cannot insert iframe in mysql db - mysql

I am using Kohana 2.3.4. I have a text area for "Embed Google Map Code", but the system automatically strips the iframe tag and it is not inserted into the database. Here's my code snippet for inserting/updating:
$this->db->query("UPDATE tbl_sites SET map_code='$_POST[map_code]' WHERE id=$id");

My guess is that you are forgetting the quotes when indexing into the $_POST array. Try this:
$this->db->query("UPDATE tbl_sites SET map_code='{$_POST["map_code"]}' WHERE id={$id}");
You should also make sure to sanitize the values coming from the $_POST array before using it in a query.

That query looks dodgy, but if you're certain it's updating the record correctly, and Kohana is only stripping the iframe, then perhaps this is an issue with XSS filtering. Have you tried turning off global XSS filtering? http://docs.kohanaphp.com/general/security#cross_site_scripting_xss
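Turning the global filter off means the application itself has to decide what an acceptable embed looks like. The following is an added example (not code from the thread or from Kohana) of doing that: it accepts only a single iframe whose src is an https Google Maps embed URL, rebuilds the tag from scratch so nothing else pasted into the text area survives, and writes it with a bound parameter instead of interpolating $_POST into the SQL. The host allowlist, the table layout and the use of PDO with an in-memory SQLite database (so it runs offline; PHP 8 with ext-dom and pdo_sqlite) are assumptions for the example.

```php
<?php
// Added example, not from the original thread or from Kohana.
// Assumes PHP 8 with ext-dom and pdo_sqlite; tbl_sites(id, map_code) mirrors the question.
declare(strict_types=1);

// Hosts Google serves map embeds from (allowlist assumed for this example).
const ALLOWED_MAP_HOSTS = ['www.google.com', 'maps.google.com'];

/**
 * Accept exactly one <iframe> whose src is an https Google Maps embed URL and
 * rebuild it, so scripts, event handlers or extra markup that came with the
 * pasted code never reach the database. Returns null for anything else.
 */
function sanitize_map_embed(string $html): ?string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // fragments produce harmless warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $iframes = $doc->getElementsByTagName('iframe');
    if ($iframes->length !== 1) {
        return null;
    }
    $iframe = $iframes->item(0);
    $src = $iframe->getAttribute('src');
    $parts = parse_url($src);
    if (
        $parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_MAP_HOSTS, true)
        || !str_starts_with($parts['path'] ?? '', '/maps/embed')
    ) {
        return null;
    }
    // Only numeric size attributes are kept; every other attribute is dropped.
    $width  = (int) $iframe->getAttribute('width')  ?: 600;
    $height = (int) $iframe->getAttribute('height') ?: 450;

    return sprintf(
        '<iframe src="%s" width="%d" height="%d" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        $width,
        $height
    );
}

/** The update from the question, with the value bound instead of interpolated. */
function save_map_code(PDO $db, int $siteId, string $embed): void
{
    $stmt = $db->prepare('UPDATE tbl_sites SET map_code = :map_code WHERE id = :id');
    $stmt->execute([':map_code' => $embed, ':id' => $siteId]);
}

// Constructed inputs for the demo.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tbl_sites (id INTEGER PRIMARY KEY, map_code TEXT)');
$db->exec("INSERT INTO tbl_sites (id, map_code) VALUES (1, '')");

$good   = '<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy"></iframe>';
$bad    = '<iframe src="https://evil.example/steal" onload="alert(1)"></iframe>';
$quoted = "<iframe src=\"https://www.google.com/maps/embed?pb=x'); DROP TABLE tbl_sites; --\"></iframe>";

foreach ([$good, $bad, $quoted] as $input) {
    $clean = sanitize_map_embed($input);
    if ($clean === null) {
        echo "rejected: $input\n";
        continue;
    }
    save_map_code($db, 1, $clean);
    echo 'stored: ' . $db->query('SELECT map_code FROM tbl_sites WHERE id = 1')->fetchColumn() . "\n";
}
```

The third input passes the embed check but carries a single quote in its query string; with the value bound as a parameter it is stored literally, which is exactly the case the original interpolated query would mishandle. If you keep Kohana's global filter on instead, the same validation can run on the already-filtered value, but the filter will still strip the iframe before your code sees it.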

Related

Replace shortcode in SQL database

I'm trying to replace this shortcode
[RICH_REVIEWS_SHOW category=”all” num=”6″]
with this shortcode
[site_reviews summary count="3" hide="date"] in a wordpress database.
I've tried the plugin "better search and replace" but no luck.
I've also tried using this code via the cpanel.
update wplq_posts set post_content =
replace(post_content,'[RICH_REVIEWS_SHOW category=”all” num=”6″]','[site_reviews summary count="3" hide="date"]');
Initially no matches, if I remove certain parts of the shortcode I get some results. I'm a bit lost as to what will get the job done.
Can anyone point me in the right direction.
Thanks in advance.
The SQL in your example is correct.
A likely explanation for the issue is that the double-quotes within the [RICH_REVIEWS_SHOW category=”all” num=”6″] do not match the double quotes used within the shortcode stored in the post_content table.
For example ” vs ″ vs "
I suggest finding a post manually that has this shortcode and copying that shortcode into the SQL query. Then try again.
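Rather than hunting for the exact characters in each post, the replacement can be made tolerant of the quote variants. The following is an added example, not code from the answer above: it turns the ASCII form of the shortcode into a regex in which every " also matches “, ” and ″, does the replacement in PHP, and writes the result back with bound parameters so a quote inside post_content can never break the UPDATE. The database part assumes a PDO connection to the WordPress database with the question's wplq_ prefix; the sample post bodies are constructed.

```php
<?php
// Added example, not from the original thread. Requires PHP 8 with PCRE (/u).
declare(strict_types=1);

/** Double-quote characters WordPress's texturizer may have stored instead of ". */
const QUOTE_CLASS = '["\x{201C}\x{201D}\x{2033}]';

/**
 * Build a regex matching $shortcode with every " widened to QUOTE_CLASS;
 * everything else in the shortcode is matched literally.
 */
function shortcode_pattern(string $shortcode): string
{
    $pieces = array_map(
        fn(string $p): string => preg_quote($p, '/'),
        explode('"', $shortcode)
    );
    return '/' . implode(QUOTE_CLASS, $pieces) . '/u';
}

function replace_shortcode(string $content, string $old, string $new): string
{
    return preg_replace(shortcode_pattern($old), $new, $content);
}

$old = '[RICH_REVIEWS_SHOW category="all" num="6"]';
$new = '[site_reviews summary count="3" hide="date"]';

// Constructed post bodies using three different quote variants.
$samples = [
    'ascii'   => 'Intro [RICH_REVIEWS_SHOW category="all" num="6"] outro',
    'curly'   => 'Intro [RICH_REVIEWS_SHOW category=”all” num=”6″] outro',
    'opening' => 'Intro [RICH_REVIEWS_SHOW category=“all” num=“6”] outro',
];
foreach ($samples as $label => $body) {
    printf("%-8s %s\n", $label, replace_shortcode($body, $old, $new));
}

/**
 * Apply the replacement to every post that contains the shortcode.
 * Fetch, replace in PHP, write back with a prepared statement.
 */
function replace_in_posts(PDO $db, string $old, string $new): int
{
    $select = $db->query("SELECT ID, post_content FROM wplq_posts WHERE post_content LIKE '%[RICH_REVIEWS_SHOW%'");
    $update = $db->prepare('UPDATE wplq_posts SET post_content = :content WHERE ID = :id');
    $changed = 0;
    foreach ($select as $row) {
        $replaced = replace_shortcode($row['post_content'], $old, $new);
        if ($replaced !== $row['post_content']) {
            $update->execute([':content' => $replaced, ':id' => $row['ID']]);
            $changed++;
        }
    }
    return $changed;
}

// Assumed connection details; run against a backup first.
// $db = new PDO('mysql:host=localhost;dbname=wp;charset=utf8mb4', $user, $pass,
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo replace_in_posts($db, $old, $new), " posts updated\n";
```

Using charset=utf8mb4 in the DSN matters here: with a mismatched connection charset the multibyte quotes would be fetched as mojibake and the pattern would not match them.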

$wpdb->query Wordpress shortcode causing syntax error

I'm trying to update numerous wordpress multisite pages.
I have an ajax script that is posting to a php file where, after the text is formatted, it updates the corresponding table cell.
However, I keep getting the "WordPress database error You have an error in your SQL syntax;" error.
$content = "[shortcode] text processed by shortcode [/shortcode]";
$table = "wp_".$_POST["blogid"]."_posts";
$wpdb->query(" UPDATE {$table} SET post_content={$content} WHERE posts_title='test'");
Is this an issue with the use of square brackets (shortcodes) in the string I wish to use to update the cell?
The syntax seems fine to me, but my SQL knowledge isn't that strong.
In greater detail, I have a mysql query that gets all multisites, then loops through them after making the edits with JS before posting to this php file.
Avoid using string templates directly for query building. You can too easily include invalid syntax, and since you're reading content directly from the shortcode you're opening your entire database up to SQL-injection attacks. This could give attackers direct access to your database, meaning anyone who can post content could also gain total access to your WordPress.
Always prepare your query first. If you're using $wpdb, the usage is described here: https://developer.wordpress.org/reference/classes/wpdb/prepare/
This will also ensure that the shortcode content you query on is formatted properly.
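The update from the question written through $wpdb->prepare(), as an added example rather than the asker's or the answerer's code. It assumes it runs inside WordPress multisite (for instance from an admin-ajax.php handler) where $wpdb and wp_send_json_* are loaded; the super-admin check is an assumed authorization policy, since the request rewrites posts on any site in the network. Note that a table name cannot be passed as a %s placeholder, so the blog id is validated as an integer and the prefix is taken from wpdb rather than concatenated from $_POST; the posts table's column is post_title.

```php
<?php
// Added example, not the asker's code. Assumes WordPress multisite is loaded.
global $wpdb;

// Anyone who can reach this endpoint can rewrite content on every site, so
// require a network-level role (assumed policy) and a nonce from the AJAX call.
check_ajax_referer('update_shortcode_content');
if (!is_super_admin()) {
    wp_send_json_error('forbidden', 403);
}

$blog_id = filter_input(INPUT_POST, 'blogid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($blog_id === false || $blog_id === null) {
    wp_send_json_error('invalid blogid', 400);
}

// Table name built from a validated integer via wpdb, not from raw $_POST.
$table   = $wpdb->get_blog_prefix($blog_id) . 'posts';
$content = '[shortcode] text processed by shortcode [/shortcode]';

// %s quotes and escapes the value; the square brackets need no special handling.
$sql = $wpdb->prepare(
    "UPDATE {$table} SET post_content = %s WHERE post_title = %s",
    $content,
    'test'
);
$rows = $wpdb->query($sql);
if ($rows === false) {
    wp_send_json_error($wpdb->last_error, 500);
}
wp_send_json_success(['updated' => $rows]);
```

The syntax error in the original comes from the unquoted {$content}: MySQL sees the bare text of the shortcode where it expects a value. prepare() fixes that and the injection problem at the same time.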

Can I pass a MYSQL function as a value through an HTML Form?

I have an HTML form that I'm using to submit some SQL data. I'd like to pass the MYSQL function LAST_INSERT_ID() as a value but when I do this there are single tick marks that get added to the function upon insert and it fails, like this 'LAST_INSERT_ID()'.
I want to be able to use this function so I can call what that ID was.
Is it possible to pass this function successfully?
No, you can't pass SQL code instead of values and have it automatically executed on the server.
(Can you imagine how that could have been used by someone with not so good intentions...?)
You could send a special "magic" value, that the code on the server would recognise, and change the query to use last_insert_id() for the value. (You could use the function name as magic value, but you should probably use something less obvious.)
To insert code in a query like that, you need to create the SQL query dynamically. When you create queries dynamically, make sure to escape values properly so that the code isn't open to SQL injection attacks.
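One way to implement the "magic value" approach while keeping every other value bound, as an added example that is not part of the answer above. The sentinel string, the column allowlist and the table layout (child(parent_id, label) with a parent table inserted earlier on the same connection) are assumptions; the builder runs stand-alone, the mysqli part needs a MySQL server.

```php
<?php
// Added example, not from the original thread. Assumes PHP 8 with mysqli.
declare(strict_types=1);

const USE_LAST_INSERT_ID = '__last_insert_id__';          // sentinel, not something a user would type
const ALLOWED_COLUMNS = ['child' => ['parent_id', 'label']]; // assumed schema

/**
 * Returns [sql, params]. Every value becomes a ? placeholder except the
 * sentinel, which is replaced by the literal LAST_INSERT_ID() expression.
 * Table and column names come from the allowlist, never from the request.
 */
function build_insert(string $table, array $row): array
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $cols = $exprs = $params = [];
    foreach ($row as $col => $value) {
        if (!in_array($col, ALLOWED_COLUMNS[$table], true)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        $cols[] = "`$col`";
        if ($value === USE_LAST_INSERT_ID) {
            $exprs[] = 'LAST_INSERT_ID()';   // the only SQL that can ever be spliced in
        } else {
            $exprs[] = '?';
            $params[] = $value;
        }
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)', $table, implode(', ', $cols), implode(', ', $exprs));
    return [$sql, $params];
}

/** Execute the built statement with all remaining values bound. */
function run_insert(mysqli $db, string $table, array $row): int
{
    [$sql, $params] = build_insert($table, $row);
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return $stmt->affected_rows;
}

// What the builder produces for a constructed form submission:
[$sql, $params] = build_insert('child', [
    'parent_id' => USE_LAST_INSERT_ID,
    'label'     => "O'Brien'); DROP TABLE child; --",   // stays a bound value, never SQL
]);
echo $sql, "\n";
print_r($params);

// Against MySQL (assumed credentials), both inserts on the same connection:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// $db->query("INSERT INTO parent (name) VALUES ('p')");
// run_insert($db, 'child', ['parent_id' => USE_LAST_INSERT_ID, 'label' => 'first child']);
```

Two caveats. LAST_INSERT_ID() is per connection, so the sentinel only does something useful when the parent row was inserted earlier in the same request on the same connection; a value posted from a form in a later request will not see an id from a previous one. And if both inserts already happen in one request, you do not need the form to carry anything: read $db->insert_id after the first insert and bind it as an ordinary parameter in the second.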

regarding database security

I am using prepared statements with mysqli() to insert and retrieve data on my website. I also used bind_param so I don't add variables directly into the query. I used strip_tags to clean any inputs; what else should I look out for?
Don't use strip_tags() on database input: use htmlentities() (or urlencode() where appropriate) on browser output.
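Encoding at output time means choosing the encoder by the context the value lands in, which is the part strip_tags() cannot do. The following is an added example, not code from the answer: the stored values are left exactly as the user sent them (that is what bind_param already gives you), and each output location gets its own encoder. The sample values are constructed.

```php
<?php
// Added example, not from the original thread. Requires PHP 8.
declare(strict_types=1);

/** Text between HTML tags and inside double-quoted attributes. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A value embedded in a URL query string. */
function u(string $s): string
{
    return rawurlencode($s);
}

/** A value handed to inline JavaScript as a string literal. */
function j(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Same stored values rendered into four different contexts. */
function render_profile(string $name, string $bio): string
{
    return '<h2>' . h($name) . "</h2>\n"
         . '<p>' . h($bio) . "</p>\n"
         . '<a href="/search?q=' . u($name) . '">more</a>' . "\n"
         . '<script>var displayName = ' . j($name) . ';</script>';
}

// Constructed values as a user might have submitted them, stored verbatim via bind_param.
$name = "Ann <3 O'Reilly";
$bio  = '"><script>alert(document.cookie)</script>';

echo render_profile($name, $bio), "\n";

// What strip_tags() on the way in would have done to the first value: the "<"
// in "<3" is taken as the start of a tag, so the rest of the name is discarded.
echo strip_tags($name), "\n";
```

The script tag in $bio comes out as inert text in the paragraph, and the apostrophe in $name is harmless in the attribute, the URL and the JavaScript literal because each encoder handles it for its own context. Keeping the raw value in the database also means you can later output it somewhere else (an email, a JSON API) with the right encoder for that target.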

how to save html to a database field

I have a tiny editor web page where my users can use this editor and I am saving the HTML into my database.
I am having issues saving this HTML to my database. For example, if there is a name with a "'" or if there are other HTML characters "<", ">" etc., my code seems to blow up on the insert.
Are there any best practices for taking any arbitrary HTML and having it persist fully to a DB field without worrying about any specific characters?
I'm wondering if you are building the full query. Instead use a parameterized query and that should eliminate your data problems.
using System.Data.SqlClient;
// SqlCommand parameter names use the @ prefix, and "table" is a reserved word in T-SQL,
// so it is bracketed here. The values travel separately from the SQL text, so quotes and
// angle brackets in the HTML never reach the parser.
string sqlIns = "INSERT INTO [table] (name, information, other) VALUES (@name, @information, @other)";
SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection);
cmdIns.Parameters.AddWithValue("@name", info);
cmdIns.Parameters.AddWithValue("@information", info1);
cmdIns.Parameters.AddWithValue("@other", info2);
cmdIns.ExecuteNonQuery();
do you insert using SqlParameter? If yes, you should not have problems, check that.
You could just HtmlEncode the data.
You'll have a HttpContext.Current.Server object, so in pseudo code you'd just do:
Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));
and to retrieve it:
myHtml = HttpContext.Current.Server.HtmlDecode(DataBase.Load());
Just reading through this - is your problem actually on the insert statement or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.