i have some php source it can send form data info to other page under mysql 4.x version.
but after upgraded to mysql 5.x version, this php source can't send form data info to other page.
i was searched many info, but don't have idea what's wrong with my php source.
i just can guess this is related with mysql upgrade and i have to edit my php source,
but lack of knowledge it very tough for me.
if anyone help me or give some hint it really appreciate!
my php source is consist of 3 part.
form sender page ( http://pastebin.com/3Sg7SyWV )
-> submited form data info checking page ( http://pastebin.com/WEx5tEn2 )
-> insert form data to DB ( http://pastebin.com/918iZkgw )
for several day i was search and search but lack of my knowledge about php and mysql
it very hard to resolve.
Thanks in advance
You're not checking if your insert query succeeds. I can't tell which MySQL library you're using, but generally they all return FALSE if a query fails, so you could change your query line to something like:
$DB->ExecSql($InsertQuery) or die($DB->whatever_returns_error_information());
If something's wrong with the query, then this would abort the script and output any error information produced.
As well, it doesn't look like you're escaping your query data anywhere. That leaves you wide open to SQL injection. And as well, any of the form data which contains even a single quote (') will "break" the query by introducing syntax errors. If you had proper error checking in there, you'd have gotten a syntax error report.
For that matter, where are you extracting the submitted data and building all those variables you paste into the query? There's only one place in your three scripts where $_POST is referred to, and it seems to be in an error output function which simply dumps out each key/value as hidden form fields (and in there you're also not escaping/quoting the data, so your form itself is vulnerable to XSS attacks).
Related
I am trying to make a basic forum/board where anyone can simply post a message via a submit for. So far I've been able to send the text they've entered via POST and put it into a MySql table. I am wondering how I then can go and print on the webpage what was just submitted?
Well if it's on the same page / script as the MySQL insertion, then you can take it from post, however I suggest using htmlspecialchars() to remove any HTML that people could embed in to their data.
If it's not on the same page, as it won't always be, then use MySQL to retrieve the data with a SELECT query - See here for help: W3Schools - SELECT - and, again, use htmlspecialchars() on it and display it in your desired format.
This is a very vague question for StackOverflow, so I can't really give you much more information unless you give me something that you've already tried, something I can correct / alter.
I'm trying to realize a dynamic website for exercise. All contents are stored in the database:
I included html code(FORMS) as DB content with no ploblem, but when i try to insert php code as DB content nothing happens. The field type for Content is TEXT.
I tryed various ways :
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include('LogIn.php')", 5);
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include(\"LogIn.php\")", 5);
In the website page i see Amministrazion Area, but not what Login.php does.
I thought i made a mistake in Login.php page code so i changed it in a simply echo ("Hi"); but nothing appears anyway. I see only the text Amministration Area.
How can i solve it ?
It's just text! Text in a database. Nothing happens when you just insert text into a database and read from it. You have to actually get something to execute that text as PHP code. That doesn't happen automatically, thankfully! In PHP, the way to execute arbitrary strings as code is by using eval. But this is overall a very bad idea; storing all PHP code in a database is not making anything easier, on the contrary it makes everything more difficult to work with and more prone to exploits if you execute arbitrary code. I'd advice you to stop doing that and go back to PHP code in .php files, not databases.
PHP see <?php include("LogIn.php");? as a string, when you look in the source code of your file, you'll probably see it. It doesn't show up on screen because it starts with a <.
To execute the code instead of handling it as a string, you can use the eval() function.
You however don't want every row of your database be seen as PHP code, so you'll probably need to add a extra column that defines what the row is, i.e. a string, php code. Or you make an extra table where you store your includes.
I'm usually not the "scripting" guy
but I have been given a task, to create a script, that ping all our network equipments. (~300 devices) so I have come so fat, we can manage and edit the Excel and export as CVS into MySQL database, so far...
I have been searching around for a valid example to directly use the "IP" table from the database into my pingscript or to pull the SQL data and insert into a Array..
However, I have contact with the database, but I am unable to print the array data into my ping script however.
When I do a ECHO ['$databasename']; I get the result out, but I don't figure how to correctly input the table "IPaddr" into pingscript as a foreach from array...
I hope you can help me clearing this issue or correct me where I'm wrong :)
I can't post the code here, the site gives an error, so i posted on Pastebin:
PHP script can be seen here
I have simple form for editting site content:
- a text input for title
- a textarea for content
When adding content, there is no problem, allthings add normally:
$chead = mysql_real_escape_string(stripslashes($_POST['chead']));
$ctext = mysql_real_escape_string(stripslashes($_POST['ctext']));
But when edittig the article that containig the
$chead = 'sdsfsf' "sdgsdgs"ggdsfsdg
The $chead = 'sdsfsf'
and the "sdgsdgs"ggdsfsdg will be lost!!!
What is the problem with mysql_real_escpae_string?
Thanks
You need to track down where the information is getting lost, which isn't likely to be mysql_real_escape_string.
Check the $chead value that's being generated (before you accuse a particular function of having damaged your data, make sure it is). Then check SQL command you're generating and make sure it's working. Check the database after you insert/update the record and the values returned from the database when you ask for the article back.
In my experience it's much more likely to be a programmer error in the database interaction, or HTML generation that's causing trouble than PHP. If you really do track the problem down to mysql_real_escape_string, you'll probably need to reinstall PHP and MySQL.
I am working on building a small php/mysql script that will act something like a wordpress blog but will just be a small site for my eyes only to store PHP code snippets. So I will have categories and then pages with sample code that I write with a javascript syntax highlighter. Instead of storing my php code snippets in the file I am wanting to save them to mysql DB. So what is the best way to save PHP into mysql and to get it out of mysql to show on the page?
My end result will be something like this
alt text http://img2.pict.com/c1/c4/69/2516419/0/800/screenshot2b193.png
Update:
I just wasn't sure if I needed to do something special to the code before sending it to mysql since it has all different kinds of characters in it
Just store in a text field, as is. Not much more beyond that.
If you're not using some kind of database abstraction layer, just call mysql_real_escape_string on the text.
Do you want to be able to search the php code? If so, I recommend using the MyISAM table type as it supports full text indexes (InnoDB does not). Your choices for column type when it comes to a fulltext index are char, varchar and text. I would go with text as your code snippets might get too long for the other types.
Another point worth mentioning, is make sure you properly escape all php code (or any value for that matter) before you insert it. The best way to do this is by using parameterized queries.
Unless I'm missing part of the problem, you should be safe storing it as a TEXT field in a MySQL database. Just make absolutely sure you sanitize the code snippets, as PHP code in particular is quite likely to contain the characters that will escape out of an SQL string. (If you're already using an SQL framework, odds are the framework is doing this for you.)
Store as text (varchar) in the database.
Use cascading style sheet (css) to format code.
http://qbnz.com/highlighter/
Try this:
mysql select ...
eval('?>' . $row['phpcode'] . '<?php ');