htmlspecialchars protection isn't working - html

I made a function to print all the comments from a id-page. But I want to protect my site from being hacked with htmlspecialchars. So I put them arround my post that will be printed. The problem is that it isn't working? I can do whatever I want with the <>-signs.
CODE FUNCTION
public function GetAllComments($id)
{
$db = new Db();
$select = "SELECT * FROM tblcomments WHERE bug_id =" . $id . " ORDER BY comment_id DESC";
$result = $db->conn->query($select);
while($row = mysqli_fetch_assoc($result))
{
echo "<li class='description'>" . htmlspecialchars($row["comment_text"]) . "</li>";
echo "<li class='user'>" . $row['name'] . "</li>";
}
}
CODE PRINTING
if(isset($bugs)){
foreach ($bugs as $bug) {
echo " " .
$bug['bug_title'] . "" .
$bug['bug_status'] . "From:
" . $bug['name'] . " To: " .
$bug['bug_to'] . " Project: " .
$bug['project_title'] . "";
}
}

depends on what you want to save from you should use htmlspecialchars like this
htmlspecialchars(trim($variable), ENT_QUOTES);

Related

itunes search store api

I want to get data from the API iTunes Store to my PHP file. In the search form you can fill the artist and title of the song. I want to show only the data from the song. This is my code:
$title = $_POST["title"];
$artist = $_POST["artist"];
$query_string = urlencode($title);
$query_string2 = urlencode($artist);
$json = file_get_contents('https://itunes.apple.com/search?term=$query_string&term=$query_string2'); // this WILL do an http request for you
$data = json_decode($json);
echo "<div class='container' id='movies'>";
echo "<div class='col-md-4' id='movie'>";
echo "<img src='" .$data->artworkUrl60. "' width='200'>";
echo "<h4>" .$data->artistName. " - " .$data->trackName. "</h4>";
i get this error: Notice: Undefined property: stdClass::$artworkUrl60 in....
Whats wrong with my code?
Because your $data Object doesn't contain an attribute named $artworkUrl60.
Your HTTP query doesn't not work correctly, you should use double quote instead of single quote.
// For limit you can add 'limit' parameter
$json = file_get_contents("https://itunes.apple.com/search?term=$query_string&term=$query_string2&limit=20");
// OR concatenation
// $json = file_get_contents('https://itunes.apple.com/search?term='.$query_string.'&term='.$query_string2);
$data = json_decode($json);
if (0 == $data->resultCount) {
echo 'No result found ! ';
}
else {
foreach ($data->results as $row){
echo "<div class='container' id='movies'>";
echo "<div class='col-md-4' id='movie'>";
echo "<img src='" .$row->artworkUrl60. "' width='200'>";
echo "<h4>" .$row->artistName. " - " .$row->trackName. "</h4>";
}
}
https://affiliate.itunes.apple.com/resources/documentation/itunes-store-web-service-search-api/#searchexamples

YII2 how to get each record after joinwith

How to get each record in an active record after multiple joinWiths?
$model = \common\models\opcr\OpcrKra::find()
->joinWith('opcrRoObjectives')
->joinWith('opcrRoObjectives.opcrFdObjectives')
->joinWith('opcrRoObjectives.opcrFdObjectives.opcrIndividuals');
I get a Trying to get property of non-object error.
foreach ($model->all() as $row) {
echo "<tr>"
. "<td></td>"
. "<td>" . $row->kra . "</td>"
. "<td>" . $row->opcrRoObjectives->id . "</td>" // error here
. "</tr>";
}
I tried to display the $row->count() and it gave me just the exact number of records I expected.
I solved this using the eager loading.
$authors = Author::find()->with('posts')->all(); // fetches the authors with their posts
foreach($authors as $author) {
echo "<h2>Author : " . $author->name . "</h2>";
echo "<ul>";
foreach($author->posts as $post) { // no query executed here
echo "<li>" . $post->title . "</li>";
}
echo "</ul>";
}
You just try this solution:
$model = \common\models\opcr\OpcrKra::find()
->joinWith('opcrRoObjectives')
->joinWith('opcrRoObjectives.opcrFdObjectives')
->joinWith('opcrRoObjectives.opcrFdObjectives.opcrIndividuals')
$result = $model->asArray()->all();
Then in your view:
foreach ($model as $row) {
echo "<tr>"
. "<td></td>"
. "<td>" . $row->kra . "</td>"
. "<td>" . $row['opcrRoObjectives']['id'] . "</td>"
. "</tr>";
}

How create multi dimensional HTML table with loop in PHP

I am new to HTML CSS, I have tried many time but fail. Please help.
I want to create table like this:
I have inserted relevant data in mysql but i am unable to show data in given format/table.
<tbody>
<?php
foreach($record as $row)
{
$pre_stop = $row['pre_stop'];
$current_stop_id = $row['current_stop'];
$cur_stop_name=mysql_query("SELECT stop_name_urd FROM stop WHERE stop_id = '$current_stop_id'");
while($cur_stop=mysql_fetch_array($cur_stop_name))
{
$stop_name=$cur_stop[0];
}
$inter_distance = $row['inter_distance'];
$total_distance += $row['inter_distance'];
echo "<tr>";
echo "<td class='border' style='text-align:center;'>" . $inter_distance . "</td>";
echo "<td class='border' style='text-align:center;'>" . $stop_name . "</td>";
echo "<td class='border' style='text-align:center;'>".$total_distance."</td>";
for ($i=0; $i < 1; $i++) {
echo "<td rowspan='".$count."' class='noBorder' style='text-align:center;'>" . "" . "</td>";
echo "<td class='noBorder'>" . $stop_name . "</td>";
}
}
//echo "<td class='noBorder' style='text-align:center;'>" . $stop_name . "</td>";
//echo "<td></td>";
?>
</tr>
</tbody>
If you're new to coding HTML, then I recommend you try to manually create a smaller version of your table (say 3 rows) so that you know how the resulting HTML code is supposed to look and that you're fetching the SQL data correctly. Then you can transfer that knowledge into PHP code.
Do watch out for your loop, though:
for ($i=0; $i < 1; $i++) {
echo "<td rowspan='".$count."' class='noBorder' style='text-align:center;'>" . "" . "</td>";
echo "<td class='noBorder'>" . $stop_name . "</td>";
}
This will only loop once, which seems to defeat your purpose, as your logical check is odd. Your for loop reads:
$i=0 - Make a variable named i
$i < 1 - Stop if i ever becomes
greater than or equal to 1
$i++ - Add 1 to the value of i
This means that it will go through the loop one time only and then break out of the loop.
I don't see from your code example how you're getting your data but I imagine you'd want something like this:
for ($i=0; $i < $resultCount; $i++) {
echo "<td rowspan='".$count."' class='noBorder' style='text-align:center;'>" . "" . "</td>";
echo "<td class='noBorder'>" . $stop_name . "</td>";
}
Where $resultCount is equal to the number of rows returned by your SQL query.
It looks like you reversed the order of the columns when echo-ing out your html. Also, it would be easier to use colspan vs rowspan in this approach. Not knowing the initial value of count, we shall assume the header is 0 and all other rows are 1 through m (where m is the number of rows since we read a matrix as m x n (rows x columns)).
In conclusion, try this:
$count = 0;
$total_distance = 0;
// the header row
echo "<tr>" . PHP_EOL;
// Apply the space on the left
echo "\t<th colspan='" . (count($record) - $count) . "' class='noBorder' style='text-align:right;'></th>" . PHP_EOL;
// Provide headers on the last three columns
echo "\t<th class='border' style='text-align:center;'>Total Distance</th>" . PHP_EOL;
echo "\t<th class='border' style='text-align:center;'>Stop Name</th>" . PHP_EOL;
echo "\t<th class='border' style='text-align:center;'>Inter-Distance</th>" . PHP_EOL;
echo "</tr>" . PHP_EOL;
foreach($record as $row)
{
// get the values
$pre_stop = $row['pre_stop'];
$current_stop_id = $row['current_stop'];
$inter_distance = $row['inter_distance'];
$total_distance += $inter_distance;
// Assume the last stop in the results has the desired stop name
$cur_stop_name=mysql_query("SELECT stop_name_urd FROM stop WHERE stop_id = '$current_stop_id'");
while($cur_stop=mysql_fetch_array($cur_stop_name))
{
$stop_name = $cur_stop[0];
}
// Start the row
echo "<tr>" . PHP_EOL;
// Apply the space on the left
echo "\t<td colspan='" . (count($record) - $count) . "' class='noBorder' style='text-align:right;'>" . $stop_name . "</td>" . PHP_EOL;
// Apply the last three columns
echo "\t<td class='border' style='text-align:center;'>".$total_distance."</td>" . PHP_EOL;
echo "\t<td class='border' style='text-align:center;'>" . $stop_name . "</td>" . PHP_EOL;
echo "\t<td class='border' style='text-align:center;'>" . $inter_distance . "</td>" . PHP_EOL;
// End the row
echo "</tr>" . PHP_EOL;
// increment the count
$count++;
}

Yii2.0 export function using kartik-v

I am new in using kartik. Can I just check with you whether kartik is able to do below things? And how to do it?
Display date in different format than in db. i.e. in db it is displayed as YYYY-MM-DD"T"HH:MM:SS" whereas on screen, I want to display it as YYYY-MM-DD.
Show subtotal and total?
Since in my report screen, im using a normal html to display data since from my understanding, the gridview does not have the subtotal function.
Below is my html:
$reports = $dataProvider->getModels();
$i=1;
echo "<table class='table table-striped table-bordered'>";
echo "<tr><th>#</th><th>Item</th><th>Total Summary Usage Qty</th><th>Current Stock On Hand</th><th>Measurement</th></tr>";
foreach ($reports as $report) {
$item_key = $report['report_item_key'];
$item_model = Item::find()->where(['item_key' =>$item_key])->one();
$item_e_desc_tx = $item_model->desc_e_tx;
$item_c_desc_tx = $item_model->desc_c_tx;
$item_qty_no = $item_model->qty_no;
$item_measurement_tx = $item_model->measurement;
echo "<tr>";
echo "<td>" . $i++ . "</td>";
echo "<td>" . Html::a($item_key, array('stockmovementreportdetailbyitem', 'item_key' => $item_key, 'search' => 'true', 'stockmovement_summary_from_sales_date' => $stockmovement_summary_from_sales_date, 'stockmovement_summary_to_sales_date'=>$stockmovement_summary_to_sales_date)) . "<br>" . $item_e_desc_tx . "<br>" . $item_c_desc_tx ."</td>";
echo "<td>" . $report['total_summary_usage_qty'] . "</td>";
echo "<td>" . $item_qty_no . "</td>";
echo "<td>" . $item_measurement_tx . "</td>";
echo "</tr>";
}
echo "</table>";
echo \yii\widgets\LinkPager::widget([
'pagination'=>$dataProvider->pagination,
]);

Auto delete from SQL database

What can I add to this to make the record delete automatically after the endate has passed? I would like to post to automatically delete from the database after the endate has passed.
<?php
require "../login/config.php";
$host='';
$db = 'db';
$dbuser = 'dbo';
$dbpass = '';
$conn = mysql_connect($host, $dbuser, $dbpass,$db);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db('db');
if(isset($_POST['submit'])) {
$name=$_POST["element_1"];
$stdatemm=$_POST["element_2_1"];
$stdatedd=$_POST["element_2_2"];
$stdateyy=$_POST["element_2_3"];
$endatemm=$_POST["element_3_1"];
$endatedd=$_POST["element_3_2"];
$endateyy=$_POST["element_3_3"];
$stdate=$stdatemm."/".$stdatedd."/".$stdateyy;
$endate=$endatemm."/".$endatedd."/".$endateyy;
$user=$_POST["postuser"];
$query = "INSERT INTO (fname,stdate,endate,addr1,addr2,city,state,zip,name,size,type,content,link,description,user) VALUES('" . mysql_real_escape_string($name) . "','$stdate','$endate','" . mysql_real_escape_string($staddr) . "','" . mysql_real_escape_string($addr2) . "','$city','$state','$zip','" . mysql_real_escape_string($fileName) . "','$fileSize','$fileType','" . mysql_real_escape_string($content) . "','$_POST[element_7]','" . mysql_real_escape_string($desc) . "','$user')";
} } } else
$query = "INSERT INTO (fname,stdate,endate,addr1,addr2,city,state,zip,name,size,type,content,link,description,user) VALUES('" . mysql_real_escape_string($name) . "','$stdate','$endate','" . mysql_real_escape_string($staddr) . "','" . mysql_real_escape_string($addr2) . "','$city','$state','$zip',' ','0',' ',' ','$_POST[element_7]','" . mysql_real_escape_string($desc) . "','$user')";
$q2=mysql_query($query) or die('Error, query failed'. mysql_error());
if($q2) {
echo ""; } else {
echo "error";
}
?>
There is no way to "automatically delete records". What you could do however includes:
cause all of your queries to disregard rows that have surpassed their end date.
Create a scheduled task/job that runs on an interval that removes records that have surpassed their end date
Write a trigger to check for outdated records to remove which could fire prior to select, update, and deletes.