Hey guys, I'm using smarty and php I am trying to make this function work
{foreach $rows as $row}
<input type="checkbox" name="likes[]" value="{$row.ID}">{$row.Interests}<br>
{/foreach}
That there is the html/template for checkboxes, it grabs data from a table in my database
Now I am trying to store data into my database
// $likes = mysql_escape_string($likes);
$connection = mysql_open();
$insert = "insert into Users " .
"values (null, '$firstName', '$lastName', '$UserName', '$email', from_unixtime('$DOB'), '$join', '$gender')";
$result = # mysql_query ($insert, $connection)
or showerror();
$id = mysql_insert_id();
//echo $id; testing what it gets.
mysql_close($connection);
$connection = mysql_open();
foreach($likes as $like)
{
$insert3 = "insert into ProfileInterests " .
"values ('$id', '$like', null)";
$result3 = # mysql_query ($insert3, $connection)
or showerror();
}
mysql_close($connection)
or showerror();
}
That there is the script I am using to enter data into my database...there is more above which is just cleaning the user input really.
mysql_open() is my own function, so don't worry too much about that.
$likes = #$_POST['likes'];
that is what I am using to get the likes....I feel that this is wrong. I am not sure what to do....
I get this error at the moment. Invalid argument supplied for foreach()
I think this is completely to do with the variable $likes, I think it's not being treated like an array...any idea on what I should do.. I am quite a newbie.
The following line :
$likes = join(",",$likes);
is transforming your $likes array to a $likes string, containing the values and separating them by commas.
So, later, when you try to loop over $likes, its no longer an array : it's a string -- which explains the Invalid argument supplied for foreach().
Edit after the comment : when calling the following line :
$likes = mysql_escape_string($likes);
If your $likes is an array, you'll get some trouble, as mysql_escape_string works on a string.
Instead of trying to escape the whole array at once, you should use mysql_escape_string on each item, while looping over the array -- a bit like that :
foreach($likes as $like)
{
// escape the current item :
$escaped_like = mysql_real_escape_string($like);
$insert3 = "insert into ProfileInterests values ('$id', '$escaped_like', null)";
$result3 = # mysql_query ($insert3, $connection) or showerror();
}
As a sidenote : you should use var_dump() on your variables, while developing, to see what they contain ;-) It'll help you understand what your code is doing.
Related
I have a cronjob which runs a script -> getting data from different itunes stores. Sometimes i get the above mentioned error message.
I think its because of special letters or something like this. Is there a way to check, where the problem exactly is? Which "special character" is respsonisble for the error. Is there a workaround for example with a IF statement?
I canĀ“t reproduce the error, as it not appears always. Would be great to get help on this.
Here is the code:
foreach ($Kategorien->entry as $item) {
$id = addslashes($item->id);
$title = utf8_decode(addslashes($item->title));
$preview = addslashes($item->link[1]["href"]);
$namespaces = $item->getNameSpaces(true);
$im = $item->children($namespaces['im']);
$track_title = utf8_decode(addslashes($im->name));
$track_artist = utf8_decode(addslashes($im->artist));
$track_amount = addslashes($im->price->attributes()->amount);
$track_currency = utf8_decode(addslashes($im->price->attributes()->currency));
$release_date = addslashes($im->releaseDate);
$image = addslashes($im->image[2]);
$entry_id['im'] = $item->id->attributes('im', TRUE);
$track_id = addslashes($entry_id['im']['id']);
$category_id['im'] = $item->category->attributes('im', TRUE);
$genre_id = addslashes($category_id['im']['id']);
$genre_cat = utf8_decode(addslashes($item->category->attributes()->term));
$insertSQL = sprintf("UPDATE track_itunes_countries_total SET modified = NOW(), modified_genre = '$genre_name' WHERE id = ".$row_select_country['id']."");
$Result1 = mysql_query($insertSQL, $con) or die(mysql_error());
$insertSQL = sprintf("INSERT INTO track_itunes_".$cc."_total (id, title, preview, track_title, track_artist, track_amount, track_currency, release_date, image, track_id, genre_id, genre_cat, country, Online, Approved) VALUES ('$id', '$title', '$preview', '$track_title', '$track_artist', '$track_amount', '$track_currency', '$release_date', '$image', '$track_id', '$genre_id', '$genre_cat', '$cc', '1', '1') ON DUPLICATE KEY UPDATE title='$title',preview='$preview',track_title='$track_title',track_artist='$track_artist',track_amount='$track_amount',track_currency='$track_currency',release_date='$release_date',image='$image',track_id='$track_id',genre_id='$genre_id',genre_cat='$genre_cat',country='$cc'");
$Result1 = mysql_query($insertSQL, $con);}
I will answer in a tangential way, because you're using mysql_* library which is deprecated and show you PDO instead. This will either a) solve your problem or b) provide a much more informative error message that will help you debugging.
foreach ($Kategorien->entry as $item) {
$id = $item->id;
$title = utf8_decode($item->title);
$preview = $item->link[1]["href"];
$namespaces = $item->getNameSpaces(true);
$im = $item->children($namespaces['im']);
$track_title = utf8_decode($im->name);
$track_artist = utf8_decode($im->artist);
$track_amount = $im->price->attributes()->amount;
$track_currency = utf8_decode($im->price->attributes()->currency);
$release_date = $im->releaseDate;
$image = $im->image[2];
$entry_id['im'] = $item->id->attributes('im', TRUE);
$track_id = $entry_id['im']['id'];
$category_id['im'] = $item->category->attributes('im', TRUE);
$genre_id = $category_id['im']['id'];
$genre_cat = utf8_decode($item->category->attributes()->term);
$insertSQL = "UPDATE track_itunes_countries_total
SET modified = NOW(), modified_genre = :genre_name
WHERE id = :row_id");
$stmt = $pdo->prepare($insertSQL);
$stmt->bindValue(':genre_name', $genre_name);
$stmt->bindValue(':row_id', $row_select_country['id']);
$success = $stmt->execute();
if(!$success){
//something bad happened
}
//use whitelist techniques to guarantee valid, non-malicious input
//with table names or column names. whitelistTableName is a function
//that YOU have to write.
$clean_table_name = whitelistTableName("track_itunes_{$cc}_total");
$insertSQL = "INSERT INTO {$clean_table_name}
(id, title, preview, track_title,
track_artist, track_amount, track_currency,
release_date, image, track_id, genre_id,
genre_cat, country, Online, Approved)
VALUES
(:id, :title, :preview, :track_title,
:track_artist, :track_amount, :track_currency,
:release_date, :image, :track_id, :genre_id,
:genre_cat, :country, :Online, :Approved)
ON DUPLICATE KEY UPDATE
title=:title_u,preview=:preview_u,track_title=:track_title_u,
track_artist=:track_artist_u,track_amount=:track_amount_u,
track_currency=:track_currency_u,release_date=:release_date_u,
image=:image_u,track_id=:track_id_u,genre_id=:genre_id_u,
genre_cat=:genre_cat_u,country=:cc_u");
$stmt = $pdo->prepare($insertSQL);
$stmt->bindValue(':id', $id);
$stmt->bindValue(':title', $title);
$stmt->bindValue(':preview', $preview);
$stmt->bindValue(':track_title', $track_title);
$stmt->bindValue(':track_artist', $track_artist);
$stmt->bindValue(':track_amount', $track_amount);
$stmt->bindValue(':track_currency', $track_currency);
$stmt->bindValue(':release_date', $release_date);
$stmt->bindValue(':image', $image);
$stmt->bindValue(':track_id', $track_id);
$stmt->bindValue(':genre_id', $genre_id);
$stmt->bindValue(':genre_cat', $genre_cat);
$stmt->bindValue(':country', $cc);
$stmt->bindValue(':Online', 1);
$stmt->bindValue(':Approved', 1);
//some drivers doesn't allow to have a named placeholder to appear more than once so we must duplicate those.
$stmt->bindValue(':id_u', $id);
$stmt->bindValue(':title_u', $title);
$stmt->bindValue(':preview_u', $preview);
$stmt->bindValue(':track_title_u', $track_title);
$stmt->bindValue(':track_artist_u', $track_artist);
$stmt->bindValue(':track_amount_u', $track_amount);
$stmt->bindValue(':track_currency_u', $track_currency);
$stmt->bindValue(':release_date_u', $release_date);
$stmt->bindValue(':image_u', $image);
$stmt->bindValue(':track_id_u', $track_id);
$stmt->bindValue(':genre_id_u', $genre_id);
$stmt->bindValue(':genre_cat_u', $genre_cat);
$stmt->bindValue(':country_u', $cc);
$stmt->bindValue(':Online_u', 1);
$stmt->bindValue(':Approved_u', 1);
$success = $stmt->execute();
if(!$success){
//something bad happened
}
}
more to read here: http://php.net/manual/en/book.pdo.php It's pretty easy and much better than mysql_* libraries
Expanding on the whitelisting techniques: there are several approaches to sanitize user inputs. One is escaping: this is done where the user input is "open ended" like a text input, where there is an unlimited number of possibilities. Prepared statements are perfect for this, as demonstrated above.
Another possibility is whitelisting, and it's useful when there are only limited valid possibilities for the user input (for example, radiobuttons, checkboxes, option selections, etc.) and any invalid input is either an error or malicious.
an example follows:
whitelistTableName($tablename){
$allowedTables = array('tbl1', 'tbl2', 'tbl3');
if(in_array($tablename, $allowedTables)){
return $tablename;
} else {
throw new Exception('Malicious attempt detected');
}
}
This is very basic but allows you to get started. A better approach would be to query your information_schema database to fetch every valid table name rather than hardcoding them by hand.
That's not how sprintf works.
sprintf means string printf -- you are doing a printf which returns a string instead of printing directly into stdout.
printf works by assigning placeholders into a format string (the first argument), and the bound values to the placeholders as the succeeding arguments.
for example
$s = sprintf("SELECT * FROM %s WHERE id = %d", 'some_table', $id);
This is in some way a naive way to sanitize input since you are forcing variables to be cast into certain types using the formats: in this case %s and %d for string and decimal/digit, respectively. At runtime, these will be replaced by "some_table", and whatever intval($id) is.
The reason you are getting "Too few arguments" is because you are missing the bound values.
First of all: you should use mysql_real_escape_string() or even better use mysqli instead of mysql functions since mysql is deprecated.
And for the errormessage you should have a look into the documentation of sprintf to understand the error.
Or just use proper concatination.
$string = "fooo='".$var."'";
instead of your lazy notation
$string = "fooo='$var'";
Here is an example including mysql_real_escape_string():
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
You can also give specific positions for the bound vars:
$query = sprintf("SELECT * FROM users WHERE user='%2$s' AND password='%1$s'",
mysql_real_escape_string($password),
mysql_real_escape_string($user)
);
And for the mysql_query(), you don't need to supply the connection link $con if you don't use more then 1 database connection.
mysql_query($query);
will do the trick.
Let's read the image file into varialble picture:
$picture = addslashes(fread(fopen($image, "r"), filesize($image)));
This $picture you can easy insert into database table with no trouble.
*for example*: INSERT INTO $banners(banner) VALUES( $picture );
For some reason lets create an associative array $final:
$final["banner"] = $picture;
$final["place"] = something...
Later lets decompose $final and insert the obtained values into database:
$fields = ""; $values = "";
while (list($name, $value) = each( $final ))
{
$fields .= "$name, ";
$values .= "'$value', ";
}
// Cut trailing commas
$values_fields = ereg_replace(", $", "", $values_fields);
$values = ereg_replace(", $", "", $values);
// Execute query
$query = "INSERT INTO banners($values_fields) VALUES($values)";
$res = mysql_db_query($database, $query) or mysql_die();
Now MySQL warns "Something wrong" when comes to insert consecutive $value with $picture into database. Why?
First, don't destroy your data. Read it directly and keep the variable clean:
$picture = file_get_contents($image);
Next, prepare the data for insertion:
$final["banner"] = mysqli_real_escape_string($picture);
$final["place"] = $something;
Last, there is no need to loop through your array, since it only contains one record. You don't quote the values, causing an error.
$fields = "`" . implode("`, `", array_keys($final)) . "`";
$values = "'" . implode("', '", array_values($final)) . "'";
$query = "INSERT INTO banners ({$fields}) VALUES ({$values})";
$result = mysqli_query($database, $query) or die(mysqli_error($database));
I'm using MySQLi here, since the mysql_* functions are deprecated (as well as ereg_* functions).
If the code you posted here is exactly the one you are trying to run then please note that you are accumulating field names in $fields variable but "cut trailing commas" from $values_fields which is at this point empty. Putting empty $values_fields into your query might be the cause of mysql error.
Why are you doing addslashes()? Try to use mysql_real_escape_string() instead.
Also make sure that the type of the database column where you are trying to put your image into is BLOB or LONGBLOB.
You may find answer to this question Binary Data in MySQL relevant.
I'm sure this is a duplicate, but I've tried several different things on the site here and none of them are working for me. I'm calling my function in php, sending $mysqli connection, the $clientID, and the array of $tagFields to upload.
It's 'working', but the values are always null. I've put echo "$tagName" inside the foreach, and it's reading it, but not sending it up to the database. $clientID, however, IS passing information. So basically all it does is upload consistently blank rows into my database. What am I doing wrong here?
function tagRefresh($mysqli,$clientID,$tagFields) {
$stmt = $mysqli->stmt_init();
$query = "INSERT INTO client_tags (client_id,tag_category) VALUES (?,?) ";
$stmt->prepare($query);
foreach($tagFields as $tagName) {
$stmt->bind_param('is',$clientID,$tagName);
$stmt->execute();
}
}
some sample values for $tagFields:
$tagFields[0] = "Regional";$tagFields[1] = "Automotive";$tagFields[2] = "Maintenance";
Note mysqli_stmt::bind_param bind the reference of the variables.
Try the below:
function tagRefresh($mysqli,$clientID,$tagFields) {
$stmt = $mysqli->stmt_init();
$query = "INSERT INTO client_tags (client_id,tag_category) VALUES (?,?) ";
$stmt->prepare($query);
$stmt->bind_param('is', $clientID, $tagName);
foreach($tagFields as $tagName) {
$stmt->execute();
}
}
execute() shouldn't be situated inside the foreach.
Among with a myriad of problems associated with the database (including the client_id being the primary key), I've rebuilt the formula like this:
function tagRefresh($mysqli,$clientID,$tagFields) {
$query = "DELETE FROM client_tags WHERE client_id = '" . $clientID . "'"; //we have to delete the old ones every time
if(!$mysqli->query($query)) {
echo $mysqli->error;
}
if($tagFields != '') { //see if data was sent
$tags = array();
foreach($tagFields as $tag) {
$tags[] = "('" . (int) $clientID . "', '" . $tag ."')"; //build an array
}
$query = "INSERT INTO client_tags (client_id,tag) VALUES " . implode(',', $tags) . " ON DUPLICATE KEY UPDATE client_id = " . $clientID;
if(!$mysqli->query($query)) {
echo $mysqli->error; //drop errors, will attach this later
}
}
}
This formats to something like this:
INSERT INTO client_tags (client_id,tag) VALUES ('1234','mechanical'),('1234','regional'),('1234','service') ON DUPLICATE KEY UPDATE client_id = '1234';
The ON DUPLICATE part is important because for some reason the client_id is set to primary key. I'm gonna have to talk to the app guys and see if this matters to them.
Unfortunately, bind_param isn't being used, but this is a admin panel access only for company employees only, and now that this is working I'm giving them autocomplete boxes to reference existing values.
I am trying do multi-driver support for my Framework, which basically means I can use MySQL, MySQLi or PDO(MySQL) with ease.
So, let's say I have an array of values I want to insert.
array('Manuel', 'StackOverflow');
and I have this query..
mysql_query("INSERT INTO users(name, fav_site) VALUES(?, ?)");
So, I'd like to replace the question marks with those values in order, so Manuel goes first and then goes StackOverflow. Remembering that I need to add -> ' <- at the sides of these values so MySQL doesn't throw an error.
I have tried searching if someone has asked this and had no luck.
Any help is appreciated!
NOTE: I know I shouldn't even bother with MySQL, but hey! A feature is a feature.
<?php
$query = "INSERT INTO users(name, fav_site) VALUES(?, ?)";
$args = array('joe', 'google goggles');
while(strpos($query, '?') !== FALSE)
{
$query = preg_replace('/\?/', your_quoting_func(array_shift($args)), $query, 1);
}
echo $query;
Basically, this says...while there is still a ? remaining in the string, delete the first question mark and replace it with a quoted (use your own function or mysql_real_escape_string and surround with single quotes) string, and shift that item off the array. You should probably substr_count the ? marks versus the number of arguments for error checking.
I used preg_replace because it accepts an argument specifying how many values to replace, whereas str_replace does not.
I would do it this way (with one exeption: I wouldn't use mysql_):
<?php
$values = array('foo', 'bar');
$query_start = "INSERT INTO `users` (`name`, `fav_site`) VALUES ('";
$query_end = "')";
$query = $query_start . implode("', '", $values) . $query_end;
$result = mysql_query($query);
?>
$query_start contains the start of the MySQL query (notice the ' at the end), and $query_end goes at the end.
Then $values is imploded, with ', ' as the 'glue', and $result is set as:
$query_start (impoded $result) $query_end.
See implode - PHP Manual.
I am trying to insert multiple rows into MySQL DB using PHP and HTML from. I know basic PHP and searched many examples on different forums and created one script however it doesn't seem working. Can anybody help with this. Here is my script:
include_once 'include.php';
foreach($_POST['vsr'] as $row=>$vsr) {
$vsr=mysql_real_escape_string($vsr);
$ofice=mysql_real_escape_string($_POST['ofice'][$row]);
$date=mysql_real_escape_string($_POST['date'][$row]);
$type=mysql_real_escape_string($_POST['type'][$row]);
$qty=mysql_real_escape_string($_POST['qty'][$row]);
$uprice=mysql_real_escape_string($_POST['uprice'][$row]);
$tprice=mysql_real_escape_string($_POST['tprice'][$row]);
}
$sql .= "INSERT INTO maint_track (`vsr`, `ofice`, `date`, `type`, `qty`, `uprice`,
`tprice`) VALUES ('$vsr','$ofice','$date','$type','$qty','$uprice','$tprice')";
$result = mysql_query($sql, $con);
if (!$result) {
die('Error: ' . mysql_error());
} else {
echo "$row record added";
}
MySQL can insert multiple rows in a single query. I left your code as close as possible to the original. Keep in mind that if you have a lot of data, this could create a large query that could be larger than what MySQL will accept.
include_once 'include.php';
$parts = array();
foreach($_POST['vsr'] as $row=>$vsr) {
$vsr=mysql_real_escape_string($vsr);
$ofice=mysql_real_escape_string($_POST['ofice'][$row]);
$date=mysql_real_escape_string($_POST['date'][$row]);
$type=mysql_real_escape_string($_POST['type'][$row]);
$qty=mysql_real_escape_string($_POST['qty'][$row]);
$uprice=mysql_real_escape_string($_POST['uprice'][$row]);
$tprice=mysql_real_escape_string($_POST['tprice'][$row]);
$parts[] = "('$vsr','$ofice','$date','$type','$qty','$uprice','$tprice')";
}
$sql = "INSERT INTO maint_track (`vsr`, `ofice`, `date`, `type`, `qty`, `uprice`,
`tprice`) VALUES " . implode(', ', $parts);
$result = mysql_query($sql, $con);
Please try this code. Mysql query will not accept multiple insert using php. Since its is a for loop and the values are dynamically changing you can include the sql insert query inside the for each loop. It will insert each rows with the dynamic values. Please check the below code and let me know if you have any concerns
include_once 'include.php';
foreach($_POST['vsr'] as $row=>$vsr) {
$vsr=mysql_real_escape_string($vsr);
$ofice=mysql_real_escape_string($_POST['ofice'][$row]);
$date=mysql_real_escape_string($_POST['date'][$row]);
$type=mysql_real_escape_string($_POST['type'][$row]);
$qty=mysql_real_escape_string($_POST['qty'][$row]);
$uprice=mysql_real_escape_string($_POST['uprice'][$row]);
$tprice=mysql_real_escape_string($_POST['tprice'][$row]);
$sql = "INSERT INTO maint_track (`vsr`, `ofice`, `date`, `type`, `qty`, `uprice`,
`tprice`) VALUES ('$vsr','$ofice','$date','$type','$qty','$uprice','$tprice')";
$result = mysql_query($sql, $con);
if (!$result)
{
die('Error: ' . mysql_error());
}
else
{
echo "$row record added";
}
}
I would prefer a more modern approach that creates one prepared statement and binds parameters, then executes within a loop. This provides stable/secure insert queries and avoids making so many escaping calls.
Code:
// switch procedural connection to object-oriented syntax
$stmt = $con->prepare('INSERT INTO maint_track (`vsr`,`ofice`,`date`,`type`,`qty`,`uprice`,`tprice`)
VALUES (?,?,?,?,?,?,?)'); // use ?s as placeholders to declare where the values will be inserted into the query
$stmt->bind_param("sssssss", $vsr, $ofice, $date, $type, $qty, $uprice, $tprice); // assign the value types and variable names to be used when looping
foreach ($_POST['vsr'] as $rowIndex => $vsr) {
/*
If you want to conditionally abort/disqualify a row...
if (true) {
continue;
}
*/
$ofice = $_POST['ofice'][$rowIndex];
$date = $_POST['date'][$rowIndex];
$type = $_POST['type'][$rowIndex];
$qty = $_POST['qty'][$rowIndex];
$uprice = $_POST['uprice'][$rowIndex];
$tprice = $_POST['tprice'][$rowIndex];
echo "<div>Row# {$rowIndex} " . ($stmt->execute() ? 'added' : 'failed') . "</div>";
}
To deny the insertion of a row, use the conditional continue that is commented in my snippet -- of course, write your logic where true is (anywhere before the execute call inside the loop will work).
To adjust submitted values, overwrite the iterated variables (e.g. $vsr, $ofice, etc) before the execute call.
If you'd like to enjoy greater data type specificity, you can replace s (string) with i (integer) or d (double/float) as required.