Paul Swanson
Everything posted by Paul Swanson
It sounds like when data is being inserted into your database, it isn't being escaped first. Escaping data before inserting into a database makes your SQL more secure because it can prevent SQL injection attacks (when a malicious user enters SQL commands into your form fields). If your site is on an intranet, it might not be much of a risk, but if this is a publicly accessible site you really should escape the data. See page 254 in Chapter 7 - "Ensuring Secure SQL" for a discussion on this topic, as well as a function which will do the escaping for you. An even better escape_data function is listed in script 13.4 on page 538.

By escaping the data, the escape character (\ = backslash) is inserted in front of certain characters, including both single and double quotes. When printing the data retrieved from the database, you'll need to use the stripslashes() function to remove the slashes and get the output you want to display.

The quotes in the database were causing you problems because when you echo it out it would look like:

    value=""My Customer Name""

So your browser would see value="" plus some extra invalid attribute names of My, and Customer, and a second occurrence of a valid attribute: name. I recommend that you also make use of htmlspecialchars() before echoing to convert single and double quotes (among other characters) to HTML entities. With your current code, you're going to run into the same problem if someone spells Hawaii Hawai'i, or their last name is O'Reilly.
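The failure mode the reply above describes, as an added example that is not part of the original post or the book's code: a value with an embedded quote is sent to SQL raw, then escaped with PDO::quote() (the role the book's escape_data function plays for mysqli), then bound as a parameter. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table and column names and the sample inputs are invented for the demonstration.

```php
<?php
// Added example (not from the original post): what happens when a value with a
// quote reaches SQL unescaped, and the two ways to keep it from being parsed as
// SQL. Runs against an in-memory SQLite database via PDO; the
// quote()/prepare()/execute() pattern is the same for MySQL. Table, column and
// sample values are invented for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, mycustomer TEXT)');

$input = "O'Reilly";   // constructed form input containing a single quote

// 1. Raw interpolation: the quote in the data terminates the string literal,
//    so the statement is malformed (or, with a crafted value, does something
//    else entirely). The failure below is the symptom the post describes.
try {
    $pdo->exec("INSERT INTO customers (mycustomer) VALUES ('$input')");
    echo "Raw insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Raw insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping: quote() neutralises the embedded quote and wraps the value,
//    which is what an escape_data()-style helper does for mysqli.
$pdo->exec('INSERT INTO customers (mycustomer) VALUES (' . $pdo->quote($input) . ')');

// 3. Binding: the value never becomes part of the SQL text at all, so there
//    is nothing to escape.
$stmt = $pdo->prepare('INSERT INTO customers (mycustomer) VALUES (:name)');
$stmt->execute([':name' => $input]);

// Both stored copies are exactly what was typed: the escaping only protected
// the query text, no backslashes were written into the table.
foreach ($pdo->query('SELECT mycustomer FROM customers') as $row) {
    var_dump($row['mycustomer'] === $input);
}

// 4. The same split on a lookup: concatenating a crafted value turns the WHERE
//    clause into a tautology that matches every row; binding keeps it a literal.
$attack = "x' OR '1'='1";
$hit = $pdo->query("SELECT COUNT(*) FROM customers WHERE mycustomer = '$attack'")->fetchColumn();
echo "Concatenated WHERE matched $hit row(s)\n";

$stmt = $pdo->prepare('SELECT COUNT(*) FROM customers WHERE mycustomer = :name');
$stmt->execute([':name' => $attack]);
echo "Bound WHERE matched " . $stmt->fetchColumn() . " row(s)\n";
```

Run it with `php` from the command line (the pdo_sqlite extension must be enabled). Step 4 is why binding is preferable to escaping when the driver offers it: there is no escaping routine to forget on one of the dozens of queries in a typical e-commerce site.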
-
Uploading Pdf Files
Paul Swanson replied to Jocky's topic in Effortless E-Commerce with PHP and MySQL
I don't think you want the domain name in the location to move the file to. PHP operates on the file system level when copying files. Try changing your PDFS_DIR constant definition to:

    define ('PDFS_DIR', $_SERVER['DOCUMENT_ROOT'] . '/e-Commerce/pdfs/');

www.bexcomputersdesigns.co.uk isn't a directory, it's a DNS entry; a friendly alias of the actual IP address. PHP doesn't use it, it wants something like /mnt/vol3/home/b/e/bexcom/public_html/e-Commerce/pdfs/. $_SERVER['DOCUMENT_ROOT'] will return the /mnt/vol3/home/b/e/bexcom/public_html part (I can't remember if it includes the trailing slash or not.)
-
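Building the destination path the reply above describes, as an added example that is not part of the original post or the book: the directory is derived from DOCUMENT_ROOT whether or not the server supplies a trailing slash (the point the reply was unsure about), and the client-supplied filename is reduced to a plain basename before it is joined on, so an upload cannot be steered outside the pdfs directory. The helper names, the directory layout and the sample filenames are invented; nothing is actually moved.

```php
<?php
// Added example (not from the original post): building the upload directory
// from DOCUMENT_ROOT regardless of a trailing slash, and deriving a destination
// path that stays inside it. Helper names, paths and filenames are invented.

// Normalise: strip any trailing separator from the root, then append the
// sub-path with exactly one separator, so both forms of DOCUMENT_ROOT work.
function pdfsDir(string $documentRoot): string {
    return rtrim($documentRoot, '/\\') . '/e-Commerce/pdfs/';
}

// Turn a user-supplied filename into a destination under $dir. basename()
// drops any directory part ("../", absolute paths), and the pattern allows
// only plain names ending in .pdf. Returns null when the name is not acceptable.
function pdfDestination(string $dir, string $clientName): ?string {
    $base = basename($clientName);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+\.pdf$/i', $base)) {
        return null;
    }
    return $dir . $base;
}

// Both spellings of DOCUMENT_ROOT give the same directory:
$a = pdfsDir('/mnt/vol3/home/b/e/bexcom/public_html');
$b = pdfsDir('/mnt/vol3/home/b/e/bexcom/public_html/');
var_dump($a === $b);

// A plain name is accepted; a traversal attempt and a non-PDF name are not:
var_dump(pdfDestination($a, 'catalogue.pdf'));
var_dump(pdfDestination($a, '../../etc/passwd'));
var_dump(pdfDestination($a, 'evil.php'));

// In the upload handler the result would then feed move_uploaded_file(), e.g.
//   $dest = pdfDestination(PDFS_DIR, $_FILES['pdf']['name']);
//   if ($dest !== null && move_uploaded_file($_FILES['pdf']['tmp_name'], $dest)) { ... }
// (not executed here: there is no upload in a command-line run).
```

The filename check is the part worth keeping even after the path problem is solved: move_uploaded_file() will happily write wherever the path points, so the destination must be constrained by the script, not by the browser.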
I think your problem is that you are missing quotes around the form element value attributes. Since the values you are reading in from the database contain spaces, only the first word is recognized as the value, and the other words are being interpreted as invalid element attributes and your browser is ignoring them. Try placing quotes around the value attributes, like so:

    <p>Customer: <input type="text" name="mycustomer" size="35" value="<?php echo $row['mycustomer']; ?>"/></p>
                                                            Missing quote here ^

You are also using the same name for elements (mycustomer 3 times, and matls1 3 times). You should make all the names unique for text fields. This isn't the cause of your problem (the quotes issue is), but if you want to do something with the values you'll need to change the names or you will only get the last mycustomer and matls1 values.
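The three states of the value attribute discussed in this thread (unquoted, quoted, quoted and entity-encoded), as an added example that is not part of the original post or the book's code. Sample values are constructed to trigger each failure: a multi-word name, an apostrophe, and a double quote followed by markup. The helper names and the numbered field names are invented.

```php
<?php
// Added example (not from the original post): rendering database values back
// into <input> value attributes three ways, to show why the quotes matter and
// why htmlspecialchars() is still needed once they are there. Helper names and
// sample values are constructed for the demonstration.

$values = [
    'My Customer Name',            // spaces: breaks the unquoted form
    "O'Reilly",                    // apostrophe: fine in "..." but not in '...'
    '"><script>alert(1)</script>', // double quote: breaks the quoted form
];

// (a) Unquoted attribute, as in the original form: the browser takes only the
//     first word as the value and treats the rest as stray attribute names.
function inputUnquoted(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" size="35" value=' . $value . '/>';
}

// (b) Quoted attribute: multi-word values survive, but a double quote inside
//     the value still closes the attribute early and whatever follows is
//     interpreted as markup.
function inputQuoted(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" size="35" value="' . $value . '"/>';
}

// (c) Quoted and entity-encoded: ENT_QUOTES converts both quote kinds, so the
//     whole value is one attribute whatever it contains, and the browser decodes
//     the entities back to the original text when it fills the field.
function inputSafe(string $name, string $value): string {
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" size="35" value="' . $enc . '"/>';
}

// Give each field its own name (mycustomer1, mycustomer2, ...) so that all of
// them arrive in $_POST rather than only the last one.
foreach ($values as $i => $value) {
    $name = 'mycustomer' . ($i + 1);
    echo "Value: $value\n";
    echo '  (a) ' . inputUnquoted($name, $value) . "\n";
    echo '  (b) ' . inputQuoted($name, $value) . "\n";
    echo '  (c) ' . inputSafe($name, $value) . "\n";
}
```

Form (b) is where most sites stop, and the third sample value shows why that is not enough: a stored value that contains a double quote is a stored cross-site scripting payload until it is encoded on output.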
-
Hey zabberwan, You can suppress the ob_end_flush error by prepending an @ symbol (it's the error-suppression operator) to the function call:

    @ob_end_flush();

As for your other question, I would create a <div> at the point where you want any errors to display if any errors were detected. I haven't seen your validation code, but assuming any errors are added to an array variable named $errors:

    if (!empty($errors)) { // if errors exist, create div for display
        echo '<div style="color:red;margin:10px;">' . "\n";
        foreach ($errors as $error) { // loop thru $errors array and print each error
            echo "$error<br />\n";
        }
        echo "</div>\n\n"; // close div
    } // end of $errors conditional

So if there are any errors, a <div> is inserted in your page and the rest of the content is pushed down accordingly. If no errors, no <div> is created.
-
You've got a typo where you try to update the database:

    //Make the update query
    $q = "UPDATE users SET pass=SHA1('$np') WHERE user_id=$row[0]";
    $r = @maysqli_query($dbc, $q); // this function is misspelled - should be mysqli_query

That would trigger an error, and if you have error messages turned off you might get just a blank page.
-
Bennie8, The reason you can't find a way to traverse an array by mouse click with PHP coding is because there isn't one. PHP runs on the server only, and knows nothing about what is happening on the client (i.e., browser) side. A PHP script executes in its entirety, and sends the final results to the browser. Javascript, on the other hand, executes on the client, and that's why your AJAX solution is the correct approach. And AJAX utilizes Javascript (AJAX = Asynchronous Javascript And XML), so the suggestion by HartleySan was spot on.

As for your issue with the <textarea>, PHP doesn't automatically convert newlines to <br>, but there is a function called nl2br() that is commonly used to make that conversion for displaying as regular HTML text, and you must be using it. If you want to re-display text from a <textarea> into a <textarea> field, don't use that function, just display the unconverted text. You could also do a string replace of converted text with:

    str_replace('<br>', "\n", $yourTextareaString)

When echoing the replacement string, you'll want to enclose it with double-quotes rather than single-quotes since single-quoted strings are printed exactly as-is and you'll just see \n instead of a newline.

When entering blocks of code, please consider using the code tags (in the editor toolbar it's the <> button), which makes the code much easier to read and preserves indentation. I personally don't have a problem with lengthy blocks, but I probably won't read all of it. Hang in there. You'll make a lot of mistakes in the beginning, but you'll learn more from those mistakes than by doing it right the first time.
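The two output paths the reply above distinguishes (nl2br() for display as HTML, the unconverted text for re-display inside a <textarea>) plus the str_replace() reversal, as an added example that is not part of the original post. The submitted text is constructed; it includes a closing </textarea> tag to show why the re-display path still needs escaping. Helper names are invented.

```php
<?php
// Added example (not from the original post): putting text that came from a
// <textarea> back on a page, either as ordinary HTML or inside a <textarea>.
// The submitted text and the helper names are constructed for the demonstration.

$submitted = "First line\nSecond line with O'Reilly's note\n</textarea><b>not bold</b>";

// For display as ordinary HTML: escape first, then turn newlines into <br />.
// Escaping before nl2br() keeps user-typed tags inert while the <br /> that
// nl2br() adds stays live.
function showAsHtml(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// For re-display inside a <textarea>: no nl2br() at all, the element keeps the
// newlines itself. Escaping is still required, otherwise a value containing
// "</textarea>" ends the element and the rest becomes page markup.
function showInTextarea(string $name, string $text): string {
    $enc = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="' . $name . '" rows="5" cols="40">' . $enc . '</textarea>';
}

// If the stored copy was already run through nl2br(), undo it before re-display.
// nl2br() inserts "<br />" in front of each newline and keeps the newline, so
// remove the pair first and any bare <br> after that. The replacement must be
// the double-quoted "\n"; the single-quoted '\n' is two literal characters.
function undoNl2br(string $html): string {
    return str_replace(["<br />\n", "<br>\n", "<br />", "<br>"], "\n", $html);
}

echo showAsHtml($submitted), "\n\n";
echo showInTextarea('comments', $submitted), "\n\n";
var_dump(undoNl2br(nl2br($submitted)) === $submitted);   // round trip
```

The order inside showAsHtml() is the part to get right: htmlspecialchars() after nl2br() would encode the generated <br /> along with everything else and the line breaks would show up as literal text.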
-
Hey Floydian, Good to hear from you. I noticed you hadn't posted in quite a while, and I was kind of worried that something bad happened. I'm glad to hear that you are doing well. I once lost 65 lbs. over about a 4 month period (after being diagnosed with Type II Diabetes), and I know how hard that is. I'm very impressed with your weight loss. And Larry, I'm really liking the new forum! It's nice to get the whole page width back for posts, and I like that the individual forums are marked as having new posts, rather than relying on the timestamp of the most recent post. And the syntax-highlighted code is especially cool! Well done!