Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

php variables

    #171400

    Here are my variables:

    $error=[];
    
    $dbname=htmlspecialchars(trim($_POST["dbname"]));
    $dbusername=htmlspecialchars(trim($_POST["dbusername"]));
    $dbpassword=htmlspecialchars(trim($_POST["dbpassword"]));
    $dbhost=htmlspecialchars(trim($_POST["dbhost"]));
    $debugging=$_POST["debugging"];
    
    ...  // I have many such variables; some do not belong to POST as well
    

    I want to display errors like this:

    if(empty($dbname){
    echo $error['$dberro']="Hey you have missed the database name";
    }
    if(empty($dbusername){
    echo $error['$dbusernameerror']="Hey you have missed the database user name";
    }
    ....   // I have a lot of code like this
    

    I have 40 such variables. How do I do this easily? And I display them on a static page or some other PHP page like this:

    if (isset($error[$dberror])){
    echo "$error[$dberror]";
    }
    ... // I have many of these
    

    Isn’t the code very bulky? Probably there is a better idea than this.

    Can I get those ideas?

    #171415
    __
    Participant

    htmlspecialchars(trim($_POST["dbname"]));

    Is there a reason you are using htmlspecialchars? This function is for escaping special characters in HTML. Are you using these POST values in HTML? If you’re doing this for some other purpose (e.g., a database query) it will not work. It will cause problems and create security risks.

    Even if this is the case, you should escape the value when you print it, not when you’re checking the value that was submitted.

    echo $error['$dberro']="Hey you have missed the database name";

    Are you trying to assign this sentence to a variable, or are you trying to print it?

    echo "$error[$dberror]";

    Have you tried this? It’s a syntax error.
    Also, I don’t see where you have defined a variable by the name of $dberror…?

    This is what it sounds like:

    • you have a list of form field inputs
    • you want to check and make sure each has a value
    • if an item is missing, assign an error message
    • print all the error messages.

    Is this what you want to do? If so, here’s the most straightforward approach. It might not be the best solution for your situation, so, if not, please explain what you are trying to accomplish in more detail.

    • Make a list of the field names.
    $list = [
        "dbname",
        "dbusername",
        //  etc. ...
    ];
    
    • Loop through the list to check each input from POST.
    foreach( $list as $fieldName ){
        if( empty( $_POST[$fieldName] ) ){
            /*  see next step  */
        }
    }
    
    • If an item is missing, assign an error message.
    foreach( $list as $fieldName ){
        if( empty( $_POST[$fieldName] ) ){
            $error[$fieldName] = "You have missed the $fieldName field.";
        }
    }
    
    • After that loop (and wherever you want to print the error messages), loop over the error messages and print them.
    <!doctype html>
        <!--  all your html goes here  -->
    
    <?php
    if( ! empty( $error ) ){
        echo "<ul id=errorMessages>";
        foreach( $error as $message ){
            echo "<li>$message</li>";
        }
        echo "</ul>";
    }
    ?>
    
        <!-- rest of your html goes here  -->
    
    #171481

    Yes, I am doing it for a form.
    I used htmlspecialchars so I don’t get SQL injection or something like that.

    but this code

    foreach( $list as $fieldName ){
        if( empty( $_POST[$fieldName] ) ){
            $error[$fieldName] = "You have missed the $fieldName field.";
        }
    }
    

    prints “you have missed the db field”, doesn’t it??? I want to print “you have missed the database field”.

    #171483
    __
    Participant

    i used htmlspecialchars so i don’t get sql injection or something like that

    In that case, re-read my post above: using htmlspecialchars will not prevent sql injection. It has nothing at all to do with databases. Specifically, it will allow sql injection.

    How you go about preventing sql injection will depend on what database you use and what php extension you use to connect to it. If you are using MySQLi or PDO, you should use prepared statements.

    but this code …
    print you have missed db field isn’t it ??? i want to print you have missed database field

    I don’t know, specifically. It will print the name of the field in question. If you want more control over your error messages, you can create another array to hold them:

    $error_messages = [
        "dbname" => "You have missed the database name field",
        "dbusername" => "You have missed the database username field",
        // etc. ..
    ];
    

    and later:

    foreach( $list as $fieldName ){
        if( empty( $_POST[$fieldName] ) ){
            $error[$fieldName] = $error_messages[$fieldName];
        }
    }
    
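    The field-list approach from the two replies above, written out as an added example (not code from the thread), assuming a constructed $input array in place of $_POST and a generic fallback message for fields without a custom one:

```php
<?php
// Added example, not from the thread: validate a list of required fields,
// report per-field messages, and escape only at output time.

// Required fields, in the order their errors should be reported.
$required = ["dbname", "dbusername", "dbpassword", "dbhost"];

// Optional custom messages; any field without one gets a generic message.
$messages = [
    "dbname"     => "You have missed the database name field",
    "dbusername" => "You have missed the database username field",
];

/**
 * Returns [fieldName => message] for every required field that is
 * missing or blank. The raw values are left alone here: validation
 * inspects the submitted data, escaping happens when it is printed.
 */
function findMissingFields(array $input, array $required, array $messages): array
{
    $errors = [];
    foreach ($required as $field) {
        // isset() first (trim(null) is deprecated on recent PHP), then trim()
        // so a field containing only spaces also counts as missing.
        if (!isset($input[$field]) || trim((string) $input[$field]) === "") {
            $errors[$field] = $messages[$field] ?? "You have missed the $field field.";
        }
    }
    return $errors;
}

// Constructed sample submission: one blank field, one whitespace-only field.
$input = [
    "dbname"     => "",
    "dbusername" => "app",
    "dbpassword" => "   ",
    "dbhost"     => "localhost",
];

$errors = findMissingFields($input, $required, $messages);

// Escape at the point of output, with ENT_QUOTES so a quote inside a message
// (or a field name echoed back) cannot break out of the HTML.
if ($errors !== []) {
    echo "<ul id=\"errorMessages\">\n";
    foreach ($errors as $message) {
        echo "  <li>" . htmlspecialchars($message, ENT_QUOTES, "UTF-8") . "</li>\n";
    }
    echo "</ul>\n";
}
```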
    #171493

    Great, works like a charm… but I heard doing htmlspecialchars prevents SQL injection. Was I wrong?

    I use PDO, as people say PDO is best and many recommend PDO as well.

    I use a database wrapper class that uses PDO:

    http://www.imavex.com/php-pdo-wrapper-class/

    Thanks for your great support.

    #171495
    __
    Participant

    i heard doing html special chars prevent sql injection was i wrong?

    Yes, this is completely wrong.

    The function name gives you a big clue. htmlspecialchars is for escaping data for use in HTML, not SQL. When you echo something to your HTML webpage, but you want to make sure it displays as text, use htmlspecialchars. For example:

    <?php
    
    // I want to have a paragraph that talks about <script> tags.
    $script = "<script>alert( 'hello, html injection!' );</script>";
    
    // but if I do this…
    echo "<p>$script</p>";
    // I'll get an _actual_ script tag.
    
    // if I do this…
    echo "<p>".htmlspecialchars( $script )."</p>";
    // I'll get what I want: _text_, not javascript.
    

    But, even though it’s not meant for sql injection, will it work? No. Read the documentation: the default flag for handling conversions is ENT_COMPAT.

    • ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
    • “‘” (single quote) becomes &#39; (or &apos;) only when ENT_QUOTES is set.

    [emphasis added]
    —php.net/htmlspecialchars

    This means that the one character you definitely always must escape in SQL queries is going through untouched.

    Besides that, even if it did encode your single quotes, that’s not the same as escaping them. Your database doesn’t handle HTML encoding: it will store the entity code, not the character it is meant to represent: this means your data will be corrupted.

    I use database wrapper class that uses pdo..
    imavex.com/php-pdo-wrapper-class

    This class has a method named run. If you look at the source code, you’ll see that it actually uses prepared statements, which is good. If you ever use this function directly, however, you need to make sure that you never put data in the $sql parameter that came from the user, as this will prevent it from being escaped. Any data that came from the user needs to go in the $bind parameter.

    #171509

    So I don’t like using bind because the code gets longer and longer and I need to store data in variables every time. Is there any way to escape SQL in FORM data?

    #171512
    __
    Participant

    is there anyway to escape sql in FORM data.

    You can. With PDO, the proper method to escape data for use in an SQL statement is PDO::quote. If you chose this approach, it would probably be simpler to just use PDO directly, since you’d be bypassing all of the methods your wrapper class provides.

    i don’t like using bind because code get long and long and i need to store data in variables every time..

    Binding the parameters and using prepared statements is a much better choice. It may be a few extra lines of typing, but it is far safer and more reliable. I would really encourage you to reconsider.

    #171518

    OK, thanks for the advice. And while binding, if the user input is invalid, how do I display the error???

    Can you tell me the way to escape in that PHP PDO wrapper class??

    And I got all the great answers, so how do I close this thread?

    #171538
    __
    Participant

    can you say the way to escape in that php pdo wrapper class??

    The wrapper class you’re using extends PDO, so it already has the quote method. You can “just use it.”

    Ok thanks for the advice and while binding if user inputs invalid error how to display it???

    PDO uses exceptions by default, so you can just wrap your code in a try…catch block. PDO exceptions can contain sensitive information (including DB credentials), so be sure you don’t show them on the “live” site.

    try{
        $DB->somethingThatMightCauseAnError();
    }
    catch( PDOException $PDOe ){
        if ( $youAreDebugging ){
            echo $PDOe->getMessage();
        }
        else{
            echo "<p>sorry, something went wrong.</p>";
        }
    }
    

    and i got all the great answer so how to close this thread

    Can’t close. Don’t worry about it.
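    The points made in #171495, #171512 and #171538 (htmlspecialchars leaves the single quote alone under ENT_COMPAT, user data belongs in the bind parameters or goes through PDO::quote, and PDO errors are caught and hidden from visitors) collected into one added example; this is not code from the thread or from the linked wrapper class, and it assumes the pdo_sqlite extension so the database can live in memory:

```php
<?php
// Added example, not from the thread or the wrapper class it links.
// Assumes pdo_sqlite is available for an in-memory database.

// Constructed input holding the one character SQL quoting cares about.
$value = "O'Reilly";

// With ENT_COMPAT (the default flag on the PHP versions the thread refers to)
// htmlspecialchars leaves the single quote alone, so it offers no protection.
printf("ENT_COMPAT left the quote untouched: %s\n",
    var_export(htmlspecialchars($value, ENT_COMPAT) === $value, true));

// With ENT_QUOTES the quote becomes an entity. That is HTML encoding, not SQL
// escaping: a database would store this literal text, corrupting the name.
printf("ENT_QUOTES output: %s\n", htmlspecialchars($value, ENT_QUOTES));

$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT)");

// 1. Prepared statement: the user's value goes in the bind array, never into
//    the SQL string itself (the wrapper's $bind parameter, not $sql).
$stmt = $pdo->prepare("INSERT INTO users (name) VALUES (:name)");
$stmt->execute([":name" => $value]);

// 2. PDO::quote: the driver escapes the value and wraps it in quotes, for the
//    rare statement where a placeholder cannot be used.
$pdo->exec("INSERT INTO users (name) VALUES (" . $pdo->quote($value) . ")");

// Both rows hold the original text with the quote intact.
$names = $pdo->query("SELECT name FROM users")->fetchAll(PDO::FETCH_COLUMN);
printf("Stored values round-tripped intact: %s\n",
    var_export($names === [$value, $value], true));

// Errors surface as PDOException. Show the message only while debugging, and
// take that flag from server-side config, not from the request.
$debugging = false;
try {
    $pdo->prepare("SELECT missing_column FROM users")->execute();
} catch (PDOException $e) {
    echo $debugging ? $e->getMessage() : "Sorry, something went wrong.", "\n";
}
```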
