thinsoldier
  1. Everyone has already given correct advice but not assisted with the problem they are possibly having an emotional breakdown over. It's highly likely they've posted this to multiple forums and in every thread every reply is telling them "do it the right way" and their eyes are glazing over all of that as they frantically skip for "the solution to the problem". Once they get their problem to go away and their experimental code to work, they calm down, and maybe then re-read the replies that were trying to teach them something and decide to start a new experiment: try to do the same thing I just did but do it the modern way with PDO because 26 people told me to.
  2. Provide an answer suitable to their current level so they can get to the next step. If they had a level of absolute zero I would have pointed to a PDO tutorial. But since they've already started to develop an understanding based on whatever old book they are following, answering their question using the original code from their question will be the most understandable answer for them at this time. Ignoring their current situation and telling them to drop what they're currently doing and go learn PDO might delay their short term needs by a week. Answering their old code question with more old code might delay their advancement as a developer by a year. Based on the way they asked their question, I don't think they care about that second one. With luck, somewhere over the next few months they will make the time to look into why mysql_* is bad and actually take that next step towards being a better developer.
  3. 'name'=>array( 'modelSetter'=>'setName', 'modelGetter'=>'getName' ), 'email'=>array( 'modelSetter'=>'setEmail', 'modelGetter'=>'getEmail' ) I would assume all form fields already match the model property and all getters and setters follow the same naming convention, and then only need to define something in a mapping array for the few that do not. Set up throws or user errors in the model to notify you a.s.a.p. of a field your form is sending to the model that does not exist on the model and has not been mapped.
  4. var_dump( $obj->mGender['Type'] ); to find out what kind of value it holds. I assume it will be the literal string "enum('M','F')". If so you'll have to do some string replacing and exploding to get an array of just ['M','F']. You could just hard code M and F <options> and save yourself the trouble.
  5. If they were on PHP 7 they'd get a completely different error. Run var_dump( $query ); What does it tell you $query is? Suggestions: $table = mysql_real_escape_string($table); $where = mysql_real_escape_string($where); $equals = mysql_real_escape_string($equals); if( !!!!! some kind of boolean condition needs to be checked in here !!!!!) { $query_statement = "SELECT * FROM $table WHERE $where='$equals'"; $result = mysql_query( $query_statement ); } else { $query_statement = "SELECT * FROM $table"; $result = mysql_query( $query_statement ); } // If the query is syntactically invalid, mysql_query() fails and returns FALSE. if (!$result) { die('Invalid query: ' . mysql_error() . ' QUERY STATEMENT: ' . $query_statement); // Don't ever show the query string on a live website though. } $hasil = mysql_fetch_array($result); // http://www.catb.org/esr/faqs/smart-questions.html#intro
  6. compare-items.php?id[]=1&id[]=2 $_GET['id'] will be an array with 2 items. Loop over those 2. Fetch the data and echo a table for each. Use CSS to get the 2 tables to be side by side (won't work well if any text in the table cells is multiple lines long for one id but only 1 line long for the other id). Or use a more complicated html/php mixture to make a single table with all first cells from the first id and all second cells from the second id.
  7. Laravel's eloquent models and others I can't remember the name of tend to have a method for every other model that has a defined relationship to another model. SalesRep models know they belong to an Office model. Office models know they own SalesRep models. SalesRep models know they own CustomerRelationsMessage models. CustomerRelationsMessage models know they belong to both a SalesRep model and a Customer model. Customer models know they own CustomerRelationsMessage models and OrderInvoice models and PaymentHistory models.
  8. The problem with magic quotes is relying on it to escape values before concatenating them into an sql string and running it on your database. We're talking about escaping any html or css that might have gotten into our db already or in the values returned to form inputs after an unsuccessful submission to prevent them from actually affecting the page's html or css and preventing any JS from executing.
  9. I guess it's just my specific projects then. I can't think of much logic we do in the view that involves anything more than booleans, integers, isset() and !empty() which would not be affected by running them through htmlspecialchars. If I'm doing a foreach loop it's almost certainly because I want to echo the contents of the array in which case I'd want all the values in the array to be escaped. I'm not arguing with you. You're poking holes in my system so I'm just checking to see if I'm covered or not. Yes, anything less than "just use twig" is moronic but like I said, in 12 years I've only been allowed to use 2 external php libraries (neither of which were chosen by me), I don't have a choice in the matter.
  10. What, what? We're talking about escaping values for output in views. Within the view file most of the time you want the escaped value for output.
  11. But considering my situation... not allowed to use twig or anything else, I'm the ONLY person editing the code, the one other person who might edit the code also knows php and is smart enough to look at all the other <?=$cooked->foo?> and follow convention, and in the rare case they need something intentionally unescaped they'll either consult me or consult my documentation on how the views work or explicitly use html_entity_decode() to reverse the escaping. I'm not knocking twig. I'm just stuck in a bad situation and could use some advice on the escaping aspect. Yes, there's a ton of great things twig does but when it comes to just the escaping part of it, is there anything other than htmlspecialchars that I should be doing when escaping output? Do you have any idea what twig does when it's escaping other than just htmlspecialchars?
  12. Oh yeah. I've reinvented this wheel a few times. Inevitably you will find yourself in a situation where you want to manipulate attributes on the tag or change the tag from a div to an li or span or something else. My preferred approach is to use an actual html dom building tool like querypath so that you can construct your html using methods that feel just like jQuery and cache the result. https://github.com/technosophos/querypath
  13. In their defense, I do this too because I'd typically be struggling with php 4 quality code for 10 hours a day 6 days a week for months at a time and then I'd have maybe 3 days of nothing to do so I go look up some aspect of modern php, suffer from library comparison burnout, make plans to try out 3 libraries, only try out one, and then my free time is gone and I'm back to legacy work before I'm anywhere close to making a decision.
  14. I'm doing work for a place with a tradition of NIH Syndrome and no time to reinvent any wheels. When I show a view I pass an array containing only the few values that will actually be used by the view. That array has htmlspecialchars run on it recursively. So every value sent to the view is escaped and stored in $cooked. If I need a value to not be escaped for any reason, I have to pass it to the view as part of a second array that is stored in $raw. Is this still inferior to twig's escaping? Is there some other aspect of xss I'm missing? Can you point me to the code in twig that actually does their escaping? I assume it's probably doing much more than just htmlspecialchars.
  15. At the very least they could look at other sites that post news about php and just post links to recent news instead of showing stuff from 2010. We're only 3 years away from 2020.
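The $cooked/$raw view escaping scheme discussed in posts 9, 11 and 14, as an added example that is not code from the posts above or from Twig. The function names, the flag choice and the sample data are assumptions constructed for this example; the one fact it relies on is that Twig's default "html" strategy is htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE, while its js, css, url and html_attr strategies exist for output contexts where that is not enough.

```php
<?php
// Recursive escaper for everything that goes into $cooked (constructed example).
function escapeForHtml($value)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            // Keys are escaped too: a key echoed into the page is output as well.
            $out[is_string($k) ? escapeForHtml($k) : $k] = escapeForHtml($v);
        }
        return $out;
    }
    if (is_string($value)) {
        // ENT_QUOTES covers both ' and " so the value is safe inside either
        // quoted-attribute style; ENT_SUBSTITUTE replaces invalid UTF-8 with
        // U+FFFD instead of returning "" (which would silently drop the value).
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // bool, int, float and null pass through unchanged, as post 9 assumes.
    return $value;
}

// Build the two view inputs: everything in $cooked is escaped; $raw is reserved
// for markup deliberately produced by trusted code, never for user input.
function prepareView(array $values, array $trustedMarkup = [])
{
    return [
        'cooked' => (object) escapeForHtml($values),
        'raw'    => (object) $trustedMarkup,
    ];
}

// Constructed sample input, e.g. a value echoed back after a failed submit.
$view = prepareView(
    ['name' => "Tom & Jerry's <b>Shop</b>", 'tags' => ['a<b', 'c"d'], 'count' => 3],
    ['pager' => '<nav class="pager">1 2 3</nav>']
);
$cooked = $view['cooked'];
$raw    = $view['raw'];

// In the view: quoted attributes and element text are the only places where
// htmlspecialchars output is sufficient. Unquoted attributes, <script> bodies,
// inline CSS and URLs need a context-specific escaper, so $cooked values must
// not be echoed into those positions.
echo '<input name="name" value="' . $cooked->name . '">' . PHP_EOL;
foreach ($cooked->tags as $tag) {
    echo '<li>' . $tag . '</li>' . PHP_EOL;
}
echo $raw->pager . PHP_EOL; // emitted unescaped, by design
```

The recursive pass answers post 14's question only for HTML text and quoted-attribute context; the escaper's output is not safe inside JavaScript strings, style blocks or href values, which is the gap Twig's other strategies cover.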