Re: Re-designing a flash site in (x)html
you should add it to any variables that are set by the user aside from the body (and definitely don't use it on the headers). the body is allowed to have new lines (otherwise, you'll just get a bunch of garbled text with no paragraphs [assuming you are creating paragraphs]).
glad you finally figured out the mysql_real_escape_string() thing.
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
you should add it to any variables that are set by the user aside from the body (and definitely don't use it on the headers). the body is allowed to have new lines (otherwise, you'll just get a bunch of garbled text with no paragraphs [assuming you are creating paragraphs]).
glad you finally figured out the mysql_real_escape_string() thing.
Ah ok so it would be:
PHP Code:
<?php
// Address the form is delivered to (the "$" was missing here)
$sendTo = "myemail";
// Strip every kind of line break from the subject so a visitor cannot
// smuggle extra headers (Bcc:, Cc:, ...) into the message
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines, "", $_POST["uSubject"]);
// The body may keep its line breaks; they never reach the headers.
// Lines in the body are separated with "\n" ("\n\r" is not a line ending)
$message = "Customer's name: " . $_POST["Username"] . "\n"
    . "Customer's email: " . $_POST["uEmail"] . "\n"
    . "Customer's address: " . $_POST["uAddress"] . "\n";
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>
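The check the thread is circling around, as an added example that is not the poster's code: every user-supplied value that ends up in a mail header must be free of CR and LF, otherwise the visitor can append headers of their own. This version rejects such values instead of silently stripping them, validates the visitor's address with filter_var() before putting it in a Reply-To header, and returns the pieces so they can be inspected before mail() is ever called. The field names are the ones used above; the addresses and the attack input are constructed for the example.

```php
<?php
// Added example, not code from the thread. Field names follow the form above;
// addresses, the function names and the hostile input are assumptions.

// Reject CR, LF and NUL in anything that is going to become a header value.
function header_value(string $value, int $maxLen = 200): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('CR/LF in header value');
    }
    return substr(trim($value), 0, $maxLen);
}

// A header value that must additionally be a syntactically valid address.
function sender_address(string $email): string
{
    $email = header_value($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

// Build subject, body and headers for the contact form. Returning an array
// keeps mail() out of the function so the result can be checked first.
function build_mail(array $post): array
{
    $subject = header_value($post['uSubject'] ?? '');
    $email   = sender_address($post['uEmail'] ?? '');
    // Body lines: newlines are fine here, the body never becomes a header.
    $message = "Customer's name: " . ($post['Username'] ?? '') . "\n"
             . "Customer's email: " . $email . "\n"
             . "Customer's address: " . ($post['uAddress'] ?? '') . "\n";
    // Fixed From: header; the visitor's (validated) address goes in Reply-To.
    $headers = "From: flash application <noreply@example.com>\r\n"
             . "Reply-To: " . $email;
    return ['subject' => $subject, 'message' => $message, 'headers' => $headers];
}

// Constructed attack input: a subject that tries to add a Bcc: header.
$attack = [
    'uSubject' => "Hello\r\nBcc: spamtarget@example.net",
    'uEmail'   => 'visitor@example.org',
    'Username' => 'Visitor',
    'uAddress' => "1 High Street\nTown",
];
try {
    build_mail($attack);
    echo "BUG: attack accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// Benign input passes; send it only once you have looked at the result.
$ok = build_mail([
    'uSubject' => 'Order query',
    'uEmail'   => 'visitor@example.org',
    'Username' => 'Visitor',
    'uAddress' => "1 High Street\nTown",
]);
// mail('myemail@example.com', $ok['subject'], $ok['message'], $ok['headers']);
```

Rejecting is preferable to stripping here: a subject containing a line break is never legitimate input from the form, and a rejected request tells you someone is probing the script, whereas str_replace() would hide that.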
Re: Re-designing a flash site in (x)html
I'm surprised you're still not understanding this, to be completely honest.
the only thing you need to use mysql_real_escape_string() on is user input that will be going into a database or SQL query! this doesn't mean you use it on data you've received from a database (unless you're putting it back in, possibly). if your script stops working when you use it on an image name or image type that you are storing in a database, then you are again doing something wrong. if you aren't putting it into a database, then there would be no reason to use mysql_real_escape_string() on it. ever.
if you want to make things a little easier on yourself, do something I do when I'm handling form data that may or may not go into a database:
PHP Code:
<?php
// only if we're posted to
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // mysql_real_escape_string() needs an open mysql_connect() link: it
    // escapes according to the connection's character set
    $mysql_safe = array();
    foreach ($_POST as $key => $value) {
        $mysql_safe[$key] = mysql_real_escape_string($value);
    }
}
?>
if you run this code, then you have your original variables stored in $_POST, and your sanitised variables stored in $mysql_safe! if you are ever inserting data into an SQL query, you can use $mysql_safe to do so; if you are instead displaying output to a user or echoing out your flash variables, you can use $_POST.
PHP Code:
// "table" is a reserved word in MySQL, hence the backticks; the closing quote was missing
$sql = "INSERT INTO `table` (name) VALUES('{$mysql_safe['name']}')";
// output into a page needs HTML escaping, which is a different escape from the SQL one
echo "Hello, " . htmlspecialchars($_POST['name']) . "!";
editor's note: this is a very simplified example and I also do all error processing (empty variables, valid emails, etc) during this foreach loop. you could do it there as well, if you like.
edit: hey, look, this is my 1337th post. neat.
Re: Re-designing a flash site in (x)html
Quote:
Originally Posted by
kows
I'm surprised you're still not understanding this, to be completely honest.
It's ok! I made a couple of simple mistakes. This code works:
PHP Code:
<?php
// Note: the mysql_* functions used here were removed in PHP 7 (mysqli or PDO
// replace them); this listing targets the PHP 5 era of the thread.
// Database connection variables
$dbDatabase = "BazaarCeramics";
// connect to server or exit (root with an empty password is a local dev setup only)
if (!($conn = mysql_connect("localhost", "root", ""))) {
    echo '&result=connection+failed&';
    exit;
}
// Escape every value that is going into an SQL query (needs the open link above)
$pName      = mysql_real_escape_string($_POST['pName']);
$pPrice     = mysql_real_escape_string($_POST['pPrice']);
$pImageName = mysql_real_escape_string($_POST['pImageName']);
$pImageType = mysql_real_escape_string($_POST['pImageType']);
// Make sure every product field has been entered
if ($pName == "" || $pPrice == "" || $pImageName == "" || $pImageType == "") {
    echo '&result=you+must+enter+a+product&';
    exit;
}
if (!(mysql_select_db($dbDatabase, $conn))) {
    echo '&result=db+selection+failed&';
    exit;
}
// Does the product already exist?
if (!($result = mysql_query("SELECT * FROM products WHERE productid = '$pName'"))) {
    echo '&result=query+failed&';
    exit;
}
$num_results = mysql_num_rows($result);
if ($num_results == 0) { // product does not exist so insert
    $insert = "INSERT INTO products (productid, pPrice, pImagePath, pImageType)
        VALUES ('$pName', '$pPrice', '$pImageName', '$pImageType')";
    if (mysql_query($insert, $conn))
        echo "&result=the+product+'$pName'+has+been+successfully+added&";
    else
        echo '&result=the+insert+was+not+successful&';
} else { // update product
    $update = "UPDATE products SET pPrice = '$pPrice', pImagePath = '$pImageName', pImageType = '$pImageType' WHERE productid = '$pName'";
    if (mysql_query($update, $conn))
        echo "&result=the+product+'$pName'+has+been+successfully+updated&";
    else
        echo '&result=the+update+was+not+successful&';
}
?>
I removed the string before because I thought I didn't need it on:
PHP Code:
$pImageName= mysql_real_escape_string($_POST['pImageName']);
$pImageType= mysql_real_escape_string($_POST['pImageType']);
However, after testing the code again I found out I was wrong.
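The two posts above make one point between them: escape a value for the place it is going, and only there (SQL escaping for the query, nothing or HTML escaping for the page). Here is an added example, not code from the thread, that reworks the insert-or-update logic of the product script with prepared statements, where the driver does the SQL escaping and the application never builds the query from strings, and then shows the same value needing a different escape for HTML output. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table layout is assumed from the queries in the post, and the hostile product name is a constructed input.

```php
<?php
// Added example, not from the thread. Assumptions: SQLite via PDO stands in
// for the MySQL database, the column names are taken from the post's queries,
// and the hostile product name is constructed for the demonstration.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (
        productid TEXT PRIMARY KEY, pPrice TEXT, pImagePath TEXT, pImageType TEXT)');
    return $pdo;
}

// Insert the product if it does not exist, otherwise update it. Every value is
// bound as a parameter, so a quote inside it can never end the SQL string.
function save_product(PDO $pdo, string $name, string $price, string $image, string $type): string
{
    $exists = $pdo->prepare('SELECT COUNT(*) FROM products WHERE productid = :id');
    $exists->execute([':id' => $name]);
    if ((int) $exists->fetchColumn() === 0) {
        $stmt = $pdo->prepare('INSERT INTO products (productid, pPrice, pImagePath, pImageType)
                               VALUES (:id, :price, :image, :type)');
        $action = 'added';
    } else {
        $stmt = $pdo->prepare('UPDATE products SET pPrice = :price, pImagePath = :image,
                               pImageType = :type WHERE productid = :id');
        $action = 'updated';
    }
    $stmt->execute([':id' => $name, ':price' => $price, ':image' => $image, ':type' => $type]);
    return $action;
}

// The other context: the same name echoed into a page needs HTML escaping,
// which has nothing to do with the SQL escaping.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = open_db();

// Constructed hostile product name: closes the quote and appends a second statement.
$hostile = "mug'; DROP TABLE products; --";

echo save_product($pdo, $hostile, '9.99', 'mug.jpg', 'image/jpeg'), "\n";   // first call inserts
echo save_product($pdo, $hostile, '10.99', 'mug.jpg', 'image/jpeg'), "\n";  // second call updates

// The table still exists and holds exactly one row with the literal name.
$rows = $pdo->query('SELECT productid, pPrice FROM products')->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 1, $rows[0]['productid'] === $hostile, $rows[0]['pPrice'] === '10.99');

// One value, two contexts: quoted for an SQL literal by the driver (the role
// mysql_real_escape_string() played in the thread), escaped for HTML by us.
echo 'SQL literal:  ', $pdo->quote($hostile), "\n";
echo 'HTML output:  ', html($hostile), "\n";
```

With bound parameters there is no longer a "safe copy" of $_POST to keep track of: the raw value is handed to execute(), and the only escaping left to write by hand is the one for the output context, which is why the page and the query need different treatment rather than one sanitised array for everything.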
Re: Re-designing a flash site in (x)html
Hopefully, I will be able to get the code to work with the design I want. I am just waiting on the code to run the database creation script via a link. I have got the code to run the script via a flash button though.
Re: Re-designing a flash site in (x)html
Finally finished the site! If I upload it I will put the link in my sig.