|
PHP - How To Write This Mysql_real_escape_string Into Dropdownlist?
Hi.
I got this code below, which makes a dropdownlist. the value is passed in a string to a URL. The value EXAMPLE: is 13:30pm, but what reaches the URL is 13 If i add the mysql_real_escape_string, the full value is passed to the URL. BUT so is the "mysql_real_escape_string".. what is wrong with this code? this example does not work period: $query = "SELECT DISTINCT timeslot_start FROM #__profile_rates ORDER BY timeslot_start ASC"; $dropDownList ="<select class=\"inputbox\" name=\"timeslotstart\">"; $timeslotstarts =doSelectSql($query); foreach ($timeslotstarts as $timelotstart) { $timeslot_start=mysql_real_escape_string($timelotstart->timeslot_start); $dropDownList .= "<option value=$timeslot_start>".$timeslot_start."</option>"; } $dropDownList.="</select>"; $output['TIMESLOTSTART']=$dropDownList; but if i change to this it works but gives the "mysql_real_escape_string" in the url foreach ($timeslotstarts as $timelotstart) { $timeslot_start=$timelotstart->timeslot_start; $dropDownList .= "<option value=mysql_real_escape_string($timeslot_start)>".$timeslot_start."</option>"; } //Url looks like www.xxxx.com/xxx/x//xxxx/timeslotstart=mysql_real_escape_string(13%3A30pm), Everything is correct except the mysql_real_escape_string and the "(" and ")" should not be passed. how can i write this? Similar Tutorialshi friends! this code Code: [Select] foreach ( $users as $key => $value ) { $user_ids = implode(',', $value); echo "$key - $user_ids<br />"; } sends this output: Code: [Select] user one - 376,373 user charlie - user beta - 372 I need the $user_ids are shown in a DropDownList, of course only if the $user_ids is not empty. How can I do? thanks! Hi all,
I'm trying to code a dependable dropdownlist with php/mysql/ajax.
Goal is to select one thing in the first dropdown and depending on that option (and without reloading the page) enabling the second and add the options to the second, dependant on the first.
This is the index :
<?php
require_once($_SERVER['DOCUMENT_ROOT'].'/dbconnect.php');
?>
<script type="text/javascript" src="http://ajax.googleapis.com/
ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function()
{
$(".country").change(function()
{
var id=$(this).val();
var dataString = 'id='+id;
$.ajax
({
type: "POST",
url: "edit_form.php",
data: dataString,
cache: false,
success: function(html)
{
$(".city").html(html);
}
});
});
});
</script>
<?php
$id_test=$_POST['selector'];
$N = count($id_test);
for($i=0; $i < $N; $i++)
{
$result = mysqli_query($conn, "SELECT * FROM cloud where id='$id_test[$i]'");
while($row = mysqli_fetch_array($result))
{
$id_bird = $row['id'];
?>
<div style="margin:80px">
<label>Country :</label> <select name="country" class="country">
<option selected="selected">--Select Country--</option>
<?php
$sql=mysqli_query($conn, "SELECT category.id AS cat_id, category.name, category.type, cloud.id
FROM cloud,category,link_category_cloud
WHERE link_category_cloud.cloud_id = cloud.id
AND link_category_cloud.category_id = category.id
AND cloud.id='$id_test[$i]'");
while($row=mysqli_fetch_array($sql))
{
$id_test=$row['cat_id'];
$data=$row['name'];
echo '<option value="'.$id_test.'">'.$data.'</option>';
} ?>
</select>
<br/>
<br/>
<label>City :</label> <select name="city" class="city">
<option selected="selected">--Select City--</option>
</select>
</div>
<?php
}
}
?>
And this is the edit_form.php part :
<?php
require_once($_SERVER['DOCUMENT_ROOT'].'/dbconnect.php');
$cat_id = $_GET['cat_id'];
$cloud_id = $_GET['id'];
if($_POST['id_test'])
{
$id_test=$_POST['id_test'];
$data=$_POST['data'];
$sql=mysqli_query($conn, "SELECT * FROM link_category_cloud WHERE category_id={$cat_id}");
$data=$row['cloud_id'];
$id_test=$_POST['id_test'];
echo '<option value="'.$id_test.'">'.$id_test.' '.$data.'</option>';
//}
}
?>
Now, it does not work. I'm not only tring to pass through ID to 'edit_form.php', but also $data and $id_test[i]. Any idea how I can do this?
Thank you very much, all help is so appreciated!!
Hey guys, i'm new to this site and would need some help with coding. So i'm making a car part website which should has brand/model search. It's a dropdown search which will get the brand / model from database and should display all the parts for that exact model, from folder. Database structure which i have is id, master, name. ( Here's some pictures to clear out what i'm doing. http://imgur.com/a/7XwVd ) So the problem is that it does not get the images from folder named ex: *_audi_a3.jpg. And link to codes what have been written already. Parts.php: http://pastebin.com/q6vdypge Update.php: http://pastebin.com/DymhGQ17 Search_images.php: http://pastebin.com/LF5Q0i8f Core.js: http://pastebin.com/bgc0y4TS I don't know what's wrong with it sadly. One thing i noticed when i used firebug it gives error on category when searching error:true. Hope you guys understand what i mean here, and also all help is appreciated. And move this post if it's in wrong place. Thanks! Edited by aeonius, 17 October 2014 - 12:15 PM. Good morning,
I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.
// insert into database Is it correct to use mysql_real_escape_string() function on every query that i wonna insert or search ? I have fields like TEXT(dectription of article), VARCHAR(name of article) and more like that, and is there correct to use mysql_real_escape_string for all fields when query is INSERT ? I have a form that allows users to submit to a database and for security reasons I am using mysql_real_scape_string on all of their input values. However this means that if the user puts something in speech marks such as "hello" It will then show up in the database as \"hello\" This means that whenever I fetch anything from the database it will have slashes in which doesn't look good. How do other people get round this problem. When I fetch something from my database should I do a string replace and just delete these slashes or is there a better method? Thanks for any help. Hello All, Wondering if someone can help. I have a piece of code which I use on all data I post to my database which uses mysql_real_escape_string on all my forms for security purposes that I found on t'internet: if(!get_magic_quotes_gpc()){ $_GET = array_map('mysql_real_escape_string', $_GET); $_POST = array_map('mysql_real_escape_string', $_POST); $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST); $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE); } However, ever since i've installed this i'm having problems with other elements, such as deleting records from a MYSQL database like so: <?php $msg = ""; if(isset($_POST['Submit'])){ $total = $_POST['total']; $news_ids = $_POST['nws_id']; foreach($news_ids as $id){ mysql_query("DELETE FROM news WHERE news_id='$id'"); } $msg = count($news_ids) . " News Item(s) deleted!"; } $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;"); $num = mysql_num_rows($result); $n = 0; ?> Yet if I delete the piece of code above code it works fine, but I don't understand why the above code effects this? Anyone plese help me understand? Thanks hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes, i know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then i found such js code as: Code: [Select] javascript:document.body.contentEditable='true'; document.designMode='on'; void 0 (this allows the user of any site to edit content on the users end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? thanks I just red few tutorials about mysql_real_escape_string. Could someone check if this is correct? <?php $conn = mysql_connect("localhost","myusername","thepassword1"); mysql_select_db("mydataB", $db); $result = mysql_query("SELECT * FROM applicant WHERE username = '$username'"); if (mysql_num_rows ($result) > 0){ $register = "&err=Not Available."; echo($register); } else { $username = mysql_real_escape_string($_POST['username'], $db); $password = mysql_real_escape_string($_POST['password'], $db); $name = mysql_real_escape_string($_POST['name'], $db); $email = mysql_real_escape_string($_POST['email'], $db); $id = mysql_real_escape_string($_POST['id'], $db); mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')"); $register = "Successful."; echo($register); } ?> Code: [Select] $update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' "; $rsUpdate = mysql_query($update); After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly as it seems like a tedious process and messy code. This code gives an error. Please help fix. $mydb = mysql_connect("localhost","my_un","my_pw"); mysql_select_db("my_db"); $query =sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm)); if(mysql_num_rows($query)) { $login = "&err=Not allowed."; echo($login); } else { $result=sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd)); if(mysql_num_rows ($result) == 0) { $login = "&err=Retry!!"; echo($login); } else { $row = mysql_fetch_array($result); $userNm=$row['username']; $passWd=$row['password']; $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful."; echo($login); } } Hi, just wondering do i need to use mysql_real_escape_string() on login information (username and password). I use it as shown below but get an error when connecting. Code: [Select] if(isset($_POST['submit'])){ if( empty($_POST['uname']) && (empty($_POST['upass']))){ header( "Location:Messages.php?msg=1" ); exit(); } $n=mysql_real_escape_string($_POST['uname']); $p=mysql_real_escape_string($_POST['upass']); include('config.php'); $query="select * from country where uname='$n' and pw='$p'"; $result=mysql_query($query); Hello and thanks in advance for the input. I a fully functioning form. I am validating the input and successfully inserting the input into the mysql database. Now I am trying to escape the data by adding the basic line of code: $name = mysql_real_escape_string($_POST['name']); The input is successful but the mysql_database for name field is empty. If I remove the above line of code and just input the value for $name (without escape) the update works great. So the question is obvious for the above. Why? I keep getting the following error: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established With this code: <?php $level = $_POST[level]; $first = $_POST[first]; $second = $_POST[second]; $third = $_POST[third]; $fourth = $_POST[fourth]; $mysqli = new mysqli("*****", "*****", "******", "********"); if ($mysqli === false) { die("ERROR: Could not connect to database. " . mysqli_connect_error()); } $vidlink=mysql_real_escape_string($_POST[vidlink]); $title=mysql_real_escape_string($_POST[title]); $des=mysql_real_escape_string($_POST[des]); $website=mysql_real_escape_string($_POST[website]); $cat= mysql_real_escape_string($first . $second . $third . $fourth); why won't it work? I have an AJAX script which queries a DB when a user inputs a search text. That's great, works well. However, when I use mysql_real_escape_string, it seems to completely rid the '$q'. When I don't use it, it works well but of course, there's the security side of things. Here's the code snippet: <?php error_reporting(E_ALL); $q = $_GET["q"];//added mysql_real_escape_string //$q = mysql_real_escape_string('$_GET["q"]'); $con = mysql_connect("localhost","aaaaa","aaaaa"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("aaaaa", $con); $sql="SELECT * FROM articles WHERE keywords LIKE '%$q%'"; ?> It seems so simple, but its just not working. What could it be? Hi, I am trying to make a blog system in php and mysql and just about got it working except for one thing. I need to sanitise the fields, both to prevent against sql injection and to allow the bloggers to use punctuation such as quotes. this is the query code I have so far: if($_SERVER["REQUEST_METHOD"] == "POST") { $post_title = $_POST['posttitle']; $post_content = $_POST['postcontent']; $post_content = mysql_real_escape_string($post_content); $query=mysql_query("INSERT INTO 'blog'('Title','Content') VALUES ('$post_title','$post_content')",$connect); header("Location:index.php?page=afterpost&post=".mysql_insert_id()); } I can't see why that isn't working, but when I type something in with a quote in it it just doesn't submit to the database. Without a quote works fine. If I try echo $post_content;, it comes up with backslashes before the quotes so the mysql_real_escape_string seems to be working. What am I doing wrong? Thanks in advance. Is it necessary to use mysql_real_escape_string() when I'm retrieving fields from a table that the user had no input on the result? Such as if there was a template color that the admin set in the siteconfig table that the script selects automatically with no user input. Cheers! If i use mysql_real_escape_string() whilst inserting data...and that data contained 'common sql injection chars' - im guessing it would escape/backslash them? So say if I now wanted to select/extract that data from the DB, would the data contain the slashes or would the slashes be automatically removed/stripped? |
|||||||