PHP - Mysql Escape.. Is It Really Needed?

Code: [Select]
<?php
$verificate = $_GET["ver"];
$username = $_GET["user"];
$password = $_GET["pass"];

$dbh = mysql_connect("localhost","XXXXXX_dtbusre","my database password here")
                            or die(mysql_error());
mysql_select_db("databasename_zxq_dtb")     or die(mysql_error());
$sql = "SELECT loggedin FROM entityTable WHERE username=$username";
$result = mysql_query($sql) or die(mysql_error());
while ($line = mysql_fetch_array($result)){
  echo $line[0]."\t".$line[1]."\n";
}
mysql_close($dbh);

if($verificate === "144356455343"){
echo "SURE";
}
else{
echo "NOPE";
}
?>
I get this:
Code: [Select]
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Hei everyone. 
I am new on php development and i do not have budget on offering a course so i am trying to learn my self.    i need some help on the following :   i want to create infopanel.php  where the script will get info from.    For example if user logs in the  script will have to call :

<?php
include '/incl/infopanel.php' ;
?>

The info panel to load all details from  database:

<?php
$name='$myname';
$sur_name='$sname';
$age='$myage';
$country='$mycountry';
?>

So the info with my has to be from database .   so can some one help me how to call all information from database to a specific file that i will not have to  call always information on every page    I hope i have been so clean with my request

Hi, Ive stumbled apon a Mongo database connected to a broadcast script. I would like to change it to a Mysql database can anybody please show me an example how it will look in Mysql format

<?php
/* Require the PHP wrapper for the Mxit API */
require_once ('MxitAPI.php');


/* Function to count the number of users in MongoDB */
function count_users() {
    $mongo = new Mongo('127.0.0.1');
    $collection = $mongo->sampleapp->users;
    $collection->ensureIndex(array('uid' => 1));


    return $collection->count();
}


/* Function to get batches of users from MongoDB */
function get_users($skip=0, $limit=50) {
    $mongo = new Mongo('127.0.0.1');
    $collection = $mongo->sampleapp->users;


    $collection->ensureIndex(array('mxitid'     => 1,
                                   'created_at' => 1));


    $users = $collection->find()->sort(array('created_at' => 1))->skip($skip)->limit($limit);


    return iterator_to_array($users);
}


/* Instantiate the Mxit API */
$api = new MxitAPI($key, $secret);


/* Set up the message */
$message = "(\*) Congratulations to our winners (\*)\n\n";
$message .= "1st place - Michael with 100 points\n";
$message .= "2nd place - Sipho with 50 points\n";
$message .= "3nd place - Carla with 25 points\n\n";
$message .= 'Good Luck! :) $Click here$';


/* Mxit Markup is included in the message, so set ContainsMarkup to true */
$contains_markup = 'true';


/* Count the number of users in the database */
$count = count_users();


/* Initialise the variable that counts how many messages have been sent */
$sent = 0;


/* Keep looping through the user list, until the number of messages sent equals the number of users */
while ($sent < $count) {
    /* Get users in batches of 50 */
    $users = get_users($sent, 50);


    /* The list where the user MxitIDs will be stored */
    $list = array();


    foreach ($users as $user) {
        $list[] = $user['mxitid'];
        $sent++;
    }


    /* If there is a problem getting an access token, retry */
    $access_token = NULL;
    while (is_null($access_token)) {
        /* We are sending a message so request access to the message/send scope */
        $api->get_app_token('message/send');
        $token = $api->get_token();
        $access_token = $token['access_token'];


        // Only attempt to send a message if we have a valid auth token
        if (!is_null($access_token)) {
            $users = implode(',', $list);
            echo "\n$sent: $users\n";


            $api->send_message($app, $users, $message, $contains_markup);
        }
    }
}


echo "\n\nBroadcast to $sent users\n\n";

Here is my HTML code:

Code: [Select]

<html>
<head>
<title>Simple Search Form</title>
</head>
<body>
   <form name="searchform" method="get" action="/search.php">

        Select Gender:
        <select name="gender">
                <option value="Male">Male</option>
                <option value="Female">Female</option>
        </select>

        Select City:
        <select name="gender">
                <option value="all">All Cities</option>
                <option value="newyork">New York</option>
                <option value="toronto">Toronto</option>
                <option value="london">London</option>
                <option value="paris">Paris</option>
        </select>

   <form>
</body>
</html>


Here is my PHP code:


<?php
 
// get the data from the search form 

# get the gender (male or female)
$gender = $_GET['gender']; 

# get the city
$city = $_GET['city'];

// connect to mysql and select db
mysql_connect('localhost', 'root', 'pass') or die(mysql_error());
mysql_select_db($test_db);

// send query
$query = mysql_query("SELECT * FROM `visitors_location` WHERE gender='$gender' AND city='$city'");
$count = mysql_num_rows($query);

// display data
while ( $show = mysql_fetch_assoc($query) ) {
 
          echo $gender . " " . $city;

}

?>


My script basically shows # of males or females in a specific city. How can I show all males in all cities? In other words, let's say I want to show # of Females from all those 4 cities combined. I don't know how to do that. Can someone please help me?

I have a webpage where the candidates can attach their resumes  and send to the admin.These attachments are saved in the mysql db as blob datatype.In another webpage the admin needs to download all this resumes and see the content.
How will i code for that.

Hi!
I hope somebody can help me what im do wrong.
i have checked that the data from the file is in $source_file but nothing imports to the database

Code: [Select]
<?php

include('config.php');
include('opendb.php');

if(isset($_POST['upload']))
{
$source_file = @$_POST['userfile'];

//$source_file = fopen('http://localhost/test/upload/test.csv', 'r');
$target_table = 'foretag';
function csv_file_to_mysql_table($source_file, $target_table, $max_line_length=10000) {
     if (($handle = fopen("$source_file", "r")) !== FALSE) { 
        $columns = fgetcsv($handle, $max_line_length, ","); 
        foreach ($columns as $column) { 
            $column = str_replace(".","",$column); 
        } 
        $insert_query_prefix = "INSERT INTO $target_table (".join(",",$columns).")\nVALUES";
         while (($data = fgetcsv($handle, $max_line_length, ";")) !== FALSE) { 
            while (count($data)<count($columns)) 
                array_push($data, NULL); 
            $query = "$insert_query_prefix (".join(",",quote_all_array($data)).");";
             mysql_query($query); 
        } 
        fclose($handle); 
    } 
} 

function quote_all_array($values) { 
    foreach ($values as $key=>$value) 
        if (is_array($value)) 
            $values[$key] = quote_all_array($value); 
        else 
            $values[$key] = quote_all($value); 
    return $values; 
} 

function quote_all($value) { 
    if (is_null($value)) 
        return "NULL"; 

    $value = "'" . mysql_real_escape_string($value) . "'"; 
    return $value; 
}
}
include('closedb.php');

echo "<br>done<br>";

?>

Hello. I'm a newbie so sorry if this isn't the best forum to post my problem.   I am using a MySQL and PHP to create a web app. I have authentication, and I can register users. I also have a form that users provide information and it is successfully inserting data into a table in my database.   I will use fictional fields for my database table called meal_info:   username dateStartedDiet numberMealsPerDay costPerMeal   Problem: Select user-specific data from the MySQL database, using Session username to select only the current user's data, then display it and do some calculations.   Here is thecode at the top, and I am fairly sure it's working:   session_start(); //execute commone code require("common.php"); //includes code to connect to database, etc. if(empty($_SESSION['user'])) 

I'm attempting to implement a simple social networking system but at the moment am confused about how to create a multiple query which will display a certain user's friends list.

The database contains four tables, the two tables that I'm using at the moment at 'usersTable' and 'friendshipsTable' are detailed below.


usersTable           | Table that stores all the user data

UserID         | Default primary key
Forename              |
Surname         |
Username           |
Password              |
Email Address      |


friendshipTable   | Table that stores information about friendships between users

FriendshipID      |  Default primary key
userID_1                |  UserID
userID_2         |  UserID
Status         |  Either Pending or Confirmed.

The user's id is parsed into the url, and then saved into a variable.

blah.com/userprofile.php?id=6

$id = $_GET['id']; 

I am familiar with creating simple queries, but can't quite work out how to set up multiple table queries.

What the query needs to do is to check the userID that is parsed with the url, and then check the friendshipsTable by checking if either the userID_1 or userID_2 field  matches the userID to grab the records from the table where there is a match.

The next step is to check to see if the friendship is 'Confirmed' or 'Pending' and if it is 'Pending' to ignore it. Once the records have then been chosen I need the query to then check the value in either userID_1 or userID_2 that doesn't match userID and then pull the user's username and name from the usersTable so it can be displayed on a webpage.

I've no idea hoe much I may or may not be overcomplicating this, an example of the code that I've got so far for this query can be found below, but that's as far as I've got at the moment.

$displayFriends = mysql_query("SELECT * FROM friendshipTable, usersTable WHERE friendshipTable.userID_1='$id' OR friendshipTable.userID_2='$id' ");

Cheers for any help.

I am creating a site to display some products. For ease of updating I want it to run off a MySQL database. I have created the database and php scripts to output and input data etc. I know want to show that data in my web pages. My question is.... Is it best to insert HTML into the php output script to display the information and make the site look how I want....OR ....... should I create a template of the site in HTML and then somehow call the php output script (and the particular row of the database...)

Basically... should I put the html code into the php - OR - put the php into the HTML??

I hope this make sense......

thanks

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=333523.0

Hi guys, I think escaping is the correct term, apologies if its not.

Could anyone show me how I  can escape this so it works? Thanks

Code: [Select]
echo "[ - <a href="/$dir/game_play.php">Play</a> - ]";

Hey!
Code: [Select]
echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly?

I haven't coded HTML or PHP in several years and am trying to get back into it.

Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest.

Maybe it was using something like { } but I don;t recall.

I also seem to recall that wisely choosing where to use single (') and double (") quote was key!

For example, how could this code be cleaner?

	echo '<table id="membershipPlans">
	<!-- Column Groups -->
	<colgroup>
	  <col id="feature">'."\r";
	  foreach ($plan_names as $p_id => $p_name):
	    echo '<col id="option0'.$p_id.'">'."\r";
	  endforeach;
	  echo '</colgroup>";
	

 

Hello, I was wondering if I need to escape all get values.  I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc.  I usually convert this to a variable to be used in a WHERE statement.
Code: [Select]
IF ($_GET['id']){
$id=$_GET['id'];
}
But what if someone tried to view all records
Quote

http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0


resulted in all content page data being displayed somehow. Or better yet, if visiting
Quote

http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0


resulted in all content being deleted. 

Is that even possible in the in the context of a MySQL WHERE statement?  Seems like the MySQL statement wouldn't be structured correctly and wouldn't work.
I use mysqli_real_escape_string" on posted content but should I also escape all GET input?

Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems

Code: [Select]
<?
if(isset($_POST['upload']))
{
        include 'dbconnection.php';
$ttitle = mysql_real_escape_string($_POST['ttitle']);
$ttitle2 = mysql_real_escape_string($_POST['ttitle2']);
$query = "INSERT INTO test ( ttitle, ttitle2) ".
             "VALUES ('$ttitle', '$ttitle2' )";
             mysql_query($query) or die('Error, query failed : ' . mysql_error());                   
echo "<br>File uploaded<br>";
}       
?>
The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded.

From the server:
PHP.ini file: (ver 5.2.17)
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off

Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site.

As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great....

thanks in advance