Message #58320
acenes
Partner
Posts: 1556
Chur, Switzerland
Caution:
The way you use $_POST variables directly in the SQL statement makes your site vulnerable to SQL injection.
You should use the Input class to fetch the variables and the escape function of the database classes to insert them.
Either (positional placeholders, one "?" per value passed to execute()):
php:
    $this->Database
        ->prepare(
            "UPDATE tl_school_schools" .
            " SET school_desc=?, website=?, city=?, ....." .
            " WHERE id=?"
        )
        ->execute(
            $this->Input->post('school_desc'),
            $this->Input->post('website'),
            $this->Input->post('city'),
            .....
            $this->Input->post('schoolkey')
        );
Or (let set() build the SET clause in place of %s, and bind only the id):
php:
    $this->Database
        ->prepare("UPDATE tl_school_schools %s WHERE id=?")
        ->set(
            array(
                'school_desc' => $this->Input->post('school_desc'),
                'website'     => $this->Input->post('website'),
                'city'        => $this->Input->post('city'),
                .....
            )
        )
        ->execute($this->Input->post('schoolkey'));
Now you also see why you have issues with the question mark: it is used as the variable placeholder.
Peter - "May the TYPOlight shine on you"
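As an added illustration (this is not code from the forum post or from TYPOlight itself), the pattern the post warns about beside the hardened form, written as two methods of a hypothetical front-end module. It assumes the `$this->Database->prepare()->set()->execute()` and `$this->Input->post()` API exactly as the post shows it, reuses the table and column names from the post, and the class name `ModuleSchoolEdit` is invented. The "unsafe" method is a reconstruction of the kind of code the post describes, not the original poster's actual code.

```php
<?php
// Added example: string-built UPDATE versus bound parameters in a
// TYPOlight module. Class name and method names are hypothetical.

class ModuleSchoolEdit extends Module
{
    // VULNERABLE: $_POST values are concatenated straight into the SQL text.
    // A schoolkey of  0 OR 1=1  rewrites every row, a quote in school_desc
    // breaks out of the string literal, and a literal "?" inside any value
    // is later mistaken for a placeholder.
    protected function updateSchoolUnsafe()
    {
        $this->Database->execute(
            "UPDATE tl_school_schools"
            . " SET school_desc='" . $_POST['school_desc'] . "'"
            . ", website='" . $_POST['website'] . "'"
            . ", city='" . $_POST['city'] . "'"
            . " WHERE id=" . $_POST['schoolkey']
        );
    }

    // HARDENED: the query text is fixed; every user-supplied value travels
    // through set()/execute() as a parameter, so the only "?" the database
    // class interprets is the one we wrote in the WHERE clause. Quotes or
    // question marks in the submitted values are treated as plain data.
    protected function updateSchoolSafe()
    {
        $schoolkey = $this->Input->post('schoolkey');

        // The id column is numeric: refuse anything that is not a plain
        // integer before the statement is even built (defence in depth,
        // not a replacement for the parameter binding below).
        if (!preg_match('/^\d+$/', (string) $schoolkey)) {
            return false;
        }

        $this->Database
            ->prepare("UPDATE tl_school_schools %s WHERE id=?")
            ->set(array(
                'school_desc' => $this->Input->post('school_desc'),
                'website'     => $this->Input->post('website'),
                'city'        => $this->Input->post('city'),
            ))
            ->execute($schoolkey);

        return true;
    }
}
```

The check on `schoolkey` is an extra guard for a column that must be an integer; the actual injection fix is that no request value is ever part of the SQL string. If one of the text fields legitimately contains a question mark (a website URL with a query string, for instance), the hardened version stores it unchanged, which is exactly the case the post says was failing with string concatenation.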