Confusion with html entities

Hi

Thank you so much for your reply. I have been in panic mode all day about just how much more work I need to do and have been researching MySQLi prepared statements, now I will make it a priority to get the Second Edition of PHP Solutions as the first book was my bible and help me write much on the code on my website as it stands.

I have sanitized my data using the php functions such as:

$sanitized = filter_input(INPUT_POST, '$formfield', FILTER_SANITIZE_STRING);

then on most form field except text fields I have checked the results against expected results.

With regards to running a mysqli connection and maintaining my mysql queries as they are for now, this is great news, and something I am hoping you will help me with:

At present I have four connections, one each for add, search, update and delete, which are detailed in a connections folder, and take the following format:

<?php

1. FileName="Connection_php_mysql.htm"

2. Type="MYSQL"

3. HTTP="true"

$hostname_connadd = "localhost";

$database_connadd = "databaseName";

$username_connadd = "username";

$password_connadd = "password";

$connadd = mysql_pconnect($hostname_connadd, $username_connadd, $password_connadd) or trigger_error(mysql_error(),E_USER_ERROR);

?>

I then call to the connection in each page using:

require_once('connections/connadd.php');

after which I use the :

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

}

then before my actual query:

mysql_select_db($database_connsearch, $connsearch);

Is it just defining the connections that I need to change and if so how?

Or do I need to change these two lines also:

require_once('connections/connadd.php');

mysql_select_db($database_connsearch, $connsearch);

At least if I can get my connection sorted I can get my website online and then concentrate on learning and changing to PDO or Mysqli in my own time (as a priority of course).

Thank you in advance for your time, you help is very much appreciated.

Date: Wed, 7 Nov 2012 09:16:55 -0700

From: forums_noreply@adobe.com

To: linda.barker7@hotmail.com

Subject: Confusion with html entities

Re: Confusion with html entities

created by Rob Hecker2 in Developing server-side applications in Dreamweaver - View the full discussion

I use PDO exclusively, but the closest to the original MySQL connection is MySQLi. One is not better than the other, but you may find it easier to switch to mysqli. Is the function you included the way you validate and sanitize data? You need to improve on that. There are probably some good mysqli tutorials and books, but I don't know of them. The second edition of PHP solutions by Powers gives code examples in both PDO and Mysqli. PHP Object Oriented Solutions, also by Powers, includes a very good class and instructions on using it to validate/sanitize form data (chapter 4). You don't have to change your whole website over at once. You can even run a PDO/Mysqli connection and a mysql_query() on the same page. But eventually you want to weed out all the mysql-query calls. This will be a lot of work and learning for you, but the result will be better, more secure code. Once you are comfortable with PDO or mysqli you will discover useful features they offer that mysql_query does not.

Please note that the Adobe Forums do not accept email attachments. If you want to embed a screen image in your message please visit the thread in the forum to embed the image at http://forums.adobe.com/message/4829996#4829996

Replies to this message go to everyone subscribed to this thread, not directly to the person who posted the message. To post a reply, either reply to this email or visit the message page:

To unsubscribe from this thread, please visit the message page at . In the Actions box on the right, click the Stop Email Notifications link.

Start a new discussion in Developing server-side applications in Dreamweaver by email or at Adobe Community

For more information about maintaining your forum email notifications please go to http://forums.adobe.com/message/2936746#2936746.