
wolfcry
Everything posted by wolfcry
-
Yep, and thanks for the links but I really don't need them. If you re-read my OP you'll see that I already indicate the ASCII value of &, hence why I thought it wasn't working. In either case, I'm not sure why I thought that unless I read it wrong. I could have sworn I read an example with it saying all ASCII characters greater than 32 were stripped, but then again, I might have just gotten the greater than or less than signs reversed. Hmm, strange. I do know that FILTER_SANITIZE_SPECIAL_CHARS will encode those symbols but that's not what I'm looking to do because that's more of an output usage (equivalent to htmlentities() in my book). I simply want to strip them out completely. Oh well, I'll think of something.
-
Deprecated: Function session_is_registered() is deprecated in
wolfcry replied to Function's topic in PHP Coding Help
I don't think this: tep_$_SESSION is a valid function name and the script is looking for the following () to indicate that it's a function on its own. Try changing that to something else. As far as I remember, reserved keywords and functions cannot be used in the names of variables and other functions.
-
That's too funny lol. I must have pasted what I was currently working on, which was there as a comparison test. Oy, it's going to be one of them days. I'm actually using FILTER_FLAG_STRIP_HIGH, which isn't working as it should.
-
Deprecated: Function session_is_registered() is deprecated in
wolfcry replied to Function's topic in PHP Coding Help
Well, from what I can see, you're missing the closing curly brace }. Other than that, I'd need to see exactly what is on line 69 and line 70. Usually it means a line wasn't properly ended with the semi-colon ';'.
-
Good to know. If you want it to be immediate, as in as soon as the user clicks a queried link, you will need client-side scripting to do so (like JavaScript etc.) because PHP is a server-side language.
-
I see, I thought you were trying to store inputted data as one array, much like one would do in a form. That's a really bad practice to get into, especially since you will be alienating a huge user base and there's nothing wrong with having a different personal preference over another. I personally run FF, but if I were running IE and came across a site that intentionally directed me to a crappy page because of my browser, I'd never go back nor would I ever refer your site to those I know with the same interests.
-
Removing special characters such as & for instance. The filter flag was supposed to do that but I guess not.
-
Deprecated: Function session_is_registered() is deprecated in
wolfcry replied to Function's topic in PHP Coding Help
http://php.net/manual/en/migration53.deprecated.php It means it can't / shouldn't be used. Read 12th one down from the Deprecated Functions header. If you're going to start learning PHP, that manual will be your best friend, though it can become cluttered and confusing at times.
-
Well, if it were me and this was a basic form where someone could select what they wanted and I wanted to populate an array using their information, I'd simply use a group of checkboxes like so.

    <input type="checkbox" name="Food[]" value="Carrot"> Carrot
    <input type="checkbox" name="Food[]" value="Spinach"> Spinach
    <input type="checkbox" name="Food[]" value="Potato"> Potato
    <input type="checkbox" name="Food[]" value="Banana"> Banana
    <input type="checkbox" name="Food[]" value="Squash"> Squash
    <input type="checkbox" name="Food[]" value="Peach"> Peach

The [] after the value Food tells the PHP script to store all values into one array called Food. Then you can extract the values as needed however you saw fit.
-
Is it possible to have two different databases connect to one page
wolfcry replied to alpha1's topic in PHP Coding Help
The connection will automatically close once the page is done, so that shouldn't be the problem. As far as I'm aware, you must manually close the first connection if you wish to open a new connection like you have, but I'm thinking it might be interfering somehow? I might be wrong there though. Try removing the first mysql_close and see if that helps. It could be what WTFranklin posted as well though too lol. However, can you post your connection details for both connections? It might be how you're connecting and trying to query the data also.
-
Hey Psycho, Yeah, I know. The manual is really dropping the ball on that one IMHO. I have done quite a bit of research into it and I believe w3schools did a short blurb on it but from what I do find, it's basically repeating what the manual says without going into much detail. Well, I guess it's preg_match() all over again lol.
-
Maybe you have, but your replies keep showing the same thing such as id = "'. $_GET['id'] .'". To us, that doesn't look sanitized but a direct query request. That's why we keep saying the same thing regarding sanitizing your query data first. But one of your major issues is you're using both POST and GET which will conflict with each other because a POST form will submit data behind the page, meaning it won't stream the data in the URL and GET can ONLY extract data from the URL itself. So if you first query the id to show the page, but do not pass it along somehow after submitting POST, you will lose it. What you should do, like Miko said earlier, is use a hidden form field, then pass that value like you would do with any other value. Here's an example of how to populate a hidden form field.

    <?php $id = $_GET['id']; ?>
    <!-- escape the value before echoing it into the attribute -->
    <input type="hidden" name="Id" value="<?php echo htmlspecialchars($id, ENT_QUOTES, 'UTF-8'); ?>">

What will happen is the value of the hidden field will become "1" (or whatever value queried) and this value will be sent via POST which you can then grab using something like the following:

    $id = $_POST['Id'];

You will then want to sanitize the new $id information and use the variable $id in your query AFTER submitting your form.
-
Ah, my bad, upon closer inspection, you're getting id and using that to display the form. To sanitize the value, you first $_GET the value, then place that value into a variable and sanitize the variable itself. Like so:

    $id = $_GET['id'];
    $id = Sanitize_Variable_Using_Your_Method_Here($id); // keep the sanitized result
    $query = "SELECT `id` WHERE `id` = $id";

Something like that.
-
Hey all, While the filter itself is functioning properly, the flag doesn't seem to be. Here's how I have it set up:

    $UserInput = filter_var($UserInput, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 1
    $UserInput = filter_input(INPUT_POST, 'UserInput', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 2

As you can see, I have set up two test methods; however, each one fails regarding the flag... or so it's seeming to me. FILTER_FLAG_STRIP_LOW is supposed to strip out anything > 32 in ASCII, but it isn't. '&' (38) is greater than 32 but it still displays in the browser. Am I missing something here?
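What the two strip flags actually remove, as an added example that is not part of the original post: FILTER_FLAG_STRIP_LOW drops bytes below 32 and FILTER_FLAG_STRIP_HIGH drops bytes above 127, so a printable character such as & (38) has to be deleted explicitly. The helper name strip_input, its default character list and the sample string are assumptions; FILTER_UNSAFE_RAW is used because FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.

```php
<?php
// Added example, not code from the original post.
declare(strict_types=1);

/**
 * Remove control bytes (< 32), bytes above 127, and an explicit set of
 * printable characters that neither strip flag touches.
 * strip_input() and its default $forbidden list are hypothetical.
 */
function strip_input(string $value, string $forbidden = '&<>"\''): string
{
    // FILTER_UNSAFE_RAW changes nothing by itself; only the flags remove bytes.
    $clean = filter_var(
        $value,
        FILTER_UNSAFE_RAW,
        FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH
    );
    if ($clean === false) {
        return '';
    }
    // '&' is ASCII 38, inside the 32..127 range both flags leave alone,
    // so it is deleted here rather than by the filter.
    return str_replace(str_split($forbidden), '', $clean);
}

// Constructed sample input: a BEL byte, a tab, '&', markup and a UTF-8 'é'.
$raw = "Tom\x07 & Jerry\t<b>caf\xC3\xA9</b>";

// STRIP_LOW alone: BEL and tab disappear, '&' and the markup remain.
var_dump(filter_var($raw, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW));

// STRIP_HIGH alone: the two bytes of 'é' disappear, '&' still remains.
var_dump(filter_var($raw, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_HIGH));

// Both flags plus the explicit character list: '&', '<' and '>' are gone.
var_dump(strip_input($raw));
```

Stripping is input normalisation only; values written into HTML still need htmlspecialchars() at output time.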
-
I clicked the link and sent a test form but I didn't see anything after submitting which tells me you're now using $_POST. Since $_GET only extracts data streamed in the URL, you will want to use $_POST to extract that as well. Change this: '" . $_GET['id'] . "'" to this: '" . $_POST['id'] . "'" if your form method is POST. However, you really, really, REALLY need to get the user input out of the direct query and use a sanitized variable in its place. If not, you're asking for a whole world of hurt.
-
What Mikosiko is suggesting is you use a hidden field for the id in the form itself, which means you'll have to perform a query obtaining the id before the form is submitted and echo that out as the value of the hidden form field. Now, you will still need to sanitize that even if it's hidden because anyone can use certain browser add-ons that allow them to change that and add whatever information they want in it. ALWAYS sanitize data if the user has a way of getting to it. You can use $_GET, just don't use it directly in the query itself, sanitize the data before passing it to the query. The major differences of $_POST compared to $_GET are, of course, not having data directly streamed in the URL field, making it "invisible" per se and a bit more secured. Have you tried echoing out your $_GET and $_POST data to see if it's even being populated after submission? For example:

    $id = $_GET['id'];
    $id = $_POST['id'];

The above depends on your form method of course. If it's not being populated, then you can start debugging "why" and / or "where from" isn't it being populated.
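One way to do what these replies describe (take the id from $_GET or a hidden $_POST field, validate it, and keep it out of the SQL text), as an added example that is not code from the thread. The table pages, its columns, the helper names and the SQLite in-memory database are assumptions chosen so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table `pages`, its columns and
// the helper names read_id() / find_page() are hypothetical.

/** Return the id as a positive integer, or null when the input is not one. */
function read_id(array $source, string $key): ?int
{
    $id = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function find_page(PDO $db, int $id): ?array
{
    // The id is bound as a parameter, never concatenated into the query.
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages (id, title) VALUES (1, 'Home'), (2, 'Contact')");

// Constructed request arrays standing in for $_GET or $_POST, including a
// hidden-field value that was edited in the browser and a missing field.
$requests = [['id' => '1'], ['id' => '1 OR 1=1'], ['id' => 'abc'], []];

foreach ($requests as $request) {
    $id = read_id($request, 'id');
    if ($id === null) {
        echo 'rejected: ' . json_encode($request) . PHP_EOL;
        continue;
    }
    $page = find_page($db, $id);
    // Escape on output when the id goes back into the hidden field.
    printf('<input type="hidden" name="id" value="%s"> %s' . PHP_EOL,
        htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($page['title'] ?? '(no such page)', ENT_QUOTES, 'UTF-8'));
}
```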
-
That's what I thought, but it wouldn't work until I changed the field type to Text. For VarChar I had the length set to 18 and it would only accept 1 character. With Text, it's set to the same amount and now accepts them all. It is strange and I'm going to look into it more today when I get the chance. I'm running the latest PHP and MySQL versions so it shouldn't be doing this unless somehow it was configured wrong or was a bad install. Who knows, with technology it can be a million and one things lol.
-
Found out the issue, apparently the DB field has to be set to text rather than varchar in order to insert strings like that. I never realized that. In either case, thanks for the help, those functions are working beautifully in different aspects of my application.
-
Ok, I'm going to go back to square one and try to make my intention as clear as possible.

    $array1 = array(1, 2, 3, 4, 5, 6);
    foreach ($array1 as $key => $data) {
        echo $data . ','; // will display 1,2,3,4,5,6 in browser.
    }
    if ($is_true == 1) {
        // INSERT $data values into DB here.
    }

That's what I'm trying to accomplish in its simplest form, I'm just having extreme difficulty achieving my goal.
-
I'm not sure what you mean, could you please elaborate? As for the INSERT syntax, I'm using prepared statements and have that parameter bound by the String notation 's'.
-
Hi Muddy, I have a strong feeling you're correct lol. Well, the program is pretty complex as it stands but to summarize how the data is being input:

1. User inputs say 3 as their $min value, and 10 as their $highest value with an operator of '*' and a $CalcSet of say 4.
2. Program takes (3 * 6) and places those values into a random generating function and randomly outputs as many results as the user selected. So for this case, 4 is the $CalcSet so the output will display 4 different randomized calculations.
3. The resulting displayed sets will look like so: "Calculations performed for set 1 (2, 3 etc.): 23, 12, 45, <...this will be displayed 4 times, each time with different values.

I was able to just pass the values from $DisplayCalcs to another $variable and it worked but now all it shows is the last integer. So I went a more complex route and it's proving to be quite a task. I don't *really* want to store integers separated by commas in the DB (I can always cast to string and that's fine) but what I *really* want to do, is store the integers as one string and then format on display by placing a comma between each integer somehow because on a separate View page, their calculated set needs to be displayed in the format (int1, int2, int3, etc.) Hopefully that helps to better clarify.
-
had this working by simply passing the data from one variable to another like so:

    $CalcsSets = $DisplayCalcs;

without the need to use the if() statement and it inserted the data without quotes but all of a sudden it's stopped working and I'm not sure why (it only started showing last integer), so I went with the more complex code trying to get it to work again as shown below. Here's the complex code I'm working with:

    for($i=1; $i<=$CalcSets; $i++){
        $calculations = PerformCalc($min, $highest, $OperatorType);
        echo 'Calculations performed for '.$SetText[$i];
        foreach ($calculations as $key => $DisplayCalcs) {
            echo $SetCalc[] = $DisplayCalcs.', '; // stores calculations with ',' in array.
        }
        if($CalcSets == 1){
            for($i=0;$i<$CalcSets;$i++){
                $SetResults = $SetCalc[$i];
                echo '<strong>'.(string)$SetResults.'</strong>';
            }
            DB_Insert($SetResults);
        }
    }

What it's supposed to do is insert values in the following format (1,2,3,4,5,) into the database in a VARCHAR row but now all it shows is the last integer with no comma. I originally wanted to just store the integers and not a comma but I couldn't get it to display on the page with commas after each integer so I went this route as mentioned earlier. I realize I'm probably going about this the wrong way, but if any of you know a much easier, and shorter, way to do what I want, I'd be extremely appreciative of the help. Reason I'm doing it this way, is because on the results page, it needs to show in the format mentioned above. FYI, I did check the DB row and it is still set to VARCHAR with a length of 10 at the moment.
-
Ensuring dynamic selections remain after submitting?
wolfcry replied to wolfcry's topic in PHP Coding Help
Ah nice, thank you litebearer!