I have a textarea and am submitting the form it is in using AJAX using GET.
I want to preserve the whitespace, so i have a url that look a bit like
http://.../notes/insert/?user_id=12¬e_string=new /r/r/r/r/r/rline&account_id=
however when i use $this->db->insert();
it converts the query to
INSERT INTO `notes` (`user_id`, `note_string`, `account_id`)
VALUES ('12', 'new \\r\\r\\r\\r\\r\\rline', '')
(in the controller i then replace /r for \r)
Is there a way of escaping the escape? lol or just letting the \r through?
Thank you
Take a look at 'Query Bindings' in the CodeIgniter documentation http://codeigniter.com/user_guide/database/queries.html
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));
Related
for($count = 0; $count < count($_POST["item_sub_category"]); $count++)
{
$data = array(
':item_sub_category_id'
=> SELECT r_name FROM Repair where r_id = $_POST["item_sub_category"][$count]
);
$query = "INSERT INTO Repairlog (description,visitID) VALUES (:item_sub_category_id,'1')";
$statement = $connect->prepare($query);
$statement->execute($data);
}
As far as concerns, your code won't work. The SQL query that you are passing as a parameter will simply be interpreted as a string.
You could avoid the need for a loop by taking advantage of the INSERT INTO ... SELECT ... syntax. The idea is to generate an IN clause that contains all values that are in the array, and then run a single query to insert all records at once.
Consider:
$in = str_repeat('?,', count($_POST["item_sub_category"]) - 1) . '?';
$query = "INSERT INTO Repairlog (description,visitID) SELECT r_name, 1 FROM Repair WHERE r_id IN ($in)";
$statement = $connect->prepare($query);
$statement->execute($_POST["item_sub_category"]);
Note: it is likely that visitID is an integer and not a string; if so, then it is better not to surround the value with single quotes (I removed them in the above code).
TLDR; No.
Your question can be re-framed as: Can I write SQL code in php. The answer is NO. You can write the SQL code within a String type variable (or parameter) in php.
This is a general rule for any programming language, you cannot have multiple languages within the same file, as the language parser will not be able understand which syntax is that.
In order to embed a different language in another language, you need some kind of separator that will define when the new language or special type will start and when it will end.
$fnavn = $_POST['fnavn'];
$enavn = $_POST['enavn'];
$adresse = $_POST['adresse'];
$adressenr = $_POST['adressenummer'];
$postnr = $_POST['postnummer'];
$kontonr = $_POST['kontonummer'];
$cvc = $_POST['cvc'];
$fid = $_POST['frakt'];
$gid = $_SESSION['gid'];
$aid = $_SESSION['aid'];
$sql = "INSERT INTO `bestillinger` (`bestilling_id`, `adresse`, `adressenummer`, `postnummer`, `fornavn`, `etternavn`, `kontonummer`, `cvc`, `time`, `fid`, `gid`, `aid`)
VALUES (NULL, '$adresse', '$adressenr', '$postnr', '$fnavn', '$enavn', '$kontonr', '$cvc', now(), '$fid', '$gid', '$aid')";
this is my code, for some reason no data is inserted into my database - and i just cant figure out why.
both sessions have a valid value.
After a form is filled out, my database is supposed to put the info into the database. what is the error?
You are escaping single quotes inside a double quoted string, so that will actually print the \ character as part of the SQL, rendering your SQL invalid.
You need to replace the \' with just ', or wrap the whole query using ' instead of "
I am using the normal INSERT sql statement, but for some reason when I insert code, It comes up as this. Here is my code:
$sql="insert into comments (username, comment) values ('$name','$comment')";
mysqli_query($link, $sql);
My SQL table:
MySQL's output formatting doesn't work well when there are control characters in a string. It expects each character in the string to take one horizontal space in the output, but newlines go to the beginning of the line.
You can show the newlines as escape sequences with:
SELECT username, REPLACE(comment, '\n', '\\n') AS comment, id
FROM comments;
It's also possible that there are carriage returns, which go to the beginning of the current line, if the input came from Windows. You can replace those as well with:
SELECT username, REPLACE(REPLACE(comment, '\n', '\\n'), '\r', '\\r') AS comment, id
FROM comments;
You only must use mysqli_real_escape_string() to escape all characters.
$sql="insert into comments (username, comment) values ('".mysqli_real_escape_string($name)."','".mysqli_real_escape_string($comment)."')";
mysqli_query($link, $sql);
OR
$name = $mysqli->real_escape_string($name);
$comment = $mysqli->real_escape_string($comment);
$sql="insert into comments (username, comment) values ('$name','$comment')";
mysqli_query($link, $sql);
Manual : http://php.net/manual/de/mysqli.real-escape-string.php
I have this query:
$sql = "
INSERT INTO table SET
name = '$name',
sku = '$number',
description = '$desc'
";
But the rows containing some special characters (in my case this ') are not inserted.. How I can solve?
Thanks in advance.
When you construct your query, you need to escape the data you are inserting.
You need to at least use addslashes() function in PHP, like this:
$sql = "INSERT INTO table SET name = '".addslashes($name)."', sku = '".addslashes($number)."', description = '".addslashes($desc)."'";
However more correct way is to use a different function than addslashes, which would properly handle all characters in the data, not only apostrophes.
I am using my custom 'escape' function like this:
function escape($text)
{
return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $text);
}
So using this function, you would write:
$sql = "INSERT INTO table SET name = '".escape($name)."', sku = '".escape($number)."', description = '".escape($desc)."'";
You must use parameterised queries instead of manually appending those values. Currently if name, number or description would contain any sql it would get executed.
A lot more detailed answer is in How can I prevent SQL injection in PHP?
Read about escaping characters in mysql. I think it is done with \
I'm having problems getting special characters like apostrophes and such from being added into my database.
I have the following code that adds data from a form into my database.
mysql_query("INSERT INTO people(`ID`, `Name`, `Description`)
VALUES (NULL, '$name', '$desc')") or die(mysql_error());
Form code looks like so:
$query = "SELECT * FROM people";
$result = mysql_query($query);
while ($person = mysql_fetch_array($result)){
echo "<h3>" . $person['Name'] . "</h3>";
echo "<p>" .$person['Description'] . "</p>"}`
How would I go about fixing this so that the string field accepts special characters?
if you want add special character in MySQL database use
mysql_real_escape_string($name)
after that insert into database
You could use mysql_real_escape_string
$insert_data = mysql_real_escape_string($input_data);
Assuming that you have the data stored as $input_data
Just use mysql_real_escape_string
$insert_data = mysql_real_escape_string($input_data);
Assuming that you have the data stored as $input_data