Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How can I submit any kind of symbols to php and update it into my database tables? When I use some symbols ('!##$%^&*()_+=), it does not update the database table.
Can anybody help me?
You can use the htmlspecialchars() in which you can find the documentation here.
http://us.php.net/htmlspecialchars
Use function htmlentities()
The values will not be stored in the database as they are like ('!##$%^&*()_+=) but this function will change your " to " and other characters respectively.
Keep aware yourself of SQL Injection and XSS. If you do not filter your inputs properly then your code will be vulnerable to script kiddies.
You could use the htmlentities() function. It's the best solution I think.
If you really really don't want to use this function for some reason you can always change the column type to text instead of varchar.
Edit: sorry for using the wrong function. You guys are right. Maybe mysql_real_escape_string() does the job but probably it would only take care of the quotations.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
i'm working on project that some people can make post
and this post can have a code like php css html javascript ect
how can i insert php and another programming code to my database without any effect
(i mean by safety )
for me i'm using pdo with mysql database
i tried to upload the code to my database and when i fetch the information my html and css page changed to something else like what i upload from css
and i dont know if there was any php effect for this.
again what i mean is something like what stack-overflow use for to secure his database when we insert code to our post
is there is any library or something that i don't know ?
thank you soo much :)
for php code there is no problem after fetching the code if you are using pdo prepared it wana be just like any value you echo it
for the other hand you can use echo htmlspecialchars()
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I got input type field and value in that field is changing when I move bar on range slider.
Can someone help me to write some if condition.
I want when the value is 1 to echo "one"... when value is 2 to echo "two"...
here is range slider and input type="text" with values.
link to page I am trying to do :)
Thanks!
bored enough to bother:
$out=array('1'=>'one','2'=>'two'); //etc
echo $out[$_POST['selected']];
Your question, as phrased, is going to be difficult to answer. Here's why:
You are working with an interaction between an HTML web form and a PHP script. However, you didn't provide any example code, so it's impossible to know how you are setting up this interaction.
It might be better to approach this purely as a javascript or jQuery solution - but without knowing what you are doing with the end result, it's impossible to make that judgment or offer guidance.
If you are hoping for a strict PHP solution, how would you like the data returned - if you need it returned at all. A PHP script to do what you ask is fairly simple - but the return portion can be involved.
Perhaps you're simply looking for the PHP switch statement?
Are you actually trying to convert an int or float to it's string text? Take a look at this answer...
Finally, you might want to review the write-up on asking questions. You'll get better answers.
mnr
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
How can I fix contractions in php so they do not show up with the backslash? It is showing up with the slash in my iOS and android applications, so I have checked the backend but I am not sure what to do.
I'm guessing you have magic_quotes enabled to your server. That mean's if you $_POST some data, it auto*magic*ally adds quotes to your $_POST data. (It sucks, i know, that's why it's deprecated by now). That means if your data is going into your database from a php $_POST that's the source of the problem.
Turn off that thing http://php.net/manual/en/security.magicquotes.disabling.php and then clear your already "magic-quoted" data in your MYSQL database by doing a REPLACE
UPDATE your_content_table SET your_content_column = REPLACE(your_content_column, '\\\'', '\'');
This way, your problems will go away and never happen again.
Data that resides in database must be in pure form, without any escaping. The escaping prior to display is not something for the database to do, its a display problem and you need to handle that wherever you display something.
If the above is not the case, then just perform stripslashes($yourstring) to get a string without that backslash. But this is just a bandaid, you need to fix the problem at its source.
You can use php's function stripslashes:
<?php
$str = "Is your name O\'reilly?";
// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
http://fr2.php.net/manual/en/function.stripslashes.php
EDIT
As per #Quentin\'s comment below, better if the slashes weren't added in the first place.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I've just started using TinyMCE and I've looked around in the forums for an answer to my question but all i found was an outdated plugin that could solve my problem.
So back to the question, is it possible to somehow type i.e. in the textarea and then make it call the function when i retrieve the information from the database?
I've thought about making some type of BBCode ([php] callFunction(); [/php]) to make this work, am I on the right track?
just to make myself clear, please just point me in the right direction!
Yes if you use [php] callFunction(); [/php] you can use preg_match() to find the php code, then use exec() to run it.
Make sure you have great security and validate who is logged in and what functions they are trying to run.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I have a javascript-based rich text editor.
What is the safest way to save the tags it generates?
I'm using MySQL as my database.
I'm not sure if using mysql_real_escape_string($text); is safe.
I can't think of a reason to use htmlentities here. mysql_real_escape_string is vital here because it prevents people from injecting malicious SQL code like ';DROP * FROM table foo;-- into you database. I'd try it without htmlentities, if you find that you need to convert to entities then you could try htmlspecialchars instead which only converts special characters.
If you want to limit the allowed HTML in your form you might also want to look into the strip_tags function.
Relevant documentation:
http://us2.php.net/manual/en/function.htmlentities.php
http://us2.php.net/manual/en/function.htmlspecialchars.php
Good luck
I'd recommend that you use mysqli to interface with the database, that way you don't need to escape data and get a complete protection against SQL injections. You may of course still need to protect against HTML injections.
You do not need to write the string of text to a JavaScript file. If you need it to be handled by JavaScript I suggest that you fetch the data using an XMLHttpRequest (which contrary to what the name suggests does not require your data to be in XML form).