When I type don't, it save don\'t to database. I tested the code on wamp offline server and it save don't. But when I test the code on online hosting, it save don\'t. How to make online hosting don't use excape string?
Codes :
<?php
if (isset($_POST['btn_edit'])) {
$description = $_POST['description'];
}
$sql = "UPDATE expense
SET description=?
WHERE spender_id=?";
$q = $conn->prepare($sql);
$result = $q->execute(array($description, $_SESSION['user_id']));
?>
<input type="text" name="description" size="70" value="" />
Sounds like your host has Magic Quotes activated. See the manual on how to disable them: http://php.net/magic_quotes
disable magic_qoutes or change this statement
$description = $_POST['description'];
as
$description = stripslashes($_POST['description']);
Related
I am trying to create a basic form to list inventory on a website using PHP and MySQL. I keep getting errors when I follow some of the guides here on stackoverflow. Any help would be greatly appreciated.
My question is: My insert statement keeps failing when I use it through the PHP form but when I do it through phpMyAdmin it works. How do I figure out where my error is and how do i solve it.
Form:
<form action="add.php" method="post" enctype="multipart/form-data">
Item Type: <input type="text" name="type" /><br>
Description: <input type="text" name="description"/><br>
Price: <input type="text" name="price" /><br>
Date: <input type="text" name="date" /><br>
Pic:<input type="file" name="image"> <br/>
<input type="submit" >
</form>
add.php:
<?php
$type = $_POST['type'];
$desc = $_POST['description'];
$price = $_POST['price'];
$date = $_POST['date'];
$file = $_FILES['image']['tmp_name'];
$image = addslashes(file_get_contents($_FILES['image']['tmp_name']));
$image_size = getimagesize ($_FILES['image']['tmp_name']);
$host = "localhost";
$user = "root";
$password = "";
$cnn = mysql_connect ( $host, $user, $password );
mysql_select_db('inventory');
$insert = mysql_query("INSERT INTO 'newitems' ('ID', 'ItemType', 'Description', 'Price', 'Date', 'Pic')VALUES ('','$type','$desc','$price','$date', '{$image}')");
if (!mysql_query($insert)) {
echo "Something went wrong! :(";
echo '<img src="data:image/jpeg;base64,' . base64_encode( $image ) . '" />';
}
?>
Table Updated with Auto-Number
If your ID column in that schema has a UNIQUE constraint, then it's no wonder the query will fail the second time around since you're inserting every row with the same id (4). Use AUTO_INCREMENT instead and let the dbms assign the ID.
Important Information About Your Code
Also, it's probably crucial that you are aware of a number of critical issues in your code.
You are using a deprecated extension for talking to your mysql database
Your code is vulnerable to SQL injection by using addslashes
You really shouldn't be storing images in your database
Reasons why you shouldn't store binary data in your RDBMS
The filesystem is faster/better at storing binary data
You don't have to carry the blob data in PHP to get it to the user saves CPU and memory
Seperate the webhost and the dbhost, moving blobs back and forth over a database connection is going to be expensive in computation and bandwidth
Single point of failure (even with master/slave replication you are going to incur massive replication lag at scale) where there are much cheaper redundancy solutions like a CDN
I've very annoying problem with hosting of well known company however
I've website and at its back-end there is form has textarea field where it should be for google adsense code when i submit it does not respond at all and keep loading
but when i type anything else then adsense ads code it accepted so i noticed it not allowing for html
Form code
<form method=post action="1.php" name="adsense" id="adsense">
The Code : <textarea id="ad" name="ad">Put your code here</textarea>
<input type="submit" name="submit" value="Save">
</form>
1.php Code
<?PHP
include "header.php"; // connect to db
if(isset($_POST[submit])){
$qma = "update webads set
ad = '$_POST[ad]'";
$rma = mysql_query($qma) or die(mysql_error());
echo 'Thanks';
}
?>
The problem when i put adsense ads code it not respond and not save it in database but if i put any text it save it normally
so i've been thinking to addslashes() but it also didn't worked after i made such changes
ad1 = 'addslashes($_POST[ad1])'
here is example of unaccepted google adsense code
<script type="text/javascript">
google_ad_client = "pub-0000000000000000";
google_ad_width = 250;
google_ad_height = 250;
google_ad_format = "250x250_as";
google_ad_type = "text";
google_ad_channel = "0000000000";
google_color_border = "FFFCE1";
google_color_bg = "FFFCE1";
google_color_link = "FFFCE1";
google_color_text = "FFFCE1";
google_color_url = "FFFCE1";
</script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
One last note
the database field structure is text NOT NULL
CREATE TABLE `webads` (
`id` varchar(50) NOT NULL default '',
`ad` text NOT NULL
PRIMARY KEY (`id`))";
so any idea how to save it ! but it must be easy to recall it back without being altered
i don't know if it stupid or not but if i didn't got any answer how to do it, been thinking to base_64 encoder before save it then when i call it back will base_64 decode it but this sound last hope i can do
Thanks a lot
You need to escape the posted variable for MySQL - the best way to do this is to use PHP's built in function as it will do it correctly for your version of MySQL
$qma = "update webads set ad = '" . mysql_real_escape_string($_POST[ad]) . "'";
You have to use htmlentities before storing data to database.
and you can't use function inside string.
$ad = htmlentities($_POST['ad']);
Also when using addslashes you'd better first check if it's automatically enabled by server configuration, not to over-quote strings. See get_magic_quotes_gpc
if(!get_magic_quotes_gpc()) {
$ad = addslashes($ad);
}
...
$qma = "update webads set ad = '$ad'";
Alternately, you can use
$ad = htmlspecialchars($_POST['ad']);
$qma = "update webads set ad = '$ad'";
When I work with MySQL Workbench and I do something like update webads set
ad = '$_POST[ad]' it throws an error because of the safe mode. My SQL query doesn't have an ID. Maybe the safe mode is on?
If you want to bypass it, just add WHERE ID != -1 but I don't recommend doing this.
Don't forget to sanitize your input.
I'm having issues updating a row in my mysql database.
I created a textarea which contains data from a news article. If i edit the data and try to update it, nothing happens.
I'm aware that the mysql extension is depreciated so please dont comment on that.
<?php
include 'db.php';
$data = mysql_query("SELECT news_content FROM news WHERE id= 1") ;
$info = mysql_fetch_array($data);
$news= $info['news_content'];
?>
<h3>EDIT NEWS ARTICLE</h3>
<form id="EditNews" name="EditNews" method="POST"action="edit.php">
<textarea rows="40" cols="90" name="editnewstext"><?php echo $news?></textarea>
<input type="submit" name="Edit_News" id="Edit_News">
<?php
if(isset($_POST['Edit_news'])) {
$contents= $_POST['editnewstext'];
$sqlupdate = "UPDATE news SET news_content ='$contents' WHERE id=1";
mysql_query($sqlupdate) or die(mysql_error());
}
<input type="submit" name="Edit_News" id="Edit_News">
^^^^^^^^^^
if(isset($_POST['Edit_news'])) {
^^^^^^^^^
Case mis-match. PHP array keys are CASE-SENSITIVE.
That being said, your code is wide open for SQL injection attacks. Enjoy getting your server pwn3d.
After writing a whole lot of much more complicated code that works beautifully, THIS is the code that is giving me issues.
Simple form
<form action="res/scripts/editsubscriber.php" method="post">
<label for="name">Name: </label>
<input name="name" type="text" value="<?php echo $name; ?>">
...etc, etc...
</form>
Submits to this script:
include('appvars.php');
if(isset($_POST['submit'])){
$id = $_POST['id'];
$name = $_POST['name'];
$email = $_POST['email'];
$month = $_POST['month'];
$day = $_POST['day'];
$year = $_POST['year'];
$date = $_POST['date'];
$time = substr($date, 0, (stripos($date, " ")+1));
$time = str_replace($time, '', $date);
$created = $year.'-'.$month.'-'.$day.' '.$time;
$query = "UPDATE newslettersubscribers SET name = '$name', email = '$email', created = '$created' WHERE id = $id)";
mysqli_query($dbc, $query);
}
It posts, I've echoed all of the variables, they change just fine, but it still won't update the database. Someone please tell me what i'm missing...
remove extra ) on your update statement
read article to avoid SQL Injection
Best way to prevent SQL injection in PHP?
You got a strange trailing ) in your SQL query. Have you executed it in a SQL client ?
Do you have an ID form input?
<input name="id" type="text" value="<?php echo $id; ?>">
Also, you're not escaping sql/html.
This code will compromise your database's security severely. Since none of the parameters are sanitized before being included in the query, anyone with basic security knowledge can take over your application in seconds.
To address the security issues and your bug, you may want to look into
http://php.net/manual/en/pdo.prepared-statements.php
In one of my scripts, the php $_POST is declaring properly into a variable. When I echo the variable, it displays correctly, however, when I check the database it does not insert correctly. It appears blank. So my guess is that it isn't a problem with the variable, because it is being called back properly. I do not know what the problem is when it inserts.
If needed this is a twilio app, so the application is pulling the recording url from the twilio app, and I am passing a value from the form in which you record. I am just stating this for those who are familiar with twilio Apps.
$sayid = $_SESSION['id'];
$hearid = "01";
$sayurl = $_REQUEST['RecordingUrl'];
$topic = $_POST['topic'];
mysql_query("INSERT INTO says (say, hear, sid, time_sent, happy)
VALUES('$sayid', '$hearid', '$sayurl.mp3', now(), '$topic' )");
echo $topic;
I am open to suggestions, I will try them, and tell you if they work or now.
EDIT if I change the vaiable $topic to = "whatever" it will post "whatever" to the database properly, but once I change it to $_POST['topic'] it begins to post a blank value again. But If I echo $topic anywhere it will post the correct $_POST value
EDIT #2 okay new update, so I changed the variable declaring to $sayid = "20"; $hearid = "01"; $topic = $_POST['topic']; $sayurl = $_REQUEST['RecordingUrl']; instead of $sayid = "20"; $hearid = "01"; $sayurl = $_REQUEST['RecordingUrl']; $topic = $_POST['topic']; and I am now getting an output of the php script CREATING 2 NEW RECORDS, one of them has everything on it except for the $topic, and the other has just the $topic, so they are apparently posting all fields, but in two different rows! lol wow what the hell is going on
Use:
$sayid = mysql_real_escape_string($_SESSION['id']);
$hearid = "01";
$sayurl = mysql_real_escape_string($_REQUEST['RecordingUrl']);
$topic = mysql_real_escape_string($_POST['topic']);
$topic2 = mysql_real_escape_string($_POST['topic']);
$query = "INSERT INTO says
(say, hear, sid, time_sent, happy, sad)
VALUES
('$sayid', '$hearid', '$sayurl.mp3', now(), '$topic', '')";
if (!mysql_query($query)) {
// Handle error here
// e.g.
// echo "Oh no! The query failed! Error: ".mysql_error();
}
This will probably fix the problem, and will prevent SQL injection attacks.
You're missing the value for "sad". You can see if there was an error executing the previous SQL statement using mysql_error().
Does
<form action="test.php" type="post">
<input type="text" name="topic" />
</form>
and
<?php
$input = $_POST['topic'];
echo $input;
mysql_query("INSERT INTO balbal VALUES ('".$input."')") or die (mysql_error());
?>
work for you?