JeevesBond — Fri, 03 Aug 2007 16:58:39 +0000

Wow, that's some confusing code you've got there!

<?php
$con = mysql_connect($server, $username, $password) or die(\"Could not connect!\");
mysql_select_db(\"database_name\", $con);
$requestId = (int) $_POST['requestId'];
$sql = \"UPDATE friends SET pending='y' WHERE requestId=\". $requestId;
if (mysql_query($sql, $con) {
  echo \"Friend request accepted!\";
}
else {
  die(\"Friend request failed \". mysql_error());
}
mysql_close($con);
?>

If you don't want to get your site cracked, always cast variables before putting them into a SQL query, secondly if you're putting a string into a query always run it through: mysql_escape_string first. Don't ever trust any input from the user, assume that everyone who uses your site is out to get you: paranoid? Yes, but it works.

*** EDIT ***
I changed your code to use PHP syntax highlighting, to do this on future posts enclose the code in: [ php ][ /php ]. Just makes it easier to read.

brady.k — Fri, 03 Aug 2007 16:53:52 +0000

Ok...

This would be appropriate:

<?php
$sql = \"UPDATE friends SET pending = 'y' WHERE userid = '$userid'\";
?>

..what is all the stuff afterwards? Not only is it not making sense to me, but it seems to be wrong? If you can explain what you are doing from "VALUES" on, then I can help you rewrite it.