I've very annoying problem with hosting of well known company however
I've website and at its back-end there is form has textarea field where it should be for google adsense code when i submit it does not respond at all and keep loading
but when i type anything else then adsense ads code it accepted so i noticed it not allowing for html
Form code
<form method=post action="1.php" name="adsense" id="adsense">
The Code : <textarea id="ad" name="ad">Put your code here</textarea>
<input type="submit" name="submit" value="Save">
</form>
1.php Code
<?PHP
include "header.php"; // connect to db
if(isset($_POST[submit])){
$qma = "update webads set
ad = '$_POST[ad]'";
$rma = mysql_query($qma) or die(mysql_error());
echo 'Thanks';
}
?>
The problem when i put adsense ads code it not respond and not save it in database but if i put any text it save it normally
so i've been thinking to addslashes() but it also didn't worked after i made such changes
ad1 = 'addslashes($_POST[ad1])'
here is example of unaccepted google adsense code
<script type="text/javascript">
google_ad_client = "pub-0000000000000000";
google_ad_width = 250;
google_ad_height = 250;
google_ad_format = "250x250_as";
google_ad_type = "text";
google_ad_channel = "0000000000";
google_color_border = "FFFCE1";
google_color_bg = "FFFCE1";
google_color_link = "FFFCE1";
google_color_text = "FFFCE1";
google_color_url = "FFFCE1";
</script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
One last note
the database field structure is text NOT NULL
CREATE TABLE `webads` (
`id` varchar(50) NOT NULL default '',
`ad` text NOT NULL
PRIMARY KEY (`id`))";
so any idea how to save it ! but it must be easy to recall it back without being altered
i don't know if it stupid or not but if i didn't got any answer how to do it, been thinking to base_64 encoder before save it then when i call it back will base_64 decode it but this sound last hope i can do
Thanks a lot
You need to escape the posted variable for MySQL - the best way to do this is to use PHP's built in function as it will do it correctly for your version of MySQL
$qma = "update webads set ad = '" . mysql_real_escape_string($_POST[ad]) . "'";
You have to use htmlentities before storing data to database.
and you can't use function inside string.
$ad = htmlentities($_POST['ad']);
Also when using addslashes you'd better first check if it's automatically enabled by server configuration, not to over-quote strings. See get_magic_quotes_gpc
if(!get_magic_quotes_gpc()) {
$ad = addslashes($ad);
}
...
$qma = "update webads set ad = '$ad'";
Alternately, you can use
$ad = htmlspecialchars($_POST['ad']);
$qma = "update webads set ad = '$ad'";
When I work with MySQL Workbench and I do something like update webads set
ad = '$_POST[ad]' it throws an error because of the safe mode. My SQL query doesn't have an ID. Maybe the safe mode is on?
If you want to bypass it, just add WHERE ID != -1 but I don't recommend doing this.
Don't forget to sanitize your input.
Related
I am working on a program that takes HTML code made by a WYSIWYG editor and inserting it into a database, then redirecting the user to the completed page, which reads the code off the database. I can manually enter code in phpmyadmin and it works but in PHP code it will not overwrite the entry in the code column for the ID specified. I have provided the PHP code to help you help me. The PHP is not giving me any parse errors. What is incorrect with the following code?
<?php
//POST VARIABLES------------------------------------------------------------------------
//$rawcode = $_POST[ 'editor1' ];
//$code = mysqli_real_escape_string($rawcode);
$code = 'GOOD';
$id = "1";
echo "$code";
//SQL VARIABLES-------------------------------------------------------------------------
$database = mysqli_connect("localhost" , "root" , "password" , "database");
//INSERT QUERY DATA HERE----------------------------------------------------------------
$queryw = "INSERT INTO users (code) VALUES('$code') WHERE ID = '" . $id . "'";
mysqli_query($queryw, $database);
//REDIRECT TO LOGIN PAGE----------------------------------------------------------------
echo "<script type='text/javascript'>\n";
echo "window.location = 'http://url.com/users/" . $id . "/default.htm';\n";
echo "</script>";
?>
Your problem is that mysql INSERT does not support WHERE. Change the query to:
INSERT INTO users (code) VALUES ('$code')
Then to update a record, use
UPDATE users SET code = '$code' WHERE id = $id
Of course, properly prepare the statements.
Additionally, mysqli_query requires the first parameter to be the connection and second to be the string. You have it reversed. See here:
http://php.net/manual/en/mysqli.query.php
It should also be noted that this kind of procedure should be run before the output to the browser. If so, you can just use PHP's header to relocate instead of this js workaround. However, this method will still work as you want. It is just likely to be considered cleaner if queries and relocation is done at the beginning of the script.
I have a button on a webpage that allows users to add a video on that page to their list of favourites. behind this button is a form and some php. The PHP code uses a session variable to retrieve the username. This information is used to get the relevant user id from the database and store its value in a variable. Using the input value from the form it was possible to retrieve the tuple from the videos database table that related to the video in question and store the values of the video title and URL attributes in variables. The code then checks if the user has already added the video as a “favourite”. The favourites database entity is checked for tuples containing both the user id and video id. If both are contained in a single row of the database table the user has already added the video and is notified of this. Otherwise, the user id, video id, video title and URL are inserted into the favourites database entity and the user is informed that the video has been added
this all works fine in chrome or safari but does nothing in ie or firefox. The database is updated and message is displayed only in Chrome and safari. I've attached the code, please note the session has already been started in earlier code on the webpage. Any assistance would be greatly appreciated.
<div id="addfav">
<form action="python.php" method="post">
<input name="add" src="images/add.png" type="image"
value="3">
</form>
<?php
$user=$_SESSION['user'];
if ( isset( $_POST['add'] ) )
{
$vid = $_POST["add"];
$sql = "SELECT * FROM `users` WHERE username = '$user'";
$result = mysql_query($sql) or die(mysql_error());
$row = mysql_fetch_array($result);
$uid= $row['user_id'];
$sql = "SELECT * FROM `Video` WHERE Video_id = '$vid'";
$result = mysql_query($sql) or die(mysql_error());
$row = mysql_fetch_array($result);
$url=$row['URL'];
$title=$row['Title'];
$check = mysql_query("SELECT * FROM `favourites` WHERE Uid = '$uid' AND vid_id = '$vid'") or die (mysql_error());
$r = mysql_num_rows($check);
if ($r>=1)
{
echo "already added to favourites";
echo '<script type="text/javascript">window.alert("Already added to favourites")</script>';
//'<span style="color: red;" />Already added to favourites </span>' ;
}
else
{
mysql_query("INSERT INTO `favourites` (`Uid`,
`vid_id`,`url`,`title`) VALUES ('$uid',
'$vid','$url','$title')")or die(mysql_error());
echo "Added to favourites";
}
}
?>
</div>
(Just a debug idea) Try to change your input image to a hidden element like this :
<form action="python.php" method="post">
<!-- I don't remove this, to keep the image shown-->
<input name="addimg" src="images/add.png" type="image" value="3">
<input type='hidden' name='add' value='3' />
</form>
Does it works now?
PHP is run server-side. This means that regardless of what browser you're using, it works as expected. The problem is definitely from HTML codes you've written if IE and Firefox can connect to your website without any problem.
I think the problem is inside your form tag because I think it's not standard you can either use a GET method inform that your form is submitted, or use a hidden input indicating it.
P.S. I think your code has security issues. (SQL Injection)
When user clicks on <input type="image" /> browser will pass coordinates of a click. Chrome will send three values:
add.x = x_coord
add.y = y_coord
add = input_value (3 in your case)
Note that in php you can access add.x/add.y value with $_POST["add_x"]/$_POST["add_y"] (see dot replaced with underscore)
At the same time, IE will not pass third value. That is why your if ( isset( $_POST['add'] ) ) will never return true. Option is to put video id value into some hidden field and use its name in that if.
You can easily check that behavior by doing var_dump($_POST); in php
PS:
You should never use values received in request without them being sanitized in sql queries. Right now code below is opened to sql injections:
$sql = "SELECT * FROM `Video` WHERE Video_id = '$vid'";
You should, at least, user mysql_real_escape_string function before value is inserted into a query:
$sql = "SELECT * FROM `Video` WHERE Video_id = '".mysql_real_escape_string($vid)."'";
And take a look at warning message on top of php manual page linked above: mysql_* functions are deprecated and you should better use PDO or mysqli extension.
I want users of my site to be able to update their profile information by clicking into a textarea. When they type in some text and click out of the text area (on blur), I want this to update a table in my database called 'bio'.
I have been working on this for several days, I'm ashamed to admit but I am really new to php and sql so I am learning as I go along. I have tried to make sense of a script but it's probably completely wrong. Can someone please advise me of what I need to do?
Here's my code:
<textarea id="bio" style="width: 456px;
margin-top:3px;
text-align:left;
margin-left:-2px;
height: 120px;
resize: none;
border: hidden;" textarea name="bio" data-id="bio">
<?php echo $profile['bio'] ?>
</textarea>
<script type="text/javascript">
$('textarea').on('blur',function () {
var bioVal = $(this).val(),
id = $(this).data('id');
$.ajax({
type: "POST",
url: "includes/changebio.php",
data: {bio:bioVal , id:id},
success: function(msg) {
$('#bio-' + id).val(msg);
}
})
});
</script>
Here's the url php file that should do the work:
function update_profilebio() {
global $connection;
global $profile_id;
$query = "UPDATE ptb_profiles
SET bio=''
WHERE ptb_profiles.user_id = \"$profile_id\"
AND ptb_profiles.user_id = ptb_users.id";
$update_profilebio_set = mysql_query($query, $connection);
confirm_query($update_profilebio_set);
return $update_profilebio_set;
}
I checked HTML+JavaScript code and AJAX POST request is sending data correctly to the PHP script (You may check this in Chrome Developer Tools or with Firebug add-on).
This changebio.php script has only definition of this update_profilebio() function ? Definition alone won't execute this function, you need to call it.
<?php
update_profilebio(); // tells php to call the function, defined below
function update_profilebio() {
global $connection;
global $profile_id;
$query = "UPDATE ptb_profiles
SET bio=''
WHERE ptb_profiles.user_id = \"$profile_id\"
AND ptb_profiles.user_id = ptb_users.id";
$update_profilebio_set = mysql_query($query, $connection);
confirm_query($update_profilebio_set);
return $update_profilebio_set;
}
?>
Also, SQL query has two conditions and I don't understand this part "...AND ptb_profiles.user_id = ptb_users.id ". You update only one column in one table, the only thing you need is user id which you provide in first where condition.
Your HTML + jQuery code looks ok, just cheng php output <?php echo $profile['bio'] ?> by adding htmlspecialchars, that will help you avoid some trouble
<?php echo htmlspecialchars($profile['bio']); ?>
The thing that fails in your code is SQL query; you are setting bio to empty text. Also you have condition on matching user_id with other table id, but you have not joined this table in your query. Just requiring user_id to be equal to given integer is enough. Also remember to escape user input properly, to prevent them from injecting malicious code into your database.
SQL should look like this:
$bio = mysql_real_escape_string($_POST['bio']);
$query = "
UPDATE
ptb_profiles
SET
bio='{$bio}'
WHERE
ptb_profiles.user_id = " . intval($profile_id);
You got your quoting wrong, try something like this
$query = "UPDATE ptb_profiles SET bio='".$_REQUEST['bio']."'
WHERE ptb_profiles.user_id = ".$profile_id;
SQL usually uses single quotes, PHP uses both.
I'm currently learning PHP. I've code a simple bucketlist script with a admin panel, sessions etc just to see if I can do it.
The last page I am coding is the "edit.php" & "editone.php" I have a table which returns all data within the database "ID, Goal & Rating" my fourth column returns "EDIT" as a link which will link off to: editone.php?id=xx
editone.php currently is not a page. For the life of me I cannot figure out how I code the editone so I can grab the data and UPDATE mysql. I'm almost there just cannot piece together the puzzle.
Here's the core of my code for the edit page.
<?php
while ($query_row = mysql_fetch_array($query))
{
echo "<tr>";
echo "<td>".$query_row['id']."</td><td>". $query_row['goals']."</td><td><span class='label label-inverse'>". $query_row['rating']."</span></td><td><a href='editone.php?id=".$query_row['id']."'>Edit</a></td>";
echo "<tr>";
}
?>
Any assistance would be really appreciated.
Send all the parameters through POST method to editone page. I mean in your edit page, you are getting all the variables from database. You can show them in a form having a submit button and of type "POST". So now when someone submits, it goes to editone.php page.
Get all the variables first through $_POST method. Then write a update query.
$sql = "UPDATE tablename SET goals = '$goal', rating='$rating' WHERE id = $id";
make sure to escape your post variables as said in the comment.
This is how should be your PDO Update statement.
// database connection
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
// new data
$goals = 'Some goals';
$rating = 'whatever rating';
$id = 3;
// query
$sql = "UPDATE tablename
SET goals=?, rating=?
WHERE id=?";
$q = $conn->prepare($sql);
$q->execute(array($goals,$rating,$id));
If I understood you correctly, what you want is a page that first displays a single row (so it can be edited) and then saves it once you're done. So you start out by writing the HTML form with no data in it.
Next, you read the ID from the query string:
<?php
$rowId = $_GET['id'];
and then query for the data:
// database connection example borrowed from Abhishek
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$sql = "SELECT goals, rating FROM tablename WHERE id = ?";
$query = $conn->prepare($sql);
$query->execute(array($rowId));
$row = $query->fetch();
Now, you can use the data to populate your form. This gets you about halfway there. :-)
You'll want the actual save to be in response to a POST request, not GET. There's a long and somewhat complicated explanation on why that is, but the simplified version is that you use POST whenever you're making changes for the user, and GET when you're just reading data -- there's a bunch of browser and proxy behavior and whatnot tied to these assumptions, so it's a good idea to start doing things the right way early on.
When you process the POST request -- you can do it on the same page -- you'll have the updated form values for grabs, and you can use them to update your database:
// This can be a hidden field on the form...
$rowId = $_POST['id'];
$goals = $_POST['goals'];
$rating = $_POST['rating'];
// database connection example borrowed from Abhishek
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$sql = "UPDATE tablename SET goals = ?, rating = ? WHERE id = ?";
$query = $conn->prepare($sql);
$query->execute(array($goals, $rating, $rowId));
After this, your database should be updated. To finish things off, you'll probably want to redirect back to the page to make sure the form can't be double-submitted accidentally.
I haven't covered quite everything here, a bit on purpose. It's more fun when there are some blanks to fill in. :-)
You probably want your second <tr> to be </tr>.
The most common solution is to use an html form. The input values of this form are a select with the id in query string. When a submit button is pressed to save this, make a update. But I want share with you a good and complete web 2.0 example.
Hi I am newish to php and I have created an update page for Content Management System. I have a file upload in this case a picture. I have other inputs that contain text and I can get them to populate my form and thats fine and works great because the user can see what has already been entered. But the file name for the photo can not have a value so if the user doesn't pick the picture from the directory again it will update minus the picture. What I think I need is a isset function that says if the file (picture) input is left blank don't update this field and use whatever what already in the database for it, that way if it was left blank when created it will still be, and if the user has changed it this time it will change; or if they want to leave it the same it won't leave their picture blank. Hope that makes sence.
Here is my coding currently for the Form:
<p>
Photo:
</p>
<input type="hidden" name="MAX_FILE_SIZE" value="350000">
<input type="file" name="photo"/>
Below is my php code for my update if the update button is pressed:
$con = mysql_connect("localhost","******","********");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("*******", $con);
// run this only, once the user has hit the "Update" button
if (isset($_POST['update'])) {
// assign form inputs
$name = $_POST['nameMember'];
$position = $_POST['bandMember'];
$pic = $_POST['photo'];
$about = $_POST['aboutMember'];
$bands = $_POST['otherBands'];
// add member to database
$result = mysql_query("UPDATE dbProfile SET nameMember='".$name."',bandMember='".$position."',photo='".$pic."',aboutMember='".$about."',otherBands='".$bands."' WHERE id='".$id."'");
mysql_close($con);
Header("Location: listMember.php");
exit;
}
else { // read member data from database
$result = mysql_query ("SELECT * FROM dbProfile WHERE id='".$id."'");
while($row = mysql_fetch_array($result))
{
$name = $row['nameMember'];
$position = $row['bandMember'];
$pic = $row['photo'];
$about = $row['aboutMember'];
$bands = $row['otherBands'];
}
}
mysql_close($con);
?>
If you could help I would be very please and greatful.
You have to use the $_FILES variable for uploaded files. For further information, see Handling file uploads in the PHP manual.
Try:
if(is_uploaded_file($_FILES['photo']['tmp_name']))
From the manual:
Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.