I am POSTING a form to the same page, validating and sanitizing the input, then redisplaying the page with the user input preserved if there are any user errors, such as missing form items or incorrect formats.
When an error is detected and the page redisplays, I use:
value="<?php if (isset($_POST['textfield'])) { echo htmlentities($_POST['textfield']); } ?>"
and
value="<?php if (isset($_POST['textarea'])) { echo htmlentities($_POST['textarea']); } ?>"
to redisplay the user input.
My problem occurs when I use single or double quotes in the form: the display shows the equivalent entity for " or ' instead of preserving the quotes from the user input.
Perhaps this is correct, it makes sense, but I thought I was doing the right thing by using HTML entities to redisplay user input? I presume I am not using it correctly or am missing something?
I would appreciate any help and advice with this problem.
Thank you in advance.
It sounds like you are using the deprecated MySQL connection.
NO ONE SHOULD BE USING THAT ANY LONGER!
Use PDO or MySQLi with prepared statements and parameterized queries to avoid SQL injection attacks.
Then you don't have to concern yourself with quotation marks in the data. Of course you must still validate and sanitize, but you don't need to convert the quotes/apostrophes, and no htmlentities needed.
Hi
Thank you for your reply; now I am really confused!
OK, it's a while since I did the programming side of my website, as I have spent the last 18 months doing the content.
I link to my database using:
require_once('connections/conndelete.php');
require_once('connections/connsearch.php');
require_once('connections/connadd.php');
require_once('connections/connupdate.php');
// with the connections details in the connections file
if (!function_exists("GetSQLValueString")) {
    // Dreamweaver helper for the legacy mysql_* extension: escapes a value and
    // quotes it according to its type, returning NULL for empty values
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        // undo magic_quotes_gpc escaping, then escape for MySQL
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
// select the database and run the query with the legacy mysql_* extension
mysql_select_db($database_connsearch, $connsearch);
$query_reMenuBeds = "SELECT * FROM bedtable";
$reMenuBeds = @mysql_query($query_reMenuBeds, $connsearch);
$row_reMenuBeds = mysql_fetch_assoc($reMenuBeds);
$totalRows_reMenuBeds = mysql_num_rows($reMenuBeds);
Is the above the deprecated code?
Please could you point me in the direction of some information on the best way to amend my code to the prepared statements and parameterized queries that you mention.
Will I still be able to pull the information from my MySQL database?
This has thrown me completely, as I thought I was almost ready to go online, so please could you point me in the right direction for changing my code with the least changes? As in PDO or MySQLi, which is the nearest to what I have been doing?
Hope you can help me,
I look forward to your reply,
Thank you in advance
Date: Tue, 6 Nov 2012 15:14:30 -0700
From: forums_noreply@adobe.com
Subject: Confusion with html entities
Re: Confusion with html entities
created by Rob Hecker2 in Developing server-side applications in Dreamweaver - View the full discussion
Please note that the Adobe Forums do not accept email attachments. If you want to embed a screen image in your message please visit the thread in the forum to embed the image at http://forums.adobe.com/message/4828130#4828130
Will I still be able to pull the data from my mysql database?
Absolutely. These are just three different ways to connect to the database. The database doesn't change.
I use PDO exclusively, but the closest to the original MySQL connection is MySQLi. Between PDO and MySQLi, one is not better than the other, but you may find it easier to switch to MySQLi.
Is the function you included the way you validate and sanitize data? You need to improve on that. So yes, all that code needs to be completely rewritten.
There are probably some good MySQLi tutorials and books, but I don't know of them. The second edition of PHP Solutions by Powers gives code examples in both PDO and MySQLi. PHP Object Oriented Solutions, also by Powers, includes a very good validation class and instructions on using it to validate/sanitize form data (chapter 4 alone is worth the price of the book).
You don't have to change your whole website over at once. You can even run a PDO/Mysqli connection and a mysql_query() on the same page. But eventually you want to weed out all the mysql-query calls.
This will be a lot of work and learning for you, but the result will be better, more secure code. Once you are comfortable with PDO or mysqli you will discover useful features they offer that mysql_query does not.
You should be using a recent version of MySQL and PHP. I believe MySQL 5 and PHP 5.2, but I'm not positive.
Hi
Thank you so much for your reply. I have been in panic mode all day about just how much more work I need to do and have been researching MySQLi prepared statements. Now I will make it a priority to get the second edition of PHP Solutions, as the first book was my bible and helped me write much of the code on my website as it stands.
I have sanitized my data using the PHP functions such as:
$sanitized = filter_input(INPUT_POST, $formfield, FILTER_SANITIZE_STRING); // $formfield holds the name of the form field
then on most form fields except text fields I have checked the results against expected results.
With regards to running a mysqli connection and maintaining my mysql queries as they are for now, this is great news, and something I am hoping you will help me with:
At present I have four connections, one each for add, search, update and delete, which are detailed in a connections folder, and take the following format:
<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connadd = "localhost";
$database_connadd = "databaseName";
$username_connadd = "username";
$password_connadd = "password";
$connadd = mysql_pconnect($hostname_connadd, $username_connadd, $password_connadd) or trigger_error(mysql_error(), E_USER_ERROR);
?>
I then call to the connection in each page using:
require_once('connections/connadd.php');
after which I use:
if (!function_exists("GetSQLValueString")) {
    // Dreamweaver helper for the legacy mysql_* extension: escapes a value and
    // quotes it according to its type, returning NULL for empty values
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        // undo magic_quotes_gpc escaping, then escape for MySQL
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
then before my actual query:
mysql_select_db($database_connsearch, $connsearch);
Is it just defining the connections that I need to change and if so how?
Or do I need to change these two lines also:
require_once('connections/connadd.php');
mysql_select_db($database_connsearch, $connsearch);
At least if I can get my connection sorted I can get my website online and then concentrate on learning and changing to PDO or Mysqli in my own time (as a priority of course).
Thank you in advance for your time; your help is very much appreciated.
Unfortunately it's much more than simply changing the connection. Most of the logic of your queries will be fine, except that you will use parameterized variables instead of placing the variables directly.
You will not use mysql_real_escape_string. It won't be needed.
I can't help you a lot with MySQLi because I only use PDO, so I'm not familiar with the nuances of MySQLi. With PDO, there are some significant differences that, for me, were a stumbling block, and there are some things it seems at first you can't do. For instance, there isn't an equivalent of mysql_num_rows, which seems odd until you understand why.
The way you sanitize the string is OK. It does use the built-in PHP function, but I still recommend the class described in the Powers book because it gives you the whole process of validating, sanitizing, dealing with errors and making sure that the data that gets into the database has been properly filtered.
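As an added example (not code from the thread, from Dreamweaver or from Rob), here is the GetSQLValueString/mysql_query pattern quoted earlier rewritten with PDO prepared statements in the way Rob describes: the query text is fixed at prepare() time and the value is bound separately, so quotes and apostrophes in the data need no escaping. It uses an in-memory SQLite database so it runs offline; the bedtable columns, sample rows, search terms and function names are constructed, and for MySQL only the DSN and credentials would change.

```php
<?php
declare(strict_types=1);

// Open the database. SQLite in memory keeps the example self-contained; for
// MySQL the DSN would be e.g. 'mysql:host=localhost;dbname=databaseName;charset=utf8mb4'
// with the username and password from the connection file, plus
// PDO::ATTR_EMULATE_PREPARES => false so that binding happens server-side.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not with an @-silenced false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed schema and rows; the real bedtable layout is not on the page.
    $pdo->exec('CREATE TABLE bedtable (id INTEGER PRIMARY KEY, bedname TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO bedtable (bedname) VALUES (:name)');
    foreach (['Double', "King's Single", 'Bunk "Tower"'] as $name) {
        $insert->execute([':name' => $name]); // quotes inside the data need no escaping
    }
    return $pdo;
}

// Before (the pattern from the thread, shown for contrast, not executed here):
//   $q = "SELECT * FROM bedtable WHERE bedname = " . GetSQLValueString($term, "text");
//   $r = @mysql_query($q, $connsearch);
//   $n = mysql_num_rows($r);
// After: the SQL is fixed when prepare() runs; $term travels separately as a
// parameter, so a quote or apostrophe in it cannot alter the statement.
function findBeds(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT id, bedname FROM bedtable WHERE bedname LIKE :term');
    $stmt->bindValue(':term', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// The mysql_num_rows concern raised in the thread: PDOStatement::rowCount() is
// not guaranteed to report SELECT results on every driver (MySQL included), so
// either count the rows you fetched or ask the database for COUNT(*).
function countBeds(PDO $pdo, string $term): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM bedtable WHERE bedname LIKE :term');
    $stmt->execute([':term' => '%' . $term . '%']);
    return (int) $stmt->fetchColumn();
}

$pdo = openDatabase();
// Constructed search terms; two of them contain the quote characters the thread is about.
foreach (["'", '"Tower"', 'Double'] as $term) {
    $rows = findBeds($pdo, $term);
    printf("search %-10s -> %d fetched, COUNT(*) = %d\n", var_export($term, true), count($rows), countBeds($pdo, $term));
    foreach ($rows as $row) {
        printf("  %d: %s\n", $row['id'], $row['bedname']);
    }
}
```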
Thank you for your reply.
I have been looking at the parameterized variables today, so I understand the general concept and the fact that I wouldn't need mysql_real_escape_string.
I will get David's book and make a start. I am sure I will have more questions in future; I am especially concerned about mysql_num_rows, I use this a lot!
Thank you, as always Adobe provides the best help, even if it is not what you want to hear!
The issue with mysql_num_rows is with PDO, not MySQLi, and there is a workaround. You don't lose anything by going to MySQLi, but you may have to do some things differently.
Thank you for clarifying
Desperation...
How long do you think that my current format will be supported if I went online now? My possible host cannot guarantee mysql_pconnect time length, but it does support it now. Am I looking at weeks or months before my website would not work without the changes?
best regards as always
The mysql connection will be supported for a long time, and even if a newer version of PHP didn't support it, you could always stay with a server that uses an older version. It will have nothing to do with the browsers your website visitors use.
The reason you need to change is because the older connection is not as secure and has other problems and limitations. You can say goodbye to issues with quotes and apostrophes.
Yes, I can see that I need to make it my priority to change over and I will do this, to MySQLi I think, but I am going to read David's book first before doing anything.
In the meantime, given that the mysql_pconnect that I use is still supported, may I ask for assistance to resolve my issue with the quotes:
My form posts to the same page, I use:
action="<?php echo $editFormAction; ?>"
// PHP_SELF reflects the requested path, so it is escaped like any other untrusted value before it goes into the attribute
$editFormAction = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
I then sanitize each form field and validate it against expected values. If all is OK it goes into the database; if a user has made an error in one of the form fields, the page is re-presented keeping their initial submission in the form fields. This is where my problem lies: on the error and re-presentation of the sticky form fields.
If a user has used either single or double quotes, the entity for " and/or ' is displayed when the page is redisplayed. The 'and' sign & is fine; this gets displayed as it is, so it is only the quotes.
I use the following code when the page re displays:
// remove escape characters from the $_POST array when magic_quotes_gpc is on
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
}
AND
this code when re displaying the actual text area:
echo htmlentities($_POST['textarea']);
I think it is the last line, the echo htmlentities, that causes the problem. If I remove it all works fine. Do I really need it when I redisplay user input if the input has already been sanitized? As it doesn't actually go into the database until it is all validated correctly to my requirements?
It is strange though that the 'and' '&' sign doesn't get displayed as the entity value so this is adding to my confusion.
I look forward to your reply.
Once again thank you for persevering with me.
When we include code snippets in this forum the programmers (if they were using PHP) would use html entities to correctly display the code, but normally you would not want to use htmlentities. If you apply htmlentities to text that has already had it applied, you end up creating entities out of the entities.
So the answer is no, don't apply htmlentities to the text returned from the database.
How best to protect your data and your database depends on many factors. You may want to use strip_tags to prevent any tags at all to be included in text being inserted. For instance, if someone is entering their name in a form, there is no reason to allow the name to come in like this:
<p><strong><i>John Smith</i></strong></p>
If you are allowing the user to include formatted text coming from a WYSIWYG editor, then you can use strip_tags with exclusions to allow a selected list of tags. For instance, if a user includes a stray opening or closing div tag, it can wreak havoc on a page layout.
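Added example (not code from the thread or from Rob): the two functions Linda combines, FILTER_SANITIZE_STRING and htmlentities(), are enough on their own to reproduce the symptom, because FILTER_SANITIZE_STRING already rewrites quotes as numeric entities and htmlentities() then encodes the ampersand of each entity a second time (the "entities out of the entities" Rob describes), while a bare & is encoded only once and so looks right. The block shows that double encoding on a constructed input and the practitioner's fix of escaping exactly once at output time, either by keeping the raw validated value and calling htmlspecialchars() with ENT_QUOTES when rendering or by passing double_encode=false; the sample input and function names are my own.

```php
<?php
declare(strict_types=1);

// Constructed user input, as a visitor might type it into the sticky form.
const SAMPLE_INPUT = 'Say "hello" & it\'s fine';

// Step 1 from the thread: FILTER_SANITIZE_STRING strips tags and, by default,
// also rewrites " as &#34; and ' as &#39; (unless FILTER_FLAG_NO_ENCODE_QUOTES
// is set). It is deprecated since PHP 8.1 and used here only to reproduce the
// behaviour the thread describes. filter_var() stands in for filter_input() so
// no real POST request is needed.
// Result: Say &#34;hello&#34; & it&#39;s fine
function sanitizeAsInThread(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_STRING);
}

// Step 2 from the thread: htmlentities() on the already-encoded value. The '&'
// of each existing entity is encoded again (&amp;#34;), so the browser renders
// the literal text &#34; instead of a quote mark. The bare '&' is encoded only
// once (&amp;) and renders as '&', which is why only the quotes looked wrong.
// Result: Say &amp;#34;hello&amp;#34; &amp; it&amp;#39;s fine
function redisplayDoubleEncoded(string $sanitized): string
{
    return htmlentities($sanitized, ENT_QUOTES, 'UTF-8');
}

// Fix A: keep the raw value for redisplay, validate it, and encode exactly once
// at the point of output. ENT_QUOTES covers both quote styles, so the result is
// safe inside value="..." and inside <textarea>...</textarea>.
// Result: Say &quot;hello&quot; &amp; it&#039;s fine  (browser shows the original text)
function redisplayEncodedOnce(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Fix B: if the value has already been entity-encoded, tell htmlentities() not
// to encode existing entities again (fourth argument double_encode = false).
// Result: Say &#34;hello&#34; &amp; it&#39;s fine  (browser shows the original text)
function redisplayWithoutDoubleEncode(string $sanitized): string
{
    return htmlentities($sanitized, ENT_QUOTES, 'UTF-8', false);
}

// The sticky textarea, rendered with a single escape of the raw value.
function renderStickyTextarea(string $raw): string
{
    return '<textarea name="textarea">' . redisplayEncodedOnce($raw) . '</textarea>';
}

$sanitized = sanitizeAsInThread(SAMPLE_INPUT);
printf("sanitized:            %s\n", $sanitized);
printf("double encoded:       %s\n", redisplayDoubleEncoded($sanitized));
printf("encoded once (raw):   %s\n", redisplayEncodedOnce(SAMPLE_INPUT));
printf("no double encode:     %s\n", redisplayWithoutDoubleEncode($sanitized));
printf("sticky textarea:      %s\n", renderStickyTextarea(SAMPLE_INPUT));
```

Whichever form of the value the page holds, the rule is one escape per output context: the raw value escaped once at render time, never an already-encoded value escaped again.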
Thank you Rob,
At the risk of becoming a complete pain, I have one final query with regards to the mysql_connect.
You mentioned that it would be supported for a while yet, but I have noticed that my connection is mysql_pconnect in the following format:
$hostname_connadd = "localhost";
$database_connadd = "database";
$username_connadd = "username";
$password_connadd = "password";
$connadd = mysql_pconnect($hostname_connadd, $username_connadd, $password_connadd) or trigger_error(mysql_error(),E_USER_ERROR);
What is the difference? Does it matter? Many moons ago when I set up the connection this is how I presume Dreamweaver did it. Do I need to change this connection to mysql_connect (I am concerned that the pconnect won't have the same support)? If I do need to change it, can I just literally remove the p (I am imagining not)? So how would I change to mysql_connect, if it is the case that I need to?
When I contacted my possible hosting company they seem to support mysql_connect but have limited options with mysql_pconnect.
Thank you again and sorry for all the questions, you have been so helpful.
mysql_pconnect creates a persistent connection, whereas mysql_connect drops the connection immediately after execution. Both are going to close when the script closes anyway.
There is probably no reason for you to be using the 'p'connect, so you can probably drop it and everything will work fine.
There are situations where it is necessary or desirable to use the p connect, but chances are, if your code required it, you would be aware of it.
So, you probably never should have been using pconnect in the first place, but it's probably also no big deal that you did.
Thank you for everything.
Book ordered.
No doubt you will hear from me again as I start to re write my code.
Best regards.