update multiple escape characters?

johnworf

Hi,

I've managed to pull data from my database and update multiple fields...

..but if the data has special characters in then it won't update at all..

I'm not sure where to put htmlentities() or stripslashes or mysql_escape_string() whatever php code to escape the text?

e.g.

Description=htmlentities('$Description[$i]'), i thought might be right but doesn't work..

what's best to use and where do i put it to update the fields correctly?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<strong>Update multiple rows in mysql</strong><br>

<?php
$host="blah.com"; // Host name
$username="blah"; // Mysql username
$password="blah"; // Mysql password
$db_name="blah"; // Database name
$tbl_name="Restaurants"; // Table name

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT * FROM $tbl_name WHERE Verify=0";
$result=mysql_query($sql);

// Count table rows
$count=mysql_num_rows($result);
?>
<table width="500" border="0" cellspacing="1" cellpadding="0">
<form name="form1" method="post" action="">
<tr>
<td>
<table width="500" border="0" cellspacing="1" cellpadding="0">


<tr>
<td align="center" bgcolor="#FFFFFF"><strong>ID</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Name</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Email</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Restaurant</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Website</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Description</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>URL</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Verify</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>State ID</strong></td>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center"><? $ID[]=$rows['ID']; ?><? echo $rows['ID']; ?></td>
<td align="center"><input name="Name[]" type="text" id="Name" value="<? echo $rows['Name']; ?>"></td>
<td align="center"><input name="Email[]" type="text" id="Email" value="<? echo $rows['Email']; ?>"></td>
<td align="center"><input name="Restaurant[]" type="text" id="Restaurant" value="<? echo $rows['Restaurant']; ?>"></td>
<td align="center"><input name="Website[]" type="text" id="Website" value="<? echo $rows['Website']; ?>"></td>
<td align="center"><input name="Description[]" type="text" id="Description" value="<? echo $rows['Description']; ?>"></td>
<td align="center"><input name="URL[]" type="text" id="URL" value="<? echo $rows['URL']; ?>" size="100"></td>
<td align="center"><input name="Verify[]" type="text" id="Verify" value="<? echo $rows['Verify']; ?>"></td>
<td align="center"><input name="StateID[]" type="text" id="StateID" value="<? echo $rows['StateID']; ?>"></td>
</tr>
<?php
}
?>
<tr>
<td colspan="8" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</td>
</tr>
</form>
</table>
<?php
// Check if button name "Submit" is active, do this
if($Submit){
for($i=0;$i<$count;$i++){
$sql1="UPDATE $tbl_name SET Name='$Name[$i]', Email='$Email[$i]', Restaurant='$Restaurant[$i]', Website='$Website[$i]', Description='$Description[$i]', URL='$URL[$i]', Verify='$Verify[$i]', StateID='$StateID[$i]' WHERE ID='$ID[$i]'";
$result1=mysql_query($sql1);
}
}

if($result1){
echo "<meta http-equiv=\"refresh\" content=\"0;URL=update.php\">";
}
mysql_close();
?>
</body>
</html>

laserlight

johnworf wrote:
I'm not sure where to put htmlentities() or stripslashes or mysql_escape_string() whatever php code to escape the text?

Use htmlentities() to escape the text for printing to the browser. Use mysql_real_escape_string() to escape the text for the SQL statement. Better yet, use the PDO extension with prepared statements.

johnworf

ok - so where do i put...

mysql_real_escape_string()

in the code?

johnworf

i tried replacing...

Description='$Description[$i]'

with

Description=mysql_real_escape_string('$Description[$i]')

but it did nothing - it wouldn't let me update because of the special characters.

laserlight

No, like this:

$sql1 = sprintf("UPDATE $tbl_name SET Name='&#37;s', Email='%s', Restaurant='%s', Website='%s', Description='%s', URL='%s', Verify='%s', StateID='%d' WHERE ID='%d'",
    mysql_real_escape_string($Name[$i]),
    mysql_real_escape_string($Email[$i]),
    mysql_real_escape_string($Restaurant[$i]),
    mysql_real_escape_string($Website[$i]),
    mysql_real_escape_string($Description[$i]),
    mysql_real_escape_string($URL[$i]),
    mysql_real_escape_string($Verify[$i]),
    $StateID[$i],
    $ID[$i]);

But you would be better off using prepared statements where you can prepare the statement once and then rebind it in the loop.

johnworf

Thanks - that worked beautifully.

"But you would be better off using prepared statements where you can prepare the statement once and then rebind it in the loop."

I don't understand to be honest?

laserlight

johnworf wrote:
What does that mean in english please?

But it is English 😃
What you are doing now is running SQL statements in a loop. This means that without a query cache, the same SQL statement would have to be re-compiled and then executed. It would be better if it could be compiled once, and then executed multiple times with different values substituted.

For example, using the PDO extension, and assuming $dbh is our PDO object (i.e., database handle object), we might write:

$stmt = $dbh->prepare("UPDATE $tbl_name SET Name=:Name, Email=:Email,
    Restaurant=:Restaurant, Website=:Website, Description=:Description,
    URL=:URL, Verify=:Verify, StateID=:StateID WHERE ID=:ID");

for ($i = 0; $i < $count; ++$i) {
    $stmt->bindValue(':Name',        $Name[$i],        PDO::PARAM_STR);
    $stmt->bindValue(':Email',       $Email[$i],       PDO::PARAM_STR);
    $stmt->bindValue(':Restaurant',  $Restaurant[$i],  PDO::PARAM_STR);
    $stmt->bindValue(':Website',     $Website[$i],     PDO::PARAM_STR);
    $stmt->bindValue(':Description', $Description[$i], PDO::PARAM_STR);
    $stmt->bindValue(':URL',         $URL[$i],         PDO::PARAM_STR);
    $stmt->bindValue(':Verify',      $Verify[$i],      PDO::PARAM_STR);
    $stmt->bindValue(':StateID',     $StateID[$i],     PDO::PARAM_INT);
    $stmt->bindValue(':ID',          $ID[$i],          PDO::PARAM_INT);
    $stmt->execute();
}

johnworf

...so what's that in english...:-)

i think this is probably beyond me to be honest - i hope others can gleam something from it - thanks for your help...hopefully i'll be there in a year or so.