php echo html form coding problem syntax

Posted on 2007-07-22
Last Modified: 2013-12-12
I am trying to change a form to use
html entities
I am not sure how to write the code correctly!
echo'<form enctype="multipart/form-data" method="post">
        Maximum accepted filesize is '.(intval($maxsize/1024)).' KB.<br>
        You can upload only JPG and PNG pics<br><br>
        Photo Name:<br><input name="update_photo_title" type="text" size="20"><br>
I would like to change the line below to use html entities
Photo Description:<br><textarea name="update_photo_text" rows="3" cols="65"></textarea>
I have this from another script, between <html></html>
<p><textarea name="update_photo_text" rows="8" cols="65"><?php print htmlentities($_GET['update_photo_text']); ?></textarea></p>
I know that I am using POST and not GET, so GET should be POST!
I tried to change this line, to get it to work within the <?php echo''; ?>
Can you tell me how to fix this?

2. Should I re-code this line above
Photo Name:<br><input name="update_photo_title" type="text" size="20"><br>
to incorporate html entities?

Upload:<br><input name="userfile" type="file" size="40"><br>
       <input type="submit" value="  Upload File  " name="submit">

in the sql statement I would like to add

3. For security, can I use '".mysqli_real_escape_string($mysqli,$ID)."' in the sql statement, or is this only for use with the GET method? Should I use this with all sql insertions/updates of data?
Question by:derekstattin

    Expert Comment

    1 & 2:Assuming it's part of your original echo statement:

    echo'<form enctype="multipart/form-data" method="post">
            Maximum accepted filesize is '.(intval($maxsize/1024)).' KB.<br>
            You can upload only JPG and PNG pics<br><br>
        Photo Name:<br><input name="update_photo_title" type="text" size="20" value="'.htmlentities($_POST['update_photo_title']).'"><br>
    Photo Description:<br><textarea name="update_photo_text" rows="3" cols="65">'.htmlentities($_POST['update_photo_text']).'</textarea>';

    Long strings can get confusing, particularly when most of it is static (unchanging). I would recommend something like this:

    ?><form enctype="multipart/form-data" method="post">
        Maximum accepted filesize is <?php echo intval($maxsize/1024); ?> KB.<br />
        You can upload only JPG and PNG pics<br /><br />
            Photo Name:<br /><input name="update_photo_title" type="text" size="20" value="<?php echo htmlentities($_POST['update_photo_title']); ?>" /><br />
    Photo Description:<br /><textarea name="update_photo_text" rows="3" cols="65"><?php echo htmlentities($_POST['update_photo_text']); ?></textarea><?php

    (I've assumed you would put that in the middle of a PHP active area (between <?php and ?>) otherwise, just drop the ?> and <?php from either end)

    Yes, you should definitely use mysqli_real_escape_string in all your SQL statements, both GET and POST. (Make sure that MAGIC_QUOTES_GPC is off or you'll get double quoting, like:
    Ain\\'t SQL grand)

    I think I've suggested this to you before, but I really have to recommend you have a look at adding something like ADOdb in your site. It makes database access

    Expert Comment

    Woops, accidentally submitted the form. Anyway, ADOdb at
    It's quick and easy to set up and takes the pain out of quoting your strings (if you use the method shown below it handles that for you). You could use something like this:

    $db->Execute("UPDATE photos SET title = ?, text = ? WHERE id = ?", array($_POST['update_photo_title'], $_POST['update_photo_text'], $_POST['photo_id']));

    It also makes things easier if you are good with arrays. After telling ADOdb to return associative arrays:

    You can use things like
      $photo = $db->GetRow("SELECT * FROM photos WHERE id = ?", array($id));
    And then use
      $photo['text'] and $photo['title']

    And my favourite usage is something like this:
    $num_photos = $db->GetOne("SELECT COUNT(*) FROM photos");
    Now $num_photos has the number of photos in the database.

    Accessing databases should be easy. I would recommend ignoring the Recordset stuff in ADOdb to start with, because it can complicate things further.
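The form re-population the two comments above describe, written out as an added example that is not code from the original thread (the function names `e()` and `renderPhotoForm()`, the PHP 8 requirement and the two hostile inputs are assumptions for this illustration). It does what the expert's second version does, with two additions a practitioner would want: `htmlspecialchars()` is called with `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit charset (before PHP 8.1 the default flags of `htmlentities()`/`htmlspecialchars()` did not encode single quotes, which matters the day a value lands in a single-quoted attribute), and missing `$_POST` keys default to an empty string so the first render of an empty form emits no notices.

```php
<?php
// Added example (not from the original thread): re-populate the photo form
// with the user's previous input, encoded so it cannot break out of the
// attribute or textarea it is printed into. Function names and the sample
// inputs below are assumptions made for this illustration. Requires PHP 8.

declare(strict_types=1);

/** Encode a string for safe interpolation into HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and " (PHP < 8.1 left ' alone by default);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the upload form. $post is the submitted data (normally $_POST);
 * missing keys default to '' so the first, empty render raises no notices.
 */
function renderPhotoForm(array $post, int $maxsize): string
{
    $title = e((string) ($post['update_photo_title'] ?? ''));
    $text  = e((string) ($post['update_photo_text'] ?? ''));
    $kb    = intdiv($maxsize, 1024);

    return <<<HTML
<form enctype="multipart/form-data" method="post">
  Maximum accepted filesize is {$kb} KB.<br />
  You can upload only JPG and PNG pics<br /><br />
  Photo Name:<br /><input name="update_photo_title" type="text" size="20" value="{$title}" /><br />
  Photo Description:<br /><textarea name="update_photo_text" rows="3" cols="65">{$text}</textarea><br />
  Upload:<br /><input name="userfile" type="file" size="40" /><br />
  <input type="submit" value="  Upload File  " name="submit" />
</form>
HTML;
}

// Constructed inputs: the first tries to close the value attribute and inject
// a script tag, the second tries to close the textarea early.
$hostile = [
    'update_photo_title' => '"><script>alert(1)</script>',
    'update_photo_text'  => '</textarea><img src=x onerror=alert(2)>',
];

$html = renderPhotoForm($hostile, 2 * 1024 * 1024);
echo $html, "\n";

// Both payloads survive only as inert text: no raw '<', '>' or '"' from the
// user input reaches the markup.
assert(str_contains($html, 'value="&quot;&gt;&lt;script&gt;'));
assert(str_contains($html, '&lt;/textarea&gt;&lt;img'));
assert(!str_contains($html, '<script>'));
```

Run it from the command line with `php form.php`: the printed form shows the two payloads encoded inside the attribute and the textarea. The same `e()` helper should wrap every other value the page prints from the request or the database (photo titles on a gallery page included), not only the form fields.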

    Author Comment

    Thanks for the comments and for the help with the form!

    I will definitely get ADOdb,

    Can you help me with syntax, I have been stuck, when I use

    $updatephoto_sql = "UPDATE profile set (photo_title, photo_create_time, photo_text, photo_name ) VALUES ('".mysqli_real_escape_string($mysqli,$update_photo_title)."', now(), '".mysqli_real_escape_string($mysqli,$update_photo_text)."','$photo_name') where ID='$ID'";

    I get the sql error

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(photo_title, photo_create_time, photo_text, photo_name ) VALUES ('ggggggggg', n' at line 1



    Accepted Solution

    Ok. UPDATE works differently from INSERT

    To keep things simple and clean I'll just show some basic SQL statements based on the above, rather than containing all the extra clutter:

    UPDATE profile SET photo_title = 'ggggg', photo_create_time = '2007-07-23 13:45:12', photo_text = 'This is my photo' WHERE ID = '5';

    So simply include column = value pairs (separated by a comma) for each of the columns you want to update. A cut-down version of the syntax from the MySQL documentation is

    UPDATE tbl_name
        SET col_name1=expr1 [, col_name2=expr2 ...]
        [WHERE where_condition]

    Anything in square brackets is optional.

    Also, remember that you can look up the syntax of SQL at:

    If you fix your statement to use the correct syntax you should be right.
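Question 3 of the original post and the accepted solution above, combined into one added example that is not code from the thread or from ADOdb: the UPDATE with the correct `SET column = value` syntax, executed through mysqli prepared statements so the values are bound by the driver rather than escaped into the query string. On the question itself: `mysqli_real_escape_string()` is not tied to GET; it escapes whatever string it is handed, so it applies equally to POST data, and the expert's magic_quotes warning only concerns PHP before 5.4, where that setting was removed. Table and column names follow the thread; the connection details, the `updatePhoto()`/`getPhoto()` names and the use of `get_result()` (which needs the mysqlnd driver) are assumptions made here.

```php
<?php
// Added example (not from the original thread): the UPDATE from the question
// rewritten with the correct "SET col = value" syntax and mysqli prepared
// statements, so user input is never concatenated into the SQL string.
// Table and column names follow the thread; connection parameters, function
// names and the use of get_result() (mysqlnd) are assumptions.

declare(strict_types=1);

/** Update one profile row; returns the number of rows affected. */
function updatePhoto(mysqli $db, int $id, string $title, string $text, string $name): int
{
    // Correct UPDATE syntax: one "column = value" pair per column, no VALUES().
    // NOW() is evaluated by the server; the other values are bound parameters,
    // so quoting is handled by the driver, never by string building.
    $sql = 'UPDATE profile
               SET photo_title = ?, photo_create_time = NOW(), photo_text = ?, photo_name = ?
             WHERE ID = ?';

    $stmt = $db->prepare($sql);
    // Type string: 's' = string, 'i' = integer, in the same order as the '?'s.
    $stmt->bind_param('sssi', $title, $text, $name, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/** Read a row back the same way (the ADOdb GetRow pattern, in plain mysqli). */
function getPhoto(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT photo_title, photo_text, photo_name FROM profile WHERE ID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage. Connection details are placeholders. With this report mode a failed
// prepare()/execute() throws mysqli_sql_exception instead of returning false
// and leaving a syntax error to be discovered later, as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'photos_db');
$db->set_charset('utf8mb4'); // the driver escapes for the connection charset

// Values straight from the form: no escaping call needed, and a title such as
// "O'Brien's photo" or "x' OR '1'='1" is stored literally. $photo_name is the
// file name produced by the upload handling elsewhere in the script.
$rows = updatePhoto(
    $db,
    (int) ($_POST['photo_id'] ?? 0),
    (string) ($_POST['update_photo_title'] ?? ''),
    (string) ($_POST['update_photo_text'] ?? ''),
    (string) ($photo_name ?? '')
);

$photo = getPhoto($db, (int) ($_POST['photo_id'] ?? 0));
```

The `?` placeholders here are server-side prepared statements, the same shape as the ADOdb `Execute(..., array(...))` call shown earlier in the thread. Binding `ID` as an integer also means a non-numeric `photo_id` cannot alter the WHERE clause; the cast to `int` turns garbage into `0`, which matches no row.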
