4
XoopsDB doesn't execute command queries when the calling page reads $_GET variables as a security measure.
In this case $xoopsDB->query() does allways return true so it SEEMS like the query executed fine.
If you are aware that you are running a security risk and have taken utmost care to sanitise these $_GET vars you can call $xoopsDB->queryF() to make the changes anyways.
Talking about sanitising values:
Allways try to quote non-integer values using $xoopsDB->quoteString() and make sure any integer you include doesn't contain SQL-injection instructions e.g.:
if (intval($pid) <= 0)
die("Illegal parameter value (pid)");
$xoopsDB->query("UPDATE ".$xoopsDB->prefix("users_gal")." SET visit_count = visit_count + 1, visit_lastip='".$xoopsDB->quoteString($_SERVER['REMOTE_ADDR'])."' WHERE pid=$pid");