[PixelBit]

First I'd like to say to ignore the password method in this code, it's temporary

Ok so I have this form + php code which posts what you enter into a database, all the fields work except the select box where you select update/event/article/donate. The select box that you select 1 2 or 3 works fine, it's just this one select box, I really don't understand.

Anyhow to test out what I mean go here http://relent.dyndns....php?page=admin on the page you are sent to on submit it will say Entry successful and then say update/event/article/donate (or it should) and then 1 2 or 3. This is so you can quickly tell if it submitted to the right place. You can see that the 1/2/3 changes but not the update/event/article/donate. The password is 1234.

Here is my code:
admin.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
	<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
	<meta name="author" content="Jamal Antonio" />

	<title>Administration Panel</title>
    <link href="admin.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<div class="container">
    <div id="content">
    Note: Updates and Events require all feilds to be filled in, Articles require all but area and donate only needs content. Always fill in password.
        <form action="admin.php" method="post">
            <div id="top">
                Title: <input name="title" type="text" />
                Author Name: <input name="author" type="text" />
            </div>

            <textarea rows="20" cols="126" name="content">Content, you can use html and even embedded css and javascript!</textarea>
            <div id="bottom">
                <select name="secttype">
                    <option value="updates">updates</option>
                    <option value="events">events</option>
                    <option value="articles">articles</option>
                    <option value="donate">donate</option>
                </select>
                <select name="area">
                    <option value="1">1</option>
                    <option value="2">2</option>
                    <option value="3">3</option>
                </select>
                    Admin password: <input type="password" name="password" />       
                <input type="submit" />
            </div>
        </form>
    </div>
</div>
<body>



</body>
</html>

admin.php:

<?php

/**
 * @author Jamal Antonio
 * @copyright 2012
 */
 
    ini_set('display_errors', 1);
    ini_set('log_errors', 1);
    ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
    error_reporting(E_ALL);
    include "config.php";

    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];
    
    date_default_timezone_set('GMT');
    $date = date('Y/d/m');

    mysql_connect($conf['service'], $conf['username'], $conf['password']);
    @mysql_select_db($conf['database']) or die( "Error connecting to database!");

    $query = "SELECT * FROM admin where id = '1'";
    $result = mysql_query($query) or trigger_error("SQL", E_USER_ERROR);
    $cpass = mysql_result($result, 0, "password"); 
    
    if ($password == $cpass) {

        if ($secttype = "updates"){
            $query = "INSERT INTO updates VALUES (null, '$title', '$date', '$content', '$author', '$area')";
        }
        else if ($secttype = "events"){
            $query = "INSERT INTO events VALUES (null, '$title', '$date', '$content', '$author', '$area')";
        }
        else if ($secttype = "articles"){
            $query = "INSERT INTO articles VALUES (null, '$title', '$date', '$content', '$author',)";
        }
        else if ($secttype = "donate"){
            $query = "INSERT INTO donate VALUES (null, '$content')";
        }

        $result= mysql_query($query);

        If ($result){
        echo "Entry successful $secttype $area";
        }
        else {
            echo"Didn't work!";
        }   
    }
    else {
        echo "Incorrect password";
    }
?>

[e_i_pi]

All of your comparitors are messed up. For example, you're doing this:

if ($secttype = "updates"){

...when you should be doing this...

if ($secttype == "updates"){

I can spot four instances where you have this mistake, lines 33, 36, 39, 42.

[PixelBit]

e_i_pi, on 05 February 2012 - 04:11 AM, said:

All of your comparitors are messed up. For example, you're doing this:

if ($secttype = "updates"){

...when you should be doing this...

if ($secttype == "updates"){

I can spot four instances where you have this mistake, lines 33, 36, 39, 42.

Crap, thanks I'll try that now, this is what happens when I'm forced to code in VB.NET at college

EDIT: Worked, thanks.

This post has been edited by PixelBit: 05 February 2012 - 04:14 AM

[CTphpnwb]

This is just plain wrong:

    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];

First, it's a waste of time. All it does is copy data from one variable to another. There's no good reason to do that, especially considering that it sets you up for your worst mistake: putting user supplied data directly into a query. That's just begging to have your site hacked.

Learn to use prepared statements.

[PixelBit]

CTphpnwb, on 05 February 2012 - 10:23 AM, said:

This is just plain wrong:

    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];

First, it's a waste of time. All it does is copy data from one variable to another. There's no good reason to do that, especially considering that it sets you up for your worst mistake: putting user supplied data directly into a query. That's just begging to have your site hacked.

Learn to use prepared statements.

I know how to use prepared statements, I did this because a.) I prefer typing $author than $_POST['author'] and b.) The website is in no need of protection because it's just a small community that use it, if anyone decides to inject and post something on the website its no problem anyway and I doubt anyone will do it anyway, it's just a website for a small minecraft server.

This post has been edited by PixelBit: 05 February 2012 - 11:20 PM

[Dormilich]

PixelBit, on 06 February 2012 - 07:19 AM, said:

I know how to use prepared statements, I did this because a.) I prefer typing $author than $_POST['author']

being lazy doesn't make it right.

PixelBit, on 06 February 2012 - 07:19 AM, said:

The website is in no need of protection because it's just a small community that use it, if anyone decides to inject and post something on the website its no problem anyway and I doubt anyone will do it anyway

so it is ok for a hacker to delete all your files (including the DB)? and even if you doubt someone will do that, once someone does, you have a problem. (there are a couple of "my site has been hacked" threads here and I doubt the users had large scale websites)