thenetbox
07-16-2002, 02:53 AM
does any one here know how to inject an SQL query with a URL encoded variable?
I have been trying this but it gives an error
$result = mysql_query("SELECT image_name FROM photo_album WHERE file_name='$username' ",$db);
if (!$result) {
echo("Sorry no Pictures: " . mysql_error(). "</p>");
I type http://www.url.com/memberpics.php?username=vivica
but it gives an error
Is there some other way to get it to work with an SQL query like that? like a different command? help :(
I have been trying this but it gives an error
$result = mysql_query("SELECT image_name FROM photo_album WHERE file_name='$username' ",$db);
if (!$result) {
echo("Sorry no Pictures: " . mysql_error(). "</p>");
I type http://www.url.com/memberpics.php?username=vivica
but it gives an error
Is there some other way to get it to work with an SQL query like that? like a different command? help :(