Everything posted by robert_gsfame

  1. I have this:

         <style type="text/css">
         @media screen { .colors { background: #000000; } }
         @media print  { .colors { background: #000000; } }
         </style>
         <body>
         <table width="300"><tr><td class="colors">Its Black!</td></tr></table>
         </body>

     When I print the page out using window.print(), the black background I've set does not appear. Which part is wrong anyway? Thanks so much for any help.
  2. I've tried using escape() to encode any special character that is typed by the user, but I found that I cannot use escape() to encode double quotes (" "). What function should I use then?
  3. Got it! It should be mysql_real_escape_string(htmlspecialchars($name)).
  4. I have retrieved some data from one table to be inserted into another table using this query:

         $sql = mysql_query("SELECT * FROM table WHERE id='1'");
         $array = mysql_fetch_array($sql);
         $name = $array['name'];

     Let's say I have $name = james"king".

         function clean($string) {
             if (get_magic_quotes_gpc()) {
                 return stripslashes($string);
             } else {
                 return $string;
             }
         }

         mysql_query(sprintf("INSERT INTO table2(name, age) VALUES('%s','%s')",
             mysql_real_escape_string($name),
             mysql_real_escape_string($_POST['age'])));

     Let's say $_POST['age'] = "25" (double quotes also included). Then I will have this result in table2: name = NULL, age = "25".
  5. Thanks, I really worry as it could break the query.
  6. I'm really confused about this: when should I use stripslashes when using mysql_real_escape_string()? As far as I've done it, I only use it when there is an INSERT, DELETE or UPDATE query, but not in a SELECT query. Can anyone explain this to me? Thanks.
  7. Okay, so I have to use get_magic_quotes_gpc(). It will look like this:

         $value = $_POST['value'];
         if (get_magic_quotes_gpc()) {
             $var = stripslashes($value);
         }
         sprintf("INSERT INTO table VALUES('%s')", mysql_real_escape_string($var));

     Is this correct? Do I have to check whether get_magic_quotes_gpc() is off on every string before using it in a query?
  8. Okay, so I have to use get_magic_quotes_gpc(). It will look like this:

         $value = $_POST['value'];
         if (get_magic_quotes_gpc()) {
             $var = stripslashes($value);
         }
         sprintf("INSERT INTO table VALUES('%s')", mysql_real_escape_string($value));

     Is this correct? Do I have to check whether get_magic_quotes_gpc() is off on every string before using it in a query?
  9. So what I should do is like this:

         $value = stripslashes($_POST['value']);
         sprintf("INSERT INTO table VALUES('%s')", mysql_real_escape_string($value));

     Am I correct? I'm really new to this; I really appreciate your help.
  10. Oops, but what I have here is that "\" appears in my database as a result of using mysql_real_escape_string().
  11. I have used mysql_real_escape_string() and I have this \"\"james inside my database.

          $sql = mysql_query("SELECT * FROM table");
          $array = mysql_fetch_array($sql);
          $name = stripslashes($array['name']);
          sprintf("SELECT * FROM table1 WHERE name='%s'", mysql_real_escape_string($name));

      In order to get another record from table1 using a record from table, should I stripslashes first or not? I'm really confused about this; I hope anyone could help.
  12. I have this:

          function _preview() {
              var param = document.getElementById("name").value;
              var param1 = document.getElementById("status").value;
              window.open("preview?name=" + param + "&status=" + escape(param1),
                  "preview", "width=200,height=200,scrollbars=1,resizable=1,top=0,left=10");
          }

      The problem is that when my status is, let's say, "cool & kind", and I try to get the value (which is cool&kind) using $_GET, I get coolkind; I don't find any &. How can I get cool&kind read completely? What I have on the URL is this: preview?name=myname&status=cool&kind. Thanks.
  13. Okay, so what I have to do is to use mysql_real_escape_string() and use htmlspecialchars(stripslashes($value)) or htmlentities(stripslashes($value)) to retrieve the records. Is this correct?
  14. I just wonder what the use of the get_magic_quotes_gpc() function is compared to mysql_real_escape_string(). As far as I know, get_magic_quotes_gpc() will add a slash to all special characters like ', " and \, and so does mysql_real_escape_string(). What makes these two functions different? And if they have the same function, then is it safe enough to use get_magic_quotes()? Thanks for any help.
  15. I have created a function where, when the button is clicked, it parses the value typed in the textbox into the URL. The problem is that when the value that was typed contains a special character, let's say "myname", when I use $_GET I only get a backslash \. What is missing?
  16. I'm really confused with these three functions. I hope anyone can explain and give me some help. Let's say I have this query:

          sprintf("INSERT INTO table(column1) VALUES('%s')", mysql_real_escape_string($value));

      And let's say the user puts this as the value: "aaa". Then it will come out like this inside my database: \"aaa\". When retrieving the data I use stripslashes() to remove those slashes and I will have "aaa" correctly displayed, and I will use htmlentities(stripslashes($value)) to retrieve the data into my textbox. Is this correct and safe? I'm really confused with all of this...
  17. But let's say I have this inside my database: myname"\james\". When I use stripslashes() to retrieve the data into my textbox, then it goes like this: myname. Is it correct if I use htmlspecialchars() or htmlentities() for this?
  18. Do I have to put this when retrieving the record?
  19. I am new to mysql_real_escape_string() but I wish to use it as it might help prevent SQL injection attacks. If, let's say, users insert this record: myname"james", then I will have it in my database like this: myname\"james\", and when I retrieve it from my database I will get the same either way. What should I do? Do I need anything else besides mysql_real_escape_string()?
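Added example, not code from any of the posts on this page: a stand-alone PHP script that traces the value myname"james" from post 19 through magic_quotes_gpc, escaping, MySQL's parsing of the string literal and HTML output, which shows why escaping twice leaves backslashes in the table (the symptom in posts 10, 11, 16 and 19) and why output needs htmlspecialchars() rather than stripslashes(). It assumes magic quotes behave like addslashes(); mysqlEscape() and mysqlUnescapeLiteral() are local stand-ins because mysql_real_escape_string() needs a live connection.

```php
<?php
// Added example, not code from the forum posts.
// Assumptions: magic_quotes_gpc is modelled with addslashes(), which is what it
// applied to request data; mysqlEscape() is a local stand-in for
// mysql_real_escape_string() (same characters, no connection needed).

function mysqlEscape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ]);
}

// What MySQL stores after parsing a backslash-escaped string literal.
function mysqlUnescapeLiteral(string $literal): string {
    return preg_replace_callback('/\\\\(.)/s', function (array $m): string {
        $special = ['n' => "\n", 'r' => "\r", '0' => "\0", 'Z' => "\x1a"];
        return $special[$m[1]] ?? $m[1];
    }, $literal);
}

// Returns the value that ends up in the column for one request.
function storedValue(string $typed, bool $magicQuotesOn, bool $stripFirst): string {
    $value = $magicQuotesOn ? addslashes($typed) : $typed;   // what $_POST holds
    if ($magicQuotesOn && $stripFirst) {
        $value = stripslashes($value);                      // undo magic quotes
    }
    $literal = mysqlEscape($value);                         // escape exactly once
    return mysqlUnescapeLiteral($literal);                  // MySQL parses it back
}

$typed = 'myname"james"';                                    // constructed input

// Magic quotes plus escaping = escaped twice: backslashes survive in the table.
$doubled = storedValue($typed, true, false);
// stripslashes() only when magic quotes are on, then escape once: stored as typed.
$once = storedValue($typed, true, true);
// Magic quotes off: no stripslashes() at all, same clean result.
$off = storedValue($typed, false, false);

// On output, encode for HTML; stripslashes() has no job here.
$html = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');

printf("escaped twice: %s\nescaped once:  %s\nmagic off:     %s\nfor HTML:      %s\n",
    $doubled, $once, $off, $html);
```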
  20. I have this query:

          $date = date("Y/m/d");
          sprintf("INSERT INTO table(date) VALUES('%s')", mysql_real_escape_string($date));

      and in the table I set the date column as DATE. Is the query okay? Thanks for any help...
  21. What is the difference between "SELECT * FROM table WHERE id='{$id}'" and "SELECT * FROM table WHERE id='id'"? What is the real use of the braces "{}" in the query? Thanks.
  22. How can I use mysql_real_escape_string() when I have the following query?

          SELECT * FROM $table WHERE $search LIKE '%$data%' AND user_id='$userid'

      Thanks in advance.
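Added example, not code from the post above or from any project: a PHP script that builds the query from post 22 and treats its three interpolated parts differently, because mysql_real_escape_string() covers only the plain string value, not the identifiers ($table, $search) and not the LIKE wildcards in $data. It assumes mysqlEscape() as a stand-in for mysql_real_escape_string() and invents the allow-lists of table and column names.

```php
<?php
// Added example, not code from the forum posts. The query
//   SELECT * FROM $table WHERE $search LIKE '%$data%' AND user_id='$userid'
// mixes three kinds of interpolated values; string escaping covers only one.
// Assumptions: mysqlEscape() stands in for mysql_real_escape_string() (same
// characters, no connection needed); the allow-lists are invented for the demo.

function mysqlEscape(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z"]);
}

// 1. Identifiers ($table, $search): escaping a string does not make a name safe,
//    so accept only names from a fixed list and backtick-quote them.
function checkIdentifier(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    return "`$name`";
}

// 2. LIKE pattern ($data): % and _ are wildcards that string escaping leaves
//    alone, so escape them for LIKE first, then escape the result as a string.
function likeLiteral(string $data): string {
    $pattern = addcslashes($data, '\\%_');   // \ % _ each get a backslash prefix
    return "'%" . mysqlEscape($pattern) . "%'";
}

// 3. Plain string value ($userid): the only part that string escaping alone handles.
function buildSearchQuery(string $table, string $search, string $data, string $userId): string {
    $allowedTables  = ['users', 'posts'];
    $allowedColumns = ['name', 'title'];
    return sprintf("SELECT * FROM %s WHERE %s LIKE %s AND user_id='%s'",
        checkIdentifier($table, $allowedTables),
        checkIdentifier($search, $allowedColumns),
        likeLiteral($data),
        mysqlEscape($userId));
}

// Constructed inputs: a wildcard, an underscore and an apostrophe in the search text.
echo buildSearchQuery('posts', 'title', "50%_off o'clock", "42"), "\n";

try {
    buildSearchQuery('unknown_table', 'title', 'x', '1');   // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```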
  23. "No holes" means that you are not leaving something which can cause an error, as the attacker always reads from an error; is that what you mean?
  24. I just want to know, is it still possible to get attacked by SQL injection if we have used mysql_real_escape_string()? Thanks.