I have a MySQL Query -> Forums

Shinyshell Community Forums > Coding > I have a MySQL Query
Sign Up	Member List	New Posts	Help

[1]

July 24 02009, 18:36 GMT
Peter* A Pythonic One Location: US Post count: 99	lol I couldn't resist... Anyway. Editing a user bio. <form action="?id=usercp" method="post"> <textarea name="bio"> </textarea> <input type="submit" value="Submit"> </form> <form action="?id=usercp" method="post"> <textarea name="bio"> </textarea> <input type="submit" value="Submit"> </form> ]]> $bio = htmlspecialchars($_POST['bio']); $query = "INSERT INTO users (bio) values('" . $bio . "')"; mysql_query($query) or die(mysql_error()); $bio = htmlspecialchars($_POST['bio']); $query = "INSERT INTO users (bio) values('" . $bio . "')"; mysql_query($query) or die(mysql_error()); ]]> If I write "Hey I'm Peter" on the form, it comes up with a MySQL error thanks to the apostrophe. I want users to be able to use apostrophes... how can I fix it? ;-;

July 24 02009, 19:45 GMT
Pikachu Kelp is good! Location: California Post count: 50	Use addslashes(). <?php $bio = htmlspecialchars($_POST['bio']); $bio2 = addslashes($bio); $query = "UPDATE users SET bio='".$bio2."' WHERE username='".$username."'"; mysql_query($query) or die(mysql_error()); ?> $bio = htmlspecialchars($_POST['bio']); $bio2 = addslashes($bio); $query = "UPDATE users SET bio='".$bio2."' WHERE username='".$username."'"; mysql_query($query) or die(mysql_error()); ?>]]> I would use update rather than insert. ______________________________ Linux \| Chrome \| Python \| Chuck

July 25 02009, 16:05 GMT
Peter* A Pythonic One Location: US Post count: 99	When I'm retrieving the data, can I remove the slashes?

July 25 02009, 20:17 GMT
Pikachu Kelp is good! Location: California Post count: 50	There's no need to remove the slashes. For example: <?php echo "I\'m Peter"; ?> <?php echo "I\'m Peter"; ?>]]> This would echo "I'm Peter". Adding slashes just allows you to input apostrophes into the database, so that you won't get an error. ______________________________ Linux \| Chrome \| Python \| Chuck

July 26 02009, 02:23 GMT
Peter* A Pythonic One Location: US Post count: 99	OH, I see now. I should have known that... anyway. Won't mysql_real_escape_string do the same?

July 26 02009, 02:56 GMT
Pikachu Kelp is good! Location: California Post count: 50	mysql_real_escape_string makes sure that someone doesn't try to drop your tables. I'm not too sure if it adds slashes, since I haven't used it in awhile. ______________________________ Linux \| Chrome \| Python \| Chuck

July 26 02009, 04:16 GMT
Peter* A Pythonic One Location: US Post count: 99	Apparently it does, because it let me add the data without a MySQL error. :D Will this work for a user registration script? function register() { $query = "INSERT INTO users (user, password, usergroup, email, regdate) values('" . $_POST['user'] . "', '" . $_POST['password'] . "', 'user', '" . $_POST['email'] . "', CURDATE()"; } function register() { $query = "INSERT INTO users (user, password, usergroup, email, regdate) values('" . $_POST['user'] . "', '" . $_POST['password'] . "', 'user', '" . $_POST['email'] . "', CURDATE()"; } ]]> I think it should add all the data. I haven't put in the script to check whether or not the user exists or the email exists. I'm also unsure about the CURDATE() thing. EDIT: I took out the CURDATE() thing for now... I'll figure that out later. Here's the modified code. //Add the user into the users MySQL table function register() { $query = "SELECT * FROM users WHERE user='" . $_POST['user'] . "'"; $result = mysql_query($query); $rowcount = mysql_num_rows($result); $query = "SELECT * FROM users WHERE email='" . $_POST['email'] . "'"; $result = mysql_query($query); $rowcount2 = mysql_num_rows($result); if($rowcount != 0) { echo "The username you entered is taken... please enter another. "; } elseif($rowcount2 != 0) { echo "The email you entered is taken... please enter another. "; } else { $query = "INSERT INTO users (user, password, usergroup, email) values('".$_POST['user']."', '".md5($_POST['password'])."', 'user', '".$_POST['email']."')"; mysql_query($query); } } //Add the user into the users MySQL table function register() { $query = "SELECT * FROM users WHERE user='" . $_POST['user'] . "'"; $result = mysql_query($query); $rowcount = mysql_num_rows($result); $query = "SELECT * FROM users WHERE email='" . $_POST['email'] . "'"; $result = mysql_query($query); $rowcount2 = mysql_num_rows($result); if($rowcount != 0) { echo "The username you entered is taken... please enter another. "; } elseif($rowcount2 != 0) { echo "The email you entered is taken... please enter another. "; } else { $query = "INSERT INTO users (user, password, usergroup, email) values('".$_POST['user']."', '".md5($_POST['password'])."', 'user', '".$_POST['email']."')"; mysql_query($query); } } ]]>

July 26 02009, 16:52 GMT
Pikachu Kelp is good! Location: California Post count: 50	See, the problem with this is that you're using an if-else. What if both the username and email are taken? The if-else statement will only be able to echo the first one. This is solved with by making them separate if statements: <?php if($rowcount != 0) { echo "The username you entered is taken... please enter another. "; } if($rowcount2 != 0) { echo "The email you entered is taken... please enter another. "; } ?> <?php if($rowcount != 0) { echo "The username you entered is taken... please enter another. "; } if($rowcount2 != 0) { echo "The email you entered is taken... please enter another. "; } ?> ]]> Now, if both the username and email are taken, both statements will be echoed. ______________________________ Linux \| Chrome \| Python \| Chuck

July 27 02009, 21:47 GMT
Peter* A Pythonic One Location: US Post count: 99	Ok, I hadn't considered that. xD But it's fixed now. I've added a lot of other conditions, too. The basic system works... now I just have to add everything else. @_@ Coding is enjoyable. "Thanks, Pikachu," said Ash. How would I echo only a certain amount of information from a MySQL table? Three rows, for example.

July 28 02009, 00:11 GMT
Pikachu Kelp is good! Location: California Post count: 50	Using LIMIT: <?php $query = "SELECT * FROM users LIMIT 3"; ?> <?php $query = "SELECT * FROM users LIMIT 3"; ?> ]]> That should echo the first three rows. I haven't tested it out, but if it doesn't work, try: <?php $query = "SELECT * FROM users LIMIT 0, 3"; ?> <?php $query = "SELECT * FROM users LIMIT 0, 3"; ?> ]]> And you're welcome, I'm always here to help. ______________________________ Linux \| Chrome \| Python \| Chuck

August 07 02009, 18:11 GMT
Peter* A Pythonic One Location: US Post count: 99	More problems. T_T //Insert an update function inUpdate($title, $update) { $user = "Zack"; $query = "INSERT INTO updates (title, update, date, user) values('" . $title . "', '" . $update . "', CURDATE(), '" . $user . "')"; mysql_query($query) or die(mysql_error()); } //Insert an update function inUpdate($title, $update) { $user = "Zack"; $query = "INSERT INTO updates (title, update, date, user) values('" . $title . "', '" . $update . "', CURDATE(), '" . $user . "')"; mysql_query($query) or die(mysql_error()); } ]]> <?php include("functions.php"); databaseConnect("mysql.owensvilleumc.com", "zack_oumc", "****", "oumc_common"); $title = $_POST['title']; $update = $_POST['update']; if(isset($title)) { cleanString($title); $okay++; } else { echo "You left the title field blank! "; } if(strlen($title) > 50) { echo "Your title cannot be longer than fifty characters. "; } else { $okay++; } if(isset($update)) { cleanString($title, $update, $_COOKIE['user']); $okay++; } else { echo "You left the update field blank! "; } if(strlen($update) > 500) { echo "The length of an update cannot exceed 500 characters. "; } else { $okay++; } if($okay == 4) { inUpdate($title, $update); } else { echo "something's up..."; } ?> <form action="cms.php" method="post"> <table> <tr> <td> Update Title: </td> <td> <input type="text" name="title"> </td> </tr> <tr> <td> Update: </td> <td> <textarea name="update"> <?php include("functions.php"); databaseConnect("mysql.owensvilleumc.com", "zack_oumc", "****", "oumc_common"); $title = $_POST['title']; $update = $_POST['update']; if(isset($title)) { cleanString($title); $okay++; } else { echo "You left the title field blank! "; } if(strlen($title) > 50) { echo "Your title cannot be longer than fifty characters. "; } else { $okay++; } if(isset($update)) { cleanString($title, $update, $_COOKIE['user']); $okay++; } else { echo "You left the update field blank! "; } if(strlen($update) > 500) { echo "The length of an update cannot exceed 500 characters. "; } else { $okay++; } if($okay == 4) { inUpdate($title, $update); } else { echo "something's up..."; } ?> <form action="cms.php" method="post"> <table> <tr> <td> Update Title: </td> <td> <input type="text" name="title"> </td> </tr> <tr> <td> Update: </td> <td> <textarea name="update"> ]]> Apparently since UPDATE is a MySQL command you can't name a column that. xD Apparently since UPDATE is a MySQL command you can't name a column that. xD]]>

September 25 02009, 23:16 GMT
Peter* A Pythonic One Location: US Post count: 99	More problems :D This is back to my other site, which is in PHP. Sorry about the double post :/ <?php if(isset($_POST['postid'])) { $post = mysql_real_escape_string(htmlspecialchars($_POST['post'])); $title = mysql_real_escape_string(htmlspecialchars($_POST['title'])); $pid = mysql_real_escape_string(htmlspecialchars($_POST['postid'])); $query = "UPDATE posts SET title='$title' and post='$post' WHERE id='$pid'"; mysql_query($query) or die(mysql_error()); echo "Two."; } elseif(isset($_GET['pid'])) { $pid = $_GET['pid']; echo "One."; } $query = "SELECT * FROM posts WHERE id='" . $pid ."'"; $result = mysql_query($query) or die(mysql_error()); $array = mysql_fetch_array($result); ?> <form action="?id=edit" method="post"> <table> <tr> <td> <input type="text" name="title" class="text" value="<?php echo $array['title']; ?>" /> <input type="text" name="postid" class="hidden" value="<?php echo $array['id']; ?>" /> </td> </tr> <tr> <td> <textarea name="post" class="text"> <?php echo $array['post']; ?> </textarea> </td> </tr> <tr> <td> <input type="submit" value="Submit" /> </td> </tr> </table> </form> <?php if(isset($_POST['postid'])) { $post = mysql_real_escape_string(htmlspecialchars($_POST['post'])); $title = mysql_real_escape_string(htmlspecialchars($_POST['title'])); $pid = mysql_real_escape_string(htmlspecialchars($_POST['postid'])); $query = "UPDATE posts SET title='$title' and post='$post' WHERE id='$pid'"; mysql_query($query) or die(mysql_error()); echo "Two."; } elseif(isset($_GET['pid'])) { $pid = $_GET['pid']; echo "One."; } $query = "SELECT * FROM posts WHERE id='" . $pid ."'"; $result = mysql_query($query) or die(mysql_error()); $array = mysql_fetch_array($result); ?> <form action="?id=edit" method="post"> <table> <tr> <td> <input type="text" name="title" class="text" value="<?php echo $array['title']; ?>" /> <input type="text" name="postid" class="hidden" value="<?php echo $array['id']; ?>" /> </td> </tr> <tr> <td> <textarea name="post" class="text"> <?php echo $array['post']; ?> </textarea> </td> </tr> <tr> <td> <input type="submit" value="Submit" /> </td> </tr> </table> </form> ]]> It just modifies a post. But when I try to update, it just inserts 0 into the database.

September 26 02009, 00:42 GMT
Faltzer Member Location: Glendale, New York Post count: 38	Why are you not treating $pid as an integer and type-casting it, and why are you quoting it in your MySQL query? Why are you using a hidden field for something that should be in GET? ______________________________ FHQ

September 26 02009, 01:20 GMT
Peter* A Pythonic One Location: US Post count: 99	The first part of the if statement is for after the submission of the form. This is part of my Admin CP. The original URL is something like this: http://site.com/cms/index.php?id=edit&pid=13 . It obviously shows up the the form what the MySQL table says. The second URL looks like this: http://site.com/cms/index.php?id=edit . Are you saying that I should treat the query with $pid like this: $query = "SELECT * FROM posts WHERE id=".$pid; $query = "UPDATE posts SET title='$title' and post='$post' WHERE id=".$pid; $query = "SELECT * FROM posts WHERE id=".$pid; $query = "UPDATE posts SET title='$title' and post='$post' WHERE id=".$pid; ]]> ? I don't think I understand lol

September 26 02009, 01:36 GMT
Faltzer Member Location: Glendale, New York Post count: 38	I don't know why you'd concatenate if you're already using interpolation. Just remove the single-quotes. And you shouldn't be using hidden form fields for that. All nitpicks aside, you're not being specific enough. Provide more information; i.e. your schema for said table. ______________________________ FHQ

September 26 02009, 02:01 GMT
Peter* A Pythonic One Location: US Post count: 99	id (primary key), 11 character integer, auto-incremental title, 50 character varchar user, 50 character varchar date, date post, 500 character varchar I tried it with and without concatenating. And the field post can be up to 500 characters, while the max for a GET variable is 100.

September 26 02009, 02:23 GMT
Faltzer Member Location: Glendale, New York Post count: 38	Unless you want your posts to only be 500 characters, I suggest you make it a TEXT field instead of a VARCHAR. Either way, I modified the script, and it seems to work on my end. I've added logic, also eliminated a possible SQL injection. I coded it in accordance to your style; although coding islands are messy any. Try it out: <?php if (isset($_GET['pid'])) { $pid = (int) $_GET['pid']; if (isset($_POST['submit'])) { $post = mysql_real_escape_string(htmlspecialchars($_POST['post'])); $title = mysql_real_escape_string(htmlspecialchars($_POST['title'])); $query = "UPDATE posts SET title = '$title', post = '$post' WHERE id = $pid;"; mysql_query($query); if (mysql_affected_rows()) { echo 'Updated'; } else { echo '<p>Failed to edit the post.</p>'; } } $query = "SELECT * FROM posts WHERE id = '{$pid}';"; $result = mysql_query($query); if (mysql_num_rows($result)) { $array = mysql_fetch_array($result); ?> <form action="?id=edit&pid=<?php echo $pid; ?>" method="post"> <table> <tr> <td><input type="text" name="title" class="text" value="<?php echo $array['title']; ?>" /></td> </tr> <tr> <td><textarea name="post" class="text"><?php echo $array['post']; ?></textarea> </td> </tr> <tr> <td><input type="submit" name="submit" value="Submit" /> </td> </tr> </table> </form> <? } else { echo 'The post does not exist.'; } } else { echo '<p>You have not specified a post to edit.</p>'; } ?> if (isset($_GET['pid'])) { $pid = (int) $_GET['pid']; if (isset($_POST['submit'])) { $post = mysql_real_escape_string(htmlspecialchars($_POST['post'])); $title = mysql_real_escape_string(htmlspecialchars($_POST['title'])); $query = "UPDATE posts SET title = '$title', post = '$post' WHERE id = $pid;"; mysql_query($query); if (mysql_affected_rows()) { echo 'Updated'; } else { echo '<p>Failed to edit the post.</p>'; } } $query = "SELECT * FROM posts WHERE id = '{$pid}';"; $result = mysql_query($query); if (mysql_num_rows($result)) { $array = mysql_fetch_array($result); ?> <form action="?id=edit&pid=<?php echo $pid; ?>" method="post"> <table> <tr> <td><input type="text" name="title" class="text" value="<?php echo $array['title']; ?>" /></td> </tr> <tr> <td><textarea name="post" class="text"><?php echo $array['post']; ?></textarea> </td> </tr> <tr> <td><input type="submit" name="submit" value="Submit" /> </td> </tr> </table> </form> <? } else { echo 'The post does not exist.'; } } else { echo '<p>You have not specified a post to edit.</p>'; } ?>]]> http://faltzershq.com/form.php?id=edit&pid=1 http://faltzershq.com/form.php?id=edit&pid=2 ______________________________ FHQ

September 26 02009, 12:29 GMT
Peter* A Pythonic One Location: US Post count: 99	Thank you. ^-^ I found the problem with my original code. Rather than saying "title='$title', post='$post'," I said, "title='$title' and post='$post'."

[1]

Forum Information

	Currently Active Members [detailed] (0 members and ? guests)

	Forum Statistics
	Topics: 0, Posts: 0, Members: 108. Welcome to our newest member, adamthephantump Most members online was 5, on August 28 2009, at 21:49:28.
	Legend
	Forums with unread topics in them are indicated by a strong yellow colouring around the forum icon. Forums with no unread topics have the standard pale yellow colouring around the forum icon. Forums with a blue arrow icon will redirect you to a non-forum page. Locked forums have a little padlock by their icon. You won't be able to post in these forums.
Shinyshell Home \| Contact \| Staff List \| Archive \| Top

Conventional Login

Don't have an account? You may want to create one.

OpenID Login

OpenID login and registration is usable, but not finished.
What is OpenID?

Search

(advanced search)

Site Stats

Total members: 108
Latest member: adamthephantump
Members currently online: 0
Most online: 5 - Aug 28, 2009 (21:49)
Front page hits: 87949

Developer info

Site version: 3.5 Alpha
16 queries - 9 templates

Under the Spotlight

Collide Site

Collide make fabulously dreamy electronic-industrial music, they're one of my favourite bands! Give them a chance to take control of your life - myspace | youtube - "Euphoria".

Collide Site - Hits: 4483

5/5 (2) | Rate this site?