<?
session_start();
if ($_SESSION['membersarea']!="Active") {
    echo "<script>document.location.href='login.php'</script>";
} else {
    include_once ("config/config.php");
    $page_title = 'View the Current Users';
    include ("themes/".$setts['default_theme']."/header.php");

    // Page header.
    echo '<h1 id="mainhead">House Price</h1>';

    // Make the query.
    $aucid=$_REQUEST['houseofferid'];
    $override= "SELECT * FROM home_offers WHERE houseid='$aucid'";
    $oresult= mysql_query($override);
    $num = mysql_num_rows($oresult);

    if ($num > 0) { // If it ran OK, display the records.
        echo "<p>There's currently $num offer(s) on house.</p>\n";
        echo '<form action="updateoffers.php" method="post"><table align="center" cellspacing="0" cellpadding="5"><tr><td align="left"><b>Name</b></td><td align="left"><b>Date Registered</b></td></tr>';
        while ($row = mysql_fetch_array($oresult, MYSQL_ASSOC)) {
            echo '<tr><td><input type="text" name="buyid" value="' . $row['buyerid'] . '"></td><td><input type="text" name="amt" value="' . $row['amount'] . '"></td></tr>';
        }
        echo '</table><input type="submit" name="submit" value="Send"></form>';
        mysql_free_result ($oresult);
    } else {
        echo '<p class="error">There are currently no registered users.</p>';
    }
}
mysql_close(); // Close the database connection.
?>
Another thing you might want to fix is the ability to use SQL injection on your script.
I could easily drop your database from the URL.
Always sanitize your data before you run the query.
Try:
// Make the query.
$aucid=abs($_REQUEST['houseofferid']);
$override= "SELECT * FROM home_offers WHERE houseid='$aucid'";
$oresult= mysql_query($override) or die(mysql_error());
$num = mysql_num_rows($oresult);
And a hint: Some people do not allow JS redirects; therefore, if an error happened on your script, they would be left with a blank page. You should do this instead:
header('Location: login.php');
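The sanitizing advice in the reply above, shown with a validated integer and a bound parameter, as an added example that is not part of either post. It assumes PHP with the PDO SQLite driver; the in-memory table, its rows and the helper name fetchOffers are constructed for illustration.

```php
<?php
// Constructed stand-in for the thread's home_offers table (in-memory SQLite via PDO).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE home_offers (houseid INTEGER, buyerid TEXT, amount TEXT)');
$pdo->exec("INSERT INTO home_offers VALUES
    (7, 'buyer-a', '250000'), (7, 'buyer-b', '255000'), (9, 'buyer-c', '310000')");

/**
 * Hypothetical helper: validate the id, then bind it as a parameter so the
 * request value never becomes part of the SQL text.
 * Returns null when the id is rejected, otherwise the matching rows.
 */
function fetchOffers(PDO $pdo, $rawId): ?array
{
    // Accept only a plain positive integer; missing or malformed input is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT buyerid, amount FROM home_offers WHERE houseid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, a quote-breaking string, a non-numeric value.
foreach (['7', "7' OR '1'='1", 'abc'] as $input) {
    $rows = fetchOffers($pdo, $input);
    if ($rows === null) {
        echo 'rejected: ' . var_export($input, true) . "\n";
        continue;
    }
    echo count($rows) . " offer(s) for house $input\n";
    foreach ($rows as $row) {
        // Encode on output too, since the form places these values in HTML attributes.
        echo '  ' . htmlspecialchars($row['buyerid'], ENT_QUOTES, 'UTF-8') . ' => '
            . htmlspecialchars($row['amount'], ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

In the page itself, `$_REQUEST['houseofferid']` would be passed as `$rawId`, and a `null` result is the point to stop and show an error instead of running the query.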