function formatSearchString($var)
{
$var = sanitizeString($var);
$var = sanitizeMySQL($var);
//separate out search words by any number of commas or
//space characters which include " ",\r,\t,\n and \f
$words = preg_split('/[\\s,]+/', $var);
$num = count($words);
for ($i = 0; $i < $num; ++$i) {
//all alphabetic characters stored in uppercase
$words[$i] = strtoupper($words[$i]);
}
$var = implode(" +", $words);
$var = "+" . $var;
return $var;
}
<?php
include 'database.php';
?>
<?php
// this scripts updates an exisiting record based on the id
if (isset($_POST['id']) && isset($_POST['task'])) {
// sanitizeMySQL() is a custom function, written below
// these values came from the form
$id = sanitizeMySQL($conn, $_POST['id']);
$task = sanitizeMySQL($conn, $_POST['task']);
$importance = sanitizeMySQL($conn, $_POST['importance']);
$length = sanitizeMySQL($conn, $_POST['length']);
$due = sanitizeMySQL($conn, $_POST['due']);
// the prepared statement - note: question marks represent
// variables we will send to database separately
// we don't check which fields the user changed - we just update all
$query = "UPDATE list SET task = ?,\n importance = ?,\n length = ?,\n due = ?\n WHERE id = ?";
// prepare the statement in db
if ($stmt = mysqli_prepare($conn, $query)) {
// bind the values to replace the question marks
// the order matters! so id is at end!
// note that 7 letters in 'sssidsi' MUST MATCH data types in table
// Type specification chars:
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'ssisi', $task, $importance, $length, $due, $id);
// executes the prepared statement with the values already set, above
mysqli_stmt_execute($stmt);
// close the prepared statement
mysqli_stmt_close($stmt);
<?php
include 'database.php';
?>
<?php
function sanitizeMySQL($conn, $var)
{
$var = strip_tags($var);
$var = mysqli_real_escape_string($conn, $var);
return $var;
}
if (isset($_POST['language'])) {
$language = sanitizeMySQL($conn, $_POST['language']);
$query = "SELECT * FROM slangdata WHERE language = ?";
if ($stmt = mysqli_prepare($conn, $query)) {
mysqli_stmt_bind_param($stmt, 's', $language);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id, $language, $word, $pronunciation, $translation, $example, $notes, $nsfw);
while (mysqli_stmt_fetch($stmt)) {
printf("<div class='%s'>", $nsfw);
printf("<p><span class='word'>%s</span>", stripslashes($word));
printf("<span class='pronounce'> %s </span></p>", stripslashes($pronunciation));
printf("<p class='translation'>%s</p>", stripslashes($translation));
printf("<p id='notes'>%s</p>", stripslashes($notes));
printf("<p id='ex'>%s</p>", stripslashes($example));
printf("<p class='%s'></p></div>", $nsfw);
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
}
if (isset($_POST['id'])) {
?>
<!-- write into the HTML - table headings -->
<table class="table table-hover">
<tr>
<th>Task</th>
<th>Importance</th>
<th>Length</th>
<th>Due</th>
</tr>
<tr>
<?php
// this calls the function above to make sure id is clean
$id = sanitizeMySQL($conn, $_POST['id']);
// get the row indicated by the id
$query = "SELECT * FROM list WHERE id = ?";
// another if-statement inside the first one ensures that
// code runs only if the statement was prepared
if ($stmt = mysqli_prepare($conn, $query)) {
// bind the id that came from inventory_update.php
mysqli_stmt_bind_param($stmt, 'i', $id);
// execute the prepared statement
mysqli_stmt_execute($stmt);
// next line handles the row that was selected - all fields
// it is "_result" because it is the result of the query
mysqli_stmt_bind_result($stmt, $id, $task, $importance, $length, $due);
// handle the data we fetched with the SELECT statement ...
while (mysqli_stmt_fetch($stmt)) {
// another way to write variables into the HTML!
* If ok - login and go to index.html
* if not - display error message
*/
session_start();
require_once "functions/function.inputSanitizer.inc.php";
require_once "classes/class.User.inc.php";
require_once "classes/class.DbConnect.inc.php";
require_once "functions/function.inputSanitizer.inc.php";
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$db = Conn::getInstance();
$conn = $db->getConnection();
$user = new User($conn);
$email = sanitizeMySQL($conn, $_POST['userEmail']);
$password = sanitizeMySQL($conn, $_POST['userPassword']);
$password2 = sanitizeMySQL($conn, $_POST['userPassword2']);
$nick = sanitizeMySQL($conn, $_POST['userNick']);
if (strlen($nick) < 4) {
echo "Twój nick musi mieć długość conajmniej 4 znaków!";
} elseif (strlen($password) < 6) {
echo "Twoje hasło musi mieć conajmniej 6 znaków! (a-z, A-Z, 0-9)";
} elseif ($password !== $password2) {
echo "Podałeś różne hasła! Spróbuj ponownie.";
} else {
if ($user->registerUser($email, $password, $nick)) {
header("Location: index.php");
} else {
echo "Nie udało się zarejestrować użytkownika";
}
}
}
?>
$var = sanitizeString($var);
return $var;
}
if (isset($_POST['submit'])) {
//check if the form has been submitted
if (empty($_POST['favoritegraphicnovel']) || empty($_POST['age']) || empty($_POST['gender']) || empty($_POST['genre'])) {
echo "<center><p>Please fill out all of the form fields!</p></center>";
} else {
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
$favoritegraphicnovel = sanitizeMySQL($conn, $_POST['favoritegraphicnovel']);
$age = sanitizeMySQL($conn, $_POST['age']);
$gender = sanitizeMySQL($conn, $_POST['gender']);
$genre = sanitizeMySQL($conn, $_POST['genre']);
$query = "INSERT INTO user_information(user_id,user_age,user_gender,user_genre) VALUES(NULL,\"{$age}\", \"{$gender}\", \"{$genre}\") ";
$result = $conn->query($query);
$theid = $conn->insert_id;
$query2 = "INSERT INTO user_graphic(user_id2,graphic_novel) VALUES({$theid},\"{$favoritegraphicnovel}\")";
$_SESSION['favoritegraphicnovel2'] = $favoritegraphicnovel;
$_SESSION['age2'] = $age;
$_SESSION['gender2'] = $gender;
$_SESSION['genre2'] = $genre;
$result2 = $conn->query($query2);
if (!$result) {
echo "<p>Database access failed</p>";
die("Database access failed: " . $conn->error);
} else {
header("Location: results.php");
}
require_once 'similarusers.php';
require_once 'basedonstats.php';
function sanitizeString($var)
{
$var = stripslashes($var);
$var = strip_tags($var);
$var = htmlentities($var);
return $var;
}
function sanitizeMySQL($connection, $var)
{
$var = $connection->real_escape_string($var);
$var = sanitizeString($var);
return $var;
}
$favoritegraphicnovel3 = sanitizeMySQL($conn, $_SESSION["favoritegraphicnovel2"]);
echo "<br>";
echo "<p>Since you liked " . $favoritegraphicnovel3 . "...</p>";
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
# This query will do two things - first get the book_id of the baook they submitted
# then use that in a query to get all the recs from the recs table
# then we don't have to have those big chunks of code where you're hard-coding
# every book title and what to do (that is impossible to maintain once you get more
# than a handful of books)
$query = "SELECT books.books_title,books.books_author,books.books_link FROM books JOIN recs ON\nbooks.books_id=recs.recs_id WHERE recs.id_number LIKE \n(SELECT books_id FROM books WHERE books_title LIKE \"%" . $_SESSION["favoritegraphicnovel2"] . "%\")";
$result = $conn->query($query);
if (!$result) {
die("Database access failed: " . $conn->error);
</head>
<title>Game of Thrones - View Character</title>
<body>
<?php
/*include files*/
include_once 'header.php';
require_once 'login.php';
/*Create connection*/
$conn = new mysqli($hn, $un, $pw, $db);
/*Check connection*/
if ($conn->connect_error) {
die($conn->connect_error);
}
/*Get character*/
if (isset($_GET['id'])) {
$id = sanitizeMySQL($conn, $_GET['id']);
/*Database query*/
$query = "SELECT * FROM characters WHERE characterID=" . $id;
$result = $conn->query($query);
if (!$result) {
die("Invalid character id.");
}
$rows = $result->num_rows;
/*Is ID valid?*/
if ($rows == 0) {
echo "No character found with id of {$id}<br>";
} else {
while ($row = $result->fetch_assoc()) {
/*Query result is displayed*/
echo "<table><tr><th>ID</th><th>Frist Name</th><th>Last Name</th><th>Also known as</th><th>Origin</th><th>Affiliation</th><th>Role</th></tr>";
echo '<tr>';
require_once 'includes/login.php';
require_once 'includes/functions.php';
if (isset($_POST['submit'])) {
//check if the form has been submitted
if (empty($_POST['user_name']) || empty($_POST['password']) || empty($_POST['first_name']) || empty($_POST['last_name']) || empty($_POST['email'])) {
$message = '<p>Please fill out all of the form fields!</p>';
} else {
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
$user_name = sanitizeMySQL($conn, $_POST['user_name']);
$password = sanitizeMySQL($conn, $_POST['password']);
$first_name = sanitizeMySQL($conn, $_POST['first_name']);
$last_name = sanitizeMySQL($conn, $_POST['last_name']);
$email = sanitizeMySQL($conn, $_POST['email']);
$salt1 = "rI3l*";
$salt2 = "@6HgY";
$token = hash('ripemd128', $salt1 . $password . $salt2);
$query = "INSERT INTO users (`user_name`, `password`, `first_name`, `last_name`, `email`) VALUES('{$user_name}', '{$token}', '{$first_name}', '{$last_name}', '{$email}' )";
$result = $conn->query($query);
if (!$result) {
die("database access failed: " . $conn->error);
} else {
$goto = '/Haunted-ILS/sign_in.php';
header('Location: ' . $goto);
}
}
}
?>
function mysql_entities_fix_string($conn, $string)
{
return htmlentities(sanitizeMySQL($conn, $string));
}
<?php
include_once 'header.php';
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
?>
<div id="chefpage">
<?php
//Retrieve selected chef
if (isset($_GET['Chef_ID'])) {
$chefid = sanitizeMySQL($conn, $_GET['Chef_ID']);
$query = "SELECT Chefs.*,Family_Members.* FROM Chefs NATURAL JOIN Family_Members WHERE Chefs.Chef_ID=" . $chefid;
$result = $conn->query($query);
if (!$result) {
die("Invalid chef id.");
}
$rows = $result->num_rows;
//checks to see if chef id is valid
if ($rows == 0) {
echo "<p class=\\'error\\'> No chef found with id of {$chefid}<br></p>";
} elseif ($rows > 0) {
while ($row = $result->fetch_assoc()) {
echo '<div class=\'chef\'><h2 class=\'subtitle\'>' . $row['First_Name'] . " " . $row['Last_Name'] . '</h2>';
echo "<div><img src=\"images/" . $row['Image_Path'] . "\" alt=\"chef photo\"width=\"250\" height=\"250\"></img></div></div>";
//Loop through and find chef's recipes
$query2 = "SELECT Recipe_ID, Title FROM Recipe_Information WHERE Chef_ID=" . $chefid;
$result2 = $conn->query($query2);
if (!$result2) {
include 'database.php';
?>
<?php
if (isset($_POST['tags'])) {
//Insert a new video entry and bind its id to $video_id
$query = "INSERT INTO videos VALUES (NULL)";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_execute($stmt);
$result = mysqli_query($conn, "SELECT id FROM videos ORDER BY ID DESC LIMIT 1");
$row = mysqli_fetch_assoc($result);
$video_id = $row['id'];
mysqli_stmt_close($stmt);
//Retrieve relevant tag IDs
$tags = explode("|", sanitizeMySQL($conn, $_POST['tags']));
$tag_ids = array();
for ($i = 0; $i < count($tags); $i++) {
$query = "SELECT id FROM tags WHERE name=?";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 's', stripslashes($tags[$i]));
mysqli_stmt_execute($stmt);
$result;
mysqli_stmt_bind_result($stmt, $result);
mysqli_stmt_fetch($stmt);
array_push($tag_ids, $result);
mysqli_stmt_close($stmt);
}
//Insert new relations entries
foreach ($tag_ids as $tag_id) {
$query = "INSERT INTO relations VALUES ({$video_id}, {$tag_id})";
<?php
if ($_SERVER['REQUEST_METHOD'] = 'POST' && isset($_POST['editUser'])) {
if ($_POST['editUser'] == 'nick') {
if (strlen($_POST['newNick']) < 4) {
echo "Podałeś zbyt krótki nick!";
} else {
if ($user->updateNick(sanitizeMySQL($conn, $_POST['newNick']))) {
header("Location: userEdit.php");
//Refresh page to view updated user name
}
}
} elseif ($_POST['editUser'] == 'password') {
if ($_POST['newPassword1'] !== $_POST['newPassword2']) {
echo "Nowe hasła są różne! Spróbuj jeszcze raz";
} elseif (strlen($_POST['newPassword1']) < 6) {
echo "Twoje nowe hasło jest za krótkie!";
} else {
if ($user->updatePassword(sanitizeMySQL($conn, $_POST['oldPassword']), sanitizeMySQL($conn, $_POST['newPassword1']))) {
echo "Hasło zmienione!";
} else {
echo "Hasło nie zmienione!";
}
}
} elseif ($_POST['editUser'] == 'delete') {
#TODO implement user prompt "ARE YOU SURE?"
$user->deleteUser();
header("Location: index.php");
}
}
?>
<?php
// this scripts updates an exisiting record based on the id
if (isset($_POST(['id'])) && isset($_POST(['name']))) {
// sanitizeMySQL() is a custom function, written below
// these values came from the form
$id = sanitizeMySQL($conn, $_POST(['id']));
$month = sanitizeMySQL($conn, $_POST(['month']));
$day = sanitizeMySQL($conn, $_POST(['day']));
$year = sanitizeMySQL($conn, $_POST(['year']));
$location = sanitizeMySQL($conn, $_POST(['location']));
$temperature_high = sanitizeMySQL($conn, $_POST(['temperature_high']));
$temperature_low = sanitizeMySQL($conn, $_POST(['temperature_low']));
$conditions = sanitizeMySQL($conn, $_POST(['conditions']));
$rainfall = sanitizeMySQL($conn, $_POST(['rainfall']));
// create a new PHP timestamp
date_default_timezone_set('America/New_York');
$date = date('m-d-Y', time());
// the prepared statement - note: question marks represent
// variables we will send to database separately
// we don't check which fields the user changed - we just update all
$query = "UPDATE weather SET month = ?,\n day = ?,\n year = ?,\n location = ?,\n temperature_high = ?,\n temperature_low = ?,\n conditions = ?,\n rainfall = ?\n WHERE id = ?";
// prepare the statement in db
if ($stmt = mysqli_prepare($conn, $query)) {
// bind the values to replace the question marks
// the order matters! so id is at end!
// note that 7 letters in 'sssidsi' MUST MATCH data types in table
// Type specification chars:
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'ssssssssi', $month, $day, $year, $location, $temperature_high, $temperature_low, $conditions, $rainfall, $id);
<!DOCTYPE html>
<?php
session_start();
include_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\header1215.php';
require_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\login.php';
require_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\functions.php';
if (isset($_POST['submit'])) {
if (empty($_POST['region'])) {
$message = '<p class="error">Please select a region</p>';
} else {
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
$region = sanitizeMySQL($conn, $_POST['region']);
$query = "SELECT title, language, countryDisplay FROM titles WHERE region = {$region} NATURAL JOIN ON countryCode";
$result = $conn->query($query);
if (!$result) {
die("Database access failed: " . $conn->error);
} else {
$message = "<p class=\"message\">Here are some translated reads from {$region} : " . $result;
}
}
}
?>
<html>
<head>
<title>Regions</title>
</head>
function sanitizeMySQL($var)
{
$var = mysql_real_escape_string($var);
$var = sanitizeString($var);
return $var;
}
function auth_is_fail()
{
echo "<h3>Не верная пара логин/пароль!</h3><br><div style=\"cursor: pointer;\"><u>Обновите страницу и попробуйте снова</u></div>";
}
function auth_is_win()
{
echo "<span class='label label-success'>Добро пожаловать!</span>";
echo "<script>\nsetTimeout(function () {\nlocation.reload();\n}, 1600); \n\n </script>";
}
include "../db_connect.php";
$email = sanitizeMySQL(sanitizeString($_POST['email']));
$question = sanitizeMySQL(sanitizeString($_POST['question']));
$query = "INSERT INTO `u0095203_ls`.`questions` (`id`, `email`, `question`) VALUES (NULL, '{$email}', '{$question}');";
//echo $query;
$result = mysql_query($query);
/*отправляем на почту Н*/
$theme = "Новый вопрос на www.ladystyle.su";
$headers = "Content-type: text/html; charset=utf-8 \r\n";
$headers .= "From: info@ladystyle.su\r\n";
$message = $question . '<br>' . $email . "<br><br><br>";
mail("*****@*****.**", "{$theme}", "{$message}", $headers);
//mail ("$email","$theme", "$message",$headers);
/*отправляем на почту К*/
?>
Ваш вопрос будет обработан в ближайшее время. Спасибо!
<?php
require_once 'includes/functions.php';
include_once 'includes/header.php';
require_once 'includes/login.php';
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
if (isset($_GET['characterID'])) {
$id = sanitizeMySQL($conn, $_GET['characterID']);
$query = "SELECT name, biography, image_path FROM characters WHERE characterID=" . $id;
$result = $conn->query($query);
if (!$result) {
die("Invalid character id.");
}
$rows = $result->num_rows;
if ($rows == 0) {
echo "No character found with id of {$id}<br>";
} else {
while ($row = $result->fetch_assoc()) {
echo '<h1>Character Information</h1>';
if ($row["image_path"]) {
echo "<img src=\"images/" . $row["image_path"] . '">';
}
echo '<h3>' . '<p>' . $row["name"] . '</p>' . '</h3>';
echo "<h4><table border=1 style=width:75%><tr><th>Biography</th></tr>";
echo '<tr>';
echo "<td>" . $row["biography"] . "</td";
echo '</tr>';
echo "</table></h4>";
<?php
session_start();
include_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\header1215.php';
require_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\login.php';
require_once 'C:\\xampp\\htdocs\\finalMcCabe\\includes\\functions.php';
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$message = '<p class="error">Please fill out ALL of the form fields</p>';
} else {
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
$username = sanitizeMySQL($conn, $_POST['username']);
$password = sanitizeMySQL($conn, $_POST['password']);
$salt1 = "qm&h*";
$salt2 = "pg!@";
$password = hash('ripemd128', $salt1 . $password . $salt2);
$query = "SELECT f_name FROM readers WHERE username='******' AND password='******'";
$result = $conn->query($query);
if (!$result) {
die($conn->error);
}
$rows = $result->num_rows;
if ($rows == 1) {
$row = $result->fetch_assoc();
$_SESSION['f_name'] = $row['f_name'];
$goto = empty($_SESSION['goto']) ? '/titles/' : $_SESSION['goto'];
header('Location: ' . $goto);
exit;
<?php
include 'database.php';
?>
<?php
if (isset($_POST['game']) && isset($_POST['console'])) {
$customer = sanitizeMySQL($conn, $_POST['customer']);
$game = sanitizeMySQL($conn, $_POST['game']);
$console = sanitizeMySQL($conn, $_POST['console']);
$price = sanitizeMySQL($conn, $_POST['price']);
$quantity = sanitizeMySQL($conn, $_POST['quantity']);
$query = "INSERT INTO game_catalog (customer_initials, game, console, price, quantity) VALUES (?, ?, ?, ?, ?)";
if ($stmt = mysqli_prepare($conn, $query)) {
mysqli_stmt_bind_param($stmt, 'sssdi', $customer, $game, $console, $price, $quantity);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($conn);
}
} else {
echo "Failed to enter!";
}
function sanitizeMySQL($conn, $var)
{
$var = strip_tags($var);
$var = mysqli_real_escape_string($conn, $var);
return $var;
}
require_once "functions/function.inputSanitizer.inc.php";
require_once "classes/class.DbConnect.inc.php";
require_once "classes/class.User.inc.php";
require_once "classes/class.Tweet.inc.php";
require_once "classes/class.Comment.inc.php";
require_once "classes/class.Message.inc.php";
require_once "includes/userLoginCheck.inc.php";
/**
* Upload from DB the data of the user who is the 'owner' of the page
*/
$visitedUser = new User($conn);
$visitedUser->loadFromDB(sanitizeMySQL($conn, $_GET['user']));
if ($_SERVER['REQUEST_METHOD'] = 'POST' && isset($_POST['messageText'])) {
if (strlen($_POST['messageText']) > 5 && strlen($_POST['messageText']) < 60) {
$message = new Message($conn);
if ($message->createMessage($user->getId(), $visitedUser->getId(), sanitizeMySQL($conn, $_POST['messageText']))) {
header("Location: userPage.php?user="******"");
}
}
}
?>
<!DOCTYPE html>
<html lang="pl-PL">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<title>MyTwitt</title>
<!-- Bootstrap -->
$tweet = new Tweet($conn);
if (strlen($_POST['tweetText']) > 140) {
echo "Twój tweet jest za długi";
} else {
if (!$tweet->createTweet($user->getId(), sanitizeMySQL($conn, $_POST['tweetText']))) {
echo "BŁĄD!";
}
}
}
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['commentText'])) {
if (strlen($_POST['commentText']) > 5) {
$comment = new Comment($conn);
$comment->createComment($user->getId(), sanitizeMySQL($conn, $_POST['tweetID']), sanitizeMySQL($conn, $_POST['commentText']));
} else {
echo "Twój komentarz jest za krótki";
}
}
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['tweetDelete'])) {
$tweet = new Tweet($conn);
$tweet->loadFromDB(sanitizeMySQL($conn, $_POST['tweetDelete']));
$tweet->deleteTweet();
}
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['commentDelete'])) {
$comment = new Comment($conn);
$comment->loadFromDB(sanitizeMySQL($conn, $_POST['commentDelete']));
$comment->deleteComment();
}
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['userLogout'])) {
$user->logOut();
header("Location: index.php");
}
include 'database.php';
?>
<?php
// this scripts updates an exisiting record based on the id
if (isset($_POST['id']) && isset($_POST['name'])) {
// sanitizeMySQL() is a custom function, written below
// these values came from the form
$id = sanitizeMySQL($conn, $_POST['id']);
$name = sanitizeMySQL($conn, $_POST['name']);
$school = sanitizeMySQL($conn, $_POST['school']);
$grade = sanitizeMySQL($conn, $_POST['grade']);
$plan = sanitizeMySQL($conn, $_POST['plan']);
$quantity = sanitizeMySQL($conn, $_POST['quantity']);
$price = sanitizeMySQL($conn, $_POST['price']);
// create a new PHP timestamp
date_default_timezone_set('America/New_York');
$date = date('m-d-Y', time());
// the prepared statement - note: question marks represent
// variables we will send to database separately
// we don't check which fields the user changed - we just update all
$query = "UPDATE sales SET name = ?,\n school = ?,\n grade = ?,\n plan = ?,\n quantity = ?,\n price = ?,\n updated = ?\n WHERE id = ?";
// prepare the statement in db
if ($stmt = mysqli_prepare($conn, $query)) {
// bind the values to replace the question marks
// the order matters! so id is at end!
// note that 7 letters in 'sssidsi' MUST MATCH data types in table
// Type specification chars:
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'ssssidsi', $name, $school, $grade, $plan, $quantity, $price, $date, $id);
# Check if the user entered an order and it isn't empty
if (isset($_POST['order']) && !empty($_POST['order']) || isset($_POST['family']) && !empty($_POST['family']) || isset($_POST['genus']) && !empty($_POST['genus']) || isset($_POST['species']) && !empty($_POST['species']) || isset($_POST['tissueBox']) && !empty($_POST['tissueBox']) || isset($_POST['tissueRack']) && !empty($_POST['tissueRack']) || isset($_POST['extractBox']) && !empty($_POST['extractBox']) || isset($_POST['extractRack']) && !empty($_POST['extractRack'])) {
# Connect to the db like usual
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) {
die($conn->connect_error);
}
# Grab our order we want to search for and make it safe for MySQL
$order = sanitizeMySQL($conn, $_POST['order']);
$family = sanitizeMySQL($conn, $_POST['family']);
$genus = sanitizeMySQL($conn, $_POST['genus']);
$species = sanitizeMySQL($conn, $_POST['species']);
$tissueBox = sanitizeMySQL($conn, $_POST['tissueBox']);
$tissueRack = sanitizeMySQL($conn, $_POST['tissueRack']);
$extractBox = sanitizeMySQL($conn, $_POST['extractBox']);
$extractRack = sanitizeMySQL($conn, $_POST['extractRack']);
# array to hold all our pieces of our WHERE statement
$whereStatement = array();
# Check if they entered something, if so write that piece of the query
if ($order != "") {
$whereStatement[] = "orders LIKE \"%{$order}%\"";
}
if ($family != "") {
$whereStatement[] = "family LIKE \"%{$family}%\"";
}
if ($genus != "") {
$whereStatement[] = "genus LIKE \"%{$genus}%\"";
}
if ($species != "") {
$whereStatement[] = "species LIKE \"%{$species}%\"";
}
<?php
include 'database.php';
?>
<?php
if (isset($_POST['videoId_Request']) && isset($_POST['tags_Request']) && isset($_POST['requester_Request'])) {
$videoId = sanitizeMySQL($conn, $_POST['videoId_Request']);
$tags = explode(",", sanitizeMySQL($conn, $_POST['tags_Request']));
$requester = sanitizeMySQL($conn, $_POST['requester_Request']);
foreach ($tags as $tag) {
$query = "INSERT INTO requests(video_id, requester, tag) VALUES(?, ?, ?)";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 'iss', $videoId, $requester, $tag);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
}
mysqli_close($conn);
echo "Your request for the addition of the following tags has been submitted:<ul>";
foreach ($tags as $tag) {
echo "<li>" . stripcslashes($tag) . "</li>";
}
echo "</ul>";
echo "<p id='resetRequestForm' onclick='resetRequestForm()'>Submit Another Request</p>";
}
function sanitizeMySQL($conn, $var)
{
$var = strip_tags($var);
$var = mysqli_real_escape_string($conn, $var);
return $var;
}
<?php
include_once 'header.php';
//$conn = new mysqli($hn, $un, $pw, $db);
//if ($conn->connect_error) die($conn->connect_error);
echo '<h2 class=\'subtitle\'>Recipe Information</h2>';
if (isset($_GET['Recipe_ID'])) {
$id = sanitizeMySQL($conn, $_GET['Recipe_ID']);
$query = "SELECT Recipe_Information.*, Family_Members.First_Name, Family_Members.Last_Name FROM Recipe_Information LEFT JOIN Chefs ON Recipe_Information.Chef_ID=Chefs.Chef_ID INNER JOIN Family_Members ON Chefs.Member_ID = Family_Members.Member_ID WHERE Recipe_Information.Chef_ID=Chefs.Chef_ID AND Recipe_Information.Recipe_ID=" . $id;
$result = $conn->query($query);
if (!$result) {
die("Invalid recipe id.");
}
$rows = $result->num_rows;
if ($rows == 0) {
echo "<p class=error> No recipe found with id of {$id}<br></p>";
} else {
while ($row = $result->fetch_assoc()) {
echo "<p><strong>" . $row["Title"], "</strong></p><div class=recipetext>";
echo "<p>Chef: <a href=\"viewchef.php?Chef_ID=" . $row['Chef_ID'] . "\">" . $row['First_Name'] . " " . $row['Last_Name'] . "</a></p>";
echo $row['Full_Recipe'] . "<br>";
}
echo "</div>";
}
} else {
echo "<p class=error> No recipe id passed </p>";
}
include_once 'footer.php';
function sanitizeString($var)
{
$var = stripslashes($var);
<?php
include 'database.php';
?>
<?php
// This is the "prepared statement" version of this file
if (isset($_POST['title']) && isset($_POST['genre'])) {
// sanitizeMySQL() is a custom function, written below
$title = sanitizeMySQL($conn, $_POST['title']);
$year = sanitizeMySQL($conn, $_POST['year']);
$genre = sanitizeMySQL($conn, $_POST['genre']);
$summary = sanitizeMySQL($conn, $_POST['summary']);
// the prepared statement - note: 6 question marks represent
// 6 variables we will send to database separately
$query = "INSERT INTO movies (title, year, genre, summary)\n VALUES (?, ?, ?, ?)";
// prepare the statement in db
if ($stmt = mysqli_prepare($conn, $query)) {
// bind the values to replace the 6 question marks
// note that 6 letters in 'sssids' MUST MATCH data types in table
// Type specification chars:
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'siss', $title, $year, $genre, $summary);
// executes the prepared statement with the values already set, above
mysqli_stmt_execute($stmt);
// close the prepared statement
mysqli_stmt_close($stmt);
// close db connection
mysqli_close($conn);
}
// end if prepare
<!--HANDLES FORM SUBMISSION-->
<?php
include 'database.php';
?>
<?php
if (isset($_POST['language']) && isset($_POST['word'])) {
$language = sanitizeMySQL($conn, $_POST['language']);
$word = sanitizeMySQL($conn, $_POST['word']);
$pronunciation = sanitizeMySQL($conn, $_POST['pronunciation']);
$translation = sanitizeMySQL($conn, $_POST['translation']);
$example = sanitizeMySQL($conn, $_POST['example']);
$notes = sanitizeMySQL($conn, $_POST['notes']);
$nsfw = sanitizeMySQL($conn, $_POST['nsfw']);
$query = "INSERT INTO slangdata (language, word, pronunciation, translation, example, notes, nsfw)\n VALUES (?, ?, ?, ?, ?, ?, ?)";
if ($stmt = mysqli_prepare($conn, $query)) {
// i - integer, s - string , d - double (decimal), b - blob
mysqli_stmt_bind_param($stmt, 'sssssss', $language, $word, $pronunciation, $translation, $example, $notes, $nsfw);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($conn);
}
} else {
echo "Failed to submit!";
}
function sanitizeMySQL($conn, $var)
{
$var = strip_tags($var);
$var = mysqli_real_escape_string($conn, $var);
return $var;
}
