How can i get this to work properly:
if ((empty($page_name))
&& ($currentid == '$storedid')) { // PHP If Statement with multiple Checks
require_once("1.php");
} else { // PHP Else
require_once("2.php");
}
Right now regardless its showing me 2.php....
$page_name is a value for a db table. $currentid is session_id and $storedid is the stored id in the db for the $page_name.
Remove the single quotes in ($currentid == '$storedid')
to
($currentid == $storedid)
Your solution compares $currentid with a static string. Because of the single quotes $storeid is interpreted as a string.
Remove the single quotes surrounding $storeId, or put it in double quotes.
Where you are using '$storedid', it should be double quoted or not quoted at all. PHP is interpreting this as the literal string $storedid instead of parsing it as a variable.
Related
I am retrieving some product options from my database, if a product has those options then a json object is saved to my db but if it does not have any options the column just contains "".
I tried to filter it out with :
if(!empty($artikel['aantalkuub']){
}
But its not empty or NULL because the double quotes are in it, so I tried this:
if(!empty($artikel['aantalkuub']) OR $artikel['aantalkuub'] != '""'){
}
But that also is not working.
How can I check on those double quotes? And only if that is all there is, because a product that does have the options has the json object between those quotes.
You could trim the " from the string and check if it is empty:
if (!empty(trim($artikel['aantalkuub'], '" '))) {
}
you can replace double quotes like below then check if it's empty
if(!empty(str_replace('"', "", $artikel['aantalkuub']))){
....
}
UPDATE: So I spent the day reading various posts on SQL injection and parameterized queries. I've come up with something that works and I think it's a reasonable update to my approach.
$query = "UPDATE message_bundles SET bndName = ?, bndTagId = ?, bndSequence = ?, bndKeyboardArr = ? WHERE id = ?";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, 'siisi', $bnd_name, $bnd_tag_id, $bnd_sequence, $bnd_keyboard_arr, $id);
$result = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
But, I still have the issue described in this original question. When I echo out the data, it's still breaking with the very first single quote it encounters; whether I use htmlspecialchars or htmlentities. Additional comments would be appreciated.
ORIGINAL: Normally when I save strings to MYSQL in PHP I run a function (below) that escapes quotes. I am doing the same thing but just after I serialize an array of strings before inserting into MYSQL. But when I retrieve the array and unsearialize it, only the first string with a single quote echo's inside an input field. Then the rest of the strings in the array won't echo.
Here is my loop through post to build array (note that the 3 values being added to an array are 1) string, 2) int, 3) string; maybe this is where my issue is):
foreach ($bnd_keyboard as $key) {
if ($key['keyboard']) {
$keyboard = $key['keyboard'];
$target_bundle = $key['targetBundle'];
$code_execute = $key['codeExecute'];
$bnd_keyboard_arr["keyboards"][$keyboard] = array(
"targetBundle" => $target_bundle,
"codeExecute" => $code_execute
);
}
}
Then my function to escape quotes (note that it's an older function that might need to be updated, but hasn't caused me any issues until now):
function mysqli_prep($value) {
global $connection;
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists("mysqli_real_escape_string"); // i.e. PHP >= v4.3.0
if($new_enough_php) { // PHP v4.3.0 or higher
// undo any magic quote effects so mysql_real_escape_string can do the work
if($magic_quotes_active) {$value = stripslashes($value); }
$value = mysqli_real_escape_string($connection, $value);
} else { // before PHP v4.3.0
// if magic quotes aren't already on then add slashes manually
if(!$magic_quotes_active) {$value = addslashes($value); }
// if magic quotes are active, then the slashes already exist
}
return $value;
}
Then I run this function on the array and serialize it:
$bnd_keyboard_arr = mysqli_prep(serialize($bnd_keyboard_arr));
Serialized data before insert into MYSQL looks like this:
a:1:{s:9:\"keyboards\";a:1:{s:5:\"aaa\'s\";a:2:{s:12:\"targetBundle\";s:2:\"93\";s:11:\"codeExecute\";s:3:\"aaa\";}}}
When I go to retrieve the data, unserialize it and echo into my page, If the 1st field (which is actually the KEY for an array within the array) has a quote, then it echo's ok, but then the next 2 values break and won't echo (either in a normal text echo, or within an input field).
If none of the 3 values have single quotes, then all 3 echo out properly inside the input's.
If the 3rd value has a single quote, then all three echo fine. Basically when my page encounters a single quote, even after htmlentites or htmlspecialchars is used, it breaks the rest of the values being echoed from the array.
I'm really stumped.
Well, I solved it. Good exercise for me though b/c it forced me to upgrade the way I send queries to MYSQL. I think that's way upgraded, although it turns out that had nothing to do with my original issue.
The problem, stupid as it always is, was this:
I was creating a htmlspecialchars string just fine like:
$keyboard = htmlspecialchars($keyboard, ENT_QUOTES);
Then I was grabbing a value from an array, except that used my $keyboard value like this:
$keyboard_arr = $bnd_keyboard_arr['keyboards'][$keyboard];
So of course if I was converting the $keyboard string using htmlspecialchars prior to inserting that string in my array key, well, it would break $keyboard_arr
The solution was to just move the $keyboard_arr = $bnd_keyboard_arr['keyboards'][$keyboard]; to one line after the $keyboard_arr = $bnd_keyboard_arr['keyboards'][$keyboard];
Yup. Like I said, JV.
I have a script that I wrote to look up an ID based on uniqueID
if ($_REQUEST['uniqueId'] != ""){
$qA = "SELECT id FROM customerdata WHERE uniqueId = \"". $_REQUEST['uniqueId']."\"";
$rA = mysql_query($qA);
list($id) = mysql_fetch_row($rA);
echo $id;
exit;
if ( mysql_num_rows ($rA) > 0) {
header('Location:response-en.php?id=$id');
}
else
{
header('Location:not-found.php');
}
}
Rather than sending the user to response-en.php?id=1 it sends them to response-en.php?id=$id
Any idea why this is happening? Any help would be greatly appreciated! Thank you!
Use:
header('Location:response-en.php?id='.$id);
When you use a single quote: '
This is a string literal. Everything (and I mean EVERYTHING) inside that string is taken wholesale. If you did this: $something = 'Location:response-en.php?id=$id';, the value of $something is: Location:response-en.php?id=$id In order to add a variable into the string, you use the concatenation operator .. Thus, the value of $something after $something = 'Location:response-en.php?id='.$id; would be Location:response-en.php?id=5 (assuming $id = 5)
See: http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single
When you use double quote: "
PHP will search inside your sting to find any variables. It will then replace the variable name with the value of the variable. If you did this: $something = "Location:response-en.php?id=$id";, the value of $something is: Location:response-en.php?id=5 - note the use of double quotes.
See: http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double
Also, I wanted to add that your script is vulnerable to SQL-injection attack. Always sanitize query-string values before using them in an SQL query. For more info on sanitizing values for sql, see the docs for mysql_real_escape_string.
Variables inside a single-quoted string are not parsed. Variables inside double quotes are. Check out:
http://www.php.net/manual/en/language.types.string.php
You need double quotes to process variables in a string. Not single quotes.
You have to use " in stead of '
header("Location:response-en.php?id=$id");
or:
header('Location:response-en.php?id='.$id);
Try enclosing your string with double quotes instead of single quotes for correct variable parsing:
"Location:response-en.php?id=$id"
or use complex syntax with curly braces surrounding your variables:
"Location:response-en.php?id={$id}"
See manual.
I have a piece of code that looks like this:
$result = mysql_query($queryc) or die(mysql_error());
if(mysql_num_rows($result) > 0)
{
while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
echo $row['$field'];
}
}
Say that code was in a function and I wanted to pass $field to the $row[''] how would I accomplish that?
In other words I'm attempting to use $row['$field']; and $field is defined elsewhere
suppose you have this function definition:
function foo($field) {
// from that code you have given
....
echo $row[$field]; // no need of the quotation marks around $field
....
}
You'd not put any quotes around $field... like this:
echo $row[$field];
Variables are not expanded in single quotes; they are only expanded in double quotes or in the heredoc syntax:
When a string is specified in double quotes or with heredoc, variables are parsed within it.
So either use double quotes or, even better, just omit them:
$row[$field]
Single quotes inhibit variable substitution.
echo $row["$field"];
or just
echo $row[$field];
The latter is highly recommended as it does not require PHP to parse $row["$field"] into $row[$field]. Saves you some microtime in each iteration.
Which one below is correct? First code has no quotes in the $_GET array and the second one does, I know you are supposed to have them when it is a string of text but in this case it is a variable, also what about if the key is a number?
no quotes
function arg_p($name, $default = null) {
return (isset($_GET[$name])) ? $_GET[$name] : $default;
}
with quotes
function arg_p($name, $default = null) {
return (isset($_GET['$name'])) ? $_GET['$name'] : $default;
}
The first one will use the value of $name as key while the second will use the literal string '$name' as key.
With PHP, $_GET["$name"] and $_GET[$name] are identical, because PHP will evaluate variables inside double-quotes. This will return the key of whatever the variable $name stores.
However, $_GET['$name'] will search for the key of $name itself, not whatever the variable $name contains.
If the key is a number, $_GET[6], $_GET['6'], and $_GET["6"] are all syntactically equal.
if the key is a variable
$array[$key];
you don't have to quote it.
but if it a literal string you must (it is not a string if you don't wrap it in quotes)
$array['myKey'];
and you will get an notice if you do it like this
$array[mykey];