...

View Full Version : Escaping out of HTML inside PHP, to use PHP! Arghhhh!!!



Democrazy
09-20-2011, 12:28 PM
This code isn't working and I suspect because I am not using an escape function.


echo 'Product ID: <INPUT name="id" type="text" value="$query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); print $row['id']">';

If I am right, what is the escape function?

Democrazy
09-20-2011, 12:47 PM
That doesn't look right bro....


if (!empty($_POST['id']))

What's this?

Democrazy
09-20-2011, 12:56 PM
Can't I use an escape code inside my existing code?

gvre
09-20-2011, 12:57 PM
What exactly doesn't look right?

if (!empty($_POST['id'])) checks that $_POST['id'] exists.

Democrazy
09-20-2011, 12:59 PM
Exactly that.
I asked about an escape function, not how to check if $_POST['id'] exists.
Giving me things I didn't ask for when I'm trying to learn does nothing but confuse me.

KIS - Keep It Simple.

gvre
09-20-2011, 01:06 PM
This code isn't working and I suspect because I am not using an escape function.


echo 'Product ID: <INPUT name="id" type="text" value="$query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); print $row['id']">';

If I am right, what is the escape function?

You SHOULD rewrite this code.

Democrazy
09-20-2011, 01:07 PM
If you think I should re-write my code, tell me in a personal message and tell me WHY you think I should rewrite it.

BluePanther
09-20-2011, 01:15 PM
If you think I should re-write my code, tell me in a personal message and tell me WHY you think I should rewrite it.

Bit harsh, haha.

What exactly do you mean by an escape function? Judging by your code, you're looking to find the value for your input? What you should do is populate a resultset with a query to collect the product(s) that you're gonna use, then echo them out in a while loop with values from your resultset.
Example:


// $query is assumed to hold the SELECT for the product rows you want to show
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
    // . is the string concatenation operator; htmlspecialchars() stops a value
    // containing " or < from breaking out of the value="..." attribute
    echo 'Product ID: <INPUT name="id" type="text" value="' . htmlspecialchars($row['id']) . '">';
}

gvre
09-20-2011, 01:15 PM
"Bro", I have already posted the correct way to solve your problem.

Democrazy
09-20-2011, 01:17 PM
OMG!!!! Ok, it's pretty clear we have people with Down's syndrome in this thread..
Look, if you don't know how to escape out of my current code (assuming it can be done), then PLEASE just say nothing!
I'm sick of forum preachers! ****in hell what the **** is wrong with people!

Democrazy
09-20-2011, 01:19 PM
echo 'Product ID: <INPUT name="id" type="text" value="

// ESCAPE FROM HTML //
php code
// RETURN TO HTML //

">';

Democrazy
09-20-2011, 01:50 PM
Look don't worry. I solved it:


echo 'Product ID: '; $query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); print '<INPUT name="id" type="text" value="'.$row['id'].'"></DIV>';

Thanks for your efforts anyway.

Democrazy
09-20-2011, 01:59 PM
How do you start php and stop php in every php script?

tangoforce, if you take a closer look at my code, you will see that was not an option, and the PHP was going inside an HTML attribute.


That's just sloppy code. gvre has given you far better, neater and easier to maintain code. Use it or drop this thread. He has done you a massive favour even though you refuse to accept it.

Again, I do not care for opinions. If that's what I wanna use, then I will use it. I shouldn't have people constantly preaching to me about this way's better than that.
Neater and easier for you. To me, my way is better. In fact, my code is shorter and does exactly the same thing, so there you go.



Learning to program is about asking those with experience "Can you help?" and when they give something to you on a plate: Accepting it.

That's your ideology, and that style of learning doesn't apply to me.

I like seeing things - no explanations, just the raw code. My IQ is high enough to put together the logic in it to understand it.

... and like I said, people insist on preaching and including code that you didn't ask for. This does not help!
People in this world have many problems. I swear. I don't see why people can't give straightforward answers.

tangoforce
09-20-2011, 02:05 PM
tangoforce, if you take a closer look at my code, you will see that was not an option, and the PHP was going inside an HTML attribute.

Yes, and that's bad. Suppose you want to change the page layout in the future? - You've got a lot of work ahead of you. Templating is the way forward and that's what gvre was introducing you to.



I shouldn't have people constantly preaching to me about this ways better than that.


Yet that's exactly what you come to this forum and ask for help for. That is what this forum is all about - sharing tips, techniques and showing how to improve.



Neater and easier for you. To me, my way is better. In fact, my code is shorter and does exactly the same thing, so there you go.


Shorter? Not really. You still query the DB, read out the results, grab the first one and do something with it.



Thats your ideology, and that style of learning doesn't apply to me.


Why? - Are you the 'chosen' one? - Are you 'special'?



I like seeing things - no explanations, just the raw code. My IQ is high enough to put together the logic in it to understand it.


From what you've written above your IQ is pretty low and it's actually your ego that's higher (too high I may add). If you like raw code and can understand it by looking at it then how come you're posting so many topics each day and using words like 'Arghhhh!!!' in the subject?

I thought your high IQ handled these things? Oh, and with a high IQ you would have had enough foresight to see that gvre was looking at the bigger picture and doing you a favour. High IQ? Rubbish.

Don't expect much more help from people here to your 5 posts for emergency help every day (look at the title of this thread).

People will see you and think "I won't bother, he won't appreciate it". Good luck on your php island :thumbsup:

gvre
09-20-2011, 02:06 PM
Btw, I have removed my code because it's useless.
The result of the following query will be the same with $_POST['id'].


$query = "select id from products where id=" . $_POST['id']

BluePanther
09-20-2011, 02:14 PM
Hate to break it to you, but your code is in fact the longest in this thread, and least correct for its purpose. Just because it's all on the same line, you're still carrying out an equal or greater number of instructions. Putting all your code on one line and thinking it's faster and better is a beginner's mistake.

Your code will become useless if there's more than one product, which is why I offered my solution.

My solution was to benefit YOU, help YOU learn good programming technique, not anyone else. The amount of help you've gotten on this forum from me and others certainly did not warrant that response.

We are all people who volunteer to help people like you, who struggle with programming.

Be thankful for the time we take to make sure people don't just blindly follow tutorials and not learn the intricacies of PHP.

tangoforce
09-20-2011, 02:17 PM
Btw, I have removed my code because it's useless.
The result of the following query will be the same with $_POST['id'].


$query = "select id from products where id=" . $_POST['id']

I was waiting for someone to point that out (I thought about it but decided I'd be going OTT).

Still.. with such a high IQ I'm sure Democrybaby will soon work out that querying the table for an ID to get the ID he's feeding in will be pointless :D

EDIT:
With such a high IQ (and determination to use less code) shouldn't you be doing this?:


// quote the attribute and escape the value so a " or < typed by the user cannot break out of it
echo 'Product ID: <INPUT name="id" type="text" value="' . htmlspecialchars($_POST['id']) . '">';


I thought you were proud of your small amounts of code that were highly efficient? - You've started a flame war about querying a database to get out the same number you put in when you could have just echoed it straight into the field.

High IQ? - Gibberish.

Dormilich
09-20-2011, 02:33 PM
echo 'Product ID: <INPUT name="id" type="text" value="$query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); print $row['id']">';

this is what my PHP tells me about the code:

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';'
though without the appropriate error display setting, it will not be seen.

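The parse error above is the whole answer to the thread title: PHP code written inside a string literal is never executed, and the `'` in `$_POST['id']` closes the single-quoted string early. The following is an added example, not code from any post in this thread, showing the three correct ways to get a PHP value into an HTML attribute (concatenation, sprintf, and closing the PHP tag to use `<?= ?>` inside the markup). The function names and the sample `$id` value are made up for the demonstration; the sample deliberately contains a double quote to show why the value must be escaped for the attribute context.

```php
<?php
// Added example (not from the thread). Three ways to get a PHP value into an
// HTML attribute. PHP code written inside a string literal is never executed,
// which is why the original one-liner is a parse error: the ' in $_POST['id']
// closes the single-quoted string early.

// Constructed sample value: what a user could type into the id field.
// The quote would close value="..." early if it were echoed unescaped.
$id = '42" onfocus="alert(1)';

// 1. Close the string, concatenate with ., reopen. Escape for the HTML
//    attribute context so " becomes &quot; and < becomes &lt;.
function inputByConcat(string $id): string
{
    return 'Product ID: <INPUT name="id" type="text" value="'
        . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '">';
}

// 2. sprintf keeps the markup readable when there are several values.
function inputBySprintf(string $id): string
{
    return sprintf('Product ID: <INPUT name="id" type="text" value="%s">',
        htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

// 3. Leave PHP mode entirely and use the short echo tag inside the HTML.
//    This is the "escape out of HTML" the title asks about: you do not
//    escape inside a string, you close ?> and reopen with <?= or <?php.
function inputByTemplate(string $id): string
{
    ob_start();
    ?>
Product ID: <INPUT name="id" type="text" value="<?= htmlspecialchars($id, ENT_QUOTES, 'UTF-8') ?>">
    <?php
    return trim(ob_get_clean());
}

$a = inputByConcat($id);
assert($a === inputBySprintf($id));
assert($a === inputByTemplate($id));
// The attribute stays closed: the payload is inert text inside value="...".
assert(strpos($a, 'onfocus="') === false);
echo $a, PHP_EOL;
```

All three produce the same markup; pick one and use it consistently. Whichever you choose, the escaping call is not optional: a value that comes from `$_POST` or from a database row is untrusted in the HTML context regardless of where it was stored.
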
Democrazy
09-20-2011, 02:38 PM
Tango, I have better things to do than scouting around for the most efficient code on the planet. All I know is the code works. Now I have moved on.
You should probably do the same.


Dormilich:

I stripped some of the code that was not relevant to breaking out of HTML. The full code is this:

echo '<DIV class="datainputid">Product ID:'; $query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); echo ' <INPUT name="id" type="text" value="'.$row['id'].'"></DIV>';

tangoforce
09-20-2011, 02:41 PM
I stripped some of the code that was not relevant to breaking out of HTML. The full code is this:

echo '<DIV class="datainputid">Product ID:'; $query = "select id from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); echo ' <INPUT name="id" type="text" value="'.$row['id'].'"></DIV>';

You still don't see it, do you? - You're asking the database to give you the very same number you're telling it.

select id where id=$_POST['id']

In other words, the id you get out will be exactly the same as you already have - $_POST['id'].

Why are you even using the database to get something you already have?

If you're serious about learning php and being good at it, follow my advice: Drop the database query and just echo $_POST['id'] into your fields value.


Tango, I have better things to do than scouting around for the most efficienct code on the planet.

So why waste your own time querying the DB then?

Democrazy
09-20-2011, 02:49 PM
Yes, I noticed this earlier on today, that stupid code flow, and noted it. Stopping to fix something that already works will break my workflow.
Code optimization will come once the entire website is finished.
The code is generally used as:

select category from products where id=".$_POST['id']
category... size, colour, price, country, pricerange, etc.....


Why are you even using the database to get something you already have?

Update products page... Pulling all the information and prefilling the inputs so I don't have to enter them all again if I need to update something.

Wanna
09-20-2011, 02:51 PM
You can better optimize your code when you are working on it.
Because then you will learn something from it.

And don't go saying: I don't learn from this, I only learn from raw code.

When you optimize your code it still is raw code and much easier to read.

Democrazy
09-20-2011, 02:53 PM
You can better optimize your code when you are working on it.
Because then you will learn something from it.

Again, that is your philosophy and learning style and that does not work for me. I do not like the flow breaking.

Once something works that code becomes frozen until my goal is finished, and right now my goal is to get the website fully built and functional.

Wanna
09-20-2011, 02:56 PM
Everybody learns from this, you can't say you don't.

Everybody learns from asking a question and see how others do it.

Democrazy
09-20-2011, 03:01 PM
Yes, but stopping to ask questions breaks my flow.

I want my project finished ASAP.

I spend 12 hours a day on this website, I am unemployed and can't get a job until it's done. I've become lazy with gym and becoming fat - put on 15kg in the last 2 months coz this **** (not just the website... learning Linux as a server - Postfix, Dovecot, BIND etc, writing instructions, testing my own deployment for the future, etc), I have no money and I don't do anything.
I really couldn't care for PHP as an enthusiast right now. I just want my life back.

tangoforce
09-20-2011, 03:04 PM
Yes, I boiced this earlier on today that stupid code flow and noted it. Stopping to fix something that already works will brake my work flow.

No, it makes you a better programmer and debugger.



Update products page... Pulling all the information and prefilling the inputs so I don't have to enter them all again if I need to update something.

But your query isn't doing that.

You're using "select id from.." - You're simply selecting the id and then printing it into your form field. THAT is the real issue here.

You're querying the DB to get information that you already have. You don't need to do it and saying that you'll break your code flow is not a good excuse. You're still learning to program - you're not experienced enough to be talking about code flow etc so just get on and fix it.

Democrazy
09-20-2011, 03:09 PM
You're querying the DB to get information that you already have.

No. You have to see the way my system is to understand. I am building this system myself, everything works together. All information on my HTML is dynamic and gets pulled from MySQL, so when I want to alter a product, it asks "please enter ID", I enter the ID of the product and it pulls everything from MySQL and populates the INPUT fields, therefore, I must query.

I'm selecting "selecting id from.." for the reason above... "please enter your ID", I enter it, and then it pulls all the information about that ID:
select category from products where id=".$_POST['id']."
select colour from products where id=".$_POST['id']."
select price from products where id=".$_POST['id']."
select country from products where id=".$_POST['id']."

"select country from products where id=".$_POST['id'].""; $result = mysql_query($query); $row = mysql_fetch_array($result); echo ' <INPUT name="category" type="text" value="'.$row['category'].'"></DIV>';

You're assuming something that is not.

Wanna
09-20-2011, 03:15 PM
You already have the ID in $_POST['id'] and after that you're going to make a call to the database to get the ID from the row where ID = $_POST['id']

This is like asking a salesman for the price when the price is on the product.

If you select multiple columns from the same table you can use this:


SELECT category, colour, price, country FROM products WHERE id=".$_POST['id']."

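The single query above, and the `where id=".$_POST['id']` concatenation used throughout this thread, are the two points a security reviewer would stop at: one round trip per column is wasteful, and gluing `$_POST['id']` into the SQL text lets the user change the statement itself. The following is an added example written for this page, not code from any post or from the original site. It fetches every column for the "alter product" form with one parameterised query and escapes each value on output. It uses an in-memory SQLite table with constructed sample data so it runs offline; with MySQL only the DSN and credentials in the `PDO` constructor change. The function names, the column set and the sample row are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread). One parameterised query fetching all
// columns for the "alter product" form, then prefilling the inputs.
// SQLite in memory stands in for MySQL so the script runs offline.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data matching the columns named in the thread.
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, category TEXT, colour TEXT, price TEXT, country TEXT)');
    $pdo->exec("INSERT INTO products VALUES (1, 'shoes', 'red', '49.99', 'Italy')");
    return $pdo;
}

// The pattern used in the thread, shown only for contrast and never called:
//   $query = "select id from products where id=" . $_POST['id'];
// Here the user's text becomes part of the SQL, so "1 OR 1=1" or
// "1; DROP TABLE products; --" change what the statement does.

function loadProduct(PDO $pdo, string $id): ?array
{
    // Ids are integers, so reject anything else before touching the database.
    // (MySQL would otherwise coerce "1 OR 1=1" to 1 with a warning; the
    // placeholder below already stops it altering the statement, the check
    // just makes the rejection explicit and backend-independent.)
    if (!ctype_digit($id)) {
        return null;
    }
    // The value is sent separately from the SQL text: it can never change the
    // structure of the statement, whatever characters it contains.
    $stmt = $pdo->prepare('SELECT category, colour, price, country FROM products WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderInputs(array $row): string
{
    $html = '';
    foreach ($row as $name => $value) {
        // Escape on output: a value coming from the database is not safe to
        // place inside value="..." just because it was stored there earlier.
        $html .= '<DIV class="datainput' . $name . '">' . ucfirst($name) . ': '
            . '<INPUT name="' . $name . '" type="text" value="'
            . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"></DIV>' . PHP_EOL;
    }
    return $html;
}

$pdo = openDemoDb();

// Normal use: the id the user typed into the "please enter ID" form.
$row = loadProduct($pdo, '1');
assert($row === ['category' => 'shoes', 'colour' => 'red', 'price' => '49.99', 'country' => 'Italy']);
echo renderInputs($row);

// Injection attempts are rejected and the table is untouched.
assert(loadProduct($pdo, '1 OR 1=1') === null);
assert(loadProduct($pdo, '1; DROP TABLE products; --') === null);
assert($pdo->query('SELECT COUNT(*) FROM products')->fetchColumn() == 1);
```

In the real page `$id` would be `$_POST['id']`; the rest of the form (the update that writes the edited values back) should use the same `prepare`/`execute` shape, with one placeholder per column, rather than concatenation.
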
Democrazy
09-20-2011, 03:19 PM
Add product (put into MySQL)
http://i55.tinypic.com/35kkj2b.png

Alter product (pull from MySQL)
http://i55.tinypic.com/25kscna.png

Update MySQL
http://i51.tinypic.com/der90k.png
(See 1 is already prepopulated? I am coding this page right now, that's why the rest isn't populated - I have to program it to do so for the other inputs)

Democrazy
09-20-2011, 03:20 PM
you already have the id in the $_post['id'] and after that you going to make a call to the database to get the id from the row where id = $_post['id']

yes.. I know!!! I will fix it later! :d

Wanna
09-20-2011, 03:21 PM
Like i said: You can extract all the data from a row with a single query.
And not use a query for all the data you need.

Democrazy
09-20-2011, 03:36 PM
SELECT category, colour, price, country FROM products WHERE id=".$_POST['id']."


Yes! This is very much superior over my way heaps!
I will change the code to this style when the time for optimization comes.

If I back track now and change it all, I will come back to my current task in a different state of mind "Ok, where was I, what was I doing.. oh ****! > jump on facebook"
The fact is, my current code works and I am moving forward. That's all that matters. LOL dude, I have two 3GHz cores in my CPU and 2GB of RAM. My computer is not going to die under the load I am expecting. This is not a life support system or something mission critical.
While I am a computer enthusiast, I really do have better things to do than code optimization.

Thanks!!

Inigoesdr
09-20-2011, 03:42 PM
SO... this thread has run its course. Everyone calm down and be nice to each other. :)


