PHP - Mysql_real_escape_string() Doesn't Work
Hello all, I'm trying to clean up some user input for my database but the mysql_real_escape_string function doesn't seem to work, and neither does addslashes(). I've browsed the net and made sure I'm connected to the database before the function is called. I can't figure out what I'm doing wrong. Here's the relevant part of the code:
Code: [Select] <?php mysql_connect("localhost","adminname","adminpassword") or die (mysql_error()); mysql_select_db("databasename") or die (mysql_error()); $comment=mysql_real_escape_string($_POST['commentbox']); ?> ...and then the result is put into the database along with some other data. The database entry is correct, except, when I check the database or echo the result I get the same thing that was entered into 'commentbox'. For instance, if I enter "I am very 'confused' by this" into the box, the same string will be found in the database table. No slashes, just quotes. Anyone have an idea what's wrong with this? Because it all seems simple and correct but doesn't work. Similar TutorialsNever had this one before. Here's a string from a URL: $urltext = Product_Name_'with_single_quotes'_"_B Code: [Select] $name = str_replace( "_", " ", $urltext ); echo 'raw: ' . $name . "<br>"; $name = mysql_real_escape_string( $name ); echo 'mysql_real_escaped: ' . $name . '<br>'; Doesn't seem possible, but both of the "echos" return the same string. My query fails because there are no backslashes in the SQL statement. What's going on here? raw: Product Name 'with single quotes' " B mysql_real_escaped: Product Name 'with single quotes' " B if ($count==1){ header("Location:store.php"); }very simple I have issolated it and it doesn't redirect maybe u can see where my mistake is I've joined querys because I'm making my own forums. However, when it gets to the echoin out part, it shows the category and only ONE of the sub categorys. Code: [Select] <div id="forumContainer"> <?php $lastboard = ''; $forumQ = mysql_query("SELECT f1.cat_name as catName, f1.cat_id as catID, f2.cat_id as subCatID, f2.sub_id as subID, f2.sub_name as subName, f2.sub_desc as subDesc FROM `forum_cats` as f1 LEFT JOIN `forum_sub` as f2 ON f1.cat_id = f2.cat_id GROUP BY f2.cat_id "); while($forumF = mysql_fetch_assoc($forumQ)) { if($forumF['catName'] != $lastboard) { echo '<div class="forumCat">'.$forumF['catName'].'</div>'; $lastboard = $forumF['catName']; } echo '<div class="forumSub">'.$forumF['subName'].'</div>'; } ?> </div> $Row[2] doesn't work but if I use $Row["linkcat"] than it works fine. Is there somewhere to activate in the php.ini file ? Code: [Select] // I got 9 fields to in the table tbl_link ! $Row[2] should give me a number. $Verbinding = mysql_connect($db_host, $db_user, $db_passw); mysql_select_db($db_name); $sql = "Select * from tbl_link where userid=1"; $ResultShow = mysql_query($sql); while ($Row = mysql_fetch_assoc($ResultShow)){ echo $Row[2]; } All the tables are correct and it's making the connect to the database fine it's just not working, did I write it wrong? Code: [Select] function newPm($to, $from, $title, $text){ $q = $db->query("SELECT * FROM ibf_message_topics ORDER BY mt_id DESC"); $lastMsg = $db->fetch_assoc($q); $mid = $lastMsg['mt_id'] + 1; $msgId = $lastMsg['mt_msg_id'] + 1; $db->query("INSERT INTO ibf_message_topics SET mt_id=$mid, mt_msg_id=$msgId, mt_date=". time(). ", mt_title='$title', mt_from_id=$from, mt_to_id=". $to. ", mt_vid_folder='in', mt_read=0, mt_owner_id=$to, mt_user_read=0") or die(mysql_error()); $db->query("INSERT INTO ibf_message_text SET msg_id=$msgId, msg_date=". time() .", msg_post='$text', msg_sent_to_count=1, msg_author_id=$from") or die(mysql_error()); $userq = $db->query("SELECT new_msg FROM ibf_members WHERE id = $to"); $userData = $db->fetch_assoc($userq); $msgCount = $userData['new_msg'] + 1; $db->query("UPDATE ibf_members SET new_msg=$msgCount, show_popup=1 WHERE id = $to") or die(mysql_error()); } Here's how that function is being called in the beginning of the page: Code: [Select] if($action =="banUser"){ $expire = time() + (3600000 * 24 * $_GET['duration']); $q = $db->query("SELECT * FROM ibf_message_topics ORDER BY mt_id DESC"); $lastMsg = $db->fetch_assoc($q); $mid = $lastMsg['mt_id'] + 1; $msgId = $lastMsg['mt_msg_id'] + 1; $title = "Notification"; $duration = $_GET['duration'] ." days"; if($_GET['duration'] == "1"){ $duration = "1 day"; } if($_GET['duration'] == "Forever"){ $duration = "forever"; } $temp = 0; if($expire > time()){ $temp = 1; } $body = "This automated message has been sent to notify you that your account has been banned $duration. To appeal this ban, click on Irc from the menu on the homepage and ask to speak to a moderator. If this ban is temporary, your account will be reinstated automatically at the appropriate time"; newPm($id, 3017, $title, $body); $msgCount = $_GET['msg'] + 1; $db->query("UPDATE ibf_members SET ban_level = $level, tempbanned = $temp, banned = 1, ban_expire='$expire', ban_reason='". $_GET['reason']."', ban_by='". $name."' WHERE id=$id") or die(mysql_error()); ?> <center><b>User banned!</b> (<a href="index.php?code=plyrmgmt">Back to Player Management</a>)</center> Hi everybody! I'm creating a site and none of my php-code works. I tried to do a simple php-code to test it but it doesn't work either. The simple php-code: <?php echo "hello"; ?> I've written a script where it counts the page impressions on my website. When a visitor lands on the page, it counts their impression and then sets a $_SESSION so that if they reload or return to the page it doesn't count it again. But the problem is it sometimes does. Does this mean that the $_SESSION isn't being set probably? That's what it seems to be. And if so, what would be the reason for that? Here's my basic code: Code: [Select] if(isset($_SESSION['userid'])){ $userid = $_SESSION['userid']; } else{ $userid = rand(1000, 10000000); $_SESSION['userid'] = $userid; } $date = date('Y-m-d'); $counters = mysql_query("SELECT * FROM counters WHERE userid='$userid' AND impressions='1' AND date='$date'") or die(mysql_error()); if(!mysql_num_rows($counters)){ mysql_query("INSERT INTO counters (userid, impressions, date) VALUES('$userid', '1', current_date)") or die(mysql_error()); } Hi guys, me again. I have been using mail to send emails ( With your great help ) successfully in about three websites. For some reason, my email doesn't want to work with the site I am busy with now. This is my code : Code: [Select] <html> <head> <title>Practice</title> </head> <body> <table border="1"> <tr> <td> <?php $emailto="hannes@ncc-cla.com"; $emailsubject="confirmation"; $emailfrom="footloose.sa@gmail.com; if(!empty($_POST['uname'])){ $yourname=$_POST['uname']; $yoursurname=$_POST['usurname']; echo "hello </td> <td>" ." " . "$yourname" . " " . "$yoursurname </td> </tr>"; $emailbody="hello </td> <td>" ." " . "$yourname" . " " . "$yoursurname </td> </tr>"; } else{ echo"<tr> <td> enter your name </td> </tr>"; $emailbody .="<tr> <td> enter your name </td> </tr>"; } if(isset($_POST['gender'])){ /*isset is what it is set to can be used */ $gender=$_POST['gender']; echo "<tr> <td> You are a </td> <td> " . " " . "$gender </td> </tr>"; $emailbody .="<tr> <td> You are a </td> <td> " . " " . "$gender </td> </tr>"; } else{ echo "<tr> <td> Select Gender </td> </tr>"; $emailbody .="<tr> <td> Select Gender </td> </tr>"; } if(isset($_POST['plang'])){ $plang=$_POST['plang']; echo "<tr> <td> You are interested in </td> <td> " . " " . "$plang </td> </tr>"; $emailbody .="<tr> <td> You are interested in </td> <td> " . " " . "$plang </td> </tr>"; } else{ echo "<tr> <td> Select Programming language </td> </tr>"; $emailbody .="<tr> <td> Select Programming language </td> </tr>"; } print "<tr> <td> Your qualification is </td> <td>"; $emailbody .= "<tr> <td> Your qualification is </td> <td>"; foreach ($_POST['qlevel'] as $level){ print "$level<BR>"; $emailbody .="$level<BR>"; } $headers='From:'. $emailfrom; mail($emailto,$emailsubject,$emailbody,$headers); ?> </td> </tr> </table> </body> </html> I'm trying to implement an email activation method for my registration script. For that I need the last inserted id straight off the query. This is how the part of my script looks like: // write into database $query = sprintf("INSERT INTO user (user_id, firstname, lastname, nickname, password, email, dob, doj, random, activated) VALUES (' ', '%s', '%s', '%s', '%s', '%s', '%s', now(), '$random', '0')", mysqli_real_escape_string($dbc, $firstname), mysqli_real_escape_string($dbc, $lastname), mysqli_real_escape_string($dbc, $nickname), mysqli_real_escape_string($dbc, $password), mysqli_real_escape_string($dbc, $user_email), $dob); echo $lastid = mysqli_insert_id($dbc) or die (mysqli_error($dbc)); The query itself WORKS, the data gets inserted correctly, the scripts dies right at the die of mysqli_insert_id. When I take away the "or die", then I always get printed out a 0 when trying to register, THOUGH the data entered into the registration page gets inserted correctly into the database as said. I've read on w3schools.com, that the connection ($dbc) is OPTIONAL in mysqli_insert_id($dbc), because it automatically takes the last active connection, but when I leave it empty I get an error saying that it needs at least one parameter. I must be doing something wrong, if you need more of the script let me know. Since the scripts dies at the die, I didn't post anything below, and everything above is just if statements to check the entered data. Another issue with trying to work on somebody else's script (and on no sleep!) I've got this mess of a page I'm trying to manipulate to add a feature to. When somebody goes to this page, it pulls all records. At the top, I added a way to refine the results by dates. That query works fine, I tested it in mysql. To avoid fighting with the original code, I created an if statement to create $query_selectAll. But when I put it in the page, it would just refresh with the same data. I echoed the query to make sure it is correct. Then I realized that there was another query, $query_selectAllItems, further down the page that was generating the results, and none of what I was doing made a difference. But I'm not sure why it's ignoring my query or how to work around this. I tried deleting the query $query_selectAllItems, thinking it would take mine, because it ends with the same: $result_all $result_all = mysql_query($query_selectall); or $result_all = mysql_query($query_selectAllItems); Code: [Select] <?php require_once('calendar/classes/tc_calendar.php'); include("include/auth.php"); include("include/conn.php"); @$a_row = mysql_fetch_array($result); // I added this if statement in to get my POST results, without having to make changes to the GET results he made. if (isset($_POST['view'])){ $view=$_POST['view']; } else { $view=$_GET['view']; } if ($view=="All") { $query_selectall = 'select * from tbl_registration'; echo $query_selectall; } elseif ($view=="dated") { $mydate = isset($_REQUEST["date5"]) ? $_REQUEST["date5"] : ""; $end_date = isset($_REQUEST["date6"]) ? $_REQUEST["date6"] : ""; $query_selectall = "SELECT * FROM tbl_registration WHERE reg_timestamped BETWEEN STR_TO_DATE('$mydate', '%Y-%m-%d') AND STR_TO_DATE('$end_date' , '%Y-%m-%d')"; echo $query_selectall; } else { $query_selectall = "select * from tbl_registration where category='$view'"; echo $query_selectall; } $result_all = mysql_query($query_selectall); @$numRows_all = mysql_num_rows($result_all); ?> <title>WYF Admin</title> <html> <head> <script language="javascript" src="calendar/calendar.js"></script> <link href="include/styles.css" rel="stylesheet" type="text/css"> <SCRIPT language="JavaScript"> <!-- function confirm_delete(idval) { var verify= confirm("Do you really want to delete this Registration?"); if (verify== true) { window.location="delete_registrations.php?action=delete&did=" + idval; } } //--> </SCRIPT> <script type="text/javascript" src="js/jquery-latest.js"></script> <script type="text/javascript" src="js/jquery.tablesorter.js"></script> <script type="text/javascript"> $(function() { $("table").tablesorter({debug: true}); }); </script> </head> <body leftmargin="0" rightmargin="0" bottommargin="0" topmargin="0" cellspacing="0" cellpadding="0" bgcolor="ffffff"> <table width="100%"><tr><td align="left"><img src="images/logo.jpg"></td></tr> <tr><td><hr></td></tr> </table> <table><tr><td valign="top"> <table cellspacing="1" cellpadding="0" bgcolor="#cccccc" border="0" width="300"> <tr><td> <table cellspacing="0" cellpadding="0" width="300" height="400" bgcolor="#ffffff" border="0"> <tr><td align="left" valign="top"> <table width="250"><tr><td valign="top"> <b>Welcome </b><br><br> <?php //$query_selectAllItems = "SELECT *, DATE_FORMAT(workshop_date, '%e-%m-%Y') as 'my_date' FROM tbl_workshops"; $query_selectAllItems = "SELECT * FROM tbl_registration"; $result_all = mysql_query($query_selectAllItems); $numRows_all = mysql_num_rows($result_all); ?> <? include "include/nav.php"; ?> </td></tr></table></center> </td></tr> <tr><td></td></tr></table></tr></td></table> </td><td valign="top"> <div style="float:left;padding-right:40px;"><a href="getcsv.php">export to csv</a></div><div> <div style="float:right;margin-right:100px;"><form name="form1" method="post" action="viewregistrations2.php"><div style="float:left;overflow:visible;padding-right:10px;">View between</div> <div style="float:left;overflow:visible;padding-right:10px;"> <?php $myCalendar = new tc_calendar("date5", true, false); $myCalendar->setIcon("calendar/images/iconCalendar.gif"); $myCalendar->setDate(date('d'), date('m'), date('Y')); $myCalendar->setPath("calendar/"); $myCalendar->setYearInterval(2000, 2015); $myCalendar->dateAllow('2008-05-13', '2015-03-01'); $myCalendar->setDateFormat('j F Y'); $myCalendar->setAlignment('left', 'bottom'); $myCalendar->setSpecificDate(array("2011-04-01", "2011-04-04", "2011-12-25"), 0, 'year'); $myCalendar->setSpecificDate(array("2011-04-10", "2011-04-14"), 0, 'month'); $myCalendar->setSpecificDate(array("2011-06-01"), 0, ''); $myCalendar->writeScript(); ?> </div> <div style="float:left;overflow:visible;padding-right:10px;"> and </div> <div style="float:left;overflow:visible;padding-right:10px;"> <?php $myCalendar = new tc_calendar("date6", true, false); $myCalendar->setIcon("calendar/images/iconCalendar.gif"); $myCalendar->setDate(date('d'), date('m'), date('Y')); $myCalendar->setPath("calendar/"); $myCalendar->setYearInterval(2000, 2015); $myCalendar->dateAllow('2008-05-13', '2015-03-01'); $myCalendar->setDateFormat('j F Y'); $myCalendar->setAlignment('left', 'bottom'); $myCalendar->setSpecificDate(array("2011-04-01", "2011-04-04", "2011-12-25"), 0, 'year'); $myCalendar->setSpecificDate(array("2011-04-10", "2011-04-14"), 0, 'month'); $myCalendar->setSpecificDate(array("2011-06-01"), 0, ''); $myCalendar->writeScript(); ?> </div> <div style="float:left;overflow:visible;padding-right:10px;"><input type="hidden" name="view" id="view" value="dated"><input type="submit" value="go!"> </div></form> </div><br><br><br><br> <table width="95%" border="1" cellpadding="3" cellspacing="1" bordercolor="#999999" id="rowspan" class="tablesorter" name="table"><thead> <tr bgcolor="#ffffff"> <th width="125">Name</th> <th width="125">Address</th> <th width="125">Phone</th> <th width="125">Email</th> <th width="125">Workshop</th> <td width="50"> </td> <td width="50"> </td><td> </td> </tr></thead> <tbody> <? //output each row while ($c_row = mysql_fetch_array($result_all)){ ?> <tr> <td><?= $c_row['reg_fname'] ?> <?= $c_row['reg_lname'] ?></td> <td><?= $c_row['reg_address'] ?></td> <td><?= $c_row['reg_phone'] ?></td> <td><?= $c_row['reg_email'] ?></td> <td> <?php $catid = $c_row['reg_workshopid']; $query="SELECT * FROM tbl_workshops where workshop_id = '$catid'"; //Run query; $result=@mysql_query($query); $row=mysql_fetch_array($result); ?> <?php echo($row['workshop_title']); ?> </td> <td width="50" bgcolor="#DEE1EB"><div align="center"><a href="edit_registration.php?id=<? print $c_row['reg_id'] ?>">edit</a></div></td> <td width="50" bgcolor="#DEE1EB"><div align="center"><a href="javascript://" onClick="confirm_delete(<? print $c_row['reg_id'] ?>); return false">delete</a></div></td> <td width="50" bgcolor="#DEE1EB"><div align="center"><a href="printregistration.php?regid=<? print $c_row['reg_id'] ?>">view all / print</a></div></td> </tr> <? } //end while ?> </tbody> </table><br><br> </td></tr></table> I just started with php and made an image. But when I try to open it in my browser, it shows a broken image icon. I have put the font in the same folder as the .php file, but it doesn't work. Can somebody help me solve this problem? Here is the code: Code: [Select] <?php $font_path = "nakedchick.TTF"; $font_size = 30; $img_number = imagecreate(300,50); $backcolor = imagecolorallocate($img_number,0,162,255); $textcolor = imagecolorallocate($img_number,255,255,255); imagefill($img_number,0,0,$backcolor); $number = " So your ip is $_SERVER[REMOTE_ADDR]? "; ImageTTFText($img_number, $font_size,10,5,5,$number,$font_path,$textcolor); header("Content-type: image/png"); imagepng($img_number); ?> And also the files: (.php in attachment) http://falcogerritsjans.nl/u/signature2.php http://falcogerritsjans.nl/u/nakedchick.ttf I have something like below Code: [Select] $j = explode("-", $ROW['options']); if(array_search("src_str", $j) == false) echo '_no'; // This doesn't work Also i tried Code: [Select] $j = explode("-", $ROW['options']); if(!in_array("src_str", $j)) echo '_no'; // This also doesn't work Is this bug or am i doing something wrong? Hi, when I output this, it's same order, I want it to be: email/message/to/toLastName please see code: $testArray=array("toLastName","to","message","email"); $reversedTestArray=rsort($testArray);//rsort returns TRUE on success //$strTestArrayReversed=implode(",",$testArray); print_r($testArray); Any idea what I am doingwrong, it looks fairly straightforward. Any help much appreciated! Im using func_get_args, but it gives an error?: Too few arguments?, when its correct (as the number of %s = the number of values within $args) <?php function sprintify() { global $urls; $args = func_get_args(); $input = $args[0]; unset($args[0]); return sprintf($urls[$input], implode(', ', $args)); } echo sprintify('default', 46, 464, 46); /* For your information: $urls['default'] = '%s/%s/%s'; */ ?> Hi, I am trying to get the previous id for the table xdocument, but browser outputs this warning: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given for this code: Code: [Select] <?php //HELPER FCN used by FCN: writeXMLtoDBviaDOM function mysql_next_id($table) { $result = mysql_query('SHOW TABLE STATUS LIKE "'.$table.'"'); $rows = mysql_fetch_assoc($result); return $rows['Auto_increment']; } //TEST RUN: $_filePath="C:\dir\email.xml"; $node=basename($_filePath); $dom=new DOMDocument(); $dom->load($node); $labelPath=array(); mysql_connect("localhost","root"); mysql_select_db("dummydpev"); $isXdocExist=mysql_query("SELECT (file_Path,file_Name) FROM xdocument WHERE file_Path='$_filePath' AND file_Name='$node'"); $docId=0; if(mysql_num_rows($isXdocExist)==0) { mysql_query("INSERT INTO xdocument (file_Path,file_Name) VALUES ('$_filePath','$node')"); $docId=mysql_next_id("xdocument")-1; } else $docId=mysql_next_id("xdocument")-1; writeXMLtoDBViaDOM($dom->documentElement,$labelPath,$docId,$_filePath); ?> So I think my problem is with the multiple WHERE clause conditions, can I do it like what I have above? Any help much appreciated! Hello, I've been working on some stuff, and get the information parsed like this: Code: [Select] Value1,Value2,Value3 0.68,4377.54,11069.02So I'm trying to explode it and insert the latest numbers into the database. I'm using: $value = explode(",", $variable); $secondsplit = explode(" ", $value[2]); mysql_query("INSERT INTO table(row) VALUES('".mysql_real_escape_string($secondsplit[1])."')"); The problem is that it has something like an enter in the database, or a space. But I can't figure out how to get rid of that problem. Does anyone know what's wrong? Regards, NLCJ I've been puzzling over this all morning. No matter what I do i keep getting these errors: Quote
[01-Oct-2019 21:45:32 UTC] PHP Warning: Use of undefined constant PASSWORD_BCRYPT - assumed ' PASSWORD_BCRYPT' (this will throw an Error in a future version of PHP) in /home/ijwe4nfwf9ei/public_html/blog-approval.php on line 7 Here's my code: <?php echo phpinfo(); $pass=password_hash ("password", PASSWORD_BCRYPT); ?> I checked and I'm using php 7, so why do I keep getting this error? I had it print out my php info so I could check.. https://pyro-creations.com/tester.php I even read the manual and tried the examples and I still get those errors. How can I fix this? [please use code tags.] I have some code which deletes a record from my database (which has been selected from the previous page). Only problem is, it comes up with error code, but still deletes from the database? Error: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /www/110mb.com/t/h/e/b/l/a/c/k/theblackwatch/htdocs/150749deleted.php on line 28 Code: Code: [Select] <?php $id = $_GET[id]; // Start the connection to the database $conn = mysql_pconnect("***", "***", "***"); // Select the database to use mysql_select_db("***", $conn); // Create the MySQL command to retrieve all records $sql = "DELETE FROM **** WHERE id ='$id'"; $result = mysql_query($sql, $conn); $array = mysql_fetch_array($result); // Echo each entry as the value of the text boxes. This brings in the current info in the database echo "<p>Entry has been deleted.</p>"; ?> Any way round it? Hey, I have made a audio button in dreamweaver and copied the code into my php panel: <script language="JavaScript" src="http://www.MYWEBSITE.com/myname/audio/audio-player.js"></script> <object type="application/x-shockwave-flash" data="http://www.MYWEBSITE.com/media_folder/audio/player.swf" id="audioplayer1" height="24" width="290"> <param name="movie" value="http://www.MYWEBSITE.com/media_folder/audio/player.swf"> <param name="FlashVars" value="playerID=audioplayer1&soundFile=http://www.MYWEBSITE.com/media_folder/audio/Reconstructed Ancient Egyptian Melody.mp3"> <param name="quality" value="high"> <param name="menu" value="false"> <param name="wmode" value="transparent"> </object> However once I press save, all that is saved is: <script language="JavaScript" src="http://www.MYWEBSITE.com/myname/audio/audio-player.js"></script> <object type="application/x-shockwave-flash" data="http://www.MYWEBSITE.com/media_folder/audio/player.swf" id="audioplayer1" height="24" width="290"> <param name="movie" value="http://www.MYWEBSITE.com/media_folder/audio/player.swf"> The audio button works however because the code which includes the mp3 file never saves, it can never find the audio file. Can anyone tell me why the audio file part of the code doesn't save? Thanks. |