|
PHP - Weird Output From Mysql_real_escape_string
I'm inserting some data from a CSV file into a database. I'm using mysql_real_escape_string to escape a string and getting some really weird output.
ex. input string = Adobe CS5 output = \0\0A\0d\0o\0b\0e\0 \0C\0S\05 I plugged the string into mb_detect_encoding and it told me it was in ASCII and I did a bunch of searching to find out that \0 is a null byte. The only thing I can't figure out is how to convert it to something that won't give me that garbage when I run it through mysql_real_escape_string. I tried mb_convert_encoding($str,"ISO-8859-1","ASCII") and it didn't do anything. Anyone know something I can try?? Similar TutorialsI'm not even sure how to explain it. I'm linking a team's roster to its coach. Now I'm getting a weird offset issue when I output the roster. It has something to do with the STATUS. Down below DIV class="roster_player_list", my Status values are 1, 2, 3, or 4, and each is then assigned a word value. My output should look like this (without the arrow and number) : Returning Starter <---- 1 # # # Key Returner <--- 2 # # Varsity Newcomer <--- 3 # # # Key Freshmen <--- 4 # The last "1" (Returning Starter) disappears from my list on both of my test accounts. I should have four Returning Starters instead of three. I've changed a player's status from a 2 to a 1, and the list changed. That player disappeared, the other appeared. Code: [Select] $sql = "SELECT * FROM players as p INNER JOIN schools as s WHERE s.coachFirst='".$current_first."' AND s.coachLast='".$current_last."' AND s.id = p.tid ORDER BY status, playerLast"; $results = mysql_query($sql); echo '<div class="roster">'; $team = mysql_fetch_assoc($results); echo '<div class="roster_team_info">' . $current_first . ' ' . $current_last . ' <div class="school">' . $team['school'] . '</div> <div class="coach">Coach ' .$team['coachFirst'] . ' ' . $team['coachLast'] .'</div> <div>Sectional: ' . $team['sectional'] . '</div> <div>Class: ' . $team['class'] . 'A</div> '; echo '</div>'; echo '<div class="roster_player_list">'; $currentStatus = false; //Flag to detect change in status while($player = mysql_fetch_assoc($results)) { if($currentStatus != $player['status']) { //Status has changed, display status header $currentStatus = $player['status']; echo '<br><b>'; if ($currentStatus == '1') {echo 'Returning Starters';} elseif ($currentStatus == '2') {echo 'Key Returners';} elseif ($currentStatus == '3') {echo 'Varsity Newcomers';} elseif ($currentStatus == '4') {echo 'Key Freshmen';} echo '</b><br>'; } //Display player info echo $player['playerFirst'] . ' ' . $player['playerLast'] . ', ' . $player['feet'] . '\'' . $player['inches'] . '",' . $player['position'] . ', ' . $player['year'] . ';<br>'; } I have an auto responder in a php order form with the phrase "Our web sites uses a secure order form for customers to purchase products, and services..." When the message is sent, the word 'services' comes out like this: "...products, and 1s." Each instance of the word 'services' is changed to '1s'. Any ideas?
Well I have a script that executes a scan on a system set to run infinitely, and I need it to echo out a message each time it loops through, but I don't want it to echo out the message with the next loop message below it, and the next one below that etc... I've tried using the flush(); function and been messing around with that with no luck. For security reasons I don't want to release any of the processing code, but here is the basic construction of the script: <?PHP ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** $RepeatIt = -1; for($g=1; $g!=$RepeatIt+1; $g++) { ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** $ScanMessage = ":.:.: SCANNING THE HITLIST FOR MOBSTER: ".$MobName." (SCAN #$g) :.:.:"."<br/><br/>"; echo $ScanMessage; ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** ***PROCESSING AND SCAN CODE*** } ?> At the moment it's returning: :.:.: SCANNING THE HITLIST FOR MOBSTER: DEUS EX DESTROYER (SCAN #1) :.:.: :.:.: SCANNING THE HITLIST FOR MOBSTER: DEUS EX DESTROYER (SCAN #2) :.:.: :.:.: SCANNING THE HITLIST FOR MOBSTER: DEUS EX DESTROYER (SCAN #3) :.:.: :.:.: SCANNING THE HITLIST FOR MOBSTER: DEUS EX DESTROYER (SCAN #4) :.:.: So what I want it to do is just delete the scanning message and replace it with the next scan message so while running this script you would see just the number increment on the same line. Any suggestions? Thanks. Good morning,
I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.
// insert into database hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes, i know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then i found such js code as: Code: [Select] javascript:document.body.contentEditable='true'; document.designMode='on'; void 0 (this allows the user of any site to edit content on the users end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? thanks Is it correct to use mysql_real_escape_string() function on every query that i wonna insert or search ? I have fields like TEXT(dectription of article), VARCHAR(name of article) and more like that, and is there correct to use mysql_real_escape_string for all fields when query is INSERT ? Code: [Select] $update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' "; $rsUpdate = mysql_query($update); After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly as it seems like a tedious process and messy code. Hello All, Wondering if someone can help. I have a piece of code which I use on all data I post to my database which uses mysql_real_escape_string on all my forms for security purposes that I found on t'internet: if(!get_magic_quotes_gpc()){ $_GET = array_map('mysql_real_escape_string', $_GET); $_POST = array_map('mysql_real_escape_string', $_POST); $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST); $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE); } However, ever since i've installed this i'm having problems with other elements, such as deleting records from a MYSQL database like so: <?php $msg = ""; if(isset($_POST['Submit'])){ $total = $_POST['total']; $news_ids = $_POST['nws_id']; foreach($news_ids as $id){ mysql_query("DELETE FROM news WHERE news_id='$id'"); } $msg = count($news_ids) . " News Item(s) deleted!"; } $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;"); $num = mysql_num_rows($result); $n = 0; ?> Yet if I delete the piece of code above code it works fine, but I don't understand why the above code effects this? Anyone plese help me understand? Thanks I have a form that allows users to submit to a database and for security reasons I am using mysql_real_scape_string on all of their input values. However this means that if the user puts something in speech marks such as "hello" It will then show up in the database as \"hello\" This means that whenever I fetch anything from the database it will have slashes in which doesn't look good. How do other people get round this problem. When I fetch something from my database should I do a string replace and just delete these slashes or is there a better method? Thanks for any help. Hi, just wondering do i need to use mysql_real_escape_string() on login information (username and password). I use it as shown below but get an error when connecting. Code: [Select] if(isset($_POST['submit'])){ if( empty($_POST['uname']) && (empty($_POST['upass']))){ header( "Location:Messages.php?msg=1" ); exit(); } $n=mysql_real_escape_string($_POST['uname']); $p=mysql_real_escape_string($_POST['upass']); include('config.php'); $query="select * from country where uname='$n' and pw='$p'"; $result=mysql_query($query); I just red few tutorials about mysql_real_escape_string. Could someone check if this is correct? <?php $conn = mysql_connect("localhost","myusername","thepassword1"); mysql_select_db("mydataB", $db); $result = mysql_query("SELECT * FROM applicant WHERE username = '$username'"); if (mysql_num_rows ($result) > 0){ $register = "&err=Not Available."; echo($register); } else { $username = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $name = mysql_real_escape_string($_POST['name'], $db); $email = mysql_real_escape_string($_POST['email'], $db); $id = mysql_real_escape_string($_POST['id'], $db); mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')"); $register = "Successful."; echo($register); } ?> Hello and thanks in advance for the input. I a fully functioning form. I am validating the input and successfully inserting the input into the mysql database. Now I am trying to escape the data by adding the basic line of code: $name = mysql_real_escape_string($_POST['name']); The input is successful but the mysql_database for name field is empty. If I remove the above line of code and just input the value for $name (without escape) the update works great. So the question is obvious for the above. Why? This code gives an error. Please help fix. $mydb = mysql_connect("localhost","my_un","my_pw"); mysql_select_db("my_db"); $query =sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm)); if(mysql_num_rows($query)) { $login = "&err=Not allowed."; echo($login); } else { $result=sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd)); if(mysql_num_rows ($result) == 0) { $login = "&err=Retry!!"; echo($login); } else { $row = mysql_fetch_array($result); $userNm=$row['username']; $passWd=$row['password']; $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful."; echo($login); } } Hi, i had today problem with my script. Everything worked well on my localhost(xampp server) and when i uploaded on dedi machine functions with MySQL database stoped working. Problem was with mysql_real_escape_string and i forgot that i must first open connection and then mysql_real_escape_string... But strange thing is that on xampp server i dont need to open connection for mysql_real_escape_string, and everything worked well... is there any solutio to php scripts on xampp worke same as php script on linux apache server? Hi, I have an HTML Area on an admin section of my site. The HTML gets submitted to a MySQL database, but gets parsed using mysql_real_escape_string. The problem i have just noticed, is that upon every edit, it gets parsed again, and again. Here is the code: Code: [Select] $updatequery = "UPDATE zen_blog SET content = '" . mysql_real_escape_string($htmlcontent) . "', active=$activate WHERE id = $updateid"; $doupdate = $db->Execute($updatequery); Here is the result: Quote <h2 class=\\"\\\\\\"\\\\\\\\\\\\\\"page_title\\\\\\\\\\\\\\"\\\\\\"\\"> Is it possible to only use it where its needed? Thanks! Joe Hi all, I use mysql_real_escape_string on user inputs before using them in a MySQL query. However, some of my queries use arrays or imploded arrays, for example a query of the form: SELECT .. FROM .. WHERE .. IN .. It seems like in these cases I can't use mysql_real_escape_string, am I correct in thinking this? If so, what can I use instead to ensure the best possible security against SQL injections? Thanks! If i use mysql_real_escape_string() whilst inserting data...and that data contained 'common sql injection chars' - im guessing it would escape/backslash them? So say if I now wanted to select/extract that data from the DB, would the data contain the slashes or would the slashes be automatically removed/stripped? I am trying to insert variables into a database, some of which potentially could hold apostrophes. I know about mysql_real_escape_string so I generate this sql statement: Code: [Select] $sql = ("INSERT INTO $fcbk_id (PredictedAt, HomeTeam, AwayTeam, HomePrediction, AwayPrediction, GameKey) VALUES ('".mysql_real_escape_string($date_now)."', '".mysql_real_escape_string($HomeTeam)."', '".mysql_real_escape_string($AwayTeam)."', '".mysql_real_escape_string($HomeScore)."', '".mysql_real_escape_string($AwayScore)."', '".mysql_real_escape_string($GameKey)."')"); It dont get any errors, even with this: Code: [Select] if (!mysql_query($sql)) { // SQL failed, print error message and abort print mysql_error();exit(); } however it still doesnt insert anything after an apostrophe in the fields. I am running this from my localhost. I.e Nottingham is sometimes shortened to Nott'ham, but all that would be entered to the database is Nott Any ideas why? |
|||||||