My query:
mysql::getInstance()->update('requests', array('response' => mysql_real_escape_string($_POST['status'])), array('secret' => $_POST['secret']));
If I want to add a string containing an "&" symbol, all symbols after the "&" are stripped.
Example:
string: !"№;%:?()_+!##$%^&()_+
in database i see only: !"№;%:?*()_+!##$%^
How to fix this?
The update function, if anyone needs it:
function update($table, $updateList, $whereConditions)
{
    $updateQuery = '';
    foreach ($updateList as $key => $newValue) {
        // Non-numeric values are wrapped in quotes; the caller is expected to
        // have escaped them already (as with mysql_real_escape_string above).
        if (!is_numeric($newValue)) {
            $newValue = "'" . $newValue . "'";
        }
        if (strlen($updateQuery) == 0) {
            $updateQuery .= '`' . $key . '` = ' . $newValue;
        } else {
            $updateQuery .= ', `' . $key . '` = ' . $newValue;
        }
    }
    return $this->query('UPDATE ' . $table . ' SET ' . $updateQuery . $this->buildWhereClause($whereConditions));
}
UPD:
echo mysql::getInstance()->getLastSQL() says:
UPDATE requests SET `response` = '!\"№;%:?*()_ !##$%^' WHERE `secret` = '52a4ab5f7f3e8491e60b71db7d775ee2'
So, is the problem with the update function in the mysql class?
SLaks, do I need to use str_replace('&', '%28', $query)?
You're probably passing a raw & character in the query string, which causes everything after the & to be parsed as a second parameter by PHP (before it gets into your variable).
You need to escape the & as %26.
EDIT: You need to escape it before you send it to the server. (When you make the HTTP request)
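To make the mechanism concrete, here is an added example (not from the question or the answer): it feeds the question's sample string through PHP's own form parsing, once raw and once encoded with http_build_query(), so the truncation and its fix can be observed locally. The secret value is a constructed placeholder.

```php
<?php
// Added example, not code from the original post. $status is the sample
// string from the question; the secret is a constructed placeholder.

function build_body(array $fields): string {
    // http_build_query() percent-encodes every key and value, so "&" becomes
    // %26 and "+" becomes %2B; neither can be mistaken for a separator.
    return http_build_query($fields);
}

function parse_body(string $body): array {
    // parse_str() is what PHP does internally to populate $_POST / $_GET.
    parse_str($body, $result);
    return $result;
}

$status = '!"№;%:?*()_+!##$%^&()_+';

// Wrong: concatenating the raw value into the request body.
$rawBody = 'status=' . $status . '&secret=PLACEHOLDER';
$rawParsed = parse_body($rawBody);
// Everything from the "&" onwards is gone, and the "+" was decoded as a
// space, which is exactly what the UPD output above shows.
var_dump($rawParsed['status'] === $status);

// Right: encode first, then send. The value survives the round trip.
$encodedBody = build_body(['status' => $status, 'secret' => 'PLACEHOLDER']);
$encodedParsed = parse_body($encodedBody);
var_dump($encodedParsed['status'] === $status);
```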
I have an input field that automatically inserts the value of 'www.' before anything the user types. The data in the input field then gets inserted into a table.
Using PHP, I am trying to remove/strip the instance of 'www.' if a '#' symbol is typed into the input field. I cannot seem to get this to work, looking at what is output in my SQL table. I'm using an empty variable in $var to replace the 'www.'.
Here is my code:
if (strpos($_POST['Link'], '#') !== false) {
    $webvar = 'Twitter';
    str_replace('www.', '', $var);
    $link = mysqli_real_escape_string($conn, '<a href='."'".'https://'.'twitter.com/'.$_POST['Link']."' ".'target='."'".'_blank'."'".'>'.$webvar.'</a>');
}
Your question is unclear, but something like this?
if (strpos($_POST['Link'], '#') !== false) {
    $webvar = 'Twitter';
    $link = mysqli_real_escape_string($conn, '<a href=' . "'" . 'https://' . 'twitter.com/' . str_replace('www.', '', $_POST['Link']) . "' " . 'target=' . "'" . '_blank' . "'" . '>' . $webvar . '</a>');
}
You should assign the result directly back to the variable (although it's not clear what $var is; it sounds like it should be $_POST['Link']):
$var = str_replace('www.', '', $_POST['Link']);
I wrote some code to update a MySQL table via PHP/PDO.
But it is not working, and I just can't figure out where my mistake is.
The execute() returns true, but the changes never actually show up in the table.
My code looks pretty much like this:
$columnObject = array(
    "emailAddress"=>"aaa#aaa.com",
    "passwordHash"=>"56bj5g63j4g57g567g5k75jh7gk4g74j5hg67",
    "name"=>"qweqweqwe",
    "lastActivity"=>4128649814
);
$knownColumnName = "emailAddress";
$knownColumnData = "aaa#aaa.com";
$pdoUpdateString = '';
$pdoExecuteObject = array();
foreach ($columnObject as $columnName => $columnData) {
    // Build "col=:col" pairs and the matching named parameters
    $pdoUpdateString .= $columnName . "=:" . $columnName . ",";
    $pdoExecuteObject[$columnName] = $columnData;
}
$pdoUpdateString = rtrim($pdoUpdateString, ",");
$pdoExecuteObject['knownColumn'] = $knownColumnData;
$q = $this->hCon->prepare('UPDATE ' . $this->name . ' SET ' . $pdoUpdateString . ' WHERE ' . $knownColumnName . '=:knownColumn');
$q->execute($pdoExecuteObject);
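The dynamic UPDATE above binds its values but splices the column names straight into the SQL. As an added example (not the poster's code), the same shape with every column name checked against an allow-list, since identifiers cannot be bound as parameters, plus a rowCount() check that tells the difference between "the statement ran" and "a row was changed"; $pdo, the table name and the column list are assumptions.

```php
<?php
// Added example, not the poster's code. $pdo is assumed to be an existing PDO
// connection; the table name and the allow-list of columns come from code,
// never from request input (both constructed here).

function buildUpdate(string $table, array $allowedColumns, array $columnObject,
                     string $knownColumnName, $knownColumnData): array
{
    // Placeholders can only stand in for values, never for identifiers, so each
    // column name is checked against the allow-list before it is spliced in.
    $setParts = [];
    $params = [];
    foreach ($columnObject as $columnName => $columnData) {
        if (!in_array($columnName, $allowedColumns, true)) {
            throw new InvalidArgumentException("unknown column: $columnName");
        }
        $setParts[] = "`$columnName` = :$columnName";
        $params[$columnName] = $columnData;
    }
    if (!in_array($knownColumnName, $allowedColumns, true)) {
        throw new InvalidArgumentException("unknown column: $knownColumnName");
    }
    // A placeholder name that cannot collide with any column placeholder.
    $params['known_value'] = $knownColumnData;
    $sql = "UPDATE `$table` SET " . implode(', ', $setParts)
         . " WHERE `$knownColumnName` = :known_value";
    return [$sql, $params];
}

$allowedColumns = ['emailAddress', 'passwordHash', 'name', 'lastActivity'];
[$sql, $params] = buildUpdate('users', $allowedColumns,
    ['name' => 'qweqweqwe', 'lastActivity' => 4128649814],
    'emailAddress', 'aaa@example.com');   // constructed sample values

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
// execute() returning true only means the statement ran without error. On
// MySQL, rowCount() reports the rows actually changed, so 0 means either no row
// matched the WHERE clause or the new values were identical to the stored ones.
if ($stmt->rowCount() === 0) {
    echo "nothing changed: check the WHERE value and the SET values\n";
}
```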
From LDAP I'm querying my users and this code sets them as a variable in the quoted format I need to run the MySQL query which would be 'username','other_username', etc...
foreach ($prefs as $who => $pref) {
    if (strpos($who, 'public') === false) {
        $team_users_string .= '\'' . $who . '\',';
    }
}
When I try to sanitize the command with the following code it converts the string to \'username\',\'other_username\', what can I do to correct this?
$team_users = rtrim($team_users_string, ",");
$start_date = $_POST['start_year'] . '-' . $_POST['start_month'];
$end_date = $_POST['end_year'] . '-' . $_POST['end_month'];
echo 'Welcome, <strong>' . $user . '</strong><br />';
echo '<br />';
echo '<strong>Selected Start Date:</strong> ' . $start_date . '<br />';
echo '<strong>Selected End Date:</strong> ' . $end_date . '<br />';
    mysql_real_escape_string($team_users),
    mysql_real_escape_string($start_date),
    mysql_real_escape_string($end_date));
$query = "SELECT * FROM vacation WHERE user_name in ($team_users) AND day BETWEEN '$start_date-01' AND '$end_date-31'";
Your problem is that you're adding the quote characters before you pass the string to mysql_real_escape_string(). So the literal quotes become escaped by that function.
You could avoid this by using mysql_real_escape_string(), and then delimiting the result in quotes.
Also I'd use an array and implode() the array to get commas, instead of being forced to rtrim() the last comma.
foreach ($prefs as $who => $pref) {
    if (strpos($who, 'public') === false) {
        $team_users_array[] = "'" . mysql_real_escape_string($who) . "'";
    }
}
$team_users = implode(",", $team_users_array); // no rtrim needed
I have something like this:
public function options()
{
    $out = '';
    $docs = $this->getAll();;
    foreach($docs as $key => $doc) {
        $out .= ',{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
    }
    return $out;
}
It gives me a list of options from the DB, but it also gives me a null value at the top.
If I write it like this:
public function options()
{
    //$out = '';
    $docs = $this->getAll();;
    foreach($docs as $key => $doc) {
        $out = '';
        $out .= '{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
    }
    return $out;
}
It doesn't give me the null value, but it only returns one value.
$out .= ',{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
In this line, if I don't add the comma it gives me an error message; this is because I have $out = ''; at the top. Now can you give me an idea of how I can get all the values from the DB without the empty value at the beginning?
I also have another question: why do we use ;; (a double semicolon) in this code:
$docs = $this->getAll();;
Test $out to see if it has any length; if so, add the comma and the line, otherwise just set it to be the line:
$out = "";
foreach ($docs as $key => $doc) {
    if (strlen($out)) {
        $out .= ',{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
    } else {
        $out = '{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
    }
}
As to your other question, er, you wrote the code, so why did you put a double semicolon?
This is not the correct way to build JSON. First create an array, and use json_encode() on it.
I'd suggest using an array instead to hold the individual values, and using join to concatenate them together.
public function options()
{
    $docs = $this->getAll();
    // Create an empty array
    $items = array();
    foreach($docs as $key => $doc) {
        // "Push" an item to the end of the array
        $items[] = '{"label" : "' . $doc['name'] . '", "value" : "' . $doc['id'] .'"}';
    }
    // Join the contents together
    $out = join(",", $items);
    return $out;
}
Also, the double semi-colon is completely unnecessary.
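As an added example (not the poster's or the answerers' code) of the json_encode() approach recommended above: the same options() logic built on an array, run on constructed sample rows that include a name with an embedded double quote, which the string-concatenation version turns into invalid JSON.

```php
<?php
// Added example, not from the original post. $docs is a constructed sample
// standing in for the rows returned by $this->getAll().

function options(array $docs): string
{
    $items = [];
    foreach ($docs as $doc) {
        $items[] = ['label' => $doc['name'], 'value' => $doc['id']];
    }
    // json_encode() quotes and escapes every string, so a name containing a
    // double quote, a backslash or "</script>" cannot break out of the JSON
    // structure the way it does with '{"label" : "' . $doc['name'] . '"}'.
    return json_encode($items, JSON_THROW_ON_ERROR);
}

$docs = [
    ['id' => 1, 'name' => 'Plain name'],
    ['id' => 2, 'name' => 'Has "quotes" and a \\ backslash'],
    ['id' => 3, 'name' => 'Ends with </script>'],
];

echo options($docs), "\n";

// The hand-built version silently produces invalid JSON for the second row,
// because the embedded quote terminates the "label" string early.
$broken = '{"label" : "' . $docs[1]['name'] . '", "value" : "' . $docs[1]['id'] . '"}';
if (json_decode($broken) === null) {
    echo "hand-built JSON for row 2 does not parse\n";
}
```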
$brand_condition = ' AND ' . mysql_real_escape_string($brand_selection) . ' IN ';
$brand_condition .= $quote10 . '"'. mysql_real_escape_string($brand_value) . '"' .$quote9;
$brand_conditions[] = $brand_condition;
$query .= implode(' AND ', $brand_conditions) . '';
This produces: AND manufacturer IN ("brand1,brand2")
Since I'm using the IN statement, I need the values to be quoted. At the same time, I am escaping potential quotes with mysql_real_escape_string.
Does anyone see a simple way to get around this small problem?
function quote_escape(&$str) {
    $str = '"' . mysql_real_escape_string(chop($str)) . '"';
}
$brands = explode(',', $brand_value);
array_walk($brands, "quote_escape");
$brands = implode(',', $brands);
or
function quote_escape($str) {
    return '"' . mysql_real_escape_string(chop($str)) . '"';
}
$brands = implode(',', array_map("quote_escape", explode(',', $brand_value)));
How about $brand_conditions[] = '"'.$brand_condition.'"'; so you're adding quotes right before you add the brand_condition to your array.
$concurrent_names = array("O'reilly", 'Tupac "MC New York" Shakur', 'Nemoden');
$escaped_concurrent_names = array_map('mysql_real_escape_string', $concurrent_names);
$condition = 'WHERE name in ("'.implode('", "', $escaped_concurrent_names).'")';
Use this to add quotes to an imploded string:
$values = "'" . implode("','", array_values($values)) . "'";
$brands = array('nokia', 'samsung', 'xiomi');
$brands = "'" . implode("','", $brands) . "'";
// $brands is now 'nokia','samsung','xiomi'
WHERE column_name IN ($brands)
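Both the LDAP user list earlier on this page and this brand list hit the same problem: values quoted by hand and then escaped. An added example (not from either thread) that builds the IN clause with PDO placeholders instead, so neither manual quoting nor mysql_real_escape_string() is needed; $pdo is assumed to be an existing connection, and the user, date and brand values are constructed.

```php
<?php
// Added example, not from any answer above. $pdo is assumed to be an existing
// PDO connection; every list and value below is constructed sample data.

function inClause(array $values): array
{
    // One positional placeholder per value: IN (?, ?, ?)
    if ($values === []) {
        // "IN ()" is a syntax error in MySQL; use an always-false condition.
        return ['IN (NULL)', []];
    }
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    return ["IN ($placeholders)", array_values($values)];
}

// LDAP thread: usernames containing quotes need no escaping at all.
$teamUsers = ["o'reilly", 'alice', 'bob "the builder"'];
[$userSql, $userParams] = inClause($teamUsers);

$startDate = '2024-01';   // constructed; came from $_POST in the original
$endDate   = '2024-03';
$sql = "SELECT * FROM vacation WHERE user_name $userSql AND day BETWEEN ? AND ?";
$stmt = $pdo->prepare($sql);
$stmt->execute(array_merge($userParams, ["$startDate-01", "$endDate-31"]));

// Brand thread: the comma-separated $brand_value is split into separate
// values instead of being quoted as one string ("brand1,brand2").
$brandValue = 'brand1,brand2';
$brands = array_map('trim', explode(',', $brandValue));
[$brandSql, $brandParams] = inClause($brands);

// The column name cannot be a placeholder, so it is allow-listed from code.
$allowedBrandColumns = ['manufacturer', 'brand'];
$brandColumn = 'manufacturer';
if (!in_array($brandColumn, $allowedBrandColumns, true)) {
    throw new InvalidArgumentException("unknown column: $brandColumn");
}
$stmt = $pdo->prepare("SELECT * FROM products WHERE `$brandColumn` $brandSql");
$stmt->execute($brandParams);
```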