I am trying to post php code from my messages table. But it is not posting. For example:
<textarea name="update">User can write php codes here for sending</textarea>
<div class="send">Send</div>
When i click send button the text code <?php echo $message;?> must be in my messages table row post_text . But post_text is empty, you can see it in the screenshot.
What is the problem here. What i shoud do to fix this problem? Anyone can help me here ?
<?php
include_once '../inc/inc.php';
if(isset($_POST['update'])) {
$update=mysqli_real_escape_string($db,$_POST['update']);
if($update){
$data=$DoDo->InsertText($uid,$update);
echo $update;
}
}
?>
InsertText function
public function InsertText($uid, $update) {
$time=time();
$ip=$_SERVER['REMOTE_ADDR'];
mysqli_query($this->db,"SET character_set_client=utf8") or die(mysqli_error($this->db));
mysqli_query($this->db,"SET character_set_connection=utf8") or die(mysqli_error($this->db));
$query = mysqli_query($this->db,"SELECT post_id,post_text FROM `posts` WHERE uid_fk='$uid' order by post_id desc limit 1") or die(mysqli_error($this->db));
$result = mysqli_fetch_array($query, MYSQLI_ASSOC);
$query = mysqli_query($this->db,"INSERT INTO `posts` (post_text, uid_fk,time) VALUES (N'$update', '$uid','$time')") or die(mysqli_error($this->db));
//The newquery to select for message
$newquery = mysqli_query($this->db,"SELECT M.post_id, M.uid_fk, M.post_text, M.time,U.username FROM posts M, users U where M.uid_fk=U.uid and M.uid_fk='$uid' order by M.post_id desc limit 1 ") or die(mysqli_error($this->db));
$result = mysqli_fetch_array($newquery, MYSQLI_ASSOC);
return $result;
}
Note: This problem will be come when i send just php code. If i send
normal text then normal text sending from post_text.
I want to send php code like this screenshot.
In your update query, you did not check the right variable;
$update=mysqli_real_escape_string($db,$_POST['update']);
if($update){
$data=$DoDo->InsertText($uid,$update);
echo $update;
}
also in your insert query you have a funny character, remove the N
VALUES ('$update', '$uid','$time')"
$query = mysqli_query($this->db,"INSERT INTO `posts` (post_text, uid_fk,`time`) VALUES ('$update', '$uid','$time')") or die(mysqli_error($this->db));
Do this below
<textarea name="update"><?php echo '<?php echo $message;?>';?></textarea>
Instead if($login){ use if($update){
change this
VALUES (N'$update', '$uid','$time')"
to
VALUES ('$update', '$uid','$time')"
wait, you literally want the string '<?php echo $message;?>' to be inserted, not the value of $message ?
if that is the case, you need to either make sure that PHP sees it as a string:
<textarea name="update"><?php echo '<?php echo $message;?>';?></textarea>
... or maybe it would be enough to post only the code, not the php tags
<textarea name="update">echo $message;</textarea>
Related
I'm new to PHP so this might be something obvious I missed.
Im trying to make a button which increments a value in my database:
<?php
$alist = mysqli_query($conn, "SELECT * FROM `posts` ORDER BY `posts`.`id` DESC");
$results = mysqli_num_rows($alist);
if ($results > 0){
while($row = mysqli_fetch_array($alist)) {
echo $row['uid']. " says: ".$row['postText']." <button onclick=".mysqli_query($conn, "UPDATE `posts` SET `postLikes` = postLikes+1 WHERE uid = ".$row['uid'])." name='likebtn'>👍</button>".$row['postLikes']."<br>";
}
}
?>
The part that makes the button is on line 6
I just want to find how I can use the mysqli_query on button click
by the way, I already tried this: "https://stackoverflow.com/questions/3862462/php-mysql-run-query-on-button-press-click" but with no result
Thanks in advance
if your current page is called first.php,
put inside button
<button></button>
<?php
if ( isset($_GET['p']) && $_GET['p']=="like") {
do your query
}
?>
if you dont want to reload then you need ajax,
hope this was helpful. :)
You have a syntax error here
echo $row['uid']. " says: ".$row['postText']." <button onclick=".mysqli_query($conn, "UPDATE posts SET postLikes = postLikes+1 WHERE uid = ".$row['uid'])." name='likebtn'>👍</button>".$row['postLikes']."<br>";
you can either do this
$q = mysqli_query($conn, "UPDATE posts SET postLikes = postLikes+1 WHERE uid = ".$row['uid']);
echo $row['uid']. " says: ".$row['postText']." <button onclick=".$q." name='likebtn'>👍</button>".$row['postLikes']."<br>";
I'm trying to create a website where anyone can post anything to it without creating an account, long as its just text. My problem is because every time I start the website and post something. Its sent to the bottom, where oldest posts are at the top and new posts are sent to the top. I want to see the new posts on top instead. This is my first time working with PHP, mySQL and databases in general so my code might look bad. Tell me if more information / code is needed. Thank you for your time.
<?php
function setPosts($conn){
if(isset($_POST['postSubmit'])){
$pid = $_POST['pid'];
$date = $_POST['date'];
$message = $_POST['message'];
$sql= "INSERT INTO post(pid, date ,message) VALUES ('$pid', '$date', '$message');";
$result = mysqli_query($conn, $sql);
}
}
function getPosts($conn){
$sql = "SELECT * FROM post";
$result = mysqli_query($conn, $sql);
while($row = $result->fetch_assoc()){
echo "<div class='post-box'>";
echo $row['date']."<br>";
echo nl2br($row['message'])."<br><br>";
echo "</div>";
}
}
You need to add "ORDER BY" to your "SELECT" to sort it.
$sql = "SELECT * FROM post ORDER BY date DESC";
The "DESC" is there so that new posts will be on top. We'd use "ASC" if we wanted older posts on top.
You need to use ODRER BY clause like below :-
$sql = "SELECT * FROM post ORDER BY date DESC";
Reference:- ODRER BY clause
Note:- Your insersion code is wide open for SQL Injection. Use mysqli prepared statements to prevent from it.
Reference:- mysqli::prepare
You need to sort mysql result by date and order it in descending order.replace mysql query to this
$sql = "SELECT * FROM post SORT BY date order BY DESC";
function getPosts($conn){
$sql = "SELECT date,message FROM post ORDER BY date DESC";
$result = mysqli_query($conn, $sql);
while($row = $result->fetch_assoc()){
echo "<div class='post-box'>";
echo $row['date']."<br>";
echo nl2br($row['message'])."<br><br>";
echo "</div>";
}
}
Require("dbconnect.php");//works is used on other another page
echo $Customer_id;//Displays correctly
Can anyone help?
First Check that use session variable is getting the data or not.
If the Customer id is of varchar then you are missing single inverted comma in where clause.
session_start();
$Customer_id = $_SESSION['id'];
Require("dbconnect.php");//works is used on other another page
$sql = "SELECT Job_id FROM Job";
$sql.= " WHERE Job_Customer_id = '$Customer_id'";
$stmt = $dbh->query($sql);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$Job_id = $row['Job_id'];
echo $Customer_id;//Displays correctly
echo $Job_id;//Curently dose not display anything
Change the $sql.= line to this:
$sql.= " WHERE Job_Customer_id = '$Customer_id'"
with the ' around $Customer_id.
I am getting the below error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'
Here is the main page..
echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";
and here is the second page the error appearing on. the address bar reads http://localhost/secondpage.php?title=more+testing
<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
echo $mydb->error;
}
?>
<div>
<?php
while( $row = $result->fetch_assoc() ){
echo $row['firstname'];
}
$mydb->close ();
?>
</div>
You want to use urldecode to decode the encoded string in your query:
$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";
I'm assuming you have a column named title in your test table. I don't think MySQL has urlencode function unless you have a procedure by that name which functions exactly like PHP's urlencode.
Update:
Thanks to #GeorgeLund, who pointed out the point of SQL Injection. Important topic which I missed earlier during answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection
For the very least please update your code to following:
$title = urldecode($_GET['title']);
$title = mysqli_real_escape_string($title); // Addition
$sql = "SELECT * FROM test where title = '$title' order by id";
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
Try like
$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";
You missed . leads syntax go away.
As far as I know SQL does not have function urlencode and why would you even want to urlencode the column name?
Also to store the encoded title string which is received from the last page you should decode the encoded title
So here is what I think you meant to do.
$sql = "SELECT * FROM test WHERE title = ".urldecode($_GET['title'])." order by id ";
Please try this code using urldecode
$sql = "SELECT * FROM test where title =".urldecode($_GET['title'])" order by id ";
From a MySQL table called "submission" containing the fields "loginid, submissionid, title, url, datesubmitted, displayurl", I would like to print an HTML table thats contains all "title" and corresponding "datesubmitted" where "loginid" equals "$profile." The code I am trying to use is below. It isn't working. Any ideas why it isn't working?
Thanks in advance,
John
$profile = $_GET['profile'];
$sqlStr = "SELECT loginid, submissionid, title, url, datesubmitted, displayurl
FROM submission
WHERE loginid = $profile
ORDER BY datesubmitted DESC";
$result = mysql_query($sqlStr);
$arr = array();
echo "<table class=\"samplesrec\">";
while ($row = mysql_fetch_array($result)) {
echo '<tr>';
echo '<td class="sitename1">'.$row["title"].'</td>';
echo '</tr>';
echo '<tr>';
echo '<td class="sitename2">'.$row["datesubmitted"].'</a></td>';
echo '</tr>';
}
echo "</table>";
Your query is probably failing.
Try echoing the return from mysql_error(); after trying the query to see what the issue might be.
You should also protect your input against injection. If loginID is a username, you need to surround a string in a mySQL query with quotes - if loginID is a username. If it's an integer you may be okay.
There are more robust ways to do this but simply:
$profile = mysql_real_escape_string($_GET['profile']);
$sqlStr = "SELECT loginid, submissionid, title, url, datesubmitted, displayurl
FROM submission
WHERE loginid = '$profile'
ORDER BY datesubmitted DESC";
$result = mysql_query($sqlStr);
if($result) {
// Handle output
}
else {
echo 'query failed';
// don't leave this here in production!
echo mysql_error();
}
One problem I can see is you are not checking in the return value of mysql_query()
mysql_query() returns false if it fails to execute the query. So you need to do a check, something like:
$result = mysql_query($sqlStr);
if(! $result) {
//....error occured...prepare $message
die($message);
}
your question regards to debugging, the most important programming art. Noone can find an error for you, you have to do it yourself. With help of little tricks.
change $profile = $_GET['profile']; to $profile = intval($_GET['profile'];)
change $result = mysql_query($sqlStr); to
$result = mysql_query($sqlStr) or trigger_error(mysql_error()." in ".$sqlStr);
andd following 2 lines at the top of your code, run it again and see what it say. if still nothing, you don't have matching records in your table.
ini_set('display_errors',1);
error_reporting(E_ALL);