MessiAz
06-20-2008, 08:00 PM
i coded a php file to read a member's custom profile field.
do you see something bad in my code? is it safe to upload this file to my forum ?
request
http://xxxxxxxxxxx.com/forum/test.php?user=Tester
$username = $_GET['user'];
$query = "SELECT userid FROM vb_user WHERE username='" . $username . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$userid = $row[0];
$query = "SELECT usergroupid FROM vb_user WHERE userid='" . $userid . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$group = $row[0];
$query = "SELECT field6 FROM vb_userfield WHERE userid='" . $userid . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$serial = $row[0];
echo "Username: " . $username . "<br>";
echo "Userid: " . $userid . "<br>";
echo "group: " . $group . "<br>";
echo "programid: " . $serial . "<br>";
}
}
}
else {
echo "Username: Invalid";
}
do you see something bad in my code? is it safe to upload this file to my forum ?
request
http://xxxxxxxxxxx.com/forum/test.php?user=Tester
$username = $_GET['user'];
$query = "SELECT userid FROM vb_user WHERE username='" . $username . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$userid = $row[0];
$query = "SELECT usergroupid FROM vb_user WHERE userid='" . $userid . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$group = $row[0];
$query = "SELECT field6 FROM vb_userfield WHERE userid='" . $userid . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$serial = $row[0];
echo "Username: " . $username . "<br>";
echo "Userid: " . $userid . "<br>";
echo "group: " . $group . "<br>";
echo "programid: " . $serial . "<br>";
}
}
}
else {
echo "Username: Invalid";
}