php - Strip Out All Unwanted Characters -


i using following code strip out unwanted characters not stripping out , throwing mysql error: 

    $commentmessage = strip_tags($commentmessage);     $commentmessage = htmlentities($commentmessage, ent_quotes);

what code use strip out might cause mysql error?

the message receiving is:

error message: sqlstate[42000]: syntax error or access violation: 1064 have error in sql syntax; check manual corresponds mysql server version right syntax use near 'omg thats one". 1 of logo's liked 1049859 f' @ line 2**

evidently you're building query so:

$query = "insert foo values ('$bar')";

which breaking because text of $bar contains single quotes. '

no. *hits rolled-up newspaper* bad developer.

i could throw string escaping function, or show right like:

$bar = "i problematic string!'; drop table users -- " $query = "insert foo values (?)"; $stmt = $dbh->prepare($query); $stmt->execute(array($bar));

or:

$bar = "i problematic string!'; drop table users -- " $query = "insert foo values (:bar)"; $stmt = $dbh->prepare($query); $stmt->execute(array('bar'=>$bar));

when prepare query php/pdo/mysql , pre-agree on types placeholders are. strings treated strings without need escaping characters. both prevents rogue single quotes breaking query, , protect sql injection attacks.

you can re-use prepared statements increase performance: [relative un-prepared statements since sql needs parsed once, rather once per query]

$query = "insert foo values (?)"; $stmt = $dbh->prepare($query); foreach( $bars $bar ) {   $stmt->execute(array($bar)); }

Comments

Post a Comment

Popular posts from this blog

cakephp - simple blog with croogo -

i not problem, made simple blog in croogo, problem is not adding or modifying or delete, because arabic language ?? function add in controller `public function admin_add() { $this->set('title_for_layout', __('add part')); if (!empty($this->request->data)) { $this->part->create(); if ($this->part->save($this->request->data)) { $this->session->setflash(__('the part has been saved'), 'default', array('class' => 'success')); $this->redirect(array('action' => 'index'));//, $this->part->id)); } else { $this->session->setflash(__('the part not saved. please, try again.'), 'default', array('class' => 'error')); } } }` => model `class part extends appmodel { public $name = 'part'; var $belongst...
Read more

How to group boxplot outliers in gnuplot -

i have large set of data points. try plot them boxplot, of outliers exact same value , represented on line beside each other. found how set horizontal distance between outliers in gnuplot boxplot , doesn't much, apparently not possible. is possible group outliers together, print 1 point , print number in brackets beside indicate how many points there are? think make more readable in graph. for information, have 3 boxplots 1 x value , times 6 in 1 graph. using gnuplot 5 , played around pointsize, doesn't reduce distance anymore. hope can help! edit: set terminal pdf set output 'dat.pdf' file0 = 'dat1.dat' file1 = 'dat2.dat' file2 = 'dat3.dat' set pointsize 0.2 set notitle set xlabel 'x' set ylabel 'y' header = system('head -1 '.file0); n = words(header) set xtics ('' 1) set [i=1:n] xtics add (word(header, i) i) set style data boxplot plot file0 using (1-0.25):1:(0.2) boxplot lw 2 lc rgb '#8b0000...
Read more

bash - Performing variable substitution in a string -

i have string contains use of variable, , i'd substitute variable's value string. right best have is #!/bin/bash foo='$name; echo bar' name="the name" expanded="$(eval echo "$foo")" echo "$expanded" which has obvious defects: prints the name bar while i'd print the name; echo bar instead of eval can bash's regex matching bash's string replacement: foo='$name; echo bar' name="the name" [[ "$foo" =~ \$([[:alnum:]]+) ]] && s="${!bash_rematch[1]}" && expanded="${foo/\$${bash_rematch[1]}/$s}" echo "$expanded" name; echo bar
Read more