php - MySQLi query not working? Everything seems correct

I have no idea why the following code does not work. All of the variables are defined, yet it doesn't work.
    include('config.php');
    $qid = $_GET['newanswer'];
    $g_q_info = $con->query("select * from questions where id='$qid'");
    $q_i = $g_q_info->fetch_object();

    require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);

    $content = $_POST['editor1'];
    $content = $purifier->purify($content);
    $title = htmlspecialchars(strip_tags($_POST['title']));
    $questionid = $q_i->id;

    $con->query("insert into answers (questionid,title,content) values ($questionid,$title,$contents)");
You have forgotten to quote the values you're inserting, and your queries are assuming success. That is on top of the SQL injection attack vulnerabilities in the code. The absolute bare minimum fix should be something like:

    $con->query("insert a[..snip..]) values ('$questionid','$title','$contents')");
                                             ^-           ^-      ^-  etc..

Note the additional quotes. This won't fix the larger injection problem, though.
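An added example, not from the question or the answer, showing the same insert done with mysqli prepared statements so both the quoting problem and the injection problem go away. It assumes `config.php` defines `$con` as a mysqli connection (as in the question) and that mysqlnd is available for `get_result()`.

```php
<?php
// Added example: the flow from the question rewritten with prepared statements,
// so user input is bound as data and never spliced into the SQL text.
include 'config.php';   // assumed to define $con as a mysqli connection
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

// Throw on driver errors instead of silently continuing after a failed query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate the id as an integer before it is used anywhere.
$qid = filter_input(INPUT_GET, 'newanswer', FILTER_VALIDATE_INT);
if ($qid === false || $qid === null) {
    http_response_code(400);
    exit('invalid question id');
}

// Look the question up with a bound parameter; check that it actually exists.
$stmt = $con->prepare('SELECT id FROM questions WHERE id = ?');
$stmt->bind_param('i', $qid);
$stmt->execute();
$q_i = $stmt->get_result()->fetch_object();
$stmt->close();
if ($q_i === null) {
    http_response_code(404);
    exit('question not found');
}

// Same sanitisation of the body and title as in the question.
$purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
$content  = $purifier->purify($_POST['editor1'] ?? '');
$title    = htmlspecialchars(strip_tags($_POST['title'] ?? ''), ENT_QUOTES, 'UTF-8');
$questionid = (int) $q_i->id;

// Placeholders carry the values; quoting and escaping are handled by the driver,
// so the missing quotes from the original query cannot occur here.
$stmt = $con->prepare('INSERT INTO answers (questionid, title, content) VALUES (?, ?, ?)');
$stmt->bind_param('iss', $questionid, $title, $content);
$stmt->execute();
echo 'inserted answer id ' . $stmt->insert_id;
$stmt->close();
```

With MYSQLI_REPORT_STRICT enabled, a failed prepare or execute raises a mysqli_sql_exception, which is what makes the "query not working" case visible instead of silent.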