I am using the phpMyDataGird script to edit MySQL database tables through the web without using phpMyAdmin (I just use phpMyAdmin to manage the values but this script to manage the data)
The problem comes when I add HTML to a field. I want to be able to see them as code and not let them transform.
This is an example of how the script looks. If you click on a field you'll be able to edit it. In the first row, second column I wrote <i><b>someone</b></i> and as you can see it's not showing the code but is being bolded and italicized.
This is the main page of the script where I add my MySQL information and change settings, and this main page is connected to a page where all the script is written.
Can anyone take a look at these pages and tell me where to add the htmlspecialchars() call because I have been trying, but it's not working.
If You want to show the HTML special chars only in the grid (and they can stay as they are) try to edit the line 1612 in a 'page' script - that should be a mask function:
function mask($value,$mask,$datatype,$aselect,$row){
switch ($datatype){
...
default:
/*1612 line here --> */ return htmlspecialchars($value);
}
}
But I'm not sure if this is what You want to achieve...
EDIT: to also save the data in htmlspecialchar formatted value, try to change the line 927 from
$strUpdate = "UPDATE $this->tablename set $value=".magic_quote($nt)." $updWhere Limit 1";
to
$strUpdate = "UPDATE $this->tablename set $value=".htmlspecialchars(magic_quote($nt))." $updWhere Limit 1";
but again, I'm not sure... If this is OK, then You can remove the htmlspecialchars in previous example (line 1612).
Related
I have a database in phpMyAdmin that I have set up with XAMPP. I am working on a website that shows statistics from the user inputted scores in the database. Say that I would like to show the score percentile to the user after they submit their score: where do I write the query for that? In the HTML/PHP code? In phpMyAdmin? Somewhere else like a workbench or PopSQL?
I have successfully gotten the website to display the average score in any given table by writing this code to the HTML file:
<?php
$sql = "SELECT AVG(score) AS score FROM $input_subject";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_object($result) ;
echo nl2br("Average score for $input_subject: \n \n"
. round($row->score));
?>
It works, but when I search for tutorials for example for the percentile query or something like the CHECK function (to not accept anything less than 0 or more than 120) it seems that the queries are always written somewhere else than the HTML file.
Also, when I try to write the SQL code in phpMyAdmin, it always shows a bunch of error messages, even though I copy/pasted it in (changing the table names etc., of course).
So, do I need to look into some other programmes were to write the queries in or can I just write them into the HTML-file or in the phpMyAdmin? I'm a total newbie with this so anything helps!
Yes, you can write SQl queries(PHP) before your html code and also in between your html code, but make sure to change file extension to .php from .html otherwise PHP code will be printed on browser as it is.
"it seems that the queries are always written somewhere else than the HTML file."
we do this while using AJAX. we send data to server (a PHP file where we process data received) and server will give response. All this happens behind the scenes without page reloading.
in your case you can create a new PHP file lets say process.php, add your PHP code into it.
process.php
<?php
$sql = "SELECT AVG(score) AS score FROM $input_subject";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_object($result) ;
echo nl2br("Average score for $input_subject: \n \n"
. round($row->score));
?>
send user inputted scores from HTML file through ajax to PHP file (process.php) and response received from that file can be displayed in html file without page reloading.
you can go through the ajax api by following link jQuery-AJAX
I'm a bit new to this so sorry if this has been covered already but i'm going around in circles searching.
I've had a look around learn t how to edit htaccess and use the get function, I then even found a plugin called redirection that did similar.
What I would like to do is if I have a URL http://example.com/file.php?id=blue
is to grab the id which is "blue"
then in a href link dynamically add it to the end of another url
Link Example
If someone could help show me or point me in the right direction on how to get the id blue and add it into a href that would be great.
Many Thanks
You have to use $_GET. People might be dicks about it here - but I had a hard time when I was first learning to program too. You'll get it, don't worry.
This is how get works (at least, all you need to know about how it works):
if you have the file index.php
if you add a query string to the end of it like index.php?id=1
You can access id=1 by doing the following in your code:
$id = $_GET['id'];
Similarly if the query string contains the following index.php?id=1&page=5&par=3&club=putter&upnext=tigerwoods
On the left hand of the equal sign is the Key(id, page, par, club, upnext) and on the right side their value(1,5,3,putter,tigerwoods)
One thing to remember is that when retrieving numbers from the query string they will always be of the string type, so you cant do something like
if ( $_GET['page'] === 5 )
you'll have to do
if ( $_GET['page'] == 5 )
and to echo it into a link:
$club = $_GET['club'];
if ( $club == 'NRA' ) {
echo "Gun Show";
echo 'Buy tickets to my gunshow ^^';
}
Hope this helps!
You can also do things like set your website up so that it has one template and use the $_GET parameter to determine which files to include into the content sections of the site via a switch command. I do this, but not across my whole site. For my user control panel, I do this to simply include only the file necessary (change email, update password, delete account, update profile, etc)
Cah'piche?
Use the $_GET parameter.
YAY!!
I am editing a template to try and add some conditional logic to my page.
The page template shows topics related to a user.
I want to add a piece of code which will grab the user name from the page we are viewing and then use that in a string for my conditional statements.
The code I have put together is as follows, but it breaks my page so I am doing something wrong.
<?php global
// I query the ID and try and set that to the $userID - I think I am doing this wrong, but when I echo the ID it gets the correct info.
$userID = get_queried_object()->ID;
// This is the string I create using the userID which should be from the query above
$memberstatus = get_user_meta($userID,'member_status',true);
?>
later on I use IF statements to use thsi result (which i know work) so i won't post them. My problem is trying to get the above to work.
Any help?
damm, looks like when I remove 'global' from the php it works! I thought global had to be in this...ah well
I don't know how to title this...but anyway,
In my script if data doesn't exist, i insert a new row into a database and then check again for that row, for example:
1 search the db
2 if nothing
include(create.php) -> create entry
3 search the db for that row
Am I going to have to put in a usleep(1000000); between the include and the next search on the db? or is there something I am missing?
THanks!
Include the file create.php on top of your php script and call the functions you required inside this block
if ($number_of_rows < 1) { //call the functions from create.php you need here}
Seriously, why even have a create.php used in that manner anyway? Include create.php at the top of the page, put all the insert syntax into a function, and call it later on in your main script. That would work.
Or even better, don't even bother including it. Just run the queries straight in your main page. That way if you need to change something, you won't have to affect other pages.
You can use something like that
$query="Select * from table where id='23'";
$result=mysql_query($query);
if(mysql_num_rows($result)>0){
//result find in sql table
}else{
$query1="INSERT INTO table (schema) values(values)";
$result=mysql_query($query1);
}
sleep(1);
$query="select *...."
You can also use mysql INTERVAL query.It will automatic make a query after a particular interval and search for data.
Am fairly new to PHP and am making a basic CRUD style management system. I Have an update page and it displays data from a News table, and populates a form with it. The current picture ?(reference) is pulled through and displayed on the form. However if a user wants to change the picture they can press a 'delete' button and then I have written some PHP to display a upload button, set the values in the database for the image to null and hide the delete button, allowing the user to upload a new picture.
The Delete button only removes the reference (path) to the picture from the database, it doesn't delete the actual picture.
This is the HTML control to show the image and delete button. It also shows how the delete button works:
<td align="right">Image 1:</td>
<td align="left"><img src="uploads/newsimages/<?php echo $row["Image"]; ?>" width="230" border="0"> delete</td>
As you can see, when clicked it sets change=imagex and cid= the current news id.
There is then an if statement I have written, but it doesn't seem to only get activated when the delete button is clicked. Because I always get an error that 'cid' is undefined. It is as follows:
<?php
if (isset($_GET['change'] = "image1") {
$query = "UPDATE Table_Name SET Image = '' WHERE NewsID =".$_GET['cid']." ";
}
?>
I am pretty sure my lack of PHP knowledge is letting me down and I am trying to go about this the wrong way, because however I alter the if statement it always gives me an error. First it was cid is undefined so I changed to id but i already use that for something else, another query/function. I hope that all amde sense, can anyone tell me where Im going wrong?
You are missing a parenthesis + you have to specify individually:
if (isset($_GET['change'] = "image1") {
Change to:
if (isset($_GET['change']) && $_GET['change'] == "image1") {
Some more things to consider:
1) Don't use unsanitized values directly from $_GET in a mysql query
WHERE NewsID =".$_GET['cid']."
It is very easy to exploit this with some funky sql injection (see http://xkcd.com/327/ ).
If you are using numeric values for cid, you should cast your $_GET value to integer to prevent sql injection:
$cid = (int)$_GET['cid];
$query = '(...)WHERE NewsID = '.$cid.' limit 1';
Or even better:
$cid = (int)(array_key_exists('cid', $_GET) ? $_GET['cid'] : 0);
if ($cid) {
$query = (...)
}
If you need this kind of sanitizing in different places, you should think about writing a helper function for it to keep your code readable.
2) Don't use GET requests to change data on your server
Imagine a google bot browsing your site and following all those links that you use to delete images. Other scenarios involve users with prefetch plugins for their browsers (e.g. Fasterfox). Also, GET requests may be cached by proxies and browsers, so that the request won't hit the server if you click the link.
The HTTP specification comes with numerous request methods, the most important ones are:
GET to fetch content from the server
PUT to store new information on the server
POST to update existing information on the server
To update your news record (by removing the image) the appropriate method would be POST. To send a POST request, you can use the <form method="POST"> tag.
try this
<?php
if (isset($_GET['change']) && $_GET['change'] == "image1") {
$query = "UPDATE Table_Name SET Image = '' WHERE NewsID =".$_GET['cid']." ";
}
?>