TIP: Click on subject to list as thread!

ANSI

echo:	rberrypi
to:	THE NATURAL PHILOSOPHER
from:	A. DUMAS
date:	2020-09-12 05:03:00
subject:	Re: Pi Hardware
The Natural Philosopher wrote: > On 11/09/2020 19:50, Andy Burns wrote: >> The Natural Philosopher wrote: >> >>> $query = "insert into data set"; >>> $flag=0; >>> foreach($fields as $name) //read variables and add to query >>> { >>> if($flag) $query .=','; >>> if(isset($_GET[$name])) >>> $query.= sprintf(" %s='%s'",$name,$_POST[$name]); >>> else >>> $query.= sprintf(" %s='%s'",$name,""); >>> $flag++; >>> } >> >> > funny, but obviously you don't understand sql as the sample code > specifically cannot do that kind of thing. > That is the reason why the SQL command is not passed. > And it is the reason why all the arguments are 'quoted'. You mixed up _GET and _POST, there are no sanity checks and you just dump it in the sql string. What if _POST[$name] starts with '; ? The key is to use mysqli_real_escape_string($dblink, $strval) or the equivalent for your db. Here are some snippets I wrote back in the day, maybe could use corrections as well? Idk. And I got out before everything turned into classes. Also this is so old that the mysql extension still existed (as opposed to mysqli). if (get_magic_quotes_gpc()) $postdata = stripslashes($postdata); if ($notags) $postdata = strip_tags($postdata); if ($collapsewhitespace) { $postdata = preg_replace('/^\s+/', '', $postdata); // not sure why I didn't use trim() $postdata = preg_replace('/\s+$/', '', $postdata); $postdata = preg_replace('/\s+/', ' ', $postdata); } $postdata = mb_substr($postdata, 0, $maxlength); // avoid string or field length overflow if ($nohtml) $postdata = htmlspecialchars($postdata); // tricky; could lead to double encoding if not careful $inidata = @parse_ini_file($inifile, TRUE); // load from outside doc root $ln = @mysql_connect($inidata[$section]['server'], $inidata[$section]['username'], $inidata[$section]['password']); $db = @mysql_select_db($inidata[$section]['database'], $ln); @mysql_query("SET NAMES 'utf8mb4' COLLATE 'utf8mb4_unicode_520_ci'", $ln); unset($inidata); unset($inifile); if (isset($_SERVER['HTTP_REFERER'])) { $refer_prev = $_SERVER['HTTP_REFERER']; $ref = parse_url($refer_prev); if (strcmp($ref['host'], $_SERVER['HTTP_HOST'])) $err .= 'Request from different host [' . htmlspecialchars($ref['host']) . '] not accepted.' . "\n"; } /** * Insert or update one row in a database table by ID. If ID is positive it is the * unique ID of the row to update. If zero, a new row is inserted. If negative, a new * row is inserted using INSERT IGNORE (no error message when insertion fails due to * key constraints). Data for the insert or update is expected in an associative array * of key-value pairs: fieldname and unescaped and unquoted fieldvalue. The function either * returns success of the update, the ID of the newly inserted row, zero if no row was * inserted (INSERT IGNORE failure) or FALSE on error. * @param string $table tablename * @param integer $id unique ID of row to update or zero for new insertion or negative for INSERT IGNORE * @param array $keyvaldata associative array of key-value data * @return mixed boolean update success, integer insert ID or zero, boolean false / function db_putrow($table, $id, $keyvaldata, $escape = TRUE, $empty2null = TRUE) { //check parameter validity if ( empty($keyvaldata) \|\| !is_array($keyvaldata) \|\| !count($keyvaldata) ) return FALSE; //check connection if ( !$ln = db_connect() ) return FALSE; //implode key-val array to partial SQL statement, escape and quote values $assign = array(); foreach ( $keyvaldata as $k => $v ) { if ( $empty2null && !strlen($v) ) $v = 'NULL'; elseif ( $escape && !is_numeric($v) && strcmp('NULL', $v) && !preg_match('/^[A-Z0-9_]+$.$$/', $v) ) $v = "'" . mysql_real_escape_string($v, $ln) . "'"; $assign[] = '`' . $k . '` = ' . $v; } $sql = '`' . DB_TABLEPREFIX . $table . '` SET ' . implode(', ', $assign); if ( $id > 0 ) //update particular row, return update success { $sql = 'UPDATE ' . $sql . ' WHERE `id` = ' . $id . ' LIMIT 1'; if ( mysql_query($sql, $ln) ) { //return number of affected rows or TRUE for successful query if ( $n = mysql_affected_rows($ln) ) return $n; else return TRUE; } else return FALSE; } elseif ( $id == 0 ) //insert new row, return new row ID or FALSE on error { $sql = 'INSERT INTO ' . $sql; return mysql_query($sql, $ln) ? mysql_insert_id($ln) : FALSE; } else //insert new row (possible duplicate), return new row ID or zero on failure or FALSE on error { $sql = 'INSERT IGNORE INTO ' . $sql; return mysql_query($sql, $ln) ? (mysql_affected_rows($ln) ? mysql_insert_id($ln) : 0) : FALSE; } } --- SoupGate-Win32 v1.05 * Origin: Agency HUB, Dunedin - New Zealand \| FidoUsenet Gateway (3:770/3)
SOURCE: echomail via QWK@docsplace.org

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.