I am trying to integrate a PHP plugin with my web app, but I am stuck with storing the values that I receive from an XML file to a table in my database.
This is what I have so far, but when I run the PHP script it does not save to the database. I have created a table in my database with one column (type=text, name=test)
global $mysqli;
$str = serialize($Items);
printF($str);
$result = $mysqli->query("INSERT INTO nepremicnine (test) VALUES ('$str');");
$Items probably contains some strings with single quotes, and this is causing a syntax error when you substitute it into the INSERT query. Use a prepared statement to avoid problems with special characters.
$stmt = $mysqli->prepare("INSERT INTO nepremicnine (test) VALUES (?);");
$stmt->bind_param("s", $str);
$result = $stmt->execute();
Related
It sounds strange to me. I have a simple PHP script that inserts data into MYSQL table.
Upon receiving the content from the client via AJAX the data is stored in a variable:
$content=$_POST['content'];
$sql="insert into contents values('$content')";
mysql_query($sql);
The problem is that if the content contains a '&' symbol,the sub-string before & is stored in MYSQL and the rest of the string is discarded. If I try directly in MYSQL then it stores complete string containg & symbol.why?
The problem is that mysql regocnizes '&' as AND. Check this out:
$content = mysql_real_escape_string($_POST['content']);
$sql = "insert into contents (column) values('$content')";
mysql_query($sql);
First off if this site is live take it down lol. This is classic sql injection vulnerability.
You need to be using mysqli now instead of mysql.
The way you use this is the same but it has this REALLY cool feature called 'real escape string'
What it does is parameterize the data before you pass it into the database
$content = $_POST['content'];
$connection = new mysqli('ipaddress','username','password','database');
$content = $connection->real_escape_string($content);
$sql="insert into contents values('$content')";
$connection->query($sql);
This is a much safer way of passing in data
The following topic is close to what I'm trying to ask, but it's outdated considering the mysql functions are deprecated in php now and there are prepared statements for preventing sql injection. insert all $_POST data into mysql using PHP?
Basically, I have a huge number of columns in my database that all need to get filled up when I submit this form. The form matches each column with an input field of the same name (the name attribute on the input field is the same as the column name it belongs in. So $_POST['firstName'] goes in the firstName column, and so on).
Is there a way using mysqli or PDO that I could easily just take all my POST data and automatically insert it into the MySQL table without going through each field by hand? I could code them all out using prepared statements, but there are a ton of columns and I'd like to get them done all at once if possible.
This is the beginning of the long version I don't really want to have to complete.
$stmt = $connection->prepare("INSERT INTO area_retreat
(user,firstName,lastName,...etc)
VALUES
(?,?,?,...etc)
ON DUPLICATE KEY UPDATE
user=VALUES(user),
firstName=VALUES(firstName),
lastName=VALUES(lastName),
...etc
");
$stmt->bind_param("sss",
$username,
$_POST['firstName'],
$_POST['lastName']
);
$stmt->execute();
INSERT INTO area_retreat VALUES (?, ?, ...) -- however, you have to match ALL columns as shown in the database.
If you have an auto increment ID, you will need to provide NULL for that column in the proper column order.
To avoid errors you definitely need to store the list of variables one way or another. It could be as simple as an array:
$fields = array('firstName', etc.);
Then you can loop through your array to generate your sql statement dynamically and using named placeholders instead of question marks, you only need to bind them once. You can also store the values in an array and send that array as a parameter to execute():
// start of query
$values = array();
$query = '...';
foreach ($fields as $field)
{
if (isset($_POST[$field]))
{
// add to query
$query .= "...";
// add value to array so that you can feed the array to `execute`
$values[':' . $field] = $_POST[$field];
}
}
// add end of query
$query .= '...';
$stmt->execute($values);
If you want to use the same variables in an ON DUPLICATE KEY UPDATE section, you can do another loop or build an insert section that you can use twice after looping once.
I am using this method to store data in database:
$content = $_POST['content'];
$content = mysqli_real_escape_string($mysqli,$content);
$stmt = $mysqli->prepare("INSERT INTO na_posts(postuid,content) VALUES (?, ?)");
$stmt->bind_param("ss",$post_id,$content);
$stmt->execute();
$stmt->close();
And I use this code to get data from the database:
$sql = "SELECT * FROM na_posts WHERE postuid = '" . $id . "'";
$stmt = $mysqli->query($sql);
$row = $stmt->fetch_Object();
echo nl2br($row->content);
but the output is like this:
hey this is line one \r\n this is line two
Why are the new lines show up like this \r\n?
It works if I remove the call to mysqli_real_escape_string() which is important for security as i have read.
mysqli_real_escape_string is not needed if you're using bind parameters, as you are here with bind_param. It's one or the other, you don't need both. Bind parameters are better for various reasons, mainly that it's easier to build the SQL and the database can also be more efficient (since it can be more efficient at executing the same query twice even if the bound values vary).
For outputting the value, in HTML you should use something like htmlspecialchars as mentioned by Alamri. Most decent templating engines will allow you to escape values by default so that you don't have to remember to escape every time. Symfony for example will escape values by default in its templates (other PHP web frameworks are available).
Hi when ever I want to insert a comment into my database, I sanitize the data by using Mysql Escape String function this however inserts the following verbatim in field. I print the comment and it works fine and show me the text however when ever I sanitize it, it literally inserts the following into my db
mysql_real_escape_string(Comment)
This is my insert statement, The Id inserts correctly however the comment doesn't it just inserts the "mysql_real_escape_string(Comment)" into the field. what can be wrong?
foreach($html->find("div[class=comment]") as $content){
$comment = $content->plaintext;
$username = mysql_real_escape_string($comment);
$querytwo = "insert into Tchild(Tid,Tcomment)values('$id','$username')";
$resulttwo = $db -> Execute($querytwo);
}
If I'm reading the documentation correctly, you should make the call like this:
$db->Execute("insert into Tchild(Tid,Tcomment)values(?, ?)", array($id, $username));
That will account for proper escaping. Having unescaped values in your query string is dangerous and should be avoided whenever possible. As your database layer has support for SQL placeholders like ? you should make full use of those any time you're placing data in your query.
A call to mysql_real_escape_string will not work unless you're using mysql_query. It needs a connection to a MySQL database to function properly.
Since you're using ADODB, what you want is probably $db->qstr(). For example:
$username = $db->qstr($comment, get_magic_quotes_gpc());
See this page for more information: http://phplens.com/lens/adodb/docs-adodb.htm
Just wondering, to sanitize user input, I use mysql_real_escape_string() on data before it is inserted into a table. Therefore when a user enters something like this:
Hi I'm just testing this
It gets placed into the table just fine, exactly as above. Question is, if I were to pull that data and place it into a variable via PHP, say $string, what would happen if I then used that variable to insert data into a new row in the table? Such as:
<?php
$result = mysql_query( "SELECT data FROM table WHERE id='1'" ); //data = Hi I'm just testing this
$result_array = mysql_fetch_array( $result );
$string = $result_array['data']; //string = Hi I'm just testing this
$insert = mysql_query( "INSERT INTO table (data) VALUES ('$string')" ) or die(mysql_error());
?>
Would the single quote (') cause problems in this scenario? Should I be using $string = mysql_real_escape_string( $result_array['data'] ) in this case as well?
Thanks!
Once the data's pulled out of MySQL, it's just like any other piece of data that you want to use in a query: You have to do proper escaping/quoting, or use a prepared statement. There's no magical flag within PHP that says "this came from the database and shall return whence it came".
The alternative is to use the INSERT INTO ... SELECT FROM syntax to do the operation completely within the database, if you can meet the conditions.
mysql_real_escape_string() simply prepares it for insertion into the database, once you request that data again it will be in its original form, i.e. you will have to sanitize it again before trying to insert it like your example above.