|
M-Dayyan wrote: I want to store an image to the MySql database's filed?
Google is your friend.  [^]
|
|
|
|
|
No, I don't think so.
You are my friend 
A nice friend.
Isn't it.
|
|
|
|
|
Hello guru's
I am writing an API for my project in this case one of function return XML message ( actually its a small xml node ) i store that xml to an variable and if i alert if its show correct XML data, and if i pass it to function its give error <xml_variable> is not defined ........ I am very new in XML can any one told me where i am doing wrong. My complete code is given below.
<?
Required class file and javascript files.
?>
<html>
<head>
<title></title>
<link href="templates/<?php echo $TEMPLATE ?>/css/stylesheet.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="templates/<?php echo $TEMPLATE ?>/javascript/jstb_validations.js"></script>
<script type="text/javascript" src="templates/<?php echo $TEMPLATE ?>/javascript/AjaxRequest.js"></script>
<script type="text/javascript" src="templates/<?php echo $TEMPLATE ?>/javascript/xparse.js"></script>
<script language="javascript" type="text/javascript">
</script>
<!------- Validation for client side java script function ---------->
<script type="text/javascript">
function parseXML()
{
var device_type_name = document.getElementById('device_type_name').value;
var reporting_interval = document.getElementById('reporting_interval').value;
var module = document.getElementById('module').value;
var version = document.getElementById('version').value;
var s_key = document.getElementById('s_key').value;
var uid = document.getElementById('uid').value;
var lang = document.getElementById('lang').value;
var strUrl = 'api/index.php?device_type_name='+device_type_name+'&reporting_interval='+reporting_interval+'&module='+module+'&version='+version+'&s_key='+s_key+'&uid='+uid+'&lang='+lang;
// var strUrl = 'api/index.php?device_type_name=trewq&reporting_interval=10&module=ADD_DEVICE_TYPE&version=0.3&s_key=XYZ&uid=1&lang=english';
AjaxRequest.get(
{
'url':strUrl
,'onSuccess':function(req)
{
//alert(req.responseText);
var str_xml = req.responseText;
alert(str_xml);
// Note above alert show correct XML .
}
}
);
text="<note>";
text=text+"<to>Tove</to>";
text=text+"<from>Jani</from>";
text=text+"<heading>Reminder</heading>";
text=text+"<body>Don't forget me this weekend!</body>";
text=text+"</note>";
try //Internet Explorer
{
xmlDoc=new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async="false";
// xmlDoc.loadXML(text);
xmlDoc.loadXML(str_xml);
}
catch(e)
{
try // Firefox, Mozilla, Opera, etc.
{
parser=new DOMParser();
// xmlDoc=parser.parseFromString(text,"text/xml");
xmlDoc=parser.parseFromString(str_xml,"text/xml");
}
catch(e)
{
alert(e.message);
return;
}
}
/*
var to=xmlDoc.getElementsByTagName("to")[0].childNodes[0].nodeValue;
var from=xmlDoc.getElementsByTagName("from")[0].childNodes[0].nodeValue;
var message=xmlDoc.getElementsByTagName("body")[0].childNodes[0].nodeValue;
alert(to);
alert(from);
alert(message);
*/
var to=xmlDoc.getElementsByTagName("result")[0].childNodes[0].nodeValue;
alert(to);
}
function ChkFrm_data()
{
frm=document.add_new_dev_type;
if(frm.device_type_name.value=="")
{
CustomAlert('<?php echo NECESSARY_FIELD_REQUIRED?>');
frm.txt_device_type_name.focus();
return false;
}
if(frm.reporting_interval.value=="")
{
CustomAlert('<?php echo NECESSARY_FIELD_REQUIRED?>');
frm.txt_reporting_interval.focus();
return false;
}
}
function CheckInteger(input_object)
{
if(!isNumeric(input_object.value))
{
CustomAlert('<?php echo NUMERIC_FIELD_REQUIRED?>');
input_object.value = "";
//next two lines are there for compatibility with FireFox
myField = input_object;
setTimeout("this.myField.focus();",0);
//input_object.focus();
return false;
}
}
function CustomAlert(message, message_header, message_type)
{
alert(message);
}
</script>
<!------- /Validation for client side java script function ---------->
</head>
<body class="body_inner">
<form action="add_new_dev_type.php" name="add_new_dev_type" method="POST" onSubmit="return ChkFrm_data();">
<table id="form_container">
<tr id="form_header">
<td colspan="2"><?php echo HEADING?></td>
</tr>
<tr id="form_message">
<?if(!empty($message)){?>
<td colspan="2"><?php echo $message;?></td>
<?}?>
</tr>
<tr id="field_row">
<td><?php echo DEVICE_TYPE_NAME?></td>
<td><input type='text' name='device_type_name' id='device_type_name' value='<?php echo $device_type_name ?>' /></td>
</tr>
<tr id="field_row">
<td><?php echo REPORTING_INTERVAL?></td>
<td><input type='text' id="reporting_interval" name='reporting_interval' value='<?php echo $reporting_interval ?>' onChange="return CheckInteger(document.getElementById('txt_reporting_interval'))" /></td>
</tr>
<tr>
<td colspan="2">
<input type="hidden" name="module" id="module" value="ADD_DEVICE_TYPE">
<input type="hidden" name="version" id="version" value="0.3">
<input type="hidden" name="s_key" id="s_key" value="<?php echo $CURRENT_HASH?>">
<input type="hidden" name="uid" id="uid" value="<?php echo $USER_ID?>">
<input type="hidden" name="lang" id="lang" value="english">
<input type="button" onClick="parseXML()" name='Save' value='Save' />
</td>
</tr>
</table>
</form>
</body>
</html>
Note : if i pass XML "text" which is also write at this page this program work properly ... i am using this program from w3school
Please help me i am really bothered ... Thanks in advanced
Regard's
Kaushik
|
|
|
|
|
Well I didn't test it.
Just to say there are some XML classes here[^]
try those.
|
|
|
|
|
I am writing a simple form for a website I am developing and I keep getting parse errors, mostly dealing with quotes around HTML tags. Here is my code - any guidance would be appreciated. The errors I am getting are creeping up between the following 2 comment tags, to make it easier to identify:
///////////////////////////////////////////////////////
//check for existence of missing fields/error messages
///////////////////////////////////////////////////////
and
/* commented this out for testing of first part of script
/////////////////////////////
// WRITE DATA TO MYSQL table
/////////////////////////////
Here's my code:
<HTML>
<HEAD>
<TITLE>SHIRT SCRIPT</TITLE>
</HEAD>
<BODY>
<?php
include ("validation_functions.php4");
function shirtsSetup()
{
////////////////////////////////////////
//GET VALUES FROM SHIRT PORTION OF FORM
////////////////////////////////////////
$name = ($_POST['name']);
$address = ($_POST['address']);
$city = ($_POST['city']);
$state = ($_POST['state']);
$zip = ($_POST['zip']);
$email = ($_POST['email']);
$phone = ($_POST['phone']);
$quantity = ($_POST['quantity']);
$size = ($_POST['size']);
$color = ($_POST['color']);
$price = 15;
$shirtTotalPrice = $price * $quantity;
$instructions = ($_POST['instructions']);
$paypal = ($_POST['paypal']);
$check = ($_POST['check']);
$to = "myemail@yahoo.com";
$subject = "OMN T-Shirt order";
$message= "$name\n$address\n$city\n$state\n$zip\n$phone\n$email\n$phone\nquantity\n$size\n$color\n$instructions";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
//////////////////////////////
//CHECK FOR ERRONEOUS FIELDS.
//////////////////////////////
$error_msg = array();
$valid = verifyAlphaNum($name);
if(!valid) {
$error_msg[] = "Name must be letters, spaces, dashes and ' only";
}
$valid = verifyAlphaNum($address);
if(!valid) {
$error_msg[] = "Address must be letters, numbers, spaces, dashes and ' only";
}
$valid = verifyAlphaNum($city);
if(!valid) {
$error_msg[] = "City must be letters, spaces, dashes and ' only";
}
$valid = verifyAlphaNum($state);
if(!valid) {
$error_msg[] = "State must be two letters only";
}
$valid = verifyAlphaNum($zip);
if(!valid) {
$error_msg[] = "Zip must contain five numbers only";
}
$valid = verifyEmail($email);
if(!valid) {
$error_msg[] = "Email must be a valid format";
}
///////////////////////////////////////////////////////
//check for existence of missing fields/error messages
///////////////////////////////////////////////////////
if($error_msg)
{
echo "<ul>\n";
foreach($error_msg as $err) {
echo "<div align = "center"><li>" .$err. "<li>\n</div>";
}
echo "<div align = "center"></ul>\n</div>";
}
else
if (!$error_msg )&& ($paypal == 'on')
{
mail($to, $subject, $message, $headers);
echo "<div align = "center">Your Order: " .$size. " .$color. ".$quantity. ".$shirtTotalPrice. "<br /></div>";
}
/* commented this out for testing of first part of script
/////////////////////////////
// WRITE DATA TO MYSQL table
/////////////////////////////
mysql_select_db(database name, connection pointer) or die (Unable to select database.");
mysql_query('INSERT into TABLE_NAME (Name, Address, City, State, Zip, Email, Phone, Quantity, Size, Color, Instructions) VALUES ($name, $address $city, $state, $zip, $email, $phone, $quantity, $size, $color, $instructions)', $connectID) or die ("Unable to insert records into database.");
header ('Refresh: 3; URL = http://www.paypal.com');//REDIRECT TO PAYPAL.COM
exit();
}
else
if (!$error_msg )&& ($check == 'on')
{
mail($to, $subject, $message, $headers);
echo "Thank you for your order! Please allow 2-3 weeks shipping time.<br />"
Order will be shipped upon receipt of check.";
header ('Refresh: 3; URL = http://www.mypage.com'); //REDIRECT TO HOME
}
*/
}
?>
</BODY>
</HTML>
|
|
|
|
|
|
That probably would help, eh?  . Here ya go....
Also, just to clarify my program, this is a t-shirt order form and the $paypal and $check variables ccorrespond to checkboxes asking if the user wants to pay by check or with paypal.
<html>
<head>
<title>Validations functions</title>
</head>
<body>
<?php
// print "included ok";
function verifyAlphaNum($testString)
{
if (eregi ("^([[:alnum:]]|-|\.||')+$", $testString))
{
return 1;
}
else
{
return 0;
}
}
function verifyEmail($testString)
{
if (eregi ("^([[:alnum:]]|-|\.||')+@([[:alnum:]]|\.|-
)+(\.)([a-z]{2, 4})$", $testString))
{
return 1;
}
else
{
return 0;
}
}
function verifyText($testString)
{
if (eregi("^([[:alnum:]]|-|\.||\n|\r|\?|\!|\"|\' ')+$",
$testString))
{
return 1;
}
else
{
return 0;
}
}
function verifyPhone($testString)
{
if(eregi('^([[:digit:]]||-)+$', $testString))
{
return 1;
}
else
{
return 0;
}
}
?>
</body>
</html>
|
|
|
|
|
Here is my corrected version:
1. You are/were including a full HTML document into an already existing defined HTML document. I removed the extraneous HTML from validation_functions.php4 incase they snuck in there by accident somehow.
2. You are testing a variable without the leading '$' which PHP uses to indicate a variable. Although it won't cause a parse error (syntactically it's acceptable) you won't get expected results because there is no constant named 'valid'
<br />
$valid = verifyAlphaNum($name);<br />
if(!valid) {<br />
$error_msg[] = "Name must be letters, spaces, dashes and ' only";<br />
}<br />
You should change these instances to:
<br />
$valid = verifyAlphaNum($name);<br />
if(!$valid) {<br />
$error_msg[] = "Name must be letters, spaces, dashes and ' only";<br />
}<br />
When I run your code I get the following error:
Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /var/www/test.php on line 87
Here is a tip: Always include the error information like above when asking for help with source code, and always wrap the source code in a [code] bracket so it's nicely formatted. It saves people from having to copy/psate and run your code like I had to do.
Anyways, with that error message in hand I can quickly jump to line 87 in my editor and immediately spot the problem(s):
echo "<div align="center"><li>" .$err. "<li></li></li></div>";
You using double quotes for the HTML attribute when it's already wrapped in double quotes
Change that code to this:
echo '<div align="center"><li>'.$err.'</li></div>
Notice how I use double quotes for the HTML attribute and single quotes for the PHP string? That was intentional and should be considered a best practice. Why?
PHP parser supports interpolated strings, meaning you can use a PHP variable in a double quoted string, like this:
$test = 'Some Value';
echo "Hello world this is a variable: $test";
The above would output something like:
Hello world this is a variable: Some Value
While this might seem cool (and it is handy in some circumstances) it should be a practice avoided like the plague.
1. It can lead to difficult to find bugs as it's not very explicit.
2. You incur a performance hit because PHP tokenizer needs to process double quoted strings
By using single quoted strings instead od double inside PHP you save yourself from the above problems.
Use concatenation, like you already do:
echo 'This is a '.$test.' string';
Or you can also use the C style sprintf functions, like so:
echo sprintf('This is a string: %s', $test);
One more issue I've spotted:
if (!$error_msg ) && ($paypal == 'on')
Should be:
if (!$error_msg && $paypal == 'on')
Cheers
I'm finding the only constant in software development is change it self.
|
|
|
|
|
Thanks Hockey! Yes, I noticed after posting my php4 function that my 'valids' were missing the $s. Also, the help on the concatenation helped a lot. This was throwing me off more than anything. Thanks again! The form (up to the rest of my commented-out code) works great!
Ben
|
|
|
|
|
Not that I've even used Perl ( I used Pyhton tho )
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
|
|
|
|
|
Wow...someone else that hasn't used it...I thought I was the only one in this day and age.
Scott Dorman Microsoft® MVP - Visual C# | MCPD
President - Tampa Bay IASA
Hey, hey, hey. Don't be mean. We don't have to be mean because, remember, no matter where you go, there you are. - Buckaroo Banzai
[ Forum Guidelines][ Articles][ Blog]
|
|
|
|
|
Christian Graus wrote: ( I used Pyhton tho )
You're off-topic. This is the Perl forum. You may want to check out the Python[^] forum. I just took a peak, and a well-known CP regular has already posted there. He can probably give you a hand with your Python questions. 
|
|
|
|
|
For what it's worth
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
|
|
|
|
|
which apparently isn't much since there isn't any other activity yet. 
Scott Dorman Microsoft® MVP - Visual C# | MCPD
President - Tampa Bay IASA
Hey, hey, hey. Don't be mean. We don't have to be mean because, remember, no matter where you go, there you are. - Buckaroo Banzai
[ Forum Guidelines][ Articles][ Blog]
|
|
|
|
|
Python, sounds like a pet to me 
but on a more serious note, all i know is that python is a scripting language. What exactly does that mean? why would i as a C# developer use python for?
Harvey Saayman - South Africa
Junior Developer
.Net, C#, SQL
think BIG and kick ASS
you.suck = (you.passion != Programming)
|
|
|
|
|
see my response under "what is python's claim to fame?". The only reason not to learn Python is that once you do so much of C# will drive you insane,... that has certainly been my experience
Paul Coldrey
http://www.lumient.com.au/
|
|
|
|
|
Some background: I have taken a few measures to prevent SQL injection on my PHP/MySQL setup (currently WAMP for development, but will be LAMP for production server):
- In my users table, I have entered a "bad" user, with all the fields equal to 0.
- this is the first user in the table
- if a hacker tries to enter ' or ''=' in the uname field:
- (theoretically,) "bad" user will be first result, and
- (theoretically,) # of results will also be greater than 1 (more than 1 user)
- (theoretically,) the following code will prevent said hacker from gaining unauthorized access
- mysql_real_escape_string() function will be used to escape input when site is launched, but right now it is not in use to allow testing of common SQL injection methods.
- I have read that mysql_real_escape_string() has some vulnerabilities.
- I know mysql_real_escape_string() is more secure than addslashes().
<span style="color: green">
<span style="color: blue">$u</span> = <span style="color: blue">$_POST[uname]</span>;
<span style="color: blue">$p</span> = <span style="color: blue">$_POST[pass]</span>;
<span style="color: green">
<span style="color: blue">$query</span> = <span style="color: red">"select uid,uname,fname,lname,email,phone,other,pass from ads.users where uname = '$u'"</span>;
<span style="color: blue">$result</span> = mysql_query(<span style="color: blue">$query</span>);
<span style="color: blue">$rows</span> = mysql_num_rows(<span style="color: blue">$result</span>);
<span style="color: green">
if (<span style="color: blue">$rows</span> > 1) {
<span style="color: green"></span>
die (<span style="color: red">"Error[20]: You have entered potentially harmful input. Security measures have been put in place until this incident can be reviewed."</span>);
}
<span style="color: blue">$record</span> = mysql_fetch_assoc(<span style="color: blue">$result</span>);
<span style="color: blue">$passQuery</span> = <span style="color: red">"select password('$p') = '$result[pass]'"</span>;
if (<span style="color: blue">$rows</span> == 1 && mysql_num_rows(mysql_query(<span style="color: blue">$passQuery</span>))) {
if (<span style="color: blue">$record[uid]</span> == 0) {
<span style="color: green">
die (<span style="color: red">"Error[25]: You have entered input that could be harmful to the site. Security measures have been put in place until this incident can be reviewed."</span>);
}
<span style="color: blue">$l</span> = 1; <span style="color: green">
<span style="color: green">
<span style="color: blue">$_SESSION[uid]</span> = <span style="color: blue">$record[uid]</span>;
<span style="color: blue">$_SESSION[uname]</span> = <span style="color: blue">$record[uname]</span>;
<span style="color: blue">$_SESSION[fname]</span> = <span style="color: blue">$record[fname]</span>;
<span style="color: blue">$_SESSION[lname]</span> = <span style="color: blue">$record[lname]</span>;
<span style="color: blue">$_SESSION[phone]</span> = <span style="color: blue">$record[phone]</span>;
<span style="color: blue">$_SESSION[email]</span> = <span style="color: blue">$record[email]</span>;
} else <span style="color: blue">$loginError</span> .= <span style="color: red">"Error: Invalid username and/or password."</span>;
I dunno... maybe I'm just paranoid... I just want to make sure to CMA to prevent liability problems, since this will be a commercial site.
P.S. I hope the markup helps read my programming - I know my lines tend to be fairly long...
"Silently laughing at silly people is much more satisfying in the long run than rolling around with them in a dusty street, trying to knock out all their teeth. If nothing else, it's better on the clothes." - Belgarath (David Eddings)
|
|
|
|
|
To prevent SQL injection all you need to do is escape and use good validation. Other stuff can be a waste of time.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
I usually use this function to prevent SQL injection, maybe it's useful for you :
function quote_smart($value)
{
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
if (!is_numeric($value))
{
$value = mysql_real_escape_string($value);
}
return $value;
}
Sorry for my English. I'm a freshman .
|
|
|
|
|
Bradml wrote: Other stuff can be a waste of time
Like using parameters instead of inlining?
cheers,
Chris Maunder
CodeProject.com : C++ MVP
|
|
|
|
|
Exactly.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
What level of validation is enough?
I think that using prepared statements with parameters is the safest way, what do you think ?
|
|
|
|
|
SQLi is best handled using the database's native escaping routines and not just relying on addslashes() -- there is actually a way to circumvent addslashes from what I remember.
Filtering is probably a good practice as well.
To avoid escaping, you could just use PDO and prepared statements which handles the escaping for you automagically as well.
I'm finding the only constant in software development is change it self.
|
|
|
|
|
Hi friends.
I usually use Smarty to create templates.
When I wanted to create somethings like this :
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
</body>
</html>
I created three files ( for example Header.tpl , Footer.tpl , Body.tpl )
Header.tpl :
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
Body.tpl :
<table>
<tr>
<td> </td>
</tr>
</table>
Footer.tpl :
</body>
</html>
Then I wrote this Smarty code in PHP to created above HTML file :
$smarty -> display('Header.tpl');
for ($i=0; $i<=3; $i++)
$smarty -> display('Body.tpl');
$smarty -> display('Footer.tpl');
This way is bad, because designing template is very difficult.
Are there any ways to use Smarty and create above HTML file.
Thanks in advance
Sorry for my English. I'm a freshman .
|
|
|
|
|
Can't you just output the HTML? It doesn't stop normal PHP from working.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
