I need help with this script...

[Barrucadu]

when I load the page nothing happenes, heres the script:

<?php

include '../../Includes/DBconnect.php';

session_start();

$sql = 'select * from '.$DBusers.' where uname="'.$_SESSION['usrnm'].'" and pword="'.$_SESSION['pwcd'].'" limit 1';

mysql_connect($DBhostname,$DBusername,$DBpassword);
mysql_select_db($DBname);
$result = mysql_query($sql) or die($sql);
mysql_close();

$num = mysql_num_rows($result);

if($num == 0){
	header("Location: http://www.yarrt.com/badlogin.php
	");
}
if(!$_SESSION['admincode'] == "67896789"){
	header("Location: http://www.yarrt.com/admin/badlogin.php
	");
}

if($_GET['act']=='delusr'){
	$sqlcode = 'DELETE FROM members_1 WHERE uname="'.$_GET['user'].'";';
	$sql2 = 'insert into admin_pending values("'.$sqlcode.'","'.$_SESSION['usrnm'].'")';
}
if($_POST['act']=='changeinfo'){
	$sqlcode = '';
	if(!$_POST['newinfo']=='' && !$_POST['newpassword']==''){
		$sqlcode = 'UPDATE members_1 SET myinfo="'.$_POST['newinfo'].'",pword="'.$_POST['newpassword'].'" WHERE uname="'.$_POST['olduname'].'";';
	}
	if($_POST['newinfo']=='' && !$_POST['newpassword']==''){
		$sqlcode = 'UPDATE members_1 SET pword="'.$_POST['newpassword'].'" WHERE uname="'.$_POST['olduname'].'";';
	}
	if(!$_POST['newinfo']=='' && $_POST['newpassword']==''){
		$sqlcode = 'UPDATE members_1 SET myinfo="'.$_POST['newinfo'].'" WHERE uname="'.$_POST['olduname'].'";';
	}
	$sql2 = 'insert into admin_pending values("'.$sqlcode.'","'.$_SESSION['usrnm'].'")';
}
if($_GET['act']=='delcont'){
	$sqlcode = 'DELETE FROM content_1 WHERE page="'.$_GET['page'].'" and title="'.$_GET['title'].'";';
	$sql2 = 'insert into admin_pending values("'.$sqlcode.'","'.$_SESSION['uname'].'")';
}
if($_GET['act']=='addcont'){
	$sqlcode = 'INSERT INTO content_1 VALUES("thompson","'.$_POST['contt'].'","'.$_POST['contb'].'");';
	$sql2 = 'insert into admin_pending values("'.$sqlcode.'","'.$_SESSION['uname'].'")';
}

mysql_connect($DBhostname,$DBusername,$DBpassword);
mysql_select_db($DBname);
mysql_query($sql2) or die($sql2);
mysql_close();
header("Location: http://yarrt.com/members/admin/index.php");

What its supposed to do is create a sql query and put it in the pending database, for later use.

 

[axilant]

replace:

mysql_query($sql2) or die($sql2);

With

mysql_query($sql2) or die(mysql_error());

See if there is an error, if so, copy and paste the error message.

Cody

 

[Barrucadu]

Ive made it echo the error message and the query, the output is:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'testtesttest",pword="1234" WHERE uname="dphoyes";","Mikor")' at

insert into admin_pending values("UPDATE members_1 SET myinfo="testtesttest",pword="1234" WHERE uname="dphoyes";","Mikor")

the error is because i use " twice but i dont know how to get around this..

 

[axilant]

All of your queries are messed up, your going to need to go and fix em.

you have:

insert into admin_pending values("UPDATE members_1 SET myinfo="testtesttest",pword="1234" WHERE uname="dphoyes";","Mikor")

Thats two types of queries.... :P You insert... plus update... im not even going to try to think what you are trying to do cause you lost me here... and i have seen some confusing codes O.o

insert into admin_pending values("UPDATE members_1 SET myinfo="testtesttest",pword="1234" WHERE uname="dphoyes";","Mikor")

 

[Barrucadu]

i'm trying to store a query in a database for later use.

 

[axilant]

i'm trying to store a query in a database for later use.

In that case, http://php.net/base64_encode http://php.net/base64_decode

I wouldnt even bother trying to escape something like that O.o just encrypt it lol
And decrypt it for usage.