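}
// Optional address columns for the Persons INSERT. A field is added to the
// column list ($query_head) and the VALUES list ($query_tail) only when the
// form sent it as a non-empty string.
//
// Each text value is wrapped in single quotes. Escaping only protects a value
// that sits inside a quoted SQL literal: left unquoted, a plain city name is
// parsed as an identifier and the statement fails, and escaped input is not
// confined to the value position.
// NOTE(review): this assumes sanitize_mysql() returns the escaped text without
// surrounding quotes; confirm against its definition.

// city -> city_person
if (!empty($_POST["city"]) && is_string($_POST["city"])) {
    $city = sanitize_mysql($_POST["city"]);
    $query_head .= ",city_person";
    $query_tail .= ",'{$city}'";
}
// state -> state_person
if (!empty($_POST["state"]) && is_string($_POST["state"])) {
    $state = sanitize_mysql($_POST["state"]);
    $query_head .= ",state_person";
    $query_tail .= ",'{$state}'";
}
// zip -> postcode_person
if (!empty($_POST["zip"]) && is_string($_POST["zip"])) {
    $zip = sanitize_mysql($_POST["zip"]);
    $query_head .= ",postcode_person";
    $query_tail .= ",'{$zip}'";
}
// Close the column list and the VALUES list, then join them into one statement.
$query_head .= ")";
$query_tail .= ");";
//echo "Query is:<br>".$query_head."<br>".$query_tail."</p>";
$query = $query_head . $query_tail;
$result = update_query($cxn, $query);
// Anything other than exactly 1 from update_query() is treated as a failure.
if ($result !== 1) {
    echo "Error updating record: " . mysqli_error($cxn);
} else {
    // NOTE(review): $sca_name is assigned above this excerpt. It is written
    // into HTML here and into a quoted SQL literal below, so it needs HTML
    // escaping for the echo and SQL escaping for the query; confirm both are
    // applied where it is set.
    echo "Successfully added {$sca_name} to the Database.<p>\n";
    // Reads the new row back by name. NOTE(review): a second person with the
    // same name would also match; mysqli_insert_id($cxn) would identify the
    // row just inserted, if update_query() leaves it available.
    $query = "SELECT id_person from Persons where name_person='{$sca_name}';";
    $result = mysqli_query($cxn, $query) or die("Couldn't execute query");
    $person = mysqli_fetch_array($result);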
// Tail of the statement builder for one combat type's marshal warrant: the
// column list grows in $update_head and the matching values in $update_tail.
// NOTE(review): the card value below is appended without quotes and without an
// escaping call on this line; confirm it is validated as a number where
// $dynmcard is filled.
$update_tail = $update_tail . ", {$dynmcard[$i]}";
}
if ($dynmdate[$i] != NULL) {
    $update_head = $update_head . ", expire_marshal";
    // NOTE(review): the date is quoted but not passed through sanitize_mysql()
    // here; confirm it is validated or escaped where $dynmdate is filled.
    $update_tail = $update_tail . ", '{$dynmdate[$i]}'";
}
if ($dynmnote[$i] != NULL) {
    $update_head = $update_head . ", note_marshal";
    // The free-text note is both escaped and placed inside a quoted literal.
    $update_tail = $update_tail . ", '" . sanitize_mysql($dynmnote[$i]) . "'";
}
// Close the column list and the value list and join them into one statement.
$update = $update_head . ") " . $update_tail . ")";
}
if (DEBUG) {
    // Prints the full statement, including submitted values, into the page.
    echo "Update query for {$name_combat} is:{$update}<p>";
}
// Status message for the user.
// NOTE(review): sanitize_mysql() is SQL escaping, not HTML escaping, and the
// other values are interpolated as they are; unless form_subtitle() escapes
// its argument, these values reach the page unescaped. Confirm.
// NOTE(review): this message indexes the arrays with $id_combat while the
// statement above indexes them with $i; confirm both refer to the same entry.
echo form_subtitle("Updated {$name_combat} warrant: "
    . "expires on {$dynmdate[$id_combat]}, card number {$dynmcard[$id_combat]},"
    . " currently active is {$dynmact[$id_combat]}, and with note '"
    . sanitize_mysql($dynmnote[$id_combat]) . "'");
$result = update_query($cxn, $update);
// Anything other than exactly 1 from update_query() is reported as an error.
if ($result !== 1) {
    echo "Error updating warrant date/card number: " . mysqli_error($cxn);
}
}
// Else data wasn't changed so do nothing
$i++;
}
// Now we update based on check marks. Note that these entries *can* get deleted.
// if dynmidauth is not set, then no boxes were checked and all entries can be
// deleted in one mass update
// NEED TO ADD CHECKING SO THAT Persons_CombatCard has to have entry before we update
// NOTE: We delay query to here, so Persons_CombatCards table is already update
//
// The query lists every marshal type with its combat type, left-joined to this
// person's combat card for that combat type and to the marshal entries this
// person already holds.
// NOTE(review): $id_person is interpolated twice without quotes; confirm it is
// validated as an integer where it is set.
$query_marshals = "SELECT * FROM\n (SELECT * FROM \n (SELECT id_marshal, name_marshal, Combat.id_combat, name_combat \n FROM Marshals, Combat \n WHERE Marshals.id_combat = Combat.id_combat \n ORDER BY name_combat, name_marshal) AS AC\n LEFT JOIN \n (SELECT id_person_combat_card as ipcc, id_person as ip, \n expire_marshal as p_ea, card_marshal as p_cn, id_combat as ic\n FROM Persons_CombatCards\n WHERE id_person={$id_person}) AS PCC\n ON AC.id_combat=PCC.ic) AS ACPCC\nLEFT JOIN\n ( SELECT id_marshal as ia, id_person as idp\n FROM Persons_Marshals\n WHERE id_person={$id_person}) AS AU\nON ACPCC.ip=AU.idp AND ACPCC.id_marshal=AU.ia;";
if (DEBUG) {
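/* Add Events to the database
 *
 * Handles the "add event" form: builds an INSERT for the Events table from
 * the posted fields. Only users with Herald permission level 3 or higher
 * reach the form handling.
 */
if (DEBUG) {
    // Prints the whole session array into the page; DEBUG must be off on any
    // deployment that other people can reach.
    var_dump($_SESSION);
}
if (permissions("Herald") >= 3) {
    //
    // If we got here from Post:
    // - add the new site and include a message
    // - reset the form?
    // NOTE(review): the connection comes from open_db_browse() although an
    // INSERT is built below; confirm which privileges that account holds.
    $cxn = open_db_browse();
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // Build the update query: column names go into $query_head, the
        // matching values into $query_tail.
        $query_head = "INSERT INTO Events (name_event";
        $query_tail = " VALUES (";
        // A missing or non-string name is treated as an empty string instead of
        // handing an undefined index or an array to sanitize_mysql().
        $name_event = sanitize_mysql(
            isset($_POST["name_event"]) && is_string($_POST["name_event"]) ? $_POST["name_event"] : ""
        );
        $query_tail .= "'{$name_event}'";

        // The ids are written into the statement without quotes, so they are
        // validated as integers. is_numeric() also accepts floats and exponent
        // notation, which do not belong in an id column.
        $varname = "id_group";
        $id_group = filter_var(isset($_POST[$varname]) ? $_POST[$varname] : null, FILTER_VALIDATE_INT);
        if ($id_group === false || $id_group === 0) {
            // Missing, empty, zero or non-integer input: store -1.
            $id_group = -1;
        }
        $query_head .= ",{$varname}";
        $query_tail .= ",{$id_group}";

        $varname = "id_site";
        $id_site = filter_var(isset($_POST[$varname]) ? $_POST[$varname] : null, FILTER_VALIDATE_INT);
        if ($id_site === false || $id_site <= 0) {
            // Only positive integers are accepted; everything else becomes -1.
            $id_site = -1;
        }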
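<?php
// Add an award. Requires Herald permission level 3 or higher.
if (permissions("Herald") < 3) {
    // We don't have permission to add awards so let's just exit now.
    echo '<p class="error"> This page has been accessed in error.</p>';
    exit_with_footer();
}
$cxn = open_db_browse();
// The permission level is checked again here, so the INSERT is not built for
// an unauthorised user even if exit_with_footer() were to return.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && permissions("Herald") >= 3) {
    // We have a form submission.
    // Note: we allow for addition of multiple awards which is why the blank
    // award form will reappear at the bottom of the page
    //
    // Column names are collected in $query_head and the matching values in
    // $query_tail. The award name is escaped and placed in a quoted literal.
    // NOTE(review): a prepared statement would remove the manual escaping, but
    // update_query() takes a finished SQL string, so that needs a change to
    // the helper as well.
    $query_head = "INSERT INTO Awards(name_award";
    $query_tail = " VALUES('" . sanitize_mysql($_POST["name_award"]) . "'";

    // Optional foreign keys. They are written without quotes, so each one is
    // validated as an integer; is_numeric() would also let floats and exponent
    // notation through. Missing, empty, zero and non-integer values are left
    // out of the statement.
    foreach (array("id_group", "id_kingdom", "id_rank") as $award_fk) {
        $award_fk_value = filter_var(
            isset($_POST[$award_fk]) ? $_POST[$award_fk] : null,
            FILTER_VALIDATE_INT
        );
        if ($award_fk_value !== false && $award_fk_value !== 0) {
            $query_head .= ",{$award_fk}";
            $query_tail .= ",{$award_fk_value}";
        }
    }

    $query = $query_head . ") " . $query_tail . ");";
    if (DEBUG) {
        // The statement contains the submitted award name, which is escaped
        // for SQL only, so it is HTML-escaped before being printed.
        echo "Insert Query is:<br>" . htmlspecialchars($query, ENT_QUOTES) . "<p>";
    }
    $result = update_query($cxn, $query);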
// Tail of the statement builder for one combat type's authorization card: the
// column list grows in $update_head and the matching values in $update_tail.
// NOTE(review): the card value below is appended without quotes and without an
// escaping call on this line; confirm it is validated as a number where
// $dyncard is filled.
$update_tail = $update_tail . ", {$dyncard[$id_combat]}";
}
if ($dyndate[$id_combat] != NULL) {
    $update_head = $update_head . ", expire_authorize";
    // NOTE(review): the date is quoted but not passed through sanitize_mysql()
    // here; confirm it is validated or escaped where $dyndate is filled.
    $update_tail = $update_tail . ", '{$dyndate[$id_combat]}'";
}
if ($dynnote[$id_combat] != NULL) {
    $update_head = $update_head . ", note_authorize";
    // The free-text note is both escaped and placed inside a quoted literal.
    $update_tail = $update_tail . ", '" . sanitize_mysql($dynnote[$id_combat]) . "'";
}
// Close the column list and the value list and join them into one statement.
$update = $update_head . ") " . $update_tail . ")";
}
if (DEBUG) {
    // Prints the full statement, including submitted values, into the page.
    echo "Update query for {$name_combat} is:{$update}<p>";
}
// Status message for the user.
// NOTE(review): sanitize_mysql() is SQL escaping, not HTML escaping, and the
// other values are interpolated as they are; unless form_subtitle() escapes
// its argument, these values reach the page unescaped. Confirm.
echo form_subtitle("Updated {$name_combat} authorization: "
    . "expires on {$dyndate[$id_combat]}, card number {$dyncard[$id_combat]},"
    . " currently active is {$dynact[$id_combat]}, and with note '"
    . sanitize_mysql($dynnote[$id_combat]) . "'");
$result = update_query($cxn, $update);
// Anything other than exactly 1 from update_query() is reported as an error.
if ($result !== 1) {
    echo "Error updating authorization date/card number: " . mysqli_error($cxn);
}
}
// Else data wasn't changed so do nothing
$i++;
}
// Now we update based on check marks. Note that these entries *can* get deleted.
// if dynidauth is not set, then no boxes were checked and all entries can be deleted
// in one mass update
// NEED TO ADD CHECKING SO THAT Persons_CombatCard has to have entry before we update
// NOTE: We delay query to here, so Persons_CombatCards table is already update
//
// The query lists every authorization with its combat type, left-joined to
// this person's combat card for that combat type and to the authorizations
// this person already holds.
// NOTE(review): $id_person is interpolated twice without quotes; confirm it is
// validated as an integer where it is set.
$query_auths = "SELECT * FROM\n (SELECT * FROM \n (SELECT id_auth, name_auth, Combat.id_combat, name_combat \n FROM Authorizations, Combat \n WHERE Authorizations.id_combat = Combat.id_combat \n ORDER BY name_combat, name_auth) AS AC\n LEFT JOIN \n (SELECT id_person_combat_card as ipcc, id_person as ip, \n expire_authorize as p_ea, card_authorize as p_cn, id_combat as ic\n FROM Persons_CombatCards\n WHERE id_person={$id_person}) AS PCC\n ON AC.id_combat=PCC.ic) AS ACPCC\nLEFT JOIN\n ( SELECT id_auth as ia, id_person as idp\n FROM Persons_Authorizations\n WHERE id_person={$id_person}) AS AU\nON ACPCC.ip=AU.idp AND ACPCC.id_auth=AU.ia;";
if (DEBUG) {
}
// Optional text columns of the site INSERT. A field is added only when the
// form sent it as a non-empty string; the value is escaped with
// sanitize_mysql() and placed inside a single-quoted SQL literal. The column
// name comes from the fixed $varname string, never from the request.
$varname = "city_site";
if (!empty($_POST[$varname]) && is_string($_POST[$varname])) {
    $city_site = sanitize_mysql($_POST[$varname]);
    $query_tail .= ",'{$city_site}'";
    $query_head .= ",{$varname}";
}
$varname = "state_site";
if (!empty($_POST[$varname]) && is_string($_POST[$varname])) {
    $state_site = sanitize_mysql($_POST[$varname]);
    $query_tail .= ",'{$state_site}'";
    $query_head .= ",{$varname}";
}
$varname = "zip_site";
if (!empty($_POST[$varname]) && is_string($_POST[$varname])) {
    $zip_site = sanitize_mysql($_POST[$varname]);
    $query_tail .= ",'{$zip_site}'";
    $query_head .= ",{$varname}";
}
// Earlier handling of area_site as a posted field, kept disabled:
// $varname = "area_site";
// if (isset($_POST[$varname]) && !empty($_POST[$varname]) && is_string($_POST[$varname])) {
// $url_site = sanitize_mysql($_POST[$varname]);
// $query_head = $query_head.",$varname";
// $query_tail = $query_tail.",'$area_site'";
// }
// NOTE(review): this assigns $var_name, not $varname, so $varname still holds
// "zip_site" after this line; confirm which name the following code reads.
$var_name = "area_site";
//$area_site = "$street_site, $city_site, $state_site, $zip_site";
// area_site is derived from the parts collected above, starting with the
// street when one was given.
$area_site = !empty($street_site) ? "{$street_site}" : "";