Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
i have code like this but when i click submit its give me error
mysqli_real_escape_string() expects parameter 2 to be string, array
given where should i do or put the mysqli_real_escape_string ?
if(!empty($_POST['poscon'])) {
foreach($_POST['poscon'] as $condition)
$condition=mysqli_real_escape_string($link,$_POST['poscon']);
Seeing you're not responding to comments, I'm posting this as an answer.
- Maybe you'll respond then.
You see your foreach($_POST['poscon'] as $condition)?
You're using the wrong parameter and passing the array instead of the $condition variable.
Do $condition=mysqli_real_escape_string($link,$condition);
When ever you taking user inputs from the view you should check.
mysqli_real_escape_string Definition
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
mysqli_real_escape_string Manual
Normal text
Early `$name = $_POST['name'];`
New Practice `$name = mysqli_real_escape_string($_POST['name'])`
URL
Early `$url = $_POST['url'];`
New Practice `FILTER_VALIDATE_URL` [Check Example](http://www.w3schools.com/php/filter_validate_url.asp)
E-Mail
Early `$email = $_POST['email'];`
New Practice `FILTER_VALIDATE_EMAIL` [Check Example](http://www.w3schools.com/php/filter_validate_email.asp)
More Useful Articles
Is mysqli_real_escape_string safe?
mysql(i)_real_escape_string, safe to rely on?
mysqli::real_escape_string, mysqli_real_escape_string
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 6 years ago.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Improve this question
I am a beginner at PHP and MYSQL. Here is my simple code to add data to a data base. it is not working
the connection.php(sets up the mysql connection variables) files have already been created and are working fine with other files and functions. Am receiving no errors while this code here does not add the data to the database
could someone please tell me where the problem could be?
<?php
if (isset($_POST['bookt']) & isset($_POST['type']) & isset($_POST['publisher']) & isset($_POST['year']) & isset($_POST['class']) & isset($_POST['subject'])) {
//set the values
$bookt= $_POST['bookt'];
$type= $_POST['type'];
$publ=$_POST['publisher'];
$year=$_POST['year'];
$class= $_POST['class'];
$subj= $_POST['subject'];
//INSERTING A ROW
$add_query= "INSERT INTO books ('Book Title','Type','Publisher','Yearp', 'Class','Subject')
VALUES ('$bookt','$type','$publ','&year','$class','$subj')";
//query
$result=mysql_query($add_query);
if (!$result) {die("couldn't perform query".mysql_error());}
if ($result) {echo " </ br> <p><script type='text/javascript'>alert('INSERT SUCCESSFUL!!!');</script></p><br /><br /> insert id was ".mysql_insert_id();}
};
?>
You have a lot of major problems with this code.
First, please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. They were removed entirely from PHP 7. Use MySQLi or PDO instead.
Second, the Boolean "and" operator is &&, not & (the bitwise "and" operator).
Third, it's $year, not &year.
Fourth, put column names in backticks, not single quotes ('...'):
$add_query= "INSERT INTO books (`Book Title`,`Type`,`Publisher`,`Yearp`, `Class`,`Subject'`)
VALUES ('$bookt','$type','$publ','$year','$class','$subj')";
Single quotes will cause your query to fail. This is why your query isn't working at all.
Fifth, you aren't doing any error checking or data validation.
Sixth, you are wide open to SQL injection. You need to use prepared statements and never put user input directly into SQL.
There may be even more issues, but these are the big ones.
If you want multiple conditions in your if-statement use a logical operator "&". Also mysql_ has been gone from PHP7 for a long time.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
When I use a variable in my WHERE clause of Update the updation doesnt take place.
$eventid=$_GET['id'];
$sql = "UPDATE events SET name=:name WHERE id=:id";
$q = $conn->prepare($sql);
$q->execute(array(':name'=>$name,':id'=>$eventid));
When I echo $_GET['id'] I get the correct value.
$_GET['id'] is the value I have passed from another page
People are saying you're vulnerable to sql injection attacks because you're passing an id via a $_GET parameter to an update statement where you directly use the $_POST superglobal.
In order to make it more secure, you could start by passing the ID via $_POST as well, and not using $_POST directly in your SQL.
But that's not the question you asked.
I would hazard to guess it's not updating because you're passing ID as a string, which it probably isn't.
Try changing
WHERE id='".$_GET['id']."'");\
to
WHERE id=".$_GET['id']."");
Save your query to a string variable so you can debug what are you sending to db MySQL. Then try to run the result query direct on the db.
$DBcon->query(#strSQL);
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
I am parsing a file and pulling data out of it. One of the pieces of data is a decimal such as 1.9.
For some reason when I tried to save to my MySQL table it kept saving as 0. The field type is Decimal (6,2) in the table.
I attempted to manually cast it using various php functions such as...
settype(), (int), (float), (double) etc. Everytime I cast it, it would set it to zero or boolean. I used gettype to check it.
When parsing it I used trim() and str_replace() functions to remove spaces. What is odd is that I am using same method for pulling other values/decimals out of same file and php handled the casing itself.
Any ideas what could possible prevent me from casting this as a a number?
So this is what solved my problem for anyone who runs into this situation. Not sure it is the best way to handle it but it worked.
$dim = preg_replace("/[^0-9.]/", "", $dim)
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
This...
header("Location: fichaTorneioFinSub.php?id=" . $_GET['id'] . "");
The value of the GET is 1. But I always end up in this page:
fichaTorneioFin.php?id=%271%27
The id value gets these %27 around it. I know that means it's an encoded single quote but it shouldn't be there.
It would be a good idea to track down what's giving you the lone ', but this will ensure you're only working with digits:
$id = preg_replace('/\D/', '', $_GET['id']);
header("Location: fichaTorneioFinSub.php?id=".$id);
This will sound as stating the obvious: if it shouldnt be there, make sure it isnt. This means sanitizing your input ($_get data) into data you expect. Somehow the get variable already contains a single quote so i would suggest checking that first. To get it out you could for example
trim($_get ['id'], "'")
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
<?php echo mysql_real_escape_string('tientrer') ;?>
The above code is return an empty string in one server but is working fine in other servers. Why is it so?
Wildly random guess:
You are not connecting to a database using mysql_connect. mysql_real_escape_string needs a database connection to do its job (because you are escaping for the database; you are escaping this for a database query, right?!). If no connection exists yet, it'll try to establish one automatically using a standard username and password. On one server this standard password works, on another it doesn't.
you are escaping a string ?
you mean maybe like that
<?php echo mysql_real_escape_string($tientrer) ;?>
to escape the variable tientrer if its a variable.
EDIT:
then maybe the server which not working maybe the mysql is deprecated there , try change to mysqli or pdo