03-13-2007, 11:45 PM   #5
cef
Ack! Never trust user input (e.g., $_POST and $_GET variables). The above code is open to a SQL injection.

Replace
PHP Code:
    $item = $_GET['item'];
with
PHP Code:
    // escape quotes and other special characters so the value cannot break out of the SQL string literal
    $item = mysql_real_escape_string($_GET['item']);


Also, you might want to check if the item actually exists, and if you have any in stock:
PHP Code:
    $row = mysql_fetch_array($result);

    if ($row === false)
    {
        echo 'this item does not exist!';
        return; // or whatever you need to do
    }
    else
    {
        if ($row['count'] == 0)
        {
            echo 'sorry, none in stock.';
            return; // or whatever you need to do
        }

        // if you got here you have stock on hand, so continue
        $count = $row['count'] - 1;
        // etc...
    }
Just a rough draft, but you get the idea.


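The same "escape the input, then check the item exists and is in stock" flow from the post above, as an added example that is not cef's code: it uses PDO prepared statements, which keep the value out of the SQL text altogether and replace mysql_real_escape_string in current PHP, and it goes one step further than the post by doing the stock check and the decrement inside one transaction. The `items` table, its `name` and `count` columns, and the connection details are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection to
// MySQL and a table `items` (name VARCHAR, count INT); both are assumptions.

// Pattern the thread warns about: the raw $_GET value is spliced into the query
// text, so a quote in the value changes the meaning of the statement.
function buildVulnerableQuery(string $item): string {
    return "SELECT * FROM items WHERE name = '$item'";
}

// Hardened version: the value travels as a bound parameter, never as SQL text,
// and the existence/stock checks plus the decrement run in one transaction so
// two concurrent buyers cannot both take the last unit.
function buyItem(PDO $pdo, string $item): string {
    $pdo->beginTransaction();
    try {
        // FOR UPDATE locks the row until commit/rollback
        $stmt = $pdo->prepare('SELECT count FROM items WHERE name = ? FOR UPDATE');
        $stmt->execute([$item]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false) {
            $pdo->rollBack();
            return 'this item does not exist!';
        }
        if ((int)$row['count'] <= 0) {
            $pdo->rollBack();
            return 'sorry, none in stock.';
        }

        $upd = $pdo->prepare('UPDATE items SET count = count - 1 WHERE name = ?');
        $upd->execute([$item]);
        $pdo->commit();
        return 'ok, ' . ((int)$row['count'] - 1) . ' left';
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo buyItem($pdo, $_GET['item'] ?? '');
```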