This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm adding some html code to a database through a mysql_query. So, a basic query looks like this $qry = "UPDATE Pages SET ".$column."='$value' WHERE id='$id'";
If this is called, an actual query might look like this: $qry = "UPDATE Pages SET content_en='<h1>This is a title</h1>' WHERE id='12'"; However, if the HTML code looks like this: <h1 style='color:red;'>This is a title</h1>, it'll break the query because of the semi-colon. Is there any way to solve this?
Use mysql escaping function over your content, like that :
$value = mysqli_real_escape_string($value);
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm working on a website, and I have encountered with an strange MySQL behaviour. I'm trying to use an MySQL Update Query with multiple WHERE Clauses.
$name = $_POST['username'];
$updatequery1 = "UPDATE OTP SET 'Project' = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
$sqlconnection->query($updatequery1);
die("DONE");
Note that I've already defined $hashedotp.
When I try doing the same thing in MySQL Console it works pretty well, and I've made sure that the user used to define $sqlconnection has Update rights.
I've tried solutions DESCRIBED
HERE
HERE
I've spent hours searching about it, but to no avail.
Thanks a lot in advance!
Try this Remove single quote from your query
$updatequery1 = "UPDATE OTP SET Project = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I have a problem calling the database in the URL with MYSQL,
where I call the url post
/post/**how-to-noodle-with-egg**
why does the database call an error with a strip at the URL?
if me display in page use
$_GET['title'];
why only get "how"? why not get full url? so page post me not found data because only get "how" not full text with strip
My code :
$a = $_GET['title'];
"SELECT * FROM `post` WHERE title = '$a";
in my database
title : how-to-noodle-with-egg ( use strip )
maybe someone here can help my problem
Your SQL query is missing trailing ':
"SELECT * FROM post WHERE title = '$a";
Should be:
"SELECT * FROM post WHERE title = '$a'";
I'd also strongly suggest to properly escape $a to avoid SQL injections.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I generate a mysql query via $_GET in PHP via concatenation assignment (.=).
take a look:
$sql='SELECT * FROM table WHERE ';
$sql.='ID='.$_GET['id'].'';
$query=$PDO->prepare($sql);
how can i prevent mysql injection?
i use bind values for direct queries but in this case,i don't have any idea how i should write my code to be safe enough.
note that i use PHP 7 and i can't use mysql_real_escape_string(); as it's not available in PHP7.
You could use something like the following:
<?php
$sql = $PDO->prepare("SELECT * FROM table WHERE ID=?");
if ($sql->execute(array($_GET['id']))) {
while ($row = $sql->fetch()) {
print_r($row);
}
}
?>
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19`
That's because your code is syntaxically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
you are getting this error beacause you are missing one " at end of query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepare queries or pdo's as you query this is vulnerable to sql
injection
this should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm trying to change the content of a string (from user's input), I'd like to remove any character that will let my query fail. For example, if I insert a second name with a " ' " in it, the query will fail.
Since I have to then output these rows from the DB, I'm wondering if there's any way to insert the string in the database while replacing the special character with its HTML value so that when I'm outputting it, the browser will do the rest.
I'm leaving you an example:
$string = $_POST['user_input']; // Let it be Lol'd
$sql = "INSERT INTO table(field) VALUES('$string')";
Now without anything done to the string I'd get the query as:
INSERT INTO table(field) VALUES('Lol'd')
What I'm looking for is something to turn the ' into ' so that in the DB it's saved Lol'd but when I echo it it'll just print Lol'd
There are lot of solutions. You can use a function like htmlentities():
$string = htmlentities($_POST['user_input']); // Let it be Lol'd
$sql = "INSERT INTO table(field) VALUES('$string')";
To read the string from your MySQL table, use html_entity_decode()
try this
$string = str_replace("'","\'",$_POST['user_input']);
$sql = "INSERT INTO table(field) VALUES('$string')";