variable – I could inject HTML of my choosing there, so why not constrain it to alphanumerics?
As for accepting SQL via a parameter, I really wouldn’t do that unless you trust the user of your application completely…
Scary, right? Now how about if you combined both these flaws? I could craft a link which displayed your page, but embedded a form with hidden fields containing that query, along with a big button which said “click me for funny cat videos”. Now I just need to send the link out there and wait for someone else to do my evil bidding 🙂
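The fixes the answer describes, as an added example that is not part of the question or the answer: the list id is constrained to alphanumerics, the SQL statement is fixed in the script with only a bound parameter taken from the client, and everything sent to the browser is escaped. It assumes PHP 7.4+ with PDO, a column called CategoryName (the original reads `$row[1]`, so the real name is unknown), and placeholder credentials.

```php
<?php
// Added example, not the original page's code. Assumes PDO/MySQL, PHP 7.4+,
// a column named "CategoryName" and placeholder DB credentials.
declare(strict_types=1);
error_reporting(E_ALL);
ini_set('display_errors', '1');

// 1. Constrain the list id so it cannot break out of the attribute or carry markup.
$ulName = $_GET['ControlName'] ?? 'electionCategories';
if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $ulName)) {
    http_response_code(400);
    exit('Invalid ControlName');
}

// 2. Never accept SQL from the request. The statement is fixed here; the only
//    client-chosen value is an optional name filter passed as a bound parameter.
$filter = $_GET['Filter'] ?? '';
if (strlen($filter) > 100) {
    http_response_code(400);
    exit('Filter too long');
}
// Escape LIKE wildcards so the user can only match literal text.
$pattern = '%' . addcslashes($filter, '%_\\') . '%';

$pdo = new PDO(
    'mysql:host=localhost;port=3306;dbname=publicdb;charset=utf8mb4',
    'db_user_placeholder',
    'db_password_placeholder',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare(
    'SELECT CategoryName FROM electioncategorymaster WHERE CategoryName LIKE :pattern'
);
$stmt->execute([':pattern' => $pattern]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 3. Escape every value that reaches the browser, attribute and text alike.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<ul id="<?= $h($ulName) ?>">
<?php foreach ($rows as $row): ?>
  <li><?= $h($row['CategoryName']) ?></li>
<?php endforeach; ?>
</ul>
```

With the query no longer taken from the request, the "funny cat videos" link in the answer has nothing to carry: the form's hidden SqlQuery field is simply ignored.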