Writing PHP to place a snippet of code into MySql

Posted: Fri Mar 03, 2006 5:59 pm
by utahfriend
Hello,

I am trying to create a page that allows me to dynamically build new web pages. To do that, I have to dynamically put a line of code into MySQL.

This is the line I want to be put in the database:

<?php $_SESSION[id]=$user_id; $pagename='$newpage'; ?>

where the $user_id and $newpage variables have previously been defined and their values must be put in as hard code (i.e. if $user_id is 13 and $newpage is 'index', the line in the database would look like:

<?php $_SESSION[id]=13; $pagename='index'; ?>

However, when I try to run the following code, I get all kinds of errors, such as:

"You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'index';' WHERE `template_name` = 'temp'' at line 1"

Here is the code I have written, any ideas would be appreciated on how to fix it:

<?PHP
include "g/global/database.php";
$user_id=13;
$newpage='index';

$temp_text="<?php $_SESSION[id]=$user_id; $pagename='$newpage';?>";


$queryString = "UPDATE template_wim SET template_header = '$temp_text' WHERE `template_name` = 'temp'";
mysql_query($queryString) or die(mysql_error());
    	

?>

Posted: Fri Mar 03, 2006 6:16 pm
by Chris Corbyn
mysql_escape_string()

You're putting unescaped quotes into a mysql query ;)

Posted: Fri Mar 03, 2006 6:42 pm
by utahfriend
That helped. However, I had to remove the "?>" at the end of the line to make it work, and then it drops "$_SESSION[id]". So I end up with:

<?php =13; =\'index\';

I also get an error still when it tries to put the string in the database:

"You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'index';' WHERE `template_name` = 'temp'' at line 1"

The new PHP I wrote is:

<?PHP
include "g/global/database.php";
$user_id=13;
$newpage='index';

$temp_text="<?php $_SESSION[id]=$user_id; $pagename='$newpage';";

$escaped_text = mysql_escape_string($temp_text);
printf("Escaped string: %s\n", $escaped_text);

$queryString = "UPDATE template_wim SET template_header = '$temp_text' WHERE `template_name` = 'temp'";
mysql_query($queryString) or die(mysql_error());
    	

?>

Posted: Fri Mar 03, 2006 7:03 pm
by neophyte

$queryString = "UPDATE template_wim SET template_header = '$temp_text' WHERE `template_name` = 'temp'";
So don't send the unescaped text to the db; send $escaped_text.

Posted: Fri Mar 03, 2006 8:09 pm
by utahfriend
Thank you. That lets it put it in the database.

Now, how do I get "$_SESSION[id]" and "?>" put back in the line?

Posted: Fri Mar 03, 2006 9:36 pm
by a94060
After you do the mysql escape string and put it into the db, how do you unescape when you retrieve them?

Posted: Sun Mar 05, 2006 7:22 am
by sheila
Now, how do I get "$_SESSION[id]" and "?>" put back in the line?

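// Single-quoted pieces keep $_SESSION and $pagename literal; only the values are concatenated in.
$temp_text = '<?php $_SESSION[id]=' . $user_id . '; $pagename=\'' . $newpage . "'; ?>";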
$escaped_text = mysql_escape_string($temp_text);

Posted: Sun Mar 05, 2006 10:43 pm
by utahfriend
Thank you! Problem Solved!!!!!

Posted: Sun Mar 05, 2006 10:47 pm
by John Cartwright
FYI, single quotes take text as is; double quotes will parse the variables.

In your case, the session variable was parsing as empty, so no string was entered into the query.

Posted: Sun Mar 05, 2006 11:04 pm
by utahfriend
That is very good to know, thanks!
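
Added example (not code from any poster in this thread): the same header line built with single-quoted literals and var_export(), then stored through a bound parameter so no manual escaping or unescaping is needed. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, the helper names build_header() and save_header() are hypothetical, and the session key is written as a quoted 'id'.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// the MySQL connection that g/global/database.php would provide (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE template_wim (template_name TEXT PRIMARY KEY, template_header TEXT)");
$db->exec("INSERT INTO template_wim (template_name) VALUES ('temp')");

// Hypothetical helper: build the header line for one page.
function build_header($user_id, $newpage)
{
    // Single quotes keep $_SESSION and $pagename as literal text.
    // var_export() renders each value as a PHP literal, so a quote inside
    // $newpage is escaped in the generated code instead of ending the string.
    return '<?php $_SESSION[\'id\']=' . var_export((int) $user_id, true)
         . '; $pagename=' . var_export((string) $newpage, true) . '; ?>';
}

// Hypothetical helper: store the header through a bound parameter, so the
// quotes inside it never become part of the SQL text.
function save_header(PDO $db, $template_name, $header)
{
    $stmt = $db->prepare(
        'UPDATE template_wim SET template_header = :header WHERE template_name = :name'
    );
    $stmt->execute([':header' => $header, ':name' => $template_name]);
    return $stmt->rowCount();
}

// Constructed inputs: the thread's values, then a page name containing a quote.
foreach ([[13, 'index'], [13, "o'brien"]] as [$user_id, $newpage]) {
    $header = build_header($user_id, $newpage);
    save_header($db, 'temp', $header);

    $read = $db->prepare('SELECT template_header FROM template_wim WHERE template_name = ?');
    $read->execute(['temp']);
    $stored = $read->fetchColumn();

    // The row holds exactly the string that was built; there is nothing to
    // unescape on retrieval, because escaping only ever applies to SQL text.
    echo $stored, "\n";
    var_dump($stored === $header);
}
```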