about using & and ' in fields being processed by PHP


hempknight


hey ppl..

i'm sure the answer is out there somewhere but..i'm really short on time..need to finish this website by the 21st of may..and i'm stuck

my issue relates to a bands database that has some names like D'Opus & Roshambo..now when i run my bands.php script that gets the info from the dbase and dynamically makes a table to store the info...

it takes the band name as a variable..

i have used the scripts for making the entries listed under the letter they begin with..i think it's on this page: http://www.phpfreaks.com/tutorials/146/0.php

and also some code from DMXforums that hid a field from showing in the table if it was empty..

most of the bands work fine except those with ' and & won't show anything..

the band variable that holds the name being searched for by the band.php script is always just the first letter not the full band name like with the others..

i've included all of the code if anyone wants to see..

and yes i know it's not indented and messy..

the code for the script that lists all the bands in the Dbase alpha sorted with hyperlinks to their details...

<body bgcolor="#000000" text="#FFFFFF">
<center>

<?php
$link = mysql_connect("localhost", "*****", "*****");
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
$db_selected = mysql_select_db("mitact_mitact");
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}
?>

<form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="get">                        
    <select name ="genre">
        <option value ="" <?php if(empty($_GET["genre"])) echo 'selected="selected"';?>>Any Genre</option>
        <?php $result = mysql_query("SELECT  `gid`,`name` FROM  `Bands_Genre` ORDER BY `name` ASC"); while ($row = mysql_fetch_array($result)) { ?>
        <option value ="<?php echo $row["gid"]; ?>" <?php if($_GET["genre"] === $row["gid"]) echo 'selected="selected"';?>><?php echo $row["name"]; ?></option>
        <?php } mysql_free_result($result);?>
    </select>
    <select name ="type">
        <option value =""           <?php if(empty($_GET["type"]))          echo 'selected="selected"';?>>Any Type</option>
        <option value ="Original"   <?php if($_GET["type"] === "Original")  echo 'selected="selected"';?>>Original</option>
        <option value ="Covers"     <?php if($_GET["type"] === "Covers")    echo 'selected="selected"';?>>Covers</option>
        <option value ="Both"       <?php if($_GET["type"] === "Both")    echo 'selected="selected"';?>>Both</option>
    </select>
    <input type="submit" value="Search"/>
    <input type="reset" value="Reset"/>
</form>

<?php
$db_selected = mysql_select_db("mitact_mitact");
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}

//genre filter
$genre = "TRUE"; //any genre
if(!empty($_GET["genre"])) {//not any genre
    $gid = intval($_GET["genre"]);
    $genre = "`Bands_Confirmed`.`genre1`='$gid' OR `Bands_Confirmed`.`genre2`='$gid' OR `Bands_Confirmed`.`genre3`='$gid'";
/*
    $result = mysql_query("SELECT `gid` FROM `Bands_Genre` WHERE `name`='$_GET[genre]'");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }

    if ($row = mysql_fetch_array($result)) {
        $genre = "`Bands_Confirmed`.`genre1`='$row[gid]' OR `genre2`='$row[gid]' OR `genre3`='$row[gid]'";
    }else $genre = "TRUE";
    mysql_free_result($result);*/
}

//type filter
$type = "TRUE";//any genre
if(!empty($_GET["type"])) {
    $type = "`type`='$_GET[type]'";
}

$result = mysql_query("SELECT  `Bands_Confirmed`.`bandname` FROM  `Bands_Confirmed` WHERE ($genre) AND ($type) ORDER BY `bandname` ASC");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

$letterlinks = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; 
            echo '<a name="#top"></a>'; 
            echo '<a href="#number">0-9</a> '; 
            for ($i = 0; $i < 26; $i++): // one link per letter of $letterlinks
                echo '<a href="#'.$letterlinks[$i].'">'.$letterlinks[$i].'</a> '; 
            endfor; 
            while ($list = mysql_fetch_object($result)): 
                $letter = strtoupper(substr($list->bandname, 0, 1)); 
                if ($prev_row != '0-9' && is_numeric($letter)): 
                    echo '<br /><a name="number"></a><b><you>0-9</you></b> '; 
                    echo '<a href="#top"><i>goto top</i></a><br />'; 
                    $prev_row = '0-9'; 
                endif; 
                if ($letter != $prev_row && !is_numeric($letter)): 
                    echo '<br /><a name="'.$letter.'"></a><b><you>'.$letter.'</you></b> '; 
                    echo '<a href="#top"><i>goto top</i></a><br />'; 
                    $prev_row = $letter; 
                endif; 
$band="$list->bandname";
//addcslashes($band,"'");
htmlspecialchars($band);
echo $band;
echo "<a href='band.php?band=$band'>$list->bandname</a><br/>";
            endwhile; 


mysql_free_result($result);

mysql_close($link);
?>
</center>


the bands script that actually gets the name of the band that you clicked from the list and shows the details...


<body bgcolor="#000000" text="#FFFFFF">
<table width="500" border="1" bordercolor="#FFFFFF">

<?php
$link = mysql_connect("localhost", "****", "****");
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db("mitact_mitact");
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}
$genre = null;
$result = mysql_query("SELECT * FROM  `Bands_Genre`");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

while ($row = mysql_fetch_array($result)) {
    $genre[$row["gid"]] = $row["name"];
}

mysql_free_result($result);

$result = mysql_query("SELECT * FROM  `Bands_Confirmed` WHERE  `bandname` =  '". urldecode($_GET["band"]) ."'");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
addslashes($result);
while ($row = mysql_fetch_array($result)) {//while fetch BEGINS
?>

<tbody>
  <tr>
     <td colspan="2">
      <h2><?php echo $row["bandname"];?></h2>
    </td>
   </tr>
   <tr>
      <td colspan="2">
      <ul>
        <li>Genre 1: <?php echo $genre[$row["genre1"]];?></li>
        <?php if ($genre[$row["genre2"]]<>"") 
                  {echo'<li>Genre 2:',$genre[$row["genre2"]],'</li>';}?>

                <?php if ($genre[$row["genre3"]]<>"") 
                  {echo '<li>Genre 3:',$genre[$row["genre3"]],'</li>';}?>

        <li>Original music, Covers or Both: <?php echo $row["type"];?></li>
        </ul>
    </td>
   </tr>
    <tr>
       <td colspan="2">
      <div>
        <dl>
          <dt><?php echo $row["contact1"];?></dt>

         <?php if ($row["contact1number"]<>"")
           {echo '<dd>',$row["contact1number"],'</dd>';}?>

          <dd><?php echo $row["email1"];?></dd>
          <dt><?php echo $row["contact2"];?></dt>
          <dd><?php echo $row["contact2number"];?></dd>
          <dd><?php echo $row["email2"];?></dd>

          <?php if ($row["managerdetails"]<>"")
           {echo '<dt>Manager details</dt>';
             echo '<dd>',$row["managerdetails"],'</dd>';}?>
          
          <?php if ($row["bookingagentdetails"]<>"")
           {echo '<dt>Booking agent</dt>';
             echo '<dd>',$row["bookingagentdetails"],'</dd>';}?>
        </dl>
      </div>
    </td>
  </tr>
  <tr>
<?php if ($row["myspace"]<>"")
           {echo '<td width="250">','MySpace: <a href="';
             echo $row["myspace"];
             echo'">',$row["myspace"],'</a></td>';}?>

<?php if ($row["website"]<>"")
           {echo '<td width="250">','Website: <a href="';
             echo $row["website"];
             echo'">',$row["website"],'</a></td>';}?>
  </tr>
</tbody>

<?php
} //END WHILE

mysql_free_result($result);
mysql_close($link);
?>

</table>
</body>

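Added example (not code from this thread or from hempknight): a self-contained script that reproduces both halves of the problem above and shows the fix for each. The list page writes the raw band name into `band.php?band=...`, so the `&` in "D'Opus & Roshambo" ends the parameter and band.php only ever receives the first part; band.php then pastes `$_GET["band"]` straight into the SQL text, where the apostrophe closes the string literal. The example uses PDO with an in-memory SQLite table standing in for `Bands_Confirmed` (both constructed here), `urlencode()` for the link, a bound parameter for the lookup, and `htmlspecialchars()` on the output. It assumes PHP 7.1 or later with the PDO sqlite driver; the mysql_* functions used in the thread were removed in PHP 7, so PDO with MySQL would be the equivalent against the real database.

```php
<?php
// Added example, not code from the thread. Shows why "D'Opus & Roshambo"
// breaks the list -> band.php hand-off and how to pass it safely.
// Assumes PHP >= 7.1 with PDO and the sqlite driver; the table, rows and
// band names below are constructed for the demonstration.
declare(strict_types=1);

// Stand-in for the Bands_Confirmed table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Bands_Confirmed (bandname TEXT, type TEXT)');
$insert = $pdo->prepare('INSERT INTO Bands_Confirmed (bandname, type) VALUES (?, ?)');
foreach ([["D'Opus & Roshambo", 'Original'], ['Plain Band', 'Covers']] as $row) {
    $insert->execute($row);
}

// Simulates what PHP puts in $_GET for a given query string. $_GET is already
// percent-decoded, so band.php must not urldecode() it a second time (a name
// containing "+" or "%" would be mangled by the extra decode).
function parseQuery(string $query): array
{
    parse_str($query, $params);
    return $params;
}

// The list page in the thread emits  <a href='band.php?band=$band'>  with the
// raw name. A literal "&" terminates the parameter, so band.php only sees
// "D'Opus ". urlencode() turns "&" into %26 and "'" into %27; htmlspecialchars()
// keeps the name from being interpreted as HTML in the attribute and link text.
function bandLink(string $bandname): string
{
    $href = 'band.php?band=' . urlencode($bandname);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($bandname, ENT_QUOTES, 'UTF-8') . '</a>';
}

// band.php in the thread interpolates $_GET["band"] into the SQL text, so the
// apostrophe in D'Opus closes the string literal and the query fails (and any
// other quote-containing input reaches the SQL parser unescaped). A bound
// parameter travels separately from the SQL text, so the name can contain anything.
function findBand(PDO $pdo, string $bandname): ?array
{
    $stmt = $pdo->prepare('SELECT bandname, type FROM Bands_Confirmed WHERE bandname = :name');
    $stmt->execute([':name' => $bandname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$name = "D'Opus & Roshambo";

// 1. What the thread's link does: the parameter is cut at the "&".
$broken = parseQuery('band=' . $name);
echo "raw link passes:     [" . $broken['band'] . "]\n";      // [D'Opus ]

// 2. What string interpolation does with the apostrophe.
try {
    $pdo->query("SELECT * FROM Bands_Confirmed WHERE bandname = '$name'");
} catch (PDOException $e) {
    echo "interpolated query:  " . $e->getMessage() . "\n";   // syntax error near "Opus"
}

// 3. Encoded link plus bound parameter: the whole name arrives and matches.
$fixed = parseQuery('band=' . urlencode($name));
echo "encoded link passes: [" . $fixed['band'] . "]\n";      // [D'Opus & Roshambo]
print_r(findBand($pdo, $fixed['band']));                       // the matching row
echo bandLink($name) . "\n";                                   // the safe anchor tag
```

Run it with `php example.php`; the three labelled lines show the truncated value, the SQL error from interpolation, and the full name surviving the round trip. The same `findBand()` shape also replaces the `$_GET[type]` interpolation in the list page's type filter, which has the identical problem for any value containing a quote.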

On the second script that you've posted...


<body bgcolor="#000000" text="#FFFFFF">
<table width="500" border="1" bordercolor="#FFFFFF">

<?php
$link = mysql_connect("localhost", "****", "****");
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db("mitact_mitact");
if (!$db_selected) {
    die ('Can\'t use foo : ' . mysql_error());
}
$genre = null;
$result = mysql_query("SELECT * FROM  `Bands_Genre`");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

while ($row = mysql_fetch_array($result)) {
    $genre[$row["gid"]] = $row["name"];
}

mysql_free_result($result);
$band_name = urldecode($_GET['band']);
$band_name_escaped = mysql_real_escape_string($band_name);

$result = mysql_query("SELECT * FROM  `Bands_Confirmed` WHERE  `bandname` =  '$band_name_escaped'");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
addslashes($result);
while ($row = mysql_fetch_array($result)) {//while fetch BEGINS
?>

<tbody>
  <tr>
     <td colspan="2">
      <h2><?php echo $row["bandname"];?></h2>
    </td>
   </tr>
   <tr>
      <td colspan="2">
      <ul>
        <li>Genre 1: <?php echo $genre[$row["genre1"]];?></li>
        <?php if ($genre[$row["genre2"]]<>"") 
                  {echo'<li>Genre 2:',$genre[$row["genre2"]],'</li>';}?>

                <?php if ($genre[$row["genre3"]]<>"") 
                  {echo '<li>Genre 3:',$genre[$row["genre3"]],'</li>';}?>

        <li>Original music, Covers or Both: <?php echo $row["type"];?></li>
        </ul>
    </td>
   </tr>
    <tr>
       <td colspan="2">
      <div>
        <dl>
          <dt><?php echo $row["contact1"];?></dt>

         <?php if ($row["contact1number"]<>"")
           {echo '<dd>',$row["contact1number"],'</dd>';}?>

          <dd><?php echo $row["email1"];?></dd>
          <dt><?php echo $row["contact2"];?></dt>
          <dd><?php echo $row["contact2number"];?></dd>
          <dd><?php echo $row["email2"];?></dd>

          <?php if ($row["managerdetails"]<>"")
           {echo '<dt>Manager details</dt>';
             echo '<dd>',$row["managerdetails"],'</dd>';}?>
          
          <?php if ($row["bookingagentdetails"]<>"")
           {echo '<dt>Booking agent</dt>';
             echo '<dd>',$row["bookingagentdetails"],'</dd>';}?>
        </dl>
      </div>
    </td>
  </tr>
  <tr>
<?php if ($row["myspace"]<>"")
           {echo '<td width="250">','MySpace: <a href="';
             echo $row["myspace"];
             echo'">',$row["myspace"],'</a></td>';}?>

<?php if ($row["website"]<>"")
           {echo '<td width="250">','Website: <a href="';
             echo $row["website"];
             echo'">',$row["website"],'</a></td>';}?>
  </tr>
</tbody>

<?php
} //END WHILE

mysql_free_result($result);
mysql_close($link);
?>


Change this

<?php
$result = mysql_query("SELECT * FROM  `Bands_Confirmed` WHERE  `bandname` =  '$band_name_escaped'");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
addslashes($result);
?>

to

<?php
$query = "SELECT * FROM  `Bands_Confirmed` WHERE  `bandname` =  '$band_name_escaped'";
$result = mysql_query($query) or die('Invalid query: <pre>' . $query . '</pre><br> ' . mysql_error());
?>

 

Ken

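Added example, not Ken's code or the thread's. Ken's `die()` prints the failed SQL and `mysql_error()` into the page, which is useful while debugging but, once the site is live, tells every visitor the table and column names and the exact shape of the query. The script below keeps the same diagnostic detail but sends it to the web server's error log with `error_log()` and gives the browser a fixed message. It assumes PHP 7.1 or later with the PDO sqlite driver; the table and the deliberately wrong column name are constructed for the demonstration.

```php
<?php
// Added example: full error detail to the server log, a generic message to the
// visitor. Not from the thread. Assumes PDO with the sqlite driver; table and
// the broken query below are constructed here.
declare(strict_types=1);

function runBandQuery(PDO $pdo, string $sql, array $params): array
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return ['ok' => true, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
    } catch (PDOException $e) {
        // SQL text, bound values and the driver message go to the error log,
        // where the developer can read them (php.ini error_log or the SAPI log).
        error_log(sprintf('band lookup failed: %s | sql=%s | params=%s',
            $e->getMessage(), $sql, json_encode($params)));
        // The visitor sees nothing about the schema or the query.
        return ['ok' => false, 'error' => 'Band details are unavailable right now.'];
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Bands_Confirmed (bandname TEXT, type TEXT)');
$pdo->exec("INSERT INTO Bands_Confirmed VALUES ('Plain Band', 'Covers')");

// Works: correct column and a bound parameter.
$good = runBandQuery($pdo, 'SELECT * FROM Bands_Confirmed WHERE bandname = ?', ['Plain Band']);
// Fails: misspelt column. The detail lands in the log, not in the HTML.
$bad  = runBandQuery($pdo, 'SELECT * FROM Bands_Confirmed WHERE band_name = ?', ['Plain Band']);

echo $good['ok'] ? count($good['rows']) . " row(s)\n" : $good['error'] . "\n";  // 1 row(s)
echo $bad['ok']  ? count($bad['rows'])  . " row(s)\n" : $bad['error']  . "\n";  // generic message
```

During development the same switch can be flipped the other way by reading the log, or by enabling `display_errors` on a local copy only; the point is that the query text and driver messages never reach a public page.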
