I have a problem that is a bit strange. My page contains an HTML link that refreshes the page and calls the PHP variable. This variable adds a date string to the URL string, which is passed to the MySQL query, which captures records matching that date. I think this causes an injection, as it sometimes removes the user from the database!
I know there may be security issues using the "#" in the hyperlink, but I would like to know what is going on. It will also have different effects in different browsers, seeing how it uses JavaScript. Remote users seem to occur only on some people's computers.
The PHP code computes the timestamp after three days and then puts it in SQL format:
$ts_threeDays = mktime(1,0,0,date('m'), date('d')+3-date('w'), date('y'));
$threeDaysAhead = date('y-m-d', $ts_threeDays); // uses the timestamp computed above (the original passed an undefined $ts_second_day)
The script then listens for the variable 'day' in the url string passed by the hyperlink on the page:
$date = mysql_real_escape_string($_GET['day']);
JavaScript and hyperlink:
<a href='#' onClick="document.location.href='planner.php?day=<?php echo $threeDaysAhead; ?>'"> 3 Days Later</a>
The MySQL query is larger, but the only input that it takes from the user action is the above date string. The query basically looks like this (uses a different select statement to access the user table):
SELECT planner.details FROM planner
WHERE planner.date = '$date' AND users.`user_id` = '$id' // Logged in Id superglobal
If anyone can help me and explain my problem, I will be very grateful. Many thanks.
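For comparison, here is an added example (not the asker's code) of the same planner lookup written so that the `day` parameter from the URL can never change the SQL: the value is validated as a real `YYYY-MM-DD` date, bound through a PDO prepared statement, and the logged-in id comes from the session rather than the URL. The DSN and credentials, the assumption that `planner` carries a `user_id` column, the session key, and "3 days later" meaning now plus three calendar days are all assumptions.

```php
<?php
// Added example, not the original page's code. Assumptions: table `planner`
// with columns `date`, `user_id`, `details`; the logged-in id lives in
// $_SESSION['user_id']; DSN/credentials are placeholders.
session_start();

function threeDaysAhead(DateTimeImmutable $now): string {
    // Assumed meaning of "3 Days Later": today + 3 calendar days.
    // Four-digit year so the string matches a MySQL DATE column exactly.
    return $now->modify('+3 days')->format('Y-m-d');
}

function validDay(?string $day): ?string {
    // Accept only YYYY-MM-DD that is a real calendar date; reject everything else.
    if ($day === null || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $day, $m)) {
        return null;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]) ? $day : null;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=planner_db;charset=utf8mb4', // placeholder DSN
    'db_user', 'db_password',                                   // placeholder credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values never inlined
    ]
);

$day = validDay($_GET['day'] ?? null);
if ($day === null) {
    http_response_code(400);
    exit('invalid day');
}
$id = $_SESSION['user_id'] ?? null; // assumed: set at login, never taken from the URL
if ($id === null) {
    http_response_code(403);
    exit('not logged in');
}

// Bound parameters: the date and id travel separately from the SQL text.
$stmt = $pdo->prepare('SELECT details FROM planner WHERE date = :day AND user_id = :id');
$stmt->execute([':day' => $day, ':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// A plain href replaces href="#" plus onClick, so the link works without JavaScript
// and behaves the same in every browser. Output is HTML-escaped.
$next = htmlspecialchars(threeDaysAhead(new DateTimeImmutable()), ENT_QUOTES, 'UTF-8');
echo "<a href=\"planner.php?day={$next}\">3 Days Later</a>";
```

With this shape, a malformed or tampered `day` value is answered with a 400 before any query runs, and the query itself cannot be altered by the value because it is bound, not concatenated.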