|
PHP - Question On Mysq1 Real Escape String
on the first column do I need to escape that? "pm_id"
if so how do i do that with the right syntax is it like this? pm_id = '.mysql_real_escape_string.' Code: [Select] <?php $mail2 = "INSERT INTO pm SET pm_id = '', sendto = '".mysql_real_escape_string($to)."', sentfrom = '".mysql_real_escape_string($from)."' ?> Also when you create a new row with a id having auto increment. do i have to do id ="" so there isnt ever two rows matching the same id? Similar TutorialsI have never used real escape string so want to make sure I did it correctly. Also, if I can place it anywhere else to make it even more secure please let me know. This is just the action of a just a simple POST html form. Here it is. Code: [Select] <?php require ('staffarea/sql.php'); $showform="false"; $mcid = mysql_real_escape_string($_POST['mcid']); $age = mysql_real_escape_string($_POST['age']); $description = mysql_real_escape_string($_POST['description']); if(!mysql_query("INSERT INTO `somedatabase`.`appsubmissions` (`id`, `username`, `age`, `description`, `status`) VALUES (NULL, '$mcid', '$age', '$description', 'Pending');")) { echo '<div class=blockrow><b><font size=4>Submission Error</font><br /><br />Something went wrong. Contact Staff in the Support Forums and give them this information:<br /><br /></b><font color=red>'; echo mysql_error(); echo "</font>"; echo '<br /><br /><a href="/forumdisplay.php?f=14">Support Forums</a></div>'; } else { $lastID=mysql_insert_id(); echo "<div class=blockrow><font size=3><b>$mcid, Thank You for your Building Application!</b></font><br /><br />"; echo "Your Unique Application ID: <b>", $lastID; echo "</b> (save this so you can check the application status later)<br /><br /> Your application was submitted successfully. Please allow Staff 24 hours to accept or deny your application. If after 48 hours you still do not have building rights, assume the application was denied and re-submit with different information. DO NOT submit an application more than every 48 hours, doing so will get your account banned for spamming.<br /><br /> While waiting, you might check out the <a href=/index.php?pageid=mcguide>Ultimate Guide</a>.</div>"; } mysql_close($con); ?> i have made function of prepare or check the mysql real escapte string but when i run this code it gives two warnings msg Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\cart\include\db.php on line 42 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\cart\include\db.php on line 42 kindly tell me what is this msg about how to solve it my code is 37 public function mysql_prep($value){ 38 $magic_quotes_active=get_magic_quotes_gpc(); 39v$new_enough_php=function_exists("mysql_real_escape_string"); 40 if($new_enough_php){ 41if($magic_quotes_active){ $value=stripslashes($value);} 42 $value= mysql_real_escape_string($value);} 43 else { 44 if($magic_quotes_active){$value=addslashes($value);} 45} 46 return $value; 48 } Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors: Code: [Select] Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors. What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.. ~AJ <?php require_once('connect.php'); if(isset($_COOKIE['user'])){}else{ header( 'Location: members.php'); } if (isset($_POST['sendBtn'])){ $messageFrom = $_COOKIE['user']; $messageTo = $_POST['messageTo']; $hash = $messageTo.$messageFrom.time(); $hash = md5($hash); mysql_select_db("majik"); $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')"; echo '<center>Your message was sent to: '.$messageTo.'</center>'; } ?> '[$username]' is using a variable from a cookie varifying that you are logged in, this code works except i need to put real escape strings and protection from mysql injection and dont really know where to put them. Code: [Select] if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } [CODE] I am having problems with these slashes. They keep showing up when I echo data.... The code is to update a field in a mysql database table. Here is my code: Code: [Select] $query = mysql_query("SELECT * FROM `bus` WHERE username='$username'"); $row = mysql_fetch_array($query); $bio = $row['about']; $bio = str_replace("<br />","\r\n",$bio); if(isset($_POST['submit'])){ if(empty($errors)){ if($password == $pass){ $about1 = mysql_real_escape_string($_POST["about"]); $about1 = str_replace("\r\n","<br />",$about1); mysql_query("UPDATE bus SET about='$about1' WHERE username='$username'"); }else{$errors[] = 'Incorrect Password';} } } When I run this and put: About: I'm very tired today It's been very hard I get the about1 string as: I\\\'m very tired today\r\nIt\\\'s been very hard Why??? Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems Code: [Select] <? if(isset($_POST['upload'])) { include 'dbconnection.php'; $ttitle = mysql_real_escape_string($_POST['ttitle']); $ttitle2 = mysql_real_escape_string($_POST['ttitle2']); $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )"; mysql_query($query) or die('Error, query failed : ' . mysql_error()); echo "<br>File uploaded<br>"; } ?> The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded. From the server: PHP.ini file: (ver 5.2.17) magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site. As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great.... thanks in advance I think ive finished the piece of code below, after using escape string for the first time. Ive also put my connection details in a different folder on my hosting account root (worried that this would of been displayed in the event of a parsing eror), is there anything else I can do to make my site secure? Code: [Select] <?php include('func.php'); include($_SERVER['DOCUMENT_ROOT'].'/include/db.php'); ?> <!--$INC_DIR = $_SERVER["DOCUMENT_ROOT"]. "/include/";--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Chained Select Boxes using PHP, MySQL and jQuery</title> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script> <script type="text/javascript"> $(document).ready(function() { $('#wait_1').hide(); $('#drop_1').change(function(){ $('#wait_1').show(); $('#result_1').hide(); $.get("func.php", { func: "drop_1", drop_var: $('#drop_1').val() }, function(response){ $('#result_1').fadeOut(); setTimeout("finishAjax('result_1', '"+escape(response)+"')", 400); }); return false; }); }); function finishAjax(id, response) { $('#wait_1').hide(); $('#'+id).html(unescape(response)); $('#'+id).fadeIn(); } </script> </head> <body> <p> <form action="" method="post"> Name: <input type="text" name="Name" /><br /> Phone: <input type="text" name="Phone" /><br /> Email: <input type="text" name="Email" /><br /> Postcode: <input type="text" name="Postcode" /><br /> Web Address: <input type="text" name="Website" /><br /><br /> <select name="drop_1" id="drop_1"> <option value="" selected="selected" disabled="disabled">Select a Category</option> <?php getTierOne(); ?> </select> <span id="wait_1" style="display: none;"> <img alt="Please Wait" src="ajax-loader.gif"/> </span> <span id="result_1" style="display: none;"></span> <br /> </form> </p> <p> <?php if(isset($_POST['submit'])){ $drop = mysql_real_escape_string($_POST['drop_1']); $tier_two = mysql_real_escape_string($_POST['Subtype']); echo "You selected "; echo $drop." & ".$tier_two; } $Name = mysql_real_escape_string($_POST["Name"]); $Phone = mysql_real_escape_string($_POST["Phone"]); $Email = mysql_real_escape_string($_POST["Email"]); $Postcode = mysql_real_escape_string($_POST["Postcode"]); $Website = mysql_real_escape_string($_POST["Website"]); echo "<br>"; echo $Name; echo "<br>"; echo $Website; $query = ("INSERT INTO business (`id`, `Name`, `Type`, `Subtype`, `Phone`, `Email`, `Postcode`, `Web Address`) VALUES ('NULL', '$Name', '$drop', '$tier_two' , '$Phone', '$Email', '$Postcode', '$Website')"); mysql_query($query) or die ( "<br>Query: $query<br>Error: " .mysql_error()); ?> </body> </html> Say, Code: [Select] $ok = 'ABCDEFG' What is the command to check whether $ok contains 'C'? Hey all, I have a quick question and I know the answer is probably pretty easy but i've been working on it a while now and can't figure out how to get this done. SOO the situation is. I am looping through an RSS feed and with each entry I want to search for a brand name within the title, and add a company logo beside the entry. I was playing with something like this but it doesn't work real well.. // Find Kokatat $find = "Kokatat"; if(strstr($string, $find)) { $icon = "koksm.jpg"; } else { $icon = ""; } I appreciate any input! Hi everyone Well I've started learning php yesterday and now I encountered my first problem, I looked around but I don't really know what to search for if I want my answer so here I come Code: [Select] <html> <body> <?php $names = array('Peter','Quagmire','Joe'); $ages = array("Peter"=>32, "Quagmire"=>30, "Joe"=>34); $who = rand(0,2); $who2 = $names[$who]; echo "$names[$who] is $ages[$who2] years old"; ?> </body> </html> This is the script I have, and there is the kind of script I expected: Code: [Select] <html> <body> <?php $names = array('Peter','Quagmire','Joe'); $ages = array("Peter"=>32, "Quagmire"=>30, "Joe"=>34); $who = rand('Peter','Quagmire','Joe'); echo "$who is $ages[$who] years old"; ?> </body> </html> But after some search I concluded that rand is only used for random numbers So, my question is, which function should I use to achieve my goal? Is there any randstring('string1','string2',etc) command? Tnx for your time May I please ask one more question? About replacing a string only if it appears *after* a particular string?
I'm having trouble replacing all occurrences of "wheel" with "TIRE" but only when the word "wheel" is after this: (W/
Example:
From this:
A large wheel is shiny.
Big 4 wheel truck (W/ wheel)
Car with a wheel, and a small toy (w/ wheel)
Four wheelers are cool
To this:
A large wheel is shiny.
Big 4 wheel truck (W/ TIRE)
Car with a wheel, and a small toy (w/ TIRE)
Four wheelers are cool
Unfortunately, I thought this worked:
$fixed = str_ireplace('wheel','tire',substr($original_string,stripos($original_string,'(W')));
...until I realized it was *cutting off* all characters up until that first '(W/'
What can be done to make this work?
Edited by Nyla, 20 November 2014 - 09:40 PM. Hello dear folks i am currently workin on a little parser with cURL - and i have some questions he How to do the String concatenation with PHP ; note i wanna do it with curl! the target URL: http://www.schulministerium.nrw.de/BP/SchuleSuchen?action=572.8745475728288 click all checkbuttons Results: approx 6400 results Here i can provide some "more help for getting the target!" - btw see three detail page: http://www.schulministerium.nrw.de/BP/SchuleSuchen?action=261.2855969084779&SchulAdresseMapDO=116191 http://www.schulministerium.nrw.de/BP/SchuleSuchen?action=261.2855969084779&SchulAdresseMapDO=116270 http://www.schulministerium.nrw.de/BP/SchuleSuchen?action=261.2855969084779&SchulAdresseMapDO=188268 btw: we can loop over the results - with a iteration - especially i wanna know: how to do the String concatenation with PHP ; note i wanna do it with curl! function get_page_data($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $output = curl_exec($ch); if($output!=false && $_POST['dt']=='No') return $output; curl_close($ch); } for($i=1;$i<=$match[1];$i++) { $url = "http://www.example.com/page?page={$i}"; $data = get_page_data($url); if($data) { $cleaned = string_between('onload="check();">', '</body>', $data); return = stip_tags($cleaned, '<table><tr><td><div>'); } } any and all help will be greatly appreciated love to hear from you best regards Hi guys, I think escaping is the correct term, apologies if its not. Could anyone show me how I can escape this so it works? Thanks Code: [Select] echo "[ - <a href="/$dir/game_play.php">Play</a> - ]"; Hey! Code: [Select] echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly? I haven't coded HTML or PHP in several years and am trying to get back into it. Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest. Maybe it was using something like { } but I don;t recall. I also seem to recall that wisely choosing where to use single (') and double (") quote was key! For example, how could this code be cleaner?
echo '<table id="membershipPlans"> <!-- Column Groups --> <colgroup> <col id="feature">'."\r"; foreach ($plan_names as $p_id => $p_name): echo '<col id="option0'.$p_id.'">'."\r"; endforeach; echo '</colgroup>";
Hello, I was wondering if I need to escape all get values. I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement. Code: [Select] IF ($_GET['id']){ $id=$_GET['id']; } But what if someone tried to view all records Quote http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content page data being displayed somehow. Or better yet, if visiting Quote http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string" on posted content but should I also escape all GET input? I have front page and page for news, and i wonna to set, on front page to show news but only 100 characters, and on news page to be all text, i done that with substr($news, 0, 100); but i have proble, when i have in $news text like this: Code: [Select] Hi everyone. <b>Bold</b>now, subsrt count <b> and </b> like characters, how can i escape that <b> </b>, <u> </u> and other? I am having problems understanding how to sanitize my form data so it is safe to INSERT. If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = mysqli_real_escape_string($dbc, $trimmed['body']); And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O\'Reilly\'s book --------- If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = $trimmed['body']; And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O'Reilly's book Why the strange behavior?? Debbie Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based databse and local MySQL database. The problem is with blob columns.
The issue: When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. I know I could remedy by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have and it worked for a tiny 1 pixel image, but not for something complex:
$val = str_replace(chr('NUL'), '\0', $val);
$val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val);
$val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val);
Thanks
I've got a basic text input area within a form for users to add a brief bio about themselves. I made sure to use mysql_real_escape_string to avoid problems with special characters. However, when I want to display the content within the text area when a user chooses to update or change their bio, the text displays the escape characters. How do I display data from my db without the user having to deal with the escape characters? |
|||||||