  1. #1
    SitePoint Zealot

    any problem with this?

    Can anyone see a problem with this:

    PHP Code:
    $find = $_REQUEST['find'];
    $replace = $_REQUEST['replace'];
    $finder = mysql_query("SELECT * FROM `texts` WHERE `text` LIKE '%$find%'");

    $count = mysql_num_rows($finder);
    while ($find1 = mysql_fetch_array($finder)) {
        $id = $find1['id'];
        $oldtext = $find1['text'];
        $newtext = str_replace($find, $replace, $oldtext);
        $sqlupdate = mysql_query("UPDATE `texts` SET `text`='$newtext' WHERE `id`='$id'") or die("Update Query failed");
    }


  2. #2
    longneck
    sorry, i do not enjoy guessing games. but right off the bat, i see three problems:

    1) you are not escaping your user input with mysql_real_escape_string
    2) you do not have a die() in your first query
    3) you have '' around numeric values

  3. #3
    SitePoint Zealot
    Thanks for your reply,
    I figured out the problem, some of the text in the $find1['text'] array had ' in them so it was creating an error in the command... when I added in str_replace("'", "’", $oldtext); it fixed the issue

  4. #4
    SitePoint Guru
    There is no need to do the select and the loop. You can use replace directly in an update statement.

  5. #5
    longneck
    Quote Originally Posted by tooxic
    Thanks for your reply,
    I figured out the problem, some of the text in the $find1['text'] array had ' in them so it was creating an error in the command... when I added in str_replace("'", "", $oldtext); it fixed the issue
    this is NOT appropriate. mysql_real_escape_quote() was written specifically to escape characters for proper insertion of data and to help prevent SQL injection attacks.
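    The two suggestions in this thread combined, as an added example rather than code from any poster: post #4's single UPDATE with MySQL's REPLACE() function, and post #5's point that user input must never be spliced into the SQL text, done here with PDO prepared statements because the mysql_* functions (including mysql_real_escape_string) were removed in PHP 7. Assumed: a MySQL table `texts` with columns `id` and `text` as in post #1, and placeholder DSN and credentials.

```php
<?php
// Added example, not code from the thread. Rewrites the find/replace from
// post #1 as one UPDATE ... REPLACE() (post #4) with bound parameters so
// that quotes in the input are data, never SQL (post #5).
// Assumes a MySQL table `texts` (columns `id`, `text`); DSN and credentials
// below are placeholders.

function escapeLikePattern(string $s, string $esc = '!'): string
{
    // '%' and '_' remain wildcards inside LIKE even when the value is bound,
    // so a search for "100%" would otherwise also match "100 dollars".
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function findAndReplace(PDO $pdo, string $find, string $replace): int
{
    if ($find === '') {
        throw new InvalidArgumentException('find must not be empty');
    }
    // REPLACE() runs inside MySQL: no SELECT, no per-row loop, no second
    // round-trip per row. The placeholders carry the values, so an
    // apostrophe in $find or $replace cannot break the statement.
    $sql = "UPDATE `texts`
               SET `text` = REPLACE(`text`, :find, :replace)
             WHERE `text` LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':find'    => $find,
        ':replace' => $replace,
        ':pattern' => '%' . escapeLikePattern($find) . '%',
    ]);
    // Rows MySQL reports as changed. REPLACE() is case-sensitive while LIKE
    // follows the column collation, so a row can match yet stay unchanged.
    return $stmt->rowCount();
}

$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // replaces "or die()"
    PDO::ATTR_EMULATE_PREPARES => false,                  // server-side binding
]);

$changed = findAndReplace($pdo, $_REQUEST['find'] ?? '', $_REQUEST['replace'] ?? '');
echo "Rows updated: $changed\n";
```

    Binding the values also answers the question in post #6: escaping (or binding) does not convert apostrophes to anything, it just stops them from being interpreted as SQL, so the stored text keeps its original characters.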

  6. #6
    SitePoint Zealot
    so does the real escape convert apostrophes to the unicode equiv?

  7. #7
    longneck

