How to add allow punctuation with sql - html

I am receiving a syntax error when typing punctuation into my website form such as ' or &. I am using the below code on the page when receiving this error. What am I missing or doing wrong that will fix this issue?
$name=$_REQUEST["title"];
$stdate=$_REQUEST["sdate"];
$endate=$_REQUEST["edate"];
$staddr=$_REQUEST["staddr"];
$addr2=$_REQUEST["staddr2"];
$city=$_REQUEST["city"];
$state=$_REQUEST["state"];
$zip=$_REQUEST["zip"];
$desc=$_REQUEST["desc"];
$file=$_REQUEST['photo'];
$link=$_REQUEST["link"];
$user=$_REQUEST["user"];
/***************** DELETE QUERY ****************************/
$date2 = date('Y-m-d');
$qry = "DELETE FROM table WHERE STR_TO_DATE(`endate`, '%Y-%m-%d') < '".$date2."'";
$del = mysql_query($qry);
$query = "INSERT INTO table (fname,stdate,endate,addr1,addr2,city,state,zip,name,size,type,content,link,description,user) VALUES('" . mysql_real_escape_string($name) . "','$stdate','$endate','" . mysql_real_escape_string($staddr) . "','" . mysql_real_escape_string($addr2) . "','$city','$state','$zip','".str_replace(' ','',$name)."-".$stdate."-".$file.".png','0',' ',' ','" . mysql_real_escape_string($link)."','" . mysql_real_escape_string($desc) . "','$user')";
$q2=mysql_query($query) or die('Error, query failed'. mysql_error());
if($q2) {
echo "ok";
} else {
echo "error ".$query.mysql_error();
}
?>
The issue stems from the query line

Related

SQL query and output in PHP does not work - 500 Internal Server Error

i try to put a working SQL query in a PHP-file for my Cronjob. But i receive only a blank 500 Internal Server Error notification.
The SQL query works fine in PHPmyAdmin.
Here the code:
<?php
$con=mysqli_connect("HOST","DBUSER","DBPW","DBNAME");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT oc_order_product.order_id AS bestellnr, oc_order_product.quantity, oc_order_product.model, oc_order_product.name, oc_order.shipping_company, oc_order.shipping_firstname, oc_order.shipping_lastname, oc_order.shipping_city
FROM oc_order_product, oc_order
WHERE oc_order.order_id = oc_order_product.order_id
AND oc_order.order_status_id = 1
ORDER BY bestellnr, model");
while($row = mysqli_fetch_array($result))
{
echo $row['oc_order_product.order_id'] . "; " . $row['oc_order_product.quantity'] "; " . $row['oc_order_product.model'] "; " . $row['oc_order_product.name'] "; " . $row['oc_order.shipping_company'] "; " . $row['oc_order.shipping_firstname'] "; " . $row['oc_order.shipping_lastname'] "; " . $row['oc_order.shipping_city']; //these are the fields that you have stored in your database table
echo "<br />";
}
mysqli_close($con);
?>
The error_log is empty. Is something wrong with my code?
The error message, that i receive via mail ist:
Status: 500 Internal Server Error
X-Powered-By: PHP/5.6.19
Content-type: text/html; charset=UTF-8
Any idea?
Thanx
I can note that this is incorrect:
$row['oc_order_product.order_id']
The row has no column with that name. In fact, you have explicitly given the column the name bestellnr. So, you might try:
$row['bestellnr']
I can't guarantee that is the only problem, though.
That's the final code:
<?php
$pdo = new PDO('mysql:host=DBHOST;dbname=DBNAME', 'DBUSER', 'DBPW');
$sql = "SELECT oc_order_product.order_id AS bestellnr, oc_order_product.quantity, oc_order_product.model, oc_order_product.name, oc_order.shipping_company, oc_order.shipping_firstname, oc_order.shipping_lastname, oc_order.shipping_city
FROM oc_order_product, oc_order
WHERE oc_order.order_id = oc_order_product.order_id
AND oc_order.order_status_id = 1
ORDER BY bestellnr, model";
foreach ($pdo->query($sql) as $row) {
echo $row['bestellnr']."; ".$row['quantity']."; ".$row['model']."; ".$row['name']."; ".$row['shipping_company']."; ".$row['shipping_firstname']."; ".$row['shipping_lastname']."; ".$row['shipping_city']."<br />";
}
?>

Auto delete from SQL database

What can I add to this to make the record delete automatically after the endate has passed? I would like to post to automatically delete from the database after the endate has passed.
<?php
require "../login/config.php";
$host='';
$db = 'db';
$dbuser = 'dbo';
$dbpass = '';
$conn = mysql_connect($host, $dbuser, $dbpass,$db);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db('db');
if(isset($_POST['submit'])) {
$name=$_POST["element_1"];
$stdatemm=$_POST["element_2_1"];
$stdatedd=$_POST["element_2_2"];
$stdateyy=$_POST["element_2_3"];
$endatemm=$_POST["element_3_1"];
$endatedd=$_POST["element_3_2"];
$endateyy=$_POST["element_3_3"];
$stdate=$stdatemm."/".$stdatedd."/".$stdateyy;
$endate=$endatemm."/".$endatedd."/".$endateyy;
$user=$_POST["postuser"];
$query = "INSERT INTO (fname,stdate,endate,addr1,addr2,city,state,zip,name,size,type,content,link,description,user) VALUES('" . mysql_real_escape_string($name) . "','$stdate','$endate','" . mysql_real_escape_string($staddr) . "','" . mysql_real_escape_string($addr2) . "','$city','$state','$zip','" . mysql_real_escape_string($fileName) . "','$fileSize','$fileType','" . mysql_real_escape_string($content) . "','$_POST[element_7]','" . mysql_real_escape_string($desc) . "','$user')";
} } } else
$query = "INSERT INTO (fname,stdate,endate,addr1,addr2,city,state,zip,name,size,type,content,link,description,user) VALUES('" . mysql_real_escape_string($name) . "','$stdate','$endate','" . mysql_real_escape_string($staddr) . "','" . mysql_real_escape_string($addr2) . "','$city','$state','$zip',' ','0',' ',' ','$_POST[element_7]','" . mysql_real_escape_string($desc) . "','$user')";
$q2=mysql_query($query) or die('Error, query failed'. mysql_error());
if($q2) {
echo ""; } else {
echo "error";
}
?>
There is no way to "automatically delete records". What you could do however includes:
cause all of your queries to disregard rows that have surpassed their end date.
Create a scheduled task/job that runs on an interval that removes records that have surpassed their end date
Write a trigger to check for outdated records to remove which could fire prior to select, update, and deletes.

Inserting a table in a database without knowing prefix

I have a small script that will insert two tables in a database, which works fine unless the user has changed the default prefix. I am wondering how I can call and use the "prefix" from the config file. Here is my code.
<?php
include("../../Config/config.php");
$link = mysql_connect($CONFIG['host'], $CONFIG['login'], $CONFIG['password'];
$db = ($CONFIG['database']);
if (!$link)
{
die('Could not connect: ' . mysql_error());
}
$db_selected = mysql_select_db("$db", $link);
$sql = 'INSERT INTO settings '.
'(id, field, value) '.
'VALUES ("NULL", "show_thumbs_down", "1")';
$exec = mysql_query($sql, $link);
if (!$exec) die(mysql_error());
mysql_close($link);
?>
You can see that I call "config.php" to get the database info. That would also work to get the prefix but I'm not sure how to implement the "prefix" with the rest of the code.
FYI: I'm a newbie :)
Thanks.
I got it, here's what worked.
<?php
require_once ("../../Config/config.php");
$link = mysql_connect($CONFIG['host'], $CONFIG['login'],$CONFIG['password']);
$table_prefix = ($CONFIG['prefix']);
$db = ($CONFIG['database']);
if (!$link)
{
die('Could not connect: ' . mysql_error());
}
$db_selected = mysql_select_db("$db", $link);
$sql = 'INSERT INTO ' . $table_prefix . 'settings'.
'(id, field, value) '.
'VALUES ("NULL", "show_thumbs_down", "1")';
$exec = mysql_query($sql, $link);
if (!$exec) die(mysql_error());
mysql_close($link);
?>
Thanks for the help BK435
Welcome!
I am assuming you can get the prefix and store it in variable. When calling your sql add this to your code ' . $TABLE_PREFIX . '. so your above insert would look something like:
$sql = 'INSERT INTO ' . $TABLE_PREFIX . 'settings '.
'(id, field, value) '.
'VALUES ("NULL", "show_thumbs_down", "1")';

htmlspecialchars protection isn't working

I made a function to print all the comments from a id-page. But I want to protect my site from being hacked with htmlspecialchars. So I put them arround my post that will be printed. The problem is that it isn't working? I can do whatever I want with the <>-signs.
CODE FUNCTION
public function GetAllComments($id)
{
$db = new Db();
$select = "SELECT * FROM tblcomments WHERE bug_id =" . $id . " ORDER BY comment_id DESC";
$result = $db->conn->query($select);
while($row = mysqli_fetch_assoc($result))
{
echo "<li class='description'>" . htmlspecialchars($row["comment_text"]) . "</li>";
echo "<li class='user'>" . $row['name'] . "</li>";
}
}
CODE PRINTING
if(isset($bugs)){
foreach ($bugs as $bug) {
echo " " .
$bug['bug_title'] . "" .
$bug['bug_status'] . "From:
" . $bug['name'] . " To: " .
$bug['bug_to'] . " Project: " .
$bug['project_title'] . "";
}
}
depends on what you want to save from you should use htmlspecialchars like this
htmlspecialchars(trim($variable), ENT_QUOTES);

MySQL update isn't updating

<?php
require("header.inc.php");
?>
<?php
if (isLoggedIn()) {
if (isset($_POST['CKey_Button'])) {
if (!isset($_POST['CKey'])) {
die("Error: The Character Key field was not set.");
}
}
$CKey = $_POST['CKey_Button'];
mysql_select_db("samp");
$query = mysql_query("SELECT `id` FROM `players` WHERE `CharacterKey` = '" . mysql_real_escape_string($_POST['CKey']) . "' LIMIT 1");
if (mysql_num_rows($query)) {
mysql_select_db("ucp");
mysql_query("UPDATE `users` SET `CharacterID` = '" . $CKey . "' WHERE `name` = '" . $user['name'] . "'");
header("./Dashboard.php");
exit;
}
else {
header("./index.php");
exit;
}
}
else {
header("./index.php");
exit;
}
?>
That is the code but it isn't updating and it just a blank screen, does anyone know why this could be happening(I have just started coding php so be nice if it's a newbie error).
EDIT: I have fixed it I was using $CKey as the button and not the actual key, hope this makes sense, I also changed = '" . $CKey . "' to = " . $CKey
Use mysql_error() to see if there is any error in your query
mysql_query($query) or die ('Error updating database: '.mysql_error());