Author Topic: cannot properly escape string  (Read 1411 times)

Offline noname8

  • Posts: 145
cannot properly escape string
« on: October 23, 2016, 12:24:39 PM »
I'm creating a snippet that updates json string into mysql.
The problem is that json contains " -characters
but I can't get it to either run through php or run through sql, always mismatch of the ' characters:

Code: [Select]
$save_string='[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';


$save_string=addslashes($save_string);

$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content='.$save_string.' WHERE user_id='.$uid;
$results = $database->query( $sql );
$retval.= $results.$sql;
$retval.= '<br>päivitetty';
-Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12

Code: [Select]
$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=''.$save_string.'' WHERE user_id='.$uid;
Parse error: syntax error, unexpected ''.$save_string.'' (T_CONSTANT_ENCAPSED_STRING) in ....droplets.php(37) : eval()'d code on line 41

Code: [Select]
$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=\''.$save_string.'\' WHERE user_id='.$uid;
Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12


Code: [Select]
$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content=\\''.$save_string.'\\' WHERE user_id='.$uid;

Parse error: syntax error, unexpected ''.$save_string.'' (T_CONSTANT_ENCAPSED_STRING) in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 41


So what does it take to get it in to the system?!!
Working sql made manually and run into sql console:
Code: [Select]
UPDATE wbakervk1_users SET checked_content='[{\"page_id\":\"1\",\"viewed\":\"1\"},{\"page_id\":\"2\",\"viewed\":\"0\"},{\"page_id\":\"13\",\"viewed\":0}]' WHERE user_id=1


Offline DarkViper

  • Forum administrator
  • *****
  • Posts: 3021
  • Gender: Female
Re: cannot properly escape string
« Reply #1 on: October 23, 2016, 02:05:25 PM »
I'm creating a snippet Droplet that updates json string into mysql.
The problem is that json contains " -characters
but I can't get it to either run through php or run through sql, always mismatch of the ' characters:

Code: [Select]
$save_string='[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';

$save_string=addslashes($save_string);

$sql='UPDATE '.TABLE_PREFIX.'users SET checked_content='.$save_string.' WHERE user_id='.$uid;
$results = $database->query( $sql );
$retval.= $results.$sql;  // <--  !! concatenate Boolean and String ???
$retval.= '<br>päivitetty';
-Fatal error: Call to a member function query() on a non-object in /var/www/verkkokurssi/modules/droplets/droplets.php(37) : eval()'d code on line 12

  • "Call to a member function query() on a non-object" means that $database does not contain a valid database object.
    You can try to import the global one.
  • the use of addslashes() with SQL statements is a bad solution.
    Use $database->escapeString($save_string); instead.

Ok, from this the following code should work properly.
Code: [Select]
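<?php

// Droplet code runs inside eval(), so the global database object must be imported.
global $database;
$sSaveString = '[{"page_id": "'.$pid.'", "viewed": "'.$pvalue.'"}]';
// escapeString() escapes the value for the active connection; (int) forces a numeric id.
$sql = 'UPDATE `'.TABLE_PREFIX.'users` '
     . 'SET `checked_content`=\''.$database->escapeString($sSaveString).'\' '
     . 'WHERE `user_id`='.(int)$uid;
$bRetval = $database->query($sql);

return '<br>'.($bRetval ? 'päivitetty' : 'virhe');
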
have a nice day,
Manuela
« Last Edit: October 23, 2016, 02:11:24 PM by DarkViper »
The blue planet - it is not our property - we have only borrowed it from our descendants

"You have to take the men as they are… but you can not leave them like that !" :-P
The daily quick prayer: Oh Lord, throw brains down from heaven !
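
An added example (not part of the original posts and not WebsiteBaker code): the same update done with json_encode() and a PDO prepared statement, so neither the JSON nor the SQL needs manual quoting. The table name wb_users, the function save_checked_content() and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Added example: wb_users and save_checked_content() are constructed names.
// SQLite in memory stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wb_users (user_id INTEGER PRIMARY KEY, checked_content TEXT)');
$pdo->exec("INSERT INTO wb_users (user_id, checked_content) VALUES (1, '[]'), (2, '[]')");

function save_checked_content(PDO $pdo, int $uid, array $pages): int
{
    // json_encode() escapes quotes and backslashes inside values, so the JSON stays valid.
    $json = json_encode($pages, JSON_THROW_ON_ERROR);
    // Placeholders send the data separately from the SQL text, so no quoting is needed.
    $stmt = $pdo->prepare(
        'UPDATE wb_users SET checked_content = :content WHERE user_id = :uid'
    );
    $stmt->bindValue(':content', $json, PDO::PARAM_STR);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input: a value containing ', " and \ at the same time.
$pages = [['page_id' => '13', 'viewed' => "O'Brien said \"ok\" \\ done"]];
$changed = save_checked_content($pdo, 1, $pages);

$rows = $pdo->query('SELECT user_id, checked_content FROM wb_users ORDER BY user_id')
            ->fetchAll(PDO::FETCH_ASSOC);
$stored = json_decode($rows[0]['checked_content'], true, 512, JSON_THROW_ON_ERROR);

var_dump($changed === 1);                       // exactly one row was updated
var_dump($stored === $pages);                   // the value round-trips unchanged
var_dump($rows[1]['checked_content'] === '[]'); // the other user's row is untouched
```

Building the JSON with json_encode() also covers the case where $pid or $pvalue themselves contain a double quote, which string concatenation would turn into invalid JSON.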

Offline noname8

  • Posts: 145
Re: cannot properly escape string
« Reply #2 on: October 23, 2016, 04:58:15 PM »
Thanks a million! (nynccats) https://www.youtube.com/watch?v=GE8M5QM1sf8
it was missing the global $database; row at the start.

And also thanks for the real escape, couldn't figure that out !
 :-)

 
