PHP Strome the Front (Participant), May 29, 2014 at 10:41 pm, #171400

Here are my variables:

    $error = [];
    $dbname = htmlspecialchars(trim($_POST["dbname"]));
    $dbusername = htmlspecialchars(trim($_POST["dbusername"]));
    $dbpassword = htmlspecialchars(trim($_POST["dbpassword"]));
    $dbhost = htmlspecialchars(trim($_POST["dbhost"]));
    $debugging = $_POST["debugging"];
    ... // I have many such variables; some do not belong to POST as well

I want to display errors like this:

    if (empty($dbname)) {
        echo $error['$dberro'] = "Hey you have missed the database name";
    }
    if (empty($dbusername)) {
        echo $error['$dbusernameerror'] = "Hey you have missed the database user name";
    }
    .... // I have a lot of code like this

I have 40 such variables, so how do I do this very easily? And I display them on a static page or some other PHP page like this:

    if (isset($error[$dberror])) {
        echo "$error[$dberror]";
    }
    ... // I have many of these

Isn't the code so bulky? Probably there is a better idea than this. Can I get those ideas?
__ (Participant), May 30, 2014 at 12:35 am, #171415

> htmlspecialchars(trim($_POST["dbname"]));

Is there a reason you are using htmlspecialchars? This function is for escaping special characters in HTML. Are you using these POST values in HTML? If you're doing this for some other purpose (e.g., a database query) it will not work. It will cause problems and create security risks. Even if this is the case, you should escape the value when you print it, not when you're checking the value that was submitted.

> echo $error['$dberro']="Hey you have missed the database name";

Are you trying to assign this sentence to a variable, or are you trying to print it?

> echo "$error[$dberror]";

Have you tried this? It's a syntax error.

Also, I don't see where you have defined a variable by the name of $dberror…?

This is what it sounds like:

- you have a list of form field inputs
- you want to check and make sure each has a value
- if an item is missing, assign an error message
- print all the error messages.

Is this what you want to do? If so, here's the most straightforward approach. It might not be the best solution for your situation, so, if not, please explain what you are trying to accomplish in more detail.

- Make a list of the field names.

    $list = [
        "dbname",
        "dbusername",
        // etc. ...
    ];

- Loop through the list to check each input from POST.

    foreach ($list as $fieldName) {
        if (empty($_POST[$fieldName])) {
            /* see next step */
        }
    }

- If an item is missing, assign an error message.

    foreach ($list as $fieldName) {
        if (empty($_POST[$fieldName])) {
            $error[$fieldName] = "You have missed the $fieldName field.";
        }
    }

- After that loop (and wherever you want to print the error messages), loop over the error messages and print them.

    <!doctype html>
    <!-- all your html goes here -->
    <?php
    if (!empty($error)) {
        echo "<ul id=errorMessages>";
        foreach ($error as $message) {
            echo "<li>$message</li>";
        }
        echo "</ul>";
    }
    ?>
    <!-- rest of your html goes here -->
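The four steps above combined into one script, as an added example that is neither the original poster's code nor the replier's. It assumes a per-field label array (so "dbname" prints as "database name") and uses trim() rather than empty() so that a whitespace-only value counts as missing while the value "0" does not; $_POST is filled with a constructed sample submission so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. The constructed $_POST below
// stands in for a real form submission so this runs from the CLI.
declare(strict_types=1);

$_POST = [
    'dbname'     => 'app',
    'dbusername' => '',        // missing on purpose
    'dbpassword' => '   ',     // whitespace only, treated as missing
    'dbhost'     => 'localhost',
];

// Step 1: the list of required fields, each with the human-readable label
// used in its error message (an assumption of this example).
$required = [
    'dbname'     => 'database name',
    'dbusername' => 'database username',
    'dbpassword' => 'database password',
    'dbhost'     => 'database host',
];

/**
 * Steps 2 and 3: check each required field and collect one error message
 * per missing field, keyed by field name.
 */
function collectErrors(array $post, array $required): array
{
    $errors = [];
    foreach ($required as $fieldName => $label) {
        // trim() first so a whitespace-only value counts as missing. The raw
        // value is deliberately NOT passed through htmlspecialchars() here:
        // escaping belongs at output time, not at validation time.
        $value = isset($post[$fieldName]) ? trim((string) $post[$fieldName]) : '';
        if ($value === '') {
            $errors[$fieldName] = "You have missed the $label field.";
        }
    }
    return $errors;
}

/**
 * Step 4: render the collected messages as an HTML list. This is the one
 * place htmlspecialchars() is applied, because this is where the text
 * enters an HTML document.
 */
function renderErrors(array $errors): string
{
    if ($errors === []) {
        return '';
    }
    $html = "<ul id=\"errorMessages\">\n";
    foreach ($errors as $message) {
        $html .= '  <li>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

$errors = collectErrors($_POST, $required);
echo renderErrors($errors);
```

Run it with php and the two blank fields (dbusername and dbpassword) each produce one list item; adding a field means adding one line to $required rather than a new if block.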
PHP Strome the Front (Participant), May 31, 2014 at 12:34 am, #171481

Yes, I am doing it for a form.

I used htmlspecialchars so I don't get SQL injection or something like that. But this code:

    foreach ($list as $fieldName) {
        if (empty($_POST[$fieldName])) {
            $error[$fieldName] = "You have missed the $fieldName field.";
        }
    }

prints "you have missed db field", doesn't it??? I want to print "you have missed database field".
__ (Participant), May 31, 2014 at 1:10 am, #171483

> i used htmlspecialchars so i don't get sql injection or something like that

In that case, re-read my post above: using htmlspecialchars will not prevent SQL injection. It has nothing at all to do with databases. Specifically, it will allow SQL injection.

How you go about preventing SQL injection will depend on what database you use and what PHP extension you use to connect to it. If you are using MySQLi or PDO, you should use prepared statements.

> but this code … print you have missed db field isn't it ??? i want to print you have missed database field

I don't know, specifically. It will print the name of the field in question. If you want more control over your error messages, you can create another array to hold them:

    $error_messages = [
        "dbname"     => "You have missed the database name field",
        "dbusername" => "You have missed the database username field",
        // etc. ...
    ];

and later:

    foreach ($list as $fieldName) {
        if (empty($_POST[$fieldName])) {
            $error[$fieldName] = $error_messages[$fieldName];
        }
    }
PHP Strome the Front (Participant), May 31, 2014 at 10:29 am, #171493

Great, works like a charm... but I heard doing htmlspecialchars prevents SQL injection. Was I wrong?

I use PDO, as people say PDO is best, and many recommend PDO as well.

I use a database wrapper class that uses PDO:

http://www.imavex.com/php-pdo-wrapper-class/

Thanks for your great support.
__ (Participant), May 31, 2014 at 11:07 am, #171495

> i heard doing html special chars prevent sql injection was i wrong?

Yes, this is completely wrong.

The function name gives you a big clue. htmlspecialchars is for escaping data for use in HTML, not SQL. When you echo something to your HTML webpage, but you want to make sure it displays as text, use htmlspecialchars. For example:

    <?php
    // I want to have a paragraph that talks about <script> tags.
    $script = "<script>alert( 'hello, html injection!' );</script>";

    // but if I do this…
    echo "<p>$script</p>";
    // I'll get an _actual_ script tag.

    // if I do this…
    echo "<p>" . htmlspecialchars( $script ) . "</p>";
    // I'll get what I want: _text_, not javascript.

But, even though it's not meant for SQL injection, will it work? No. Read the documentation: the default flag for handling conversions is ENT_COMPAT.

> ENT_COMPAT
> Will convert double-quotes and leave single-quotes alone.
>
> - ' (single quote) becomes &#39; (or &apos;) only when ENT_QUOTES is set.
>
> [emphasis added]
> —php.net/htmlspecialchars

This means that the one character you definitely always must escape in SQL queries is going through untouched.

Besides that, even if it did encode your single quotes, that's not the same as escaping them. Your database doesn't handle HTML encoding: it will store the entity code, not the character it is meant to represent. This means your data will be corrupted.

> I use database wrapper class that uses pdo..
> imavex.com/php-pdo-wrapper-class

This class has a method named run. If you look at the source code, you'll see that it actually uses prepared statements, which is good. If you ever use this function directly, however, you need to make sure that you never put data in the $sql parameter that came from the user, as this will prevent it from being escaped. Any data that came from the user needs to go in the $bind parameter.

PHP Strome the Front (Participant), May 31, 2014 at 7:55 pm, #171509

So I don't like using bind because the code gets longer and longer and I need to store data in variables every time... Is there any way to escape SQL in FORM data?
__ (Participant), June 1, 2014 at 12:27 am, #171512

> is there anyway to escape sql in FORM data.

You can. With PDO, the proper method to escape data for use in an SQL statement is PDO::quote. If you chose this approach, it would probably be simpler to just use PDO directly, since you'd be bypassing all of the methods your wrapper class provides.

> i don't like using bind because code get long and long and i need to store data in variables every time..

Binding the parameters and using prepared statements is a much better choice. It may be a few extra lines of typing, but it is far safer and more reliable. I would really encourage you to reconsider.
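An added example, not code from the thread or from the imavex wrapper class, that demonstrates the two points made in the replies above: htmlspecialchars with ENT_COMPAT leaves a single quote untouched and with ENT_QUOTES stores an entity rather than the character, while a PDO prepared statement (and, for completeness, PDO::quote) handles the same value correctly. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database so it runs without a server; the table name, column names and the sample value are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite
// extension; the "users" table and the sample value are constructed here.
declare(strict_types=1);

// Constructed sample input: a perfectly legitimate value that contains
// the one character SQL string literals care about.
$userInput = "O'Brien";

// 1. ENT_COMPAT (the default flag in the PHP versions the thread discusses;
//    passed explicitly because PHP 8.1 changed the default) converts only
//    double quotes, so the single quote passes through unchanged.
var_dump(htmlspecialchars($userInput, ENT_COMPAT));

// 2. ENT_QUOTES turns the single quote into an HTML entity. That is still
//    not SQL escaping, and storing this string would corrupt the data.
var_dump(htmlspecialchars($userInput, ENT_QUOTES));

// 3. The right tool: a prepared statement. The SQL text is constant and
//    the value travels separately as a bound parameter.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

/** Inserts one row; only the placeholder is filled with user data. */
function insertUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

/** Looks a row up by name using the same bind-parameter pattern. */
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

insertUser($pdo, $userInput);
$row = findUserByName($pdo, $userInput);

// The quote was stored and read back as a quote: no hand-written escaping,
// and no HTML entity in the database.
var_dump($row);

// 4. If a quoted literal is genuinely needed (the PDO::quote route), let the
//    driver do the quoting; it doubles the embedded single quote for you.
var_dump($pdo->quote($userInput));
```

Running it shows the first var_dump unchanged, the second carrying an entity, the fetched row holding the original name, and PDO::quote producing a literal with the embedded quote doubled. The prepared-statement functions are the shape the wrapper's run() method expects: constant SQL in the first argument, user data only in the bind array.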
PHP Strome the Front (Participant), June 1, 2014 at 3:27 am, #171518

Ok, thanks for the advice, and while binding, if the user inputs something invalid, how do I display the error???

Can you say the way to escape in that PHP PDO wrapper class??

And I got all the great answers, so how do I close this thread?
__ (Participant), June 1, 2014 at 11:02 am, #171538

> can you say the way to escape in that php pdo wrapper class??

The wrapper class you're using extends PDO, so it already has the quote method. You can "just use it."

> Ok thanks for the advice and while binding if user inputs invalid error how to display it???

PDO uses exceptions by default, so you can just wrap your code in a try…catch block. PDO exceptions can contain sensitive information (including DB credentials), so be sure you don't show them on the "live" site.

    try {
        $DB->somethingThatMightCauseAnError();
    } catch (PDOException $PDOe) {
        if ($youAreDebugging) {
            echo $PDOe->getMessage();
        } else {
            echo "<p>sorry, something went wrong.</p>";
        }
    }

> and i got all the great answer so how to close this thread

Can't close. Don't worry about it.
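The try…catch pattern from the reply above, carried a step further as an added example that is not the replier's code: the full PDOException text goes to the server log with error_log() and the visitor sees only a generic message unless a debugging flag is on, and the exception error mode is set explicitly instead of relying on the driver default. It assumes the pdo_sqlite extension, an in-memory database, and a constructed "settings" table; the DEBUGGING constant, runQuery() and its signature are this example's own.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite; the table,
// rows and the DEBUGGING constant are constructed for the example.
declare(strict_types=1);

// In a real application this comes from configuration, never from $_POST.
const DEBUGGING = false;

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Ask for exceptions explicitly rather than relying on the default
    // error mode, which older PHP versions set to silent.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/**
 * Runs a prepared statement and returns the rows, or null if it failed.
 * The exception message (which can include the DSN, table names or
 * credentials) is written to the server log and is only shown to the
 * visitor when DEBUGGING is on. $userMessage receives what is safe to echo.
 */
function runQuery(PDO $pdo, string $sql, array $bind, ?string &$userMessage): ?array
{
    try {
        $stmt = $pdo->prepare($sql);   // constant SQL text ...
        $stmt->execute($bind);         // ... user data only in the bind array
        $userMessage = null;
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Full detail goes to the log, never to the page by default.
        error_log('Database error: ' . $e->getMessage());
        $userMessage = DEBUGGING
            ? htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8')
            : 'Sorry, something went wrong.';
        return null;
    }
}

$pdo = connect();
$pdo->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');
$pdo->exec("INSERT INTO settings VALUES ('dbhost', 'localhost')");

// A query that works: rows come back, $msg stays null.
$rows = runQuery($pdo, 'SELECT name, value FROM settings WHERE name = :n', [':n' => 'dbhost'], $msg);
var_dump($rows, $msg);

// A query against a table that does not exist: the visitor gets the
// generic message while the real one is in the log.
$rows = runQuery($pdo, 'SELECT * FROM no_such_table', [], $msg);
var_dump($rows, $msg);
```

With DEBUGGING left false the second call returns null and the generic message; flipping the constant to true shows the driver's own error text, HTML-escaped, which is the behaviour the reply describes as acceptable only off the live site.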