I'm trying to use a function to make all my variables for an SQL statement I'm making in order to reduce code length. Unfortunately, this isn't working at all.
The result I get is that $sql ends up with the value -45. I'm not sure what I'm doing wrong, but I believe there is an issue with the declaration of variables. However, the echo statement that you can see inside the function prints the variables exactly how they are supposed to be printed. Maybe I need to return something?
/*
/ Get Variables
*/
function get($fname,$disp)
{
    $NAME = $fname;
    $$NAME = $_GET[$NAME];   // creates a variable named after $fname, local to this function
    echo $disp . ' : <font color="00ff00">' . $$NAME . '</font><br>';
}
get("User-ID","User-ID");
get("toon","Name");
get("C_Select","Class");
get("P-Level","P-Level");
get("Sex","Gender");
get("Race","Race");
get("P-Gs","Gearscore");
get("Str-Input","Strength");
get("Int-Input","Intelligence");
get("Con-Input","Constitution");
get("Wis-Input","Wisdom");
get("Dex-Input","Dexterity");
get("Chr-Input","Charisma");
get("HP","Health");
get("AC","Armor Class");
get("Power-S","Power");
get("Def","Defense");
get("Prof-1","Alchemy");
get("Prof-2","Artificing");
get("Prof-3","Jewelcrafting");
get("Prof-4","Leadership");
get("Prof-5","Leatherworking");
get("Prof-6","Medium Armoring");
get("Prof-7","Heavy Armoring");
get("Prof-8","Tailoring");
get("Prof-9","Weaponsmithing");
get("Crit","Critical Strike Rating");
get("Recov","Recovery");
get("AP","Armor Penetration");
get("Regen","Regeneration");
get("HS","Life Steal");
get("Defl","Deflection");
get("Move","Movement");
$sql = 'INSERT INTO def_nwgr_chars (user_id,name,race,level,sex,str,con,dex,int,wis,char,hit_points,ac,power,defense,crit,recovery,ap,regen,life_steal,deflection,movement,alchemy,artificing,jewelcrafting,leadership,leatherworking,mailsmithing,platesmithing,tailoring,weaponsmithing) VALUES (' . $User-ID . ',' . $toon . ',' . $Race . ',' . $P-Level . ',' . $Sex . ',' . $Str-Input . ',' . $Con-Input . ',' . $Dex-Input . ',' . $Int-Input . ',' . $Wis-Input . ',' . $Chr-Input . ',' . $HP . ',' . $AC . ',' . $Power-S . ',' . $Def . ',' . $Crit . ',' . $Recov . ',' . $AP . ',' . $Regen . ',' . $HS . ',' . $Defl . ',' . $Move . ',' . $Prof-1 . ',' . $Prof-2 . ',' . $Prof-3 . ',' . $Prof-4 . ',' . $Prof-5 . ',' . $Prof-6 . ',' . $Prof-7 . ',' . $Prof-8 . ',' . $Prof-9 . ');';
From what I gather, there are a few issues:
First of all, the variables that you make with $$NAME are only in scope for the length of the function, so you cannot reference them outside of it without somehow returning them.
Second, you are trying to use variable names with operators in them. Namely, the "-" sign. This (to my best knowledge) is invalid.
Third, you should not be putting variables directly into your SQL without in some way ensuring that someone cannot arbitrarily insert data into them.
Lastly, avoid $$ whenever possible. It is very hard to debug, and can cause some sneaky errors and programming mistakes.
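As an added example (not the asker's or the answerer's code), here is one way to address points one, three and four together: keep the request fields in an ordinary array keyed by column name, which also side-steps the hyphen problem because array keys can contain any characters, and let a prepared statement carry the values so none of them is ever spliced into the SQL text. It assumes a PDO connection with placeholder credentials and uses a subset of the columns from the question.

```php
<?php
// Added example; $pdo, the DSN and the credentials are placeholders, not from the question.
$pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// request parameter => column name (subset of the fields from the question).
// Keys such as 'User-ID' are fine here: they are array keys, not variable names.
$fields = array(
    'User-ID'   => 'user_id',
    'toon'      => 'name',
    'Race'      => 'race',
    'P-Level'   => 'level',
    'Sex'       => 'sex',
    'Str-Input' => 'str',
    'HP'        => 'hit_points',
);

/**
 * Read the named request parameters into one array keyed by column name.
 * A missing parameter becomes null instead of an undefined variable.
 */
function collectFields(array $fields, array $request)
{
    $row = array();
    foreach ($fields as $param => $column) {
        $row[$column] = isset($request[$param]) ? $request[$param] : null;
    }
    return $row;
}

/**
 * Build an INSERT with one named placeholder per column. The column names
 * come from our own $fields map, never from the request, so interpolating
 * them is safe; the values are bound separately and never touch the SQL.
 */
function buildInsert($table, array $row)
{
    $columns = array_keys($row);
    $placeholders = array_map(function ($c) { return ':' . $c; }, $columns);
    return 'INSERT INTO ' . $table
         . ' (' . implode(', ', $columns) . ')'
         . ' VALUES (' . implode(', ', $placeholders) . ')';
}

$row = collectFields($fields, $_GET);
$sql = buildInsert('def_nwgr_chars', $row);
// $sql reads: INSERT INTO def_nwgr_chars (user_id, name, ...) VALUES (:user_id, :name, ...)

$stmt = $pdo->prepare($sql);
foreach ($row as $column => $value) {
    $stmt->bindValue(':' . $column, $value);
}
$stmt->execute();
```

With this layout the function from the question is no longer needed: the "echo each field" step can loop over $row, and the SQL string is built from a fixed map rather than from thirty-odd separately named variables.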
From LDAP I'm querying my users and this code sets them as a variable in the quoted format I need to run the MySQL query which would be 'username','other_username', etc...
$team_users_string = '';
foreach ($prefs as $who => $pref) {
    if (strpos($who, 'public') === false) {
        $team_users_string .= '\'' . $who . '\',';
    }
}
When I try to sanitize the command with the following code it converts the string to \'username\',\'other_username\', what can I do to correct this?
$team_users = rtrim($team_users_string, ",");
$start_date = $_POST['start_year'] . '-' . $_POST['start_month'];
$end_date = $_POST['end_year'] . '-' . $_POST['end_month'];
echo 'Welcome, <strong>' . $user . '</strong><br />';
echo '<br />';
echo '<strong>Selected Start Date:</strong> ' . $start_date . '<br />';
echo '<strong>Selected End Date:</strong> ' . $end_date . '<br />';
$team_users = mysql_real_escape_string($team_users);
$start_date = mysql_real_escape_string($start_date);
$end_date = mysql_real_escape_string($end_date);
$query = "SELECT * FROM vacation WHERE user_name in ($team_users) AND day BETWEEN '$start_date-01' AND '$end_date-31'";
Your problem is that you're adding the quote characters before you pass the string to mysql_real_escape_string(). So the literal quotes become escaped by that function.
You could avoid this by using mysql_real_escape_string(), and then delimiting the result in quotes.
Also I'd use an array and implode() the array to get commas, instead of being forced to rtrim() the last comma.
$team_users_array = array();
foreach ($prefs as $who => $pref) {
    if (strpos($who, 'public') === false) {
        // escape first, then wrap the escaped value in quotes
        $team_users_array[] = "'" . mysql_real_escape_string($who) . "'";
    }
}
$team_users = implode(",", $team_users_array); // no rtrim needed
I'm trying to understand how to fix this error.
Warning: prev() expects parameter 1 to be array, string given in
It's in the if statement below. Is this happening since the first value doesn't have a previous and I need to deal with that condition? Weirdly this worked in regular .php but not in the framework I have it in now.
I'm trying to generate an XML file based on a result set returned for a query. (I'm open to better ideas)
$export.= '<Campaigns>';
while ($line = mysql_fetch_assoc($result) ) {
//echo '<Email Timestamp="' . $line['EmailTimeStamp'] . '" ';
$export.= '<Campaign Info="' . $line['EmailTrackingNumber'] . '" EmailId="' .$line['EmailId'] . '">';
$export.= '<Emails>';
if (prev($line['EmailTrackingNumber']) == current($line['EmailTrackingNumber'])) {
$export.= '<Email Timestamp="' . $line['EmailTimeStamp'] . '" ';
$export.= 'City="' . $line['City'] . '" ';
$export.= 'Zip="' . $line['Zip'] . '"';
}
$export.= '</Emails></Campaign>';
}
$export.= '</Campaigns></EmailTrackingData>';
//echo $export;
file_put_contents('DateOfFile-export.xml', $export);
This
prev($line['EmailTrackingNumber'])
is not an array but a string. This
prev($line)
makes more sense. It returns the array entry which is before the current entry of $line.
But I think you would like to compare the last record with the current record. But that does not work like this. You can only access the columns of the current record. You have to temporarily save your last record.
$export.= '<Campaigns>';
$lastLine = null;   // no previous record yet on the first iteration
while ($line = mysql_fetch_assoc($result)) {
    //echo '<Email Timestamp="' . $line['EmailTimeStamp'] . '" ';
    $export.= '<Campaign Info="' . $line['EmailTrackingNumber'] . '" EmailId="' .$line['EmailId'] . '">';
    $export.= '<Emails>';
    // guard against the first record, where $lastLine is still null
    if ($lastLine !== null && $lastLine['EmailTrackingNumber'] == $line['EmailTrackingNumber']) {
        $export.= '<Email Timestamp="' . $line['EmailTimeStamp'] . '" ';
        $export.= 'City="' . $line['City'] . '" ';
        $export.= 'Zip="' . $line['Zip'] . '"';
    }
    $export.= '</Emails></Campaign>';
    $lastLine = $line;   // remember this record for the next iteration
}
$export.= '</Campaigns></EmailTrackingData>';
//echo $export;
file_put_contents('DateOfFile-export.xml', $export);
How can I add variables and quotes to a variable?
In the output it just prints the variables.
This is the code I have tried:
$pl2 = '{"comment":"' . $nmp3 . '","file":"' . $pmp3 . '"},';
Try with:
$pl2 = json_encode(array(
'comment' => $nmp3,
'file' => $pmp3
));
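As an added example (not the asker's or the answerer's code), the same json_encode() approach taken one step further: the whole list is built as a PHP array and encoded once, rather than concatenating one object at a time with a trailing comma. It also shows why the hand-built string from the question fails as soon as a comment contains a double quote. The track entries are constructed.

```php
<?php
// Added example: constructed input in place of $nmp3 / $pmp3 from the question.
$tracks = array(
    array('name' => 'Intro "Live"', 'file' => 'music/intro.mp3'),
    array('name' => 'Rock & Roll',  'file' => 'music/rock.mp3'),
);

/** Encode the playlist in one go; json_encode escapes quotes and control characters. */
function buildPlaylist(array $tracks)
{
    $entries = array();
    foreach ($tracks as $t) {
        $entries[] = array('comment' => $t['name'], 'file' => $t['file']);
    }
    // JSON_UNESCAPED_SLASHES keeps the file paths readable; escaping of " is unaffected.
    return json_encode($entries, JSON_UNESCAPED_SLASHES);
}

/** The concatenation approach from the question, kept only to show where it breaks. */
function manualPlaylist(array $tracks)
{
    $out = '';
    foreach ($tracks as $t) {
        $out .= '{"comment":"' . $t['name'] . '","file":"' . $t['file'] . '"},';
    }
    return '[' . rtrim($out, ',') . ']';
}

$good = buildPlaylist($tracks);
$bad  = manualPlaylist($tracks);
var_dump(json_decode($good) !== null); // bool(true): valid JSON
var_dump(json_decode($bad) === null);  // bool(true): the quote in Intro "Live" broke the document
```

Whatever consumes $pl2 later (typically a JavaScript player) receives a document it can parse, and a title chosen by a user cannot change the structure of the list.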
Try this, it should work:
$p = '{"comment":"' . $nmp3 . '",';
$p = $p . '"file":"' . $pmp3 . '"},';
echo $p;
$brand_condition = ' AND ' . mysql_real_escape_string($brand_selection) . ' IN ';
$brand_condition .= $quote10 . '"'. mysql_real_escape_string($brand_value) . '"' .$quote9;
$brand_conditions[] = $brand_condition;
$query .= implode(' AND ', $brand_conditions) . '';
This produces: AND manufacturer IN ("brand1,brand2")
Since I'm using the IN statement, I need the values to be quoted. At the same time, I am escaping potential quotes with mysql_real_escape_string.
Does anyone see a simple way to get around this small problem?
function quote_escape(&$str) {
$str = '"' . mysql_real_escape_string(chop($str)) . '"';
}
$brands = explode(',', $brand_value);
array_walk($brands, "quote_escape");
$brands = implode(',', $brands);
or
function quote_escape($str) {
return '"' . mysql_real_escape_string(chop($str)) . '"';
}
$brands = implode(',', array_map("quote_escape", explode(',', $brand_value)));
How about $brand_conditions[] = '"'.$brand_condition.'"'; so you're adding quotes right before you add the brand_condition in your array.
$concurrent_names = array("O'reilly", 'Tupac "MC New York" Shakur', 'Nemoden');
$escaped_concurrent_names = array_map('mysql_real_escape_string', $concurrent_names);
$condition = 'WHERE name in ("'.implode('", "', $escaped_concurrent_names).'")';
Use this to add quotes to the imploded string.
$values = "'" . implode("','", array_values($values)) . "'";
$brands = array('nokia', 'samsung', 'xiomi');
// implode() only adds the separators between items, so the outer quotes are added by hand
$brands = "'" . implode("','", $brands) . "'";
// $brands is now 'nokia','samsung','xiomi'
WHERE column_name IN ($brands)
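As an added example (not from either question or any of the answers above), the IN (...) list built from placeholders instead of hand-quoted, hand-escaped strings, so the quoting problem in both the LDAP vacation query and the brand condition disappears. The list is expanded to one "?" per value and every value is bound, including the date bounds. It assumes a PDO connection with placeholder credentials; the users, dates and brand string are constructed.

```php
<?php
// Added example; $pdo, the DSN and the credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

/** One "?" per value, e.g. (?, ?, ?). IN () is a syntax error, so an empty list is refused. */
function inPlaceholders(array $values)
{
    if (count($values) === 0) {
        throw new InvalidArgumentException('IN list must not be empty');
    }
    return '(' . implode(', ', array_fill(0, count($values), '?')) . ')';
}

// --- the vacation query from the LDAP question (constructed $prefs) ---
$prefs = array('alice' => 1, 'bob' => 2, 'public-calendar' => 3, "o'neil" => 4);
$teamUsers = array();
foreach ($prefs as $who => $pref) {
    if (strpos($who, 'public') === false) {
        $teamUsers[] = $who;   // raw value; no quotes and no escaping needed here
    }
}
$startDate = '2014-03';   // stands in for start_year-start_month from $_POST
$endDate   = '2014-04';

$sql = 'SELECT * FROM vacation WHERE user_name IN ' . inPlaceholders($teamUsers)
     . ' AND day BETWEEN ? AND ?';
$stmt = $pdo->prepare($sql);
$stmt->execute(array_merge($teamUsers, array($startDate . '-01', $endDate . '-31')));
$vacations = $stmt->fetchAll(PDO::FETCH_ASSOC);

// --- the brand condition: manufacturer IN (...) from the other question ---
$brandValue = 'nokia, samsung, "xiomi"';          // constructed; the quote is deliberate
$brands = array_map('trim', explode(',', $brandValue));

// A column name cannot be bound as a parameter, so $brand_selection must be
// checked against a fixed list of allowed columns rather than escaped.
$allowedColumns = array('manufacturer', 'vendor');
$brandSelection = 'manufacturer';
if (!in_array($brandSelection, $allowedColumns, true)) {
    throw new InvalidArgumentException('unknown column');
}
$sql = 'SELECT * FROM products WHERE 1=1 AND ' . $brandSelection . ' IN ' . inPlaceholders($brands);
$stmt = $pdo->prepare($sql);
$stmt->execute($brands);   // the apostrophe in o'neil and the quotes around xiomi are data, not SQL
$products = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The escape-then-quote ordering that the earlier answers get right still has to be repeated at every call site; with placeholders the driver performs it, and the only string that is ever spliced into the SQL is a column name taken from a whitelist.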