Notretsam
Everything posted by Notretsam

  1. I tried using the form_val function. I tried `$libioBio = formval($_POST['newBio']);`, which didn't add anything to the database column. First I had tried `$lilbioBio = formval($lilbioBio);`, which still added don't to the database column. I also tried it with $lilbioBio inside formval wrapped in '' and "", all the same. I think I am going to have to contact the hosting company on it. Thanks for the help again, JAG.
  2. My hosting company deals with the php.ini file settings for me. I presume the magic_quotes PHP option would be in there if I got the hosting company to disable it? Would that sort it?
  3. Finally got around to trying this and it was simple enough. Small problem though: as you can see, the first result for some reason is off; the <br> tag isn't taking effect and neither is the wrapped <a href= tag. Below is the code:

```php
<?php
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
/* create a prepared statement */
$stmtgethintwrest = $conn->prepare("SELECT wrestlerName FROM memberInfo ORDER BY wrestlerName");
/* this query has no ? markers, so there is nothing to bind */
/* execute query */
$stmtgethintwrest->execute();
$stmtgethintwrest->bind_result($wrestlerName);
/* fetch value */
while ($row = $stmtgethintwrest->fetch()) {
    $a[] = "$wrestlerName";
}
// get the q parameter from URL
$q = $_REQUEST["q"];
$hint = "";
// lookup all hints from array if $q is different from ""
if ($q !== "") {
    $q = strtolower($q);
    $len = strlen($q);
    foreach ($a as $name) {
        if (stristr($q, substr($name, 0, $len))) {
            if ($hint === "") {
                $hint = $name;
            } else {
                $hint .= "<a href=''>$name</a><br>";
            }
        }
    }
}
/* close statement */
$stmtgethintwrest->close();
// Output "no suggestion" if no hint were found
// or output the correct values
echo $hint === "" ? "no suggestion" : $hint;
?>
```
  4. Anytime someone uses ' in a text field, it always adds don't to the database. I looked in the MySQL database and it is showing as don't in there. http://www.w3schools.com/php/func_mysqli_real_escape_string.asp I tried adding to the database the way the above page states, but it was output as don't. I am having a similar issue with wrestler names like "The Superstar" Daniel Starr: whenever I pass the name across a page, it shows as "The Superstar" Daniel Starr. This time it shows in the database as "The Superstar" Daniel Starr, which is because I manually adjusted it in the past. I also thought using bind parameters when inserting into the database would put a stop to this, but I guess it doesn't. I looked online for a solution but am having no luck. Any advice?
  5. Ah ok, that sounds much simpler than I thought it would be. I know CSS and never considered adding a class to the <div> tag, which I presume is where it would go. It's 7.33pm here for me, so I'll have a look into that tomorrow.
  6. This is a mix of PHP, mysqli and Javascript, but I decided to post it in the PHP area as it's what I know. You can see from the attached image that I have code that outputs hints as someone is typing in a text field. I have no idea how to display the hints the same way the Google search engine does, a nice neat menu underneath the text field. I have code that I found on the web and have adapted it from mysql over to mysqli. I am hoping someone can actually tell me step by step how to achieve what I am looking to do, as I really have no idea how to do it myself. Below is the code that I have.

```html
<input type="text" name="shoAcc" value="<?php echo "$biomsg"; ?>" size="30" class="edit" maxlength="45" onkeyup="showshoutHint(this.value)">
```

You can see the showshoutHint that triggers the javascript function below:

```html
<script>
function showshoutHint(str) {
    if (str.length == 0) {
        document.getElementById("txtshoutHint").innerHTML = "";
        return;
    }
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            document.getElementById("txtshoutHint").innerHTML = xmlhttp.responseText;
        }
    }
    xmlhttp.open("GET", "theme/gethint.php?q=" + str, true);
    xmlhttp.send();
}
</script>
```

I don't know javascript but was able to view the above snippet I found online and see how it generally works. It triggers the following code contained in gethint.php:

```php
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
/* create a prepared statement */
$stmtgethintwrest = $conn->prepare("SELECT wrestlerName FROM memberInfo ORDER BY wrestlerName");
/* this query has no ? markers, so there is nothing to bind */
/* execute query */
$stmtgethintwrest->execute();
$stmtgethintwrest->bind_result($wrestlerName);
/* fetch value */
while ($row = $stmtgethintwrest->fetch()) {
    $a[] = "$wrestlerName";
}
// get the q parameter from URL
$q = $_REQUEST["q"];
$hint = "";
// lookup all hints from array if $q is different from ""
if ($q !== "") {
    $q = strtolower($q);
    $len = strlen($q);
    foreach ($a as $name) {
        if (stristr($q, substr($name, 0, $len))) {
            if ($hint === "") {
                $hint = $name;
            } else {
                $hint .= "<option value='$name'>$name</option>";
            }
        }
    }
}
/* close statement */
$stmtgethintwrest->close();
// Output "no suggestion" if no hint were found
// or output the correct values
echo $hint === "" ? "no suggestion" : $hint;
```

The above code was also part of the snippet I found online, but it used mysql_, and I changed it over to mysqli_. As you can see, the line with <option> is the output which the code below shows on the page with the text field you see in the attached image.

```html
<div id='txtshoutHint'></div>
```

I thought that with the $hint var being set I could maybe display it within a select form field underneath the text field, not a preferred option, but nope, it didn't work. Since this isn't fully my code, pretty much most of it isn't, I am not certain how I can adapt it and show a menu list underneath the text field with the hints listed in it. I do have javascript code that I use to pop up a window with information in it, yet another snippet I found on the web. I thought maybe I could use this, but it has specific settings for where the window pops up and doesn't seem to allow me to select a specific area in the page, and I am not convinced creating another window is the right idea.
I really hope someone can actually just provide the code needed to adapt what I have into what I am needing, but that is a lot to ask, so at least I hope someone can point me in the direction of doing it myself. I don't know javascript and am more familiar with PHP, so a solution preferably in PHP, but I suspect it is done with javascript; not sure.
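A hardened gethint.php for the autocomplete discussed in posts 3 and 6, added here as an example and not the poster's code. It assumes the same `$host`/`$user`/`$password`/`$database` variables and the `memberInfo.wrestlerName` column used in the thread; the `LIMIT 10`, the `<ul>` markup and the `mysqli_report` setting are my choices. It keeps the filtering in the database (the original fetches every name on every keystroke), binds the search prefix as a parameter so a quote in the typed text cannot alter the query, escapes the `LIKE` wildcards so `%` alone cannot list the whole table, and HTML-escapes each name before it is handed to `innerHTML`, which is what goes wrong with a name such as `"The Superstar" Daniel Starr` when it is pasted raw into `<option value='...'>`.

```php
<?php
// gethint.php, hardened version (added example, not the poster's code).
// Assumes the thread's connection variables and memberInfo.wrestlerName;
// LIMIT 10 and the <ul> markup are assumptions of this example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // any mysqli failure throws

$conn = new mysqli($host, $user, $password, $database);
$conn->set_charset('utf8mb4');

// Take the prefix from the query string only ($_REQUEST can also be filled
// from POST and cookies depending on php.ini), and cap its length so nobody
// can submit an enormous pattern. 45 matches the input's maxlength.
$q = trim((string) ($_GET['q'] ?? ''));
if ($q === '' || strlen($q) > 45) {
    echo 'no suggestion';
    exit;
}

// The value goes into LIKE, so % and _ typed by the user must be escaped or
// "%" by itself matches every name. Backslash is MySQL's default LIKE escape
// character (unless the NO_BACKSLASH_ESCAPES SQL mode is on).
$pattern = addcslashes($q, '%_\\') . '%';

// The pattern is bound, never concatenated, so quotes in the typed text or
// in a stored name such as O'Neil cannot change the statement.
$stmt = $conn->prepare(
    'SELECT wrestlerName FROM memberInfo WHERE wrestlerName LIKE ? ORDER BY wrestlerName LIMIT 10'
);
$stmt->bind_param('s', $pattern);
$stmt->execute();
$stmt->bind_result($wrestlerName);

$items = [];
while ($stmt->fetch()) {
    // Escape <, >, &, ' and " so the name is displayed literally instead of
    // being parsed as markup or breaking out of the attribute.
    $safe = htmlspecialchars($wrestlerName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $items[] = "<li><a href=\"#\" data-name=\"$safe\">$safe</a></li>";
}
$stmt->close();
$conn->close();

header('Content-Type: text/html; charset=UTF-8');
echo $items ? '<ul class="hintlist">' . implode('', $items) . '</ul>' : 'no suggestion';
```

On the page side the only change needed is to build the request URL with `encodeURIComponent(str)` instead of plain concatenation, so that `#`, `&` and spaces in what the visitor types survive the trip; the `<ul>` then drops into the existing `txtshoutHint` div, and a CSS class with `position: absolute` on that div (the idea from post 5) places it directly under the text field.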
  7. I figured there was something I was missing on SQL injection. I didn't consider that the login fields are being carried over to other pages, and therefore any SQL injection attacks can be carried over with them. Thanks for the info.
  8. Yup, store_result is what I was missing. Thanks, it's working now. I think I am set now on upgrading to mysqli and prepared statements; I'm going to make a start on upgrading the site to it today. *fingers crossed* it goes well and I don't have any more questions lol, we shall see. I don't know if there is a way for moderators to change the title of a thread, but this thread certainly turned into a completely different topic from the original title. I have no problem with the topic of the thread being changed to "sql injection - mysqli prepared statements" or something like that. Lots of good info in here, I feel, for those like me that needed to upgrade.
  9. I got the single-result select query and the while loop figured out for multiple results. The $numberofrows is being set to 0 though, so I have not got that right, not sure why.

```php
/* create a prepared statement */
if ($stmt = $conn->prepare("SELECT memid, wrestlerName FROM memberInfo WHERE accStatus=? ORDER BY wrestlerName")) {
    /* bind parameters for markers */
    $stmt->bind_param("s", $fsloginName);
    /* execute query */
    $stmt->execute();
    $numberofrows = $stmt->num_rows;
    /* bind result variables */
    $stmt->bind_result($memid, $wrestlerName);
    echo "$numberofrows<br>";
    /* fetch value */
    while ($row = $stmt->fetch()) {
        echo "ID = $memid - wrestlerName = $wrestlerName<br>";
    }
    /* close statement */
    $stmt->close();
}
```
  10. I don't fully understand SQL injection, but I do understand enough to know that people add text to the field inputs they are submitting that will compromise your database. However, I don't see how they can inject if there is no text field for them to type in. I did think maybe in the URL they could do page.php?varname=therecodehere, but they would need to know what the varname is, I would think. I did search for SQL injection attack examples and found the link below, which gave me a bit more info on it. http://www.unixwiz.net/techtips/sql-injection.html I am not disputing that SQL Injection is a thing, it obviously is, I just don't see how an attacker can do it if there is no text field for them to use.
  11. Well, I got the below working, but the code seems rather long compared to the simpler and smaller code I usually use. I just need to figure out how to do a while loop so I can get more than one result.

```php
// Create connection
$conn = new mysqli($host, $user, $password, $database);
$fsloginName = 'Confirmed';
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
/* create a prepared statement */
if ($stmt = $conn->prepare("SELECT memid, wrestlerName FROM memberInfo WHERE accStatus=?")) {
    /* bind parameters for markers */
    $stmt->bind_param("s", $fsloginName);
    /* execute query */
    $stmt->execute();
    /* bind result variables */
    $stmt->bind_result($memid, $wrestlerName);
    /* fetch value */
    $stmt->fetch();
    $visitID = "$memid";
    $wrestlerName = "$wrestlerName";
    /* close statement */
    $stmt->close();
}
echo "ID = $visitID - wrestlerName = $wrestlerName";
```
  12. I always find the php.net examples hard to follow. Is there really any chance of someone using SQL injection with select queries? I do use a variable to select the info I want, but someone would need to know what that variable is to inject code, I would think.
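An added example (not code from the thread) for the question raised in posts 10 and 12: how a value that never went through a text field still ends up inside the SQL, and what the prepared-statement replacement looks like. The table and column names (`imagestore.iupcatid`, `memberInfo.wrestlerName`) are the ones the poster used elsewhere in this thread; the payload strings and the function names are mine. The first two functions only build the query text, so they run without a database and show exactly what the server would receive.

```php
<?php
// Added example, not the poster's code. Table/column names come from the
// thread; payloads and function names are assumptions of this example.

// The vulnerable shape: the page pastes the value into the statement text.
// Where the value came from (a combo box, the URL, $_SESSION) makes no
// difference, because the database server only ever sees the final string.
function vulnerableDeleteSql(string $imcatdelid): string
{
    return "DELETE FROM imagestore WHERE iupcatid='$imcatdelid'";
}

function vulnerableSelectSql(string $logname): string
{
    return "SELECT * FROM memberInfo WHERE wrestlerName='$logname'";
}

// A <select> only limits what the browser offers. The request itself is
// plain text; curl or a proxy can send any value for imcatdelid, and the
// parameter name is readable in the page's own HTML and in the URL.
$fromCombo = "x' OR '1'='1";
echo vulnerableDeleteSql($fromCombo), "\n";
// prints: DELETE FROM imagestore WHERE iupcatid='x' OR '1'='1'
// '1'='1' is true for every row, so the whole table is deleted.

// The login name is typed once at login and then read back from $_SESSION
// on every page, so each later SELECT is built from that same string: the
// injection travels with the login.
$fromSession = "x' OR '1'='1";
echo vulnerableSelectSql($fromSession), "\n";
// prints: SELECT * FROM memberInfo WHERE wrestlerName='x' OR '1'='1'
// fetch_assoc() then hands back the first member in the table, whoever that is.

// The fix: send the statement and the value separately. The server parses
// the SQL with the ? in place and only afterwards slots the value in, so
// nothing inside the value can change the query's structure. The same change
// applies to the SELECT above: WHERE wrestlerName = ? and bind_param('s', ...).
function deleteImageCategory(mysqli $conn, string $imcatdelid): int
{
    $stmt = $conn->prepare('DELETE FROM imagestore WHERE iupcatid = ?');
    $stmt->bind_param('s', $imcatdelid);
    $stmt->execute();
    $deleted = $stmt->affected_rows; // 0 for the payload above: no row has that literal id
    $stmt->close();
    return $deleted;
}
```

Binding the value stops injection, but it does not decide whether the visitor is allowed to delete that category: a perfectly well-formed id belonging to another member is still accepted. That check (the id must belong to the logged-in user, for example `WHERE iupcatid = ? AND imcloginID = ?`) is a separate step that still has to be written.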
  13. Obviously the information contained in the database isn't being extracted with the code I have, so $memid is blank and that is why it is not set. I just don't know how to add the old extract($row) command I used before to get the info. I see fetch_assoc while loops in some examples I looked at on Stack Overflow, but I really want to extract all the info and not have to set individual variables like those examples show.
  14. `$visitID = "$memid";` is what that is meant to do.
  15. $memid is a MySQL column that is meant to be selected from the memberInfo database.
  16. Well, sadly I didn't get the select query working right; I thought I had but messed up with the test. According to http://www.piliapp.com/php-syntax-check/ there is nothing wrong with the code, but $visitID is not being set for some reason.

```php
include("theme/mem.inc");
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("SELECT * FROM memberInfo WHERE wrestlerName= ?");
$stmt->bind_param('s', $var1);
// set parameters and execute
$var1 = "Scottish Phantom";
if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
$stmt->close();
$conn->close();
$visitID = "$memid";
```
  17. Got update, insert, delete and select queries prepared, bound and working now. I am sorted now. Thank you very much justsomeguy, you were a big help and I much appreciate it.
  18. I understand what you mean now justsomeguy. I am just about to put together an UPDATE query. Thank you very much for the help, I do very much appreciate it.
  19. The delete and select queries on my site don't come from forms with text fields that can be typed into, just some combos where items can be selected. That is why I am thinking I am good on that front. EDIT: actually the WHERE comparison in the query will be a variable. Damn, I thought I could go with the smaller, easier code. Oh well. Don't call execute twice? You mean the part below?

```php
$stmt->execute();
if (!$stmt->execute()) {
```
  20. I was missing the "s" to signify a string; got the code below working. Not 100% sure if the error code is right on it though. I also presume I should prepare/bind the update query as well; I don't see a need to do it with the delete query. Not too sure about the select query though? I am pretty much thinking I don't: SQL injection can only really occur when adding to the database, so I presume insert and update queries only.

```php
<?php
/* INSERT QUERY WITH PREPARED STATEMENT */
$ptIDpone = time();
$ptIDptwo = rand(1, 100);
$ptIDpthree = rand(1, 100);
$cid = "$ptIDpone$ptIDptwo$ptIDpthree";
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("INSERT INTO imagecat (icatid,imcloginID,imccategory,imchash,imcdesc) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param('sssss', $cid, $var1, $var2, $var3, $var4);
// set parameters and execute
$cid = "$cid";
$var1 = "no";
$var2 = "no";
$var3 = "no";
$var4 = "no";
$stmt->execute();
if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
$stmt->close();
$conn->close();
$mess = "Item has been succesfully ADDED.";
header("Location: ../success.php?message=$mess");
exit();
?>
```
  21. The $cid is the ID I generate for everything that goes into the database, so $varcid will be the final result of that. I presume the format is fine for insert? Also, since you haven't mentioned anything about the update and delete queries, I presume they are fine. On the page you linked, I can see

```php
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
echo "Execute failed: (" . $mysqli->errno . ") " . $mysqli->error;
```

I am just not sure where to place that in my code; I am used to "if success, else fail".
  22. OK, based on that page's information and recoding the insert example from above, the code below is what I have. Am I right? If so, how do I output an error message when an error occurs inserting a new line into the database?

```php
/* INSERT QUERY WITH PREPARED STATEMENT */
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("INSERT INTO modeSets (userID,imageSet,messSet,intSend,msgSend) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param($cid, $var1, $var2, $var3, $var4);
// set parameters and execute
$cid = "$varcid";
$var1 = "no";
$var2 = "no";
$var3 = "no";
$var4 = "no";
$stmt->execute();
$stmt->close();
$conn->close();
$mess = "Item has been succesfully ADDED.";
header("Location: ../page.php?message=$mess");
exit();
```
  23. OK, I'd just like to confirm this before actually changing my site over, but does the following code look correct? If it does, then I can quickly go through the pages and easily change them. Edit: need to put exit(); after the header line.

```php
<?php
/* SELECT QUERY */
session_start();
// Create connection
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT * FROM memberInfo WHERE wrestlerName='{$_SESSION['logname']}'";
$result = $conn->query($sql);
$row = $result->fetch_assoc();
extract($row);

/* UPDATE QUERY */
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$updemail = "UPDATE memberInfo SET fpaypalemail = '" . $liemail . "', fpaypalfname = '" . $lifname . "', fpaypallname = '" . $lilname . "' WHERE memid = '" . $liAid . "'";
if ($conn->query($updemail) === TRUE) {
    $mess = "Paypal information has been succesfully updated.";
    header("Location: ../paypal.php?message=$mess");
} else {
    echo "Error updating record: " . mysqli_error($conn);
}
$conn->close();

/* DELETE QUERY */
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// sql to delete a record
$sql2 = "DELETE FROM imagestore WHERE iupcatid='$imcatdelid'";
if ($conn->query($sql2) === TRUE) {
    $mess = "Item has been succesfully deleted.";
    header("Location: ../page.php?message=$mess");
} else {
    echo "Error deleting record: " . $conn->error;
}
$conn->close();

/* INSERT QUERY */
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql3 = "INSERT INTO modeSets (userID,imageSet,messSet,intSend,msgSend) VALUES ('$cid','no','no','no','no')";
if ($conn->query($sql3) === TRUE) {
    $mess = "Item has been succesfully ADDED.";
    header("Location: ../page.php?message=$mess");
} else {
    echo "Error: " . $sql3 . "<br>" . $conn->error;
}
$conn->close();
?>
```
  24. Lol, it would help if I tried it; I only just started working out mysqli today. The code below is what I have and it works.

```php
$conn = new mysqli($host, $user, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT * FROM memberInfo WHERE wrestlerName='{$_SESSION['logname']}'";
$result = $conn->query($sql);
$row = $result->fetch_assoc();
extract($row);
```

I may have some questions along the way of updating the website, but hopefully I can figure it out myself.
  25. I agree justsomeguy, I commented more out of frustration, as I really don't want to upgrade a whole site of code that took me over a year to do, but sadly it needs doing. I have started going through my site today and changing over to mysqli. I really wish I had learned about this over a year ago when I started this very long project; the downside of being self taught, I guess, and not spending more time on forums like this. http://www.w3schools.com/php/php_mysql_insert.asp I am using the w3schools tutorial to guide me. Figuring out the select query with mysqli was easy enough; the w3schools tutorials are simple enough to follow, it will just be time consuming. The only thing I am wondering so far is, with mysql_ I could use extract($row) to get all the info in a database table row, and I can't see a way to do that in the w3schools tutorial for selecting data with mysqli_. http://www.w3schools.com/php/php_mysql_select.asp No big deal really, it is most likely better to set variables with the specific columns I need on the page.
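An added example (not the poster's code) for the result-handling questions in posts 9, 13 and 25: why `num_rows` reads 0 on a prepared statement until `store_result()` has buffered the rows, how to get a whole row as an associative array from a prepared `SELECT` so the old `extract($row)` habit still has somewhere to go, and where an error message belongs when a prepare or execute fails (the question in post 22). It uses the `memberInfo` columns and the `accStatus = 'Confirmed'` filter shown in the thread; the function names, the `mysqli_report` setting and the `$conn` it expects to exist are assumptions.

```php
<?php
// Added example, not the poster's code. Column names and the 'Confirmed'
// filter come from the thread; function names and error handling are assumed.

// With MYSQLI_REPORT_STRICT every failed prepare/bind/execute throws a
// mysqli_sql_exception, so the "if (!$stmt->execute())" checks can go.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Variant 1: bind_result(). num_rows is only known once the whole result
// set has been pulled to the client, which is what store_result() does.
// Without it the count is 0 even though fetch() still returns every row.
function confirmedMembers(mysqli $conn): array
{
    $stmt = $conn->prepare('SELECT memid, wrestlerName FROM memberInfo WHERE accStatus = ? ORDER BY wrestlerName');
    $status = 'Confirmed';
    $stmt->bind_param('s', $status);
    $stmt->execute();
    $stmt->store_result();            // buffer the rows; num_rows is valid from here on
    if ($stmt->num_rows === 0) {
        $stmt->close();
        return [];
    }
    $stmt->bind_result($memid, $wrestlerName);
    $members = [];
    while ($stmt->fetch()) {
        $members[] = ['memid' => $memid, 'wrestlerName' => $wrestlerName];
    }
    $stmt->free_result();
    $stmt->close();
    return $members;
}

// Variant 2: get_result() turns the prepared statement into a mysqli_result,
// so fetch_assoc() works exactly as it did with mysql_*. It needs the mysqlnd
// driver; on a host whose PHP lacks it the call fails and variant 1 is the
// fallback.
function memberRow(mysqli $conn, string $wrestlerName): ?array
{
    $stmt = $conn->prepare('SELECT * FROM memberInfo WHERE wrestlerName = ?');
    $stmt->bind_param('s', $wrestlerName);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();    // null when there is no such member
    $result->free();
    $stmt->close();
    return $row;
}

// Usage, assuming $conn was created as elsewhere in the thread.
try {
    $members = confirmedMembers($conn);
    echo count($members), " confirmed members<br>";
    foreach ($members as $m) {
        echo "ID = {$m['memid']} - wrestlerName = " . htmlspecialchars($m['wrestlerName']) . "<br>";
    }

    $row = memberRow($conn, 'Scottish Phantom');
    if ($row === null) {
        echo "no such member<br>";
    } else {
        // $row['memid'], $row['wrestlerName'], ... are all here. extract($row)
        // would work too, but it lets any column name overwrite a variable
        // already in scope, so reading the array directly is the safer habit.
        echo "ID = {$row['memid']} - wrestlerName = " . htmlspecialchars($row['wrestlerName']) . "<br>";
    }
} catch (mysqli_sql_exception $e) {
    // A failed prepare/execute lands here. Log the detail for yourself and
    // show the visitor a generic line, so query text and column names are
    // not printed to the page.
    error_log('memberInfo query failed: ' . $e->getMessage());
    echo "Database error, please try again later.";
}
```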