cannot properly escape string

noname8

Thanks a million! (nynccats) https://www.youtube.com/watch?v=GE8M5QM1sf8
it was missing the global $database; row at the start.

And also thanks for the real escape, couldn't figure that out !
:-)

DarkViper

#2
Quote from: noname8 on October 23, 2016, 12:24:39 PM
I'm creating a snippet Droplet that updates json string into mysql.
The problem is that json contains " -characters
but I can't get it to either run through php or run through sql, always mismatch of the ' characters:


$save_string='[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';

$save_string=addslashes($save_string);

$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content='.$save_string.' WHERE user_id='.$uid;
$results = $database->query( $sql );
$retval.= $results.$sql;  // <--  !! concatenating Boolean and String ???
$retval.= '<br>päivitetty';

-Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12


  • "Call to a member function query() on a non-object" means that $database does not contain a valid database object.
    You can try to import the global one.
  • the use of addslashes() with SQL statements is a bad solution.
    Use $database->escapeString($save_string); instead.

Ok, from this the following code should work properly.
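<?php

// Droplet code runs inside a function scope, so the global object must be imported.
global $database;
$sSaveString = '[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';
// Escape the string for the SQL literal and cast the id to an integer.
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '
     . 'SET `checked_content`=\''.$database->escapeString($sSaveString).'\' '
     . 'WHERE `user_id`='.(int)$uid;
$bRetval = $database->query($sql);

// 'päivitetty' = updated, 'virhe' = error
return '<br>'.($bRetval ? 'päivitetty' : 'virhe');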

have a nice day,
Manuela
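
The same update with the JSON built by json_encode() and the values bound as parameters, as an added example that is not part of the original posts and is not WebsiteBaker code. It assumes PDO with an in-memory SQLite table in place of the CMS's $database object; the function name saveCheckedContent and the sample values are hypothetical.

```php
<?php
// Added example: PDO with an in-memory SQLite table stands in for the CMS
// database; table and column names mirror the thread, values are constructed.
declare(strict_types=1);

function saveCheckedContent(PDO $db, int $uid, array $entries): bool
{
    // json_encode() escapes quotes and backslashes inside the values, so the
    // JSON stays valid whatever the page id / viewed values contain.
    $json = json_encode($entries, JSON_THROW_ON_ERROR);

    // Placeholders keep data out of the SQL text: no addslashes(), no manual
    // quoting, and the id is bound as an integer.
    $stmt = $db->prepare(
        'UPDATE users SET checked_content = :content WHERE user_id = :uid'
    );
    $stmt->bindValue(':content', $json, PDO::PARAM_STR);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, checked_content TEXT)');
$db->exec("INSERT INTO users (user_id, checked_content) VALUES (1, '')");

// Constructed input containing the characters that broke the hand-built query.
$entries = [
    ['page_id' => '1', 'viewed' => '1'],
    ['page_id' => '13', 'viewed' => 'it\'s "seen" \\ ok'],
];

$ok = saveCheckedContent($db, 1, $entries);

// Read the row back and confirm the JSON survived the round trip unchanged.
$stored = $db->query('SELECT checked_content FROM users WHERE user_id = 1')
             ->fetchColumn();
$decoded = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);

echo $ok ? "updated\n" : "no row updated\n";
echo $stored, "\n";
echo $decoded === $entries ? "round trip OK\n" : "round trip FAILED\n";
```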

noname8

I'm creating a snippet that updates json string into mysql.
The problem is that json contains " -characters
but I can't get it to either run through php or run through sql, always mismatch of the ' characters:


$save_string='[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';


$save_string=addslashes($save_string);

$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content='.$save_string.' WHERE user_id='.$uid;
$results = $database->query( $sql );
$retval.= $results.$sql;
$retval.= '<br>päivitetty';

-Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12


$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=''.$save_string.'' WHERE user_id='.$uid;

Parse error: syntax error, unexpected ''.$save_string.'' (T_CONSTANT_ENCAPSED_STRING) in ....droplets.php(37) : eval()'d code on line 41


$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=\''.$save_string.'\' WHERE user_id='.$uid;

Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12


$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=\\''.$save_string.'\\' WHERE user_id='.$uid;


Parse error: syntax error, unexpected ''.$save_string.'' (T_CONSTANT_ENCAPSED_STRING) in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 41


So what does it take to get it in to the system?!!
Working sql made manually and run into sql console:

UPDATE wbakervk1_users SET checked_content='[{\"page_id\":\"1\",\"viewed\":\"1\"},{\"page_id\":\"2\",\"viewed\":\"0\"},{\"page_id\":\"13\",\"viewed\":0}]' WHERE user_id=1